Defense in Depth promises clear talk on cybersecurity’s most controversial and confusing debates. Once a week we choose one controversial and popular cybersecurity debate and use the InfoSec community’s insights to lead our discussion.
When Is Data an Asset and When Is It a Liability?
All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is my guest, Mario Trujillo, staff attorney, Electronic Frontier Foundation. In this episode: Data is the life blood of an organization but what happens when you collect too much? Do you put risk on both your organization and for any individuals that data belongs too? Is it still wise to collect as much data as possible? How can CISOs embrace data minimization that doesn't clash with the needs of the business? Thanks to our podcast sponsor, Material Security Material Security is purpose-built to stop attacks and reduce risk across Microsoft 365 and Google Workspace with unified cloud email security, data loss prevention, and posture management. Learn more at material.security.
2/22/2024 • 34 minutes, 49 seconds
Tracking Anomalous Behaviors of Legitimate Identities
All links and images for this episode can be found on CISO Series. The Verizon DBIR found that about half of all breaches involved legitimate credentials. It’s a huge attack surface that we’re only starting to get a handle of. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining me is our guest, Adam Koblentz, field CTO, Reveal Security. In this episode: Where are we in terms of monitoring anomalous behavior of our users? Why are we still struggling to understand what happens after threat actors are in our networks? How are new AI-based tools helping us to scale efforts? What's working and where do we need to improve? Thanks to our podcast sponsor, Reveal Security Reveal Security ITDR detects identity threats - post authentication - in and across SaaS applications and cloud services. Powered by unsupervised machine learning, it continuously monitors and validates the behavior of trusted human users, APIs and other entities, accurately detecting anomalies that signal an in-progress identity threat. Visit reveal.security
2/15/2024 • 34 minutes, 1 second
Why Do Cybersecurity Startups Fail?
All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Mike Levin, deputy CISO, 3M. In this episode: Why do security startups fail? All startups are an inherently risky proposition, but what are the specific challenges for startups in our industry? What's unique about cybersecurity startups? What's the most common reason you've seen a cyber startup not succeed? Thanks to our podcast sponsor, RevealSecurity! Reveal Security ITDR detects identity threats - post authentication - in and across SaaS applications and cloud services. Powered by unsupervised machine learning, it continuously monitors and validates the behavior of trusted human users, APIs and other entities, accurately detecting anomalies that signal an in-progress identity threat. Visit reveal.security
2/8/2024 • 31 minutes, 43 seconds
Is "Compliance Doesn't Equal Security" a Pointless Argument?
All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Derek Fisher, Executive director of product security, JPMorgan. In this episode: A security program shouldn't stop at compliance, but that doesn't mean we should undervalue it, right? Why are we so quick to dismiss compliance as simple check boxes? Why is compliance important and why is it often getting a bad name these days? What are the elements that make a great solution? Thanks to our podcast sponsor, RevealSecurity! Reveal Security ITDR detects identity threats - post authentication - in and across SaaS applications and cloud services. Powered by unsupervised machine learning, it continuously monitors and validates the behavior of trusted human users, APIs and other entities, accurately detecting anomalies that signal an in-progress identity threat. Visit reveal.security
2/1/2024 • 33 minutes, 33 seconds
CISOs Responsibilities Before and After an M&A
All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Alexandra Landegger, Executive Director and CISO, Collins Aerospace. In this episode: Why do mergers and acquisitions always present challenges to an organization? When it comes to cybersecurity, how involved should a CISO be before AND after an acquisition? Can cybersecurity considerations make or break a deal? What skills did you find yourself flexing with your first M&A experience? Thanks to our podcast sponsor, Aphinia! Join Aphinia, a professional tribe of superheroes fighting cybercriminals. If you are a CISO, VP or a Director of cybersecurity, get instant free access to thousands of your peers, career advice, networking opportunities, consulting gigs and more. Join the good guys’ team because the only way to succeed is together: https://aphinia.com/#signup_form
1/25/2024 • 30 minutes, 33 seconds
Use Red Teaming To Build, Not Validate, Your Security Program
All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Richard Ford, CTO, Praetorian. In this episode: When did we all agree that red teaming was about validating security? Does it seem like increasingly red teaming is a catch all term for a whole lot of testing that isn't clearly defined? Is this making it hard to see its value? Can moving red teaming upstream be more valuable to your organization? Thanks to our podcast sponsor, Praetorian Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.
1/18/2024 • 31 minutes, 34 seconds
The Do's and Don'ts of Approaching CISOs
All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our guest, Adam Glick, CISO, PSG. In this episode: Vendors need to reach out to CISOs, but what does a successful approach look like? Do vendors often spray and pray with outreach, rather than doing a bare minimum of research? What else can vendors do to try to create meaningful outreach to CISOs? How do you like security sales professionals to build a relationship with you? Thanks to our podcast sponsor, Praetorian Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.
1/11/2024 • 31 minutes, 36 seconds
Doing Third Party Risk Management Right
All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Erik Decker, CISO, Intermountain Health. In this episode: Why are we all struggling trying to manage third-party risk? Why do the hated questionnaires seem like compliance checkbox efforts? Does anyone believe it reduces risk? What's the right approach and how do you strike the right balance? Thanks to our podcast sponsor, Praetorian Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.
1/4/2024 • 30 minutes, 30 seconds
Warning Signs You're About To Be Attacked
All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining me is our sponsored guest, Trevor Hilligoss, senior director of security research, SpyCloud. In this episode: What are the things that raise red flags that you're about to experience an attack? What signals set off your Spidey sense that things could go sideways? What are the early warning signs an attack is underway? Did you learn anything new? Thanks to our podcast sponsor, SpyCloud Get ahead of ransomware attacks by acting on a common precursor: infostealer malware. SpyCloud recaptures what’s stolen from infostealer-infected systems, and alerts your team to take action before compromised authentication data can be used by criminals to target your business. Get our latest research and check your malware exposure at spycloud.com/ciso.
12/14/2023 • 33 minutes, 7 seconds
Do We Have to Fix ALL the Critical Vulnerabilities?
All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, David Christensen, VP, CISO, PlanSource. In this episode: How do you actually focus your patching efforts on the vulnerabilities that are seen as universally holding the most risk? With limited resources, is it possible to "patch all the things"? How do we focus patching efforts to fix the most vital issues quickly? What are the risks we’re dealing with? Thanks to our podcast sponsor, SpyCloud Get ahead of ransomware attacks by acting on a common precursor: infostealer malware. SpyCloud recaptures what’s stolen from infostealer-infected systems, and alerts your team to take action before compromised authentication data can be used by criminals to target your business. Get our latest research and check your malware exposure at spycloud.com/ciso.
12/7/2023 • 30 minutes, 48 seconds
Mitigating Generative AI Risks
All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our guest, Jerich Beason, CISO, WM. In this episode: Does generative AI come with a new set of risks? How can we address these risks to take advantage of its benefits? How do we approach a much desired technology we're not so sure how we should secure? How can we take what we've learned from past technological advances and apply it to mitigate risks with generative AI? Thanks to our podcast sponsor, SpyCloud Get ahead of ransomware attacks by acting on a common precursor: infostealer malware. SpyCloud recaptures what’s stolen from infostealer-infected systems, and alerts your team to take action before compromised authentication data can be used by criminals to target your business. Get our latest research and check your malware exposure at spycloud.com/ciso.
11/30/2023 • 32 minutes, 38 seconds
Building a Cyber Strategy for Unknown Unknowns
All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our sponsored guest, Himaja Motheram, Censys. In this episode: How can one create a security program around unknown problems? Don’t we know a lot of the things we lack visibility into that can cause security issues? But what about the things you don't even know about in the first place? Will that thing we don't even know to look at, ever cause a security issue? Thanks to our podcast sponsor, Censys Censys is the leading Internet Intelligence Platform for Threat Hunting and Exposure Management. We provide the most comprehensive, accurate, and up-to-date map of the internet, which scans 45x more services than the nearest competitor across the world’s largest certificate database (>10B). Learn more at www.censys.com.
11/16/2023 • 29 minutes, 57 seconds
Responsibly Embracing Generative AI
All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Russell Spitler, CEO and co-founder, Nudge Security. In this episode: Are businesses walking a tightrope with generative AI? How can organizations implement generative AI responsibly? What can we learn from previous transitions that can help us responsibly bring generative AI into the workplace milieu? What else are we missing? Thanks to our podcast sponsor, Nudge Security Nudge Security provides complete visibility of every SaaS and cloud account ever created by anyone in your org, in minutes. No agents, browser plug-ins or network proxies required. With this visibility, you can discover shadow IT, manage your SaaS attack surface, secure SaaS access, and respond effectively to SaaS breaches.
11/9/2023 • 33 minutes, 23 seconds
People Are the Top Attack Vector (Not the Weakest Link)
All links and images for this episode can be found on CISO Series. In increasingly complex technical defenses, threat actors frequently target the human element. This makes them a top attack vectors, but are they actually the weak leak in your defenses? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our guest, Christina Shannon, CIO, KIK Consumer Products. Thanks to our podcast sponsor, SPHERE SPHERE is the Identity Hygiene pioneer. It closes the loop on ownership, certification, and remediation challenges through an automated remediation process. By working with the IAM and PAM solutions organizations have in place, SPHEREboard automates discovery and remediation on an ongoing basis. Learn more at sphereco.com! In this episode: Threat actors frequently target the human element, but are they actually the weak leak in your defenses? Have we been treating humans wrong in our environment? Is the blame on security professionals for failing to design security systems to set humans up for success? Is it disingenuous to presume that cybersecurity would be perfect if not for users?
11/2/2023 • 30 minutes, 35 seconds
What's Entry Level in Cybersecurity?
All links and images for this episode can be found on CISO Series. We often talk about the contradiction of seemingly entry-level security jobs requiring years of experience. But maybe that's because entry-level jobs don't actually exist. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us this week is our guest Jay Wilson, CISO, Insurity. Thanks to our podcast sponsor, SlashNext SlashNext Complete delivers zero-hour protection for how people work today across email, mobile, and browser apps. With SlashNext’s generative AI to defend against advanced business email compromise, smishing, spear phishing, executive impersonation, and financial fraud, your people are always protected anywhere they work. Request a demo today. In this episode: What's “entry level” in cybersecurity and does it even exist? What causes the contradiction of seemingly entry-level security jobs requiring years of experience? Why does it seem like there are still no entry level jobs? How do job candidates get creative with their experience to get a foot in the door?
10/26/2023 • 31 minutes, 11 seconds
New SEC Rules for Cyber Security
All links and images for this episode can be found on CISO Series. The Securities and Exchange Commission issued new cyber rules. What do these new rules mean for CISOs and will they ultimately improve our cybersecurity posture? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our guest, Jamil Farshchi, CISO, Equifax. Thanks to our podcast sponsor, Nudge Security Nudge Security provides complete visibility of every SaaS and cloud account ever created by anyone in your org, in minutes. No agents, browser plug-ins or network proxies required. With this visibility, you can discover shadow IT, manage your SaaS attack surface, secure SaaS access, and respond effectively to SaaS breaches. In this episode: The Securities and Exchange Commission issued new cyber rules. What do these new rules mean for CISOs and will they ultimately improve our cybersecurity posture? Are these rules something to celebrate, or are they just going to make a CISOs compliance efforts even more difficult? For those companies who actually follow the guidance, will this step up their cyber game considerably?
10/19/2023 • 35 minutes, 57 seconds
The Value of RSA, Black Hat, and Mega Cyber Tradeshows
All links and images for this episode can be found on CISO Series. Are trade shows like RSA getting so big that there's not enough economic value for a CISO to attend? Or do these events have enough industry gravity to justify the spend? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest Lee Parrish, CISO, Newell Brands. Thanks to our podcast sponsor, Censys In this episode: Everyone sees value in security professionals coming together, but what specific value does a huge expo like RSA deliver? Are trade shows like RSA getting so big that there's not enough economic value for a CISO to attend? Or do these events have enough industry gravity to justify the spend? Will FOMO continue to force vendors to sponsor big shows like RSA?
10/12/2023 • 29 minutes, 33 seconds
Is Remote Work Helping or Hurting Cybersecurity?
All links and images for this episode can be found on CISO Series. Work from home flourished during the pandemic. Many workers love it and don't want to go back. Some organizations are pushing for a return to the office. Is in-office work necessary to improve productivity and cybersecurity posture? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us for the episode is our guest, Shawn Bowen, CISO, World Kinect Corporation. Thanks to our podcast sponsor, Nudge Security Nudge Security provides complete visibility of every SaaS and cloud account ever created by anyone in your org, in minutes. No agents, browser plug-ins or network proxies required. With this visibility, you can discover shadow IT, manage your SaaS attack surface, secure SaaS access, and respond effectively to SaaS breaches. In this episode: Is in-office work necessary to improve productivity and cybersecurity posture? Is this push for return to office just an effort for managers to return to the "good 'ole days" with no other rationale? So technology can be great from anywhere, but people cannot? Does successful work from home require a mature approach to leadership?
10/5/2023 • 31 minutes, 25 seconds
How to Manage Users' Desires for New Technology
All links and images for this episode can be found on CISO Series. Large language models and generative AI are today's disruptive technology. This is not the first time companies just want to ban a new technology that everyone loves. Yet, we're doing it all over again. Whether its ChatGPT or BYOD, people are going to use desirable new tech. So if our job isn't to stop it, how do we secure it? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest, Carla Sweeney, SVP, InfoSec, Red Ventures. Thanks to our podcast sponsor, Censys Censys is the leading Internet Intelligence Platform for Threat Hunting and Exposure Management. We provide the most comprehensive, accurate, and up-to-date map of the internet, which scans 45x more services than the nearest competitor across the world’s largest certificate database (>10B). Learn more at www.censys.com. In this episode: Whether its ChatGPT or BYOD, people are going to use desirable new tech. So if our job isn't to stop it, how do we secure it? Are tools like ChatGPT so different from what we've seen before that we can't apply lessons already learned? What risks are we solving for with it and where do we go from there? Is this just a security issue?
9/28/2023 • 23 minutes, 54 seconds
Cybersecurity Questions Heard Around the Kitchen Table
All links and images for this episode can be found on CISO Series. What do the people least in the know about cyber, want to know? What are they asking? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest, Caitlin Sarian, AKA cybersecuritygirl on TikTok. Thanks to our podcast sponsor, DataBee from Comcast Technology Solutions DataBee™, from Comcast Technology Solutions, is a cloud-native security, risk and compliance data fabric platform that transforms your security data chaos into connected outcomes. Built by security professionals for security professionals, DataBee enables users to examine the past, react to the present, and protect the future of the business. In this episode: What do the people least in the know about cyber, want to know? What are they asking? How important is it to understand what concerns the average person? Are these reasonable concerns or do you think they're directed by media pressure? How do regular, everyday people know what is safe and best practices without a clear path or studying cybersecurity in depth?
9/21/2023 • 30 minutes, 29 seconds
How to Prime Your Data Lake
All links and images for this episode can be found on CISO Series. A security data lake, a data repository of everything you need to analyze and get analyzed sounds wonderful. But priming that lake, and stocking it with the data you want to get the insights you need is a more difficult task than it seems. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our sponsored guest, Matt Tharp, Head of Field Engineering, Comcast DataBee. Thanks to our podcast sponsor, Comcast Technology Solutions In this episode: What exactly is a data lake? How are people thinking about and handling the risks? If you want security data lakes to be successful, what customer problem are you trying to solve? How can you make it both dead simple to use AND highly effective?
9/14/2023 • 27 minutes, 18 seconds
Getting Ahead Of Your Threat Intelligence Program
All links and images for this episode can be found on CISO Series. A threat intelligence program sounds like a sound effort in any security program. But, can you pull it off? There are so many phases to execute properly. Blow it with any one of them and your threat intelligence effort is moot. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us today is our special guest Jon Oltsik, distinguished analyst and fellow, Enterprise Strategy Group. Thanks to our podcast sponsor, Comcast DataBee™, from Comcast Technology Solutions, is a cloud-native security, risk and compliance data fabric platform that transforms your security data chaos into connected outcomes. Built by security professionals for security professionals, DataBee enables users to examine the past, react to the present, and protect the future of the business. In this episode: A threat intelligence program sounds like a sound effort in any security program. But, can you pull it off? Which phase of a threat intelligence program gives you the most trouble, and why? What has been your personal experience, and does it change organization to organization? How do you measure the success of the program to prove the value of the work being done?
9/7/2023 • 33 minutes, 33 seconds
How Security Leaders Deal with Intense Stress
All links and images for this episode can be found on CISO Series. When you have an incident and you're engulfed by the stress that lasts more than a day, how do you manage and deal with it? And not only how do you manage your stress, but how do you manage everyone else's? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest, Tim Brown, CISO, Solarwinds. Thanks to our podcast sponsor, Push Security Do you have visibility of all the SaaS apps your employees are storing corporate data on? Are employees protecting all their accounts against identity-based attacks? Discover all the SaaS your employees use - including shadow apps and identities - and secure your data. Find out more at pushsecurity.com. In this episode: When you have an incident and you're engulfed by the stress that lasts more than a day, how do you manage and deal with it? And not only how do you manage your stress, but how do you manage everyone else's? During a major incident, which stress is more difficult to manage? Your own, or those around you? How is this everyone's concern?
8/31/2023 • 40 minutes, 46 seconds
How Do We Influence Secure Behavior?
All links and images for this episode can be found on CISO Series. We all know that our employees need to be more security aware, but what are the methods to get them there? How can we make our employees more security conscious? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest Jack Chapman, vp, threat intelligence, Egress. Thanks to our podcast sponsor, Egress Egress helps organization stop email security risks is by addressing both inbound and outbound threats together,. We recognize that people get hacked, make mistakes, and break the rules. Egress's Intelligent Cloud Email Security suite uses patented self-learning technology to detect sophisticated inbound and outbound threats, and protect against data loss. Learn more at egress.com. In this episode: We all know that our employees need to be more security aware, but what are the methods to get them there? How can we make our employees more security conscious? What does it take to get security to "stick" with your coworkers? Why does security remain so darn difficult?
8/24/2023 • 31 minutes, 49 seconds
Security Concerns with ChatGPT
All links and images for this episode can be found on CISO Series. Users have tried to upload sensitive company information and PII, personally identifiable information, into ChatGPT. Those who are successful getting the data in, have now made that data free to all. Will people's misuse of these generative AI programs be our greatest downfall to security and privacy? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest Suha Can, CISO, Grammarly. Thanks to our podcast sponsor, Opal Opal is building the next generation of intelligent identity. Identity is one of the last great enterprise frontiers. It’s fragmented with legacy architecture. Opal's mission is to empower teams to understand and calibrate access end to end, and to build identity security for scale. Learn more by at www.opal.dev. In this episode: Will people's misuse of these generative AI programs be our greatest downfall to security and privacy? Is AI the problem? Or is poor human judgement the problem? Is it better to get started with any guardrails until setting up a full policy? What are we going to do now?
8/17/2023 • 28 minutes, 59 seconds
Create A Pipeline of Cyber Talent
All links and images for this episode can be found on CISO Series. The demand for cybertalent is sky high. It's very competitive to get those people with skills. What if you were to train your staff and give them the skills you want? Essentially, what if you were to grow your own unicorn? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest, Jesse Whaley, CISO, Amtrak. Thanks to our podcast sponsor, Opal Opal is building the next generation of intelligent identity. Identity is one of the last great enterprise frontiers. It’s fragmented with legacy architecture. Opal's mission is to empower teams to understand and calibrate access end to end, and to build identity security for scale. Learn more by at www.opal.dev. In this episode: What if you were to train your staff and give them the skills you want? What if you were to grow your own unicorn? What’s the best way to grow your staff? How do you figure out the right mix of talent and prioritize the hiring, training, on the job, and other experiences?
8/10/2023 • 32 minutes, 5 seconds
Improving Adoption of Least Privileged Access
All links and images for this episode can be found on CISO Series. What are we doing to improve access management? Make it too loose and it's the number one way organizations get breached. Put on too many controls and now you've got irritated users just trying to do their job. How does each organization find their sweet spot? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest Paul Guthrie (@pguthrie), information security officer, Blend. Thanks to our podcast sponsor, Opal Opal is building the next generation of intelligent identity. Identity is one of the last great enterprise frontiers. It’s fragmented with legacy architecture. Opal's mission is to empower teams to understand and calibrate access end to end, and to build identity security for scale. Learn more by at www.opal.dev In this episode: What is the one most significant action you’ve taken to improve access management? What are we doing to improve access management? What is the correct balance between too many controls and not enough? How does each organization find their sweet spot?
8/3/2023 • 27 minutes, 39 seconds
Securing SaaS Applications
All links and images for this episode can be found on CISO Series. With the growth of business-led IT, does SaaS security need to be a specific focus in a CISO’s architectural strategy? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Steve Zalewski who also hosts Defense in Depth. Thanks to our podcast sponsor, AppOmni Do you know which 3rd party apps are connected to your SaaS platforms? After all, one compromised 3rd party app could put your entire SaaS ecosystem at risk. Get visibility to all 3rd party apps — and their level of data access — with AppOmni. Visit AppOmni.com to request a free risk assessment. In this episode: With the growth of business-led IT, does SaaS security need to be a specific focus in a CISO’s architectural strategy? Is the problem the architecture of the applications themselves or the fact that a non-security group is bringing these applications online? Is it both? Is this problem solvable? What technical controls can you put in place to mitigate risk from apps you deem risky?
7/27/2023 • 30 minutes, 33 seconds
How Do We Get Better Control of Cloud Data?
All links and images for this episode can be found on CISO Series. When it comes to data, compliance, and reducing risk, where are we gaining control? Where are we losing control? And what are we doing about that? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. We welcome our sponsored guest Amer Deeba, CEO and Co-founder, Normalyze. Thanks to our podcast sponsor, Normalyze Normalyze is a cloud data security platform that continuously discovers sensitive data and their access paths across your cloud environments. Normalyze provides the ability to analyze, prioritize and respond to data threats to prevent damaging data breaches. Discover, visualize, and secure your cloud data in minutes with Normalyze Freemium. In this episode: When it comes to data, compliance, and reducing risk, where are we gaining control? Where are we losing control? And what are we doing about that? Is "losing control" inevitable? Is SaaS really extremely difficult to work with at scale?
7/20/2023 • 30 minutes, 15 seconds
Finding Your Security Community
All links and images for this episode can be found on CISO Series. If you're struggling to get your first job in security or you're trying to get back into the industry after being laid off, you need to lean on your security community. But like networking, you should find it before you need it. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Thanks to our podcast sponsor, Egress Egress helps organization stop email security risks is by addressing both inbound and outbound threats together,. We recognize that people get hacked, make mistakes, and break the rules. Egress's Intelligent Cloud Email Security suite uses patented self-learning technology to detect sophisticated inbound and outbound threats, and protect against data loss. Learn more at egress.com. In this episode: Are you struggling to get your first job in security or trying to get back into the industry after being laid off? What is the importance of building your security community network ? What should you look for in a community? What should you expect to put into it, and what should you expect to get back?
7/13/2023 • 29 minutes, 55 seconds
Let's Write Better Cybersecurity Job Descriptions
All links and images for this episode can be found on CISO Series. What should a cyber job description require, and what shouldn't it? What's reasonable and not reasonable? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Rob Duhart (@robduhart), deputy CISO, Walmart. Thanks to our podcast sponsor, Normalyze Normalyze is a cloud data security platform that continuously discovers sensitive data and their access paths across your cloud environments. Normalyze provides the ability to analyze, prioritize and respond to data threats to prevent damaging data breaches. Discover, visualize, and secure your cloud data in minutes with Normalyze Freemium. In this episode: What should a cyber job description require, and what shouldn't it? What's reasonable and not reasonable? Do these completely unrealistic job descriptions hurt the entire industry? What is it we need to put in a cyber job description, and what do we need to leave out? Who’s losing out here?
7/6/2023 • 30 minutes, 18 seconds
How Should Security Better Engage with Application Owners?
All links and images for this episode can be found on CISO Series. Since so much technology today is not launched by the IT department, but by business units themselves. How do security professionals engage with business and application owners and have a conversation about security policy and procedures? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest Harold Byun (@haroldnhoward), chief product officer, AppOmni. Thanks to our podcast sponsor, AppOmni Do you know which 3rd party apps are connected to your SaaS platforms? After all, one compromised 3rd party app could put your entire SaaS ecosystem at risk. Get visibility to all 3rd party apps — and their level of data access — with AppOmni. Visit AppOmni.com to request a free risk assessment. In this episode: What's your experience talking about security policy and procedures with business and application owners? How do security professionals engage with business and application owners? How do they have a conversation about security policy and procedures? Is there anything you learned that you didn't realize before?
6/29/2023 • 30 minutes, 48 seconds
How To Get More People Into Cybersecurity
All links and images for this episode can be found on CISO Series. There are millions of cybersecurity jobs open. Over time, that number has just been growing. What we're doing now does not seem to be working. So what's it going to take to fill all these jobs quickly? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Rich Gautier, former CISO for the U.S. Department of Justice, Criminal Division. Thanks to our podcast sponsor, Brinqa Understand your cyber assets, prioritize vulnerabilities, automate remediation, and continuously monitor cyber hygiene across the entire attack surface — infrastructure, applications and cloud — with Brinqa. See how at brinqa.com. In this episode: There are millions of cybersecurity jobs open. What's it going to take to fill all these jobs quickly? Are job description requirements partially to blame for holding back the industry from tapping into greater diversity of expertise? Is it better off if you hire, train, culturally integrate, and reward that person? Does burn out and a steep learning curve keep adding to the problem?
6/22/2023 • 29 minutes, 52 seconds
How to Create a Positive Security Culture
All links and images for this episode can be found on CISO Series. How do you create a positive security culture? It's rarely the first concept anyone wants to embrace, yet it's important everyone understands their responsibility. So what do you do, and how do you overcome inevitable roadblocks? Check out this post and this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest, Jadee Hanson, CISO/CIO for Code42. Thanks to our podcast sponsor, Code42 Code42 is focused on delivering solutions built with the modern-day collaborative culture in mind. Code42 Incydr tracks activity across computers, USB, email, file link sharing, Airdrop, the cloud and more, our SaaS-based solution surfaces and prioritizes file exposure and data exfiltration events. Learn more at Code42.com. In this episode: How do you create a positive security culture? Where do we run into struggles when trying to create a positive security culture? Given its importance, why is it rarely the first concept anyone wants to embrace? What do you do, and how do you overcome inevitable roadblocks?
6/15/2023 • 30 minutes, 59 seconds
How Should We Trust Entry Level Employees?
All links and images for this episode can be found on CISO Series. All experienced security professionals were at one time very green. Entry level status means risk to your organization. That's if you give them too much access. What can you trust an entry level security professional to do that won't impose unnecessary risk? And how can those green professionals build trust to allow them to do more? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Kemas Ohale, vp, global information security, Lippert. Thanks to our podcast sponsor, Normalyze Normalyze is a cloud data security platform that continuously discovers sensitive data and their access paths across your cloud environments. Normalyze provides the ability to analyze, prioritize and respond to data threats to prevent damaging data breaches. Discover, visualize, and secure your cloud data in minutes with Normalyze Freemium. In this episode: What can you trust an entry level security professional to do that won't impose unnecessary risk? How can those green professionals build trust to allow them to do more? What can they do with zero experience? How can they graduate upwards?
6/8/2023 • 30 minutes, 57 seconds
How Must Processes Change to Reduce Risk?
All links and images for this episode can be found on CISO Series. What do we need to do to fix our processes to truly reduce risk and vulnerabilities? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Amad Fida (@brinqa), CEO, Brinqa. Thanks to our podcast sponsor, Brinqa Understand your cyber assets, prioritize vulnerabilities, automate remediation, and continuously monitor cyber hygiene across the entire attack surface — infrastructure, applications and cloud — with Brinqa. See how at brinqa.com. In this episode: What do we need to do to fix our processes to truly reduce risk and vulnerabilities? How to work with all departments to improve process, communication, and motivation? Why does security need to be treated as a function of the enterprise risk program? What are the elements that make a great solution?
6/1/2023 • 28 minutes, 47 seconds
Reputational Damage from Breaches
All links and images for this episode can be found on CISO Series. Security professionals talk a lot about the reputational damage from breaches. And it seems logical, but major companies still do get breached and their reputation seems spared. What's the reality of what breaches can do to a company's reputation? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Cecil Pineda, CISO, R1. Thanks to our podcast sponsor, Brinqa Understand your cyber assets, prioritize vulnerabilities, automate remediation, and continuously monitor cyber hygiene across the entire attack surface — infrastructure, applications and cloud — with Brinqa. See how at brinqa.com. In this episode: Security professionals talk a lot about the reputational damage from breaches, so why do companies still get breached? What's the reality of what breaches can do to a company's reputation? Does a breach really result in lasting reputation damage? Are we more accepting of breaches now?
5/25/2023 • 30 minutes, 45 seconds
Do RFPs Work?
All links and images for this episode can be found on CISO Series. Do RFPs or request for proposals work as intended? It seems they're loaded with flaws yet for some organizations who must follow processes, they become necessary evils for both buyers and sellers. What can we do to improve the process? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Keith McCartney (@kmflgator), vp, security and IT, DNAnexus. Thanks to our podcast sponsor, TrustCloud TrustCloud is the all-in-one platform to accelerate sales and security reviews, automate compliance efforts, and map contractual liability across your business. Connect with us to learn how you can transform security from a cost center into a profit driver with TrustCloud’s programmatic risk and compliance verification tools. In this episode: Do RFPs or request for proposals work as intended? Does it seem they're loaded with flaws? Have they become necessary evils for both buyers and sellers? What can we do to improve the process?
5/18/2023 • 27 minutes, 36 seconds
Successful Cloud Security
All links and images for this episode can be found on CISO Series. What are the moves we should be making in cloud to improve our security? What constitutes a good cloud security posture? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Andy Ellis, operating partner, YL Ventures. We welcome our sponsored guest Yoav Alon, CTO, Orca Security. Thanks to our podcast sponsor, Orca Security Orca Security is the pioneer of agentless cloud security that is trusted by hundreds of enterprises globally. With continuous first-to-market innovations and expertise, the Orca Platform ensures security teams quickly identify and remediate risks to keep their businesses secure. Connect your first account in minutes by visiting www.orca.security. In this episode: What does successful cloud security look like? What are the moves we should be making in the cloud to improve our security? What constitutes a good cloud security posture? What should we be measuring when it comes to cloud security?
5/11/2023 • 31 minutes, 13 seconds
How Should Security Vendors Engage With CISOs?
All links and images for this episode can be found on CISO Series. One CISO has had enough of the security vendor marketing emails and cold sales calls. He's blocking them all. But it's not a call to avoid all salespeople. He just doesn't have the time to be a target anymore. So how should vendors engage with such a CISO? And does CISO represent most CISOs today? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest Joy Forsythe, VP, Security, Thrive Global. Thanks to our podcast sponsor, Code42 Code42 is focused on delivering solutions built with the modern-day collaborative culture in mind. Code42 Incydr tracks activity across computers, USB, email, file link sharing, Airdrop, the cloud and more, our SaaS-based solution surfaces and prioritizes file exposure and data exfiltration events. Learn more at Code42.com. In this episode: How should vendors engage with CISOs who are tired of being targeted? How can vendors reach CISOs who have had enough of the security vendor marketing emails and cold sales calls? Does CISO represent most CISOs today? Is the sales "system" essentially broken?
5/4/2023 • 37 minutes, 14 seconds
Gartner Created Product Categories
All links and images for this episode can be found on CISO Series. Do we really need more categories of security products? Every new Gartner magic quadrant complicates the marketplace but at the same time helps us understand the other vectors we need to protect. Do new categories of security products help or hurt the industry? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Corey Elinburg (@celinburg), CISO, CommonSpirit Health. Thanks to our podcast sponsor, Egress In this episode: Do we really need more categories of security products? Does it seem like every new Gartner magic quadrant complicates the marketplace but at the same time helps us understand the other vectors we need to protect? Do new categories of security products help or hurt the industry? Does this make it hard to keep up to date on all new products?
4/27/2023 • 34 minutes, 32 seconds
How to Always Make a Business Case for Security
All links and images for this episode can be found on CISO Series. How can security leaders and how do they go about matching business case to every security action you want to take? Is this the right way to sell security to the board? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Sravish Sridhar (@sravish), founder and CEO, TrustCloud. Thanks to our podcast sponsor, TrustCloud TrustCloud is the all-in-one platform to accelerate sales and security reviews, automate compliance efforts, and map contractual liability across your business. Connect with us to learn how you can transform security from a cost center into a profit driver with TrustCloud’s programmatic risk and compliance verification tools. In this episode: How can security leaders best make a case for security? How do you go about matching business cases to every security action you want to take? Is this the right way to sell security to the board? How do you show that security can be aligned to business objectives?
4/20/2023 • 31 minutes, 7 seconds
Do Breaches Happen Because the Tool Fails, or the Tool Was Poorly Configured?
All links and images for this episode can be found on CISO Series. Security tools are supposed to do a job. Either they need to alert you, protect you, or remediate an issue. But they don't always work and that's why we have breaches. Who's at fault, the tool or the administrators who configured the tool? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Kenneth Foster (@Kennethrfoster1), vp of IT governance, risk and compliance at FLEETCOR. Thanks to our podcast sponsor, AppOmni Do you know which 3rd party apps are connected to your SaaS platforms? After all, one compromised 3rd party app could put your entire SaaS ecosystem at risk. Get visibility to all 3rd party apps — and their level of data access — with AppOmni. Visit AppOmni.com to request a free risk assessment. In this episode: Why do security tools fail? Who's at fault, the tool or the administrators who configured the tool? Is it usually because the control is ineffective or was the control misconfigured / ignored? Do InfoSec produts have an efficacy issue or an implementation issue?
4/13/2023 • 32 minutes, 27 seconds
What We Love About Working in Cybersecurity
All links and images for this episode can be found on CISO Series. We talk a lot on this show about what makes cybersecurity such a hard job, yet there are so many people who are in it and love it. What draws people to this profession and why do they love it so much? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest David Cross (@MrDBCross), CISO, Oracle SaaS Cloud. Thanks to our podcast sponsor, Orca Security Orca Security is the pioneer of agentless cloud security that is trusted by hundreds of enterprises globally. With continuous first-to-market innovations and expertise, the Orca Platform ensures security teams quickly identify and remediate risks to keep their businesses secure. Connect your first account in minutes by visiting www.orca.security. In this episode: We talk a lot on this show about what makes cybersecurity such a hard job, yet there are so many people who are in it and love it. What draws people to this profession and why do they love it so much? Do you love the ability to influence the organization and leadership? Do you love making an impact by helping people and businesses with safer behaviors and activities?
4/6/2023 • 28 minutes, 53 seconds
Security That Accounts for Human Fallibility
All links and images for this episode can be found on CISO Series. We expect our users to be perfect security responders even when the adversaries are doing everything in their power to trick them. These scams are designed to make humans respond to them. Why aren't we building our security programs to account for this exact behavior that is simply not going to go away? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Ken Athanasiou, CISO, VF Corporation. Thanks to our podcast sponsor, Code42 In this episode: Why do we expect our users to be perfect security responders even when the adversaries are doing everything in their power to trick them? Aren’t these scams designed to make humans respond to them? Why aren't we building our security programs to account for this exact behavior that is simply not going to go away? Why do so many security practitioners treat our users as children to be managed instead of adults to be educated and assigned a level of accountability?
3/30/2023 • 31 minutes, 55 seconds
Why You Should Be Your Company's Next CISO
All links and images for this episode can be found on CISO Series. How do you make the argument that your company needs a CISO, and that YOU should be that leader? What do you need to demonstrate to prove you can be that person? Check out this post and this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest Radley Meyers (@radleymeyers), Partner, SPMB Executive Search. Thanks to our podcast sponsor, SPMB SPMB connects top executive talent to the world’s best and fastest growing innovators across the country. A key area we bring extensive knowledge and expertise to is our dedicated Security Practice, leading both functional searches (CISO and VP’s defining security strategy) and building out executive teams at top security software companies. In this episode: How do you make the argument that your company needs a CISO, and that YOU should be that leader? What do you need to demonstrate to prove you can be that person? Do you have a sound understanding of the WHY behind the organization's existence and how value is added or taken away? How do you lay out a plan to win in whatever industry you are in because of security NOT despite it?
3/23/2023 • 27 minutes, 55 seconds
How to Become a CISO
All links and images for this episode can be found on CISO Series. How do you become a CISO? It doesn't follow a linear pattern as many other professions. There are many different paths and there are many different entry points. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Yabing Wang, CISO, Justworks. Thanks to our podcast sponsor, SPMB SPMB connects top executive talent to the world’s best and fastest growing innovators across the country. A key area we bring extensive knowledge and expertise to is our dedicated Security Practice, leading both functional searches (CISO and VP’s defining security strategy) and building out executive teams at top security software companies. In this episode: How do you become a CISO? Why doesn't it follow a linear pattern as many other professions? Why are there so many different paths and entry points? Why is it valuable to know how others did it and how you can glean that knowledge and apply it to your situation?
3/16/2023 • 30 minutes, 46 seconds
Can You Build a Security Program on Open Source?
All links and images for this episode can be found on CISO Series. What would it take to build your entire security program on open source software, tools, and intelligence? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome guest DJ Schleen (@djschleen), distinguished security architect, Yahoo Paranoids. Thanks to our podcast sponsor, SPMB SPMB connects top executive talent to the world’s best and fastest growing innovators across the country. A key area we bring extensive knowledge and expertise to is our dedicated Security Practice, leading both functional searches (CISO and VP’s defining security strategy) and building out executive teams at top security software companies. In this episode: What would it take to build your entire security program on open source software, tools, and intelligence? Is it possible/feasible/practical to run a security program entirely based upon free and open source software, open source tools, and open source intelligence? Is it true that the more open source you use the more people you need? Do commercial software systems, tools, and intelligence have value above what can be found in open source?
3/9/2023 • 25 minutes, 10 seconds
Third Party Risk vs. Third Party Trust
All links and images for this episode can be found on CISO Series. Businesses grow based on trust, but they have to operate in a world of risk. Even cybersecurity operates this way, but when it comes to third party analysis, what if we leaned on trust more than trying to calculate risk? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and our guest co-host is Yaron Levi (@0xL3v1), CISO, Dolby. Yaron and I welcome Dan Walsh, CISO, VillageMD. Thanks to our podcast sponsor, TrustCloud TrustCloud is the all-in-one platform to accelerate sales and security reviews, automate compliance efforts, and map contractual liability across your business. Connect with us to learn how you can transform security from a cost center into a profit driver with TrustCloud’s programmatic risk and compliance verification tools. In this episode: When it comes to third party analysis, what if we leaned on trust more than trying to calculate risk? Should we have a “glass half empty” or a “glass half full” attitude towards third party risk? Wouldn't it be better to measure the level of how much we can TRUST the 3rd party? Is it vitally important to assess how resilient the organization is to failure caused by each third party?
3/2/2023 • 28 minutes, 40 seconds
How Can We Improve the Cyber Sales Cycle?
All links and images for this episode can be found on CISO Series The cybersecurity sales process is so terribly inefficient. And everyone, the targets and cybersecurity leaders, are losing valuable time because of that inefficiency. Where can we start making improvements? Check out this post for the discussion that's the basis for this podcast episode. This week's Defense in Depth is hosted by me, David Spark (@dspark), producer, CISO Series. Our guest co-host is John Overbaugh, CISO, ASG. John and I welcome our guest, Jerich Beason (@blanketsec), commercial CISO, Capital One. Thanks to our podcast sponsor, Compyl GRC solutions often cause process roadblocks within organizations. They are either antiquated and lack the functionality needed or so stripped down they can’t fix the problems you set to solve. That's why the team over at Compyl created the all-in-one security and compliance automation platform. Compyl quickly integrates with the tools you use, and automates 85% of the day-to-day tasks, all while providing complete transparency and comprehensive reporting along the way. Start your free trial with Compyl today and see all the efficiency gains you can expect from a leading solution. Learn about Compyl today at www.compyl.com/getstarted. In this episode: Why is the cybersecurity sales process so terribly inefficient? Where can we start making improvements? What could be done to improve the efficiency? What is the solution to removing wasted effort and time?
2/23/2023 • 26 minutes, 11 seconds
What Leads a Security Program: Risk or Maturity?
All links and images for this episode can be found on CISO Series. When you think about building a plan (and budget!) for your security program, do you lead with risk, maturity, or something else? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Ngozi Eze, CISO, Levi Strauss. Thanks to our podcast sponsor, runZero runZero is the cyber asset management solution that helps you find and identify every managed and unmanaged asset connected to your network and in the cloud. Get the data and context needed to effectively manage and secure your environment. Try runZero for free at runzero.com. In this episode: When you think about building a plan (and budget!) for your security program, do you lead with risk, maturity, or something else? What's the overall theme you lead with when you're building a security program? Why is it an important question to answer before you build your program? How greatly can it vary?
2/16/2023 • 32 minutes, 58 seconds
Limitations of Security Frameworks
All links and images for this episode can be found on CISO Series Why do strongly supported security frameworks have such severe limitations when building a security program? Check out this post for the discussions that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest Stas Bojoukha, CEO, Compyl. Thanks to our podcast sponsor, Compyl GRC solutions often cause process roadblocks within organizations. They are either antiquated and lack the functionality needed or so stripped down they can’t fix the problems you set to solve. That's why the team over at Compyl created the all-in-one security and compliance automation platform. Compyl quickly integrates with the tools you use, and automates 85% of the day-to-day tasks, all while providing complete transparency and comprehensive reporting along the way. Start your free trial with Compyl today and see all the efficiency gains you can expect from a leading solution. Learn about Compyl today at www.compyl.com/getstarted. In this episode: Why do strongly supported security frameworks have such severe limitations when building a security program? Is it because the product security landscape updates with such speed and ferocity that these frameworks can't keep up? Are most regulatory and third-party compliance "programs" simply non-prescriptive? Is the intention to achieve compliance with every single control?
2/9/2023 • 28 minutes, 14 seconds
Why Is There a Cybersecurity Skills Gap?
All links and images for this episode can be found on CISO Series. Why is there a cybersecurity skills gap? Practically everyone is looking to hire, and there are ton of people getting training and trying to get into the industry, but we still have this problem. Why? Check out this post for the discussions that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome Edwin Covert (@ebcovert3), head of cyber risk engineering, Bowhead Specialty. Thanks to our podcast sponsor, Orca Security In this episode: Why is there a cybersecurity skills gap? Practically everyone is looking to hire, and there are tons of people getting training and trying to get into the industry, but we still have this problem. Why? Is there a problem with the system of hiring junior people, training, and preventing burnout? Is the problem gatekeepers who don't do anything to mentor or groom the next wave?
2/2/2023 • 32 minutes, 18 seconds
What Can the Cyber Haves Do for the Cyber Have Nots?
All links and images for this episode can be found on CISO Series. Given that your company's security is dependent on the security of your partners and others, what can we do to get more organizations above the security poverty line? Check out this post for the discussions that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest, Jason Kikta (@kikta), CISO, Automox. Thanks to our podcast sponsor, Automox Are you ready to ditch manual patching? With Automox, you can automatically patch your third-party applications, Windows, macOs, and Linux devices with one easy-to-use, cloud-native platform. Try for yourself with our free 15-day trial and have all your endpoints safe and secure in just 15 minutes. In this episode: Given that your company's security is dependent on the security of your partners and others, what can we do to get more organizations above the security poverty line? How can we give them guidance towards working on priorities in cybersecurity? How are the Vendors handling this? Can we create an "Adopt a Highway" program for cybersecurity?
1/26/2023 • 32 minutes, 18 seconds
Securing Unmanaged Assets
All links and images for this episode can be found on CISO Series. "When the asset discovery market launched, every single company that offered a solution used the line, “You can’t protect what you don’t know.” Everyone agreed with that. Problem is, “what you don’t know” has grown… a lot." Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Huxley Barbee (@huxley_barbee), security evangelist, runZero. Thanks to our podcast sponsor, runZero runZero is the cyber asset management solution that helps you find and identify every managed and unmanaged asset connected to your network and in the cloud. Get the data and context needed to effectively manage and secure your environment. Try runZero for free at runzero.com. In this episode: Everyone agrees that, “You can’t protect what you don’t know”, but what do you do when, “what you don’t know” has grown…a lot? With all our efforts to know our assets, are we doing any better understanding? How do we decide what we should really be measuring? How do we determine what’s most important in terms of asset management?
1/19/2023 • 30 minutes, 33 seconds
Ambulance Chasing Security Vendors
All links and images for this episode can be found on CISO Series A good high profile security threat seems like a good time to alert potential customers about how your product could help or even prevent a breach. Seems like a solid sales tactic for any industry that is not cybersecurity. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Angela Williams, CISO, UL. Thanks to our podcast sponsor, Automox Are you ready to ditch manual patching? With Automox, you can automatically patch your third-party applications, Windows, macOs, and Linux devices with one easy-to-use, cloud-native platform. Try for yourself with our free 15-day trial and have all your endpoints safe and secure in just 15 minutes. In this episode: Is tying your product to a high profile event a good sales tactic for vendors? How can vendors best help cybersecurity professionals during emergency situations? Is there a correct way for vendors to capitalize on a high profile event?
1/12/2023 • 32 minutes, 44 seconds
Do CISOs Have More Stress than Other C-Suite Jobs
All links and images for this episode can be found on CISO Series Why do CISOs seem more stressed out than other C-level executives? Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Jared Mendenhall, Head of information security, Impossible Foods. Thanks to our podcast sponsor, Compyl GRC solutions often cause process roadblocks within organizations. They are either antiquated and lack the functionality needed or so stripped down they can’t fix the problems you set to solve. That's why the team over at Compyl created the all-in-one security and compliance automation platform. Compyl quickly integrates with the tools you use, and automates 85% of the day-to-day tasks, all while providing complete transparency and comprehensive reporting along the way. Start your free trial with Compyl today and see all the efficiency gains you can expect from a leading solution. Learn about Compyl today at www.compyl.com/getstarted. In this episode: Do CISOs undergo more stress than other C-Suite jobs? Why do CISOs seem more stressed out than other C-level executives? Is it because the role is not fully formed and that CISOs don't get enough resources? Do the blurred lines of the CISO job increase the stress? Even more so that the CEO?
1/5/2023 • 30 minutes, 38 seconds
How Should We Discuss Cyber With the C-Suite?
All links and images for this episode can be found on CISO Series How detailed do we get in our conversation with business leaders? Do we dumb it down? Or is that a recipe for trouble? Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Lee Parrish (@leeparrish), CISO, Newell Brands. Thanks to our podcast sponsor, Qualys Qualys is a pioneer and leading provider of cloud-based security and compliance solutions. In this episode: How detailed do we get in our conversation with business leaders? Do we dumb it down? Or is that a recipe for trouble? To what level does the C-Suite need to be cyber savvy? How essential is it for senior leaders to know more?
12/15/2022 • 28 minutes, 40 seconds
Can You Be a vCISO If You’ve Never Been a CISO?
All links and images for this episode can be found on CISO Series Why are there so many vCISOs who have never been a CISO? Isn't it difficult to advise on a role you've never done? Do organizations feel comfortable hiring an inexperienced vCISO as their CISO? Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Steve Tran, CSO, DNC. Thanks to our podcast sponsor, runZero runZero is the cyber asset management solution that helps you find and identify every managed and unmanaged asset connected to your network and in the cloud. Get the data and context needed to effectively manage and secure your environment. Try runZero for free at runzero.com. In this episode: Why are there so many vCISOs who have never been a CISO? Isn't it difficult to advise on a role you've never done? Do organizations feel comfortable hiring an inexperienced vCISO as their CISO? If the person has the requisite background, why does it matter what the title they had before is?
12/8/2022 • 28 minutes, 40 seconds
How Should We Gauge a Company's Cyber Health?
All links and images for this episode can be found on CISO Series As an outside observer, how can you tell if a company is staying cyber healthy? While there is no financial statement equivalency to let you know the strength of a company's security profile, there are signals that'll give you a pretty good idea. Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Matt Honea, CISO, SmartNews. Thanks to our podcast sponsor, Automox Are you ready to ditch manual patching? With Automox, you can automatically patch your third-party applications, Windows, macOs, and Linux devices with one easy-to-use, cloud-native platform. Try for yourself with our free 15-day trial and have all your endpoints safe and secure in just 15 minutes. In this episode: As an outside observer, how can you tell if a company is staying cyber healthy? What are the signals to let you know the strength of a company's security profile? How do we go about trying to determine a company's cyber health? Why is it important to know about another company's cyber health?
12/1/2022 • 31 minutes, 20 seconds
Reducing the Attack Surface
All links and images for this episode can be found on CISO Series The cyber attack surface just keeps growing to the point that it seems endless. Protecting it all is impossible. Is there anything that can be done to reduce that attack surface and limit your exposure? Check out this post for the discussion that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Jonathan Trull (@jonathantrull), CISO, Qualys. Thanks to our podcast sponsor, Qualys Qualys is a pioneer and leading provider of cloud-based security and compliance solutions. In this episode: Is there anything that can be done to reduce that attack surface and limit your exposure? Is attack surface reduction a new security development philosophy or is it just a rebranding of vulnerability management? And what value does it have in comparison to other popular theories such as zero trust and defense in depth? Is everything just another form of exposure management?
11/17/2022 • 31 minutes, 11 seconds
Do We Need a Marketing Manager for the Security Team?
All links and images for this episode can be found on CISO Series Those reports on security procedures for the business are falling short. No one is reading them. What good are security controls if your staff doesn't know about them or adhere to them? Is it time to hire a marketing manager for the security team? Check out this post for the discussion that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Laura Deaner (@b3dwin), CISO, Northwestern Mutual. Thanks to our podcast sponsor, IANS Research CISOs, how does your compensation compare with your peers? Download IANS + Artico Search's 2022 CISO Compensation Benchmark Report. Find objective insights and comprehensive compensation data from over 500 CISOs across the U.S. and Canada. In this episode: What good are security controls if your staff doesn't know about them or adhere to them? Is it time to hire a marketing manager for the security team? Why does it make sense to think of who the stakeholder is and what’s happening in their world? How to best build policies that don’t get ignored?
11/10/2022 • 32 minutes, 13 seconds
Cybersecurity Budgets
All links and images for this episode can be found on CISO Series Cybersecurity budgets are increasing, by a lot. What's fueling the increase and where are those budgets being spent? Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest sponsored guest Nick Kakolowski, senior director of research at IANS Research. Thanks to our podcast sponsor, IANS Research CISOs, how does your compensation compare with your peers? Download IANS + Artico Search's 2022 CISO Compensation Benchmark Report. Find objective insights and comprehensive compensation data from over 500 CISOs across the U.S. and Canada. In this episode: What's fueling the increase in cybersecurity budgets and where are those budgets being spent? Do we understand where the money is being spent? Is it on new hires? More tooling? Does training new hires provide a good ROI for an increased budget? Should we equate the success of a security program with the size of the budget? Or not?
11/3/2022 • 26 minutes, 43 seconds
How Can We Make Sense of Cybersecurity Titles?
All links and images for this episode can be found on CISO Series What's the difference between a head of security, a vp of security, and a CISO? Do job responsibilities change whether you're a security analyst or a threat engineer? Roles are confusing and so is the pay and responsibilities attached to them. Check out this post and this post for the basis of today's discussion. this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Hadas Cassorla, CISO, M1. Our guest is Renee Guttman, former CISO of Coca-Cola, Time Warner, Campbells. Thanks to our podcast sponsor, IANS Research CISOs, how does your compensation compare with your peers? Download IANS + Artico Search's 2022 CISO Compensation Benchmark Report. Find objective insights and comprehensive compensation data from over 500 CISOs across the U.S. and Canada. In this episode: What's the difference between a head of security, a vp of security, and a CISO? Do job responsibilities change whether you're a security analyst or a threat engineer? Why are cyber security roles so confusing? And why is there such a variance of pay and responsibilities attached to them?
10/27/2022 • 30 minutes, 51 seconds
Walk a Mile in a Security Recruiter's Shoes
All links and images for this episode can be found on CISO Series Instead of complaining about the security hiring process, walk a mile in a recruiter's shoes and have a little compassion to what they're going through, and how you might be able to help, at any level. Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap) with our guest Caleb Sima (@csima), CSO, Robinhood. Thanks to our podcast sponsor, Safe Security If your CFO or Board was to ask: ‘How much could we lose to a cyber attack?’ Would you know? Introducing SAFE - the industry’s most complete Cyber Risk Quantification solution to help you answer those crucial questions in real-time: Visualize and measure cyber risk across your entire estate Discover your $ risk exposure per attack vector Gain personalized, actionable insights to tackle your most critical risks Communicate your real-time cyber risk posture to your Board Learn more at www.safe.security In this episode: Instead of complaining about the security hiring process, CISOs should walk a mile in a recruiter's shoes and have a little compassion to what they're going through. Have we thought about the process we’re creating for candidates? Are we being responsible and thinking about the candidate's journey vs. being opportunistic?
10/20/2022 • 29 minutes, 13 seconds
Moving Security from a Prevention to a Resilience Strategy
All links and images for this episode can be found on CISO Series Are security programs drifting from a prevention to a resilience strategy? If so, are you truly operating in a resilient environment? Or are you still acting in a prevention stance but you know you should be resilient? Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest David Ratner (@davidhratner), CEO, HYAS. Thanks to our podcast sponsor, HYAS "Better production environment security starts with visibility. After all, how can you protect your most valuable asset if you don’t know A: what’s expected and B: when something’s happening that isn’t expected? This is why HYAS Confront monitors traffic to alert you to anomalies, letting you address risks, threats, and changes, while blocking infiltrations before they become successful attacks. Don’t just react, take your security back with HYAS. Visit HYAS.com" In this episode: Are security programs drifting from a prevention to a resilience strategy? If so, are you truly operating in a resilient environment? Or are you still acting in a prevention stance but you know you should be resilient? What does a resilience strategy look like? How does your security stack change when you choose resilience?
10/13/2022 • 28 minutes, 17 seconds
How to Engage with Non-Technical Business Leaders
All links and images for this episode can be found on CISO Series How do you talk to non-technical business leaders about cybersecurity? It's a concern, it's a risk, they want to know so they can make logical business decisions. How do you help? Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap). Our guest is Sara Hall, deputy CISO, MassMutual. Thanks to our podcast sponsor, HYAS "Better production environment security starts with visibility. After all, how can you protect your most valuable asset if you don’t know A: what’s expected and B: when something’s happening that isn’t expected? This is why HYAS Confront monitors traffic to alert you to anomalies, letting you address risks, threats, and changes, while blocking infiltrations before they become successful attacks. Don’t just react, take your security back with HYAS. Visit HYAS.com" In this episode: How do you talk to non-technical business leaders about cybersecurity? It's a concern, it's a risk, they want to know so they can make logical business decisions. How do you help? Does storytelling and/or other strategies work? How do you have a risk discussion while also avoiding FUD - fear, uncertainty, and doubt?
10/6/2022 • 29 minutes, 58 seconds
Cybersecurity Burnout
All links and images for this episode can be found on CISO Series Why are cybersecurity professionals burning out? What's the dynamic of the job, the pressures being put on them, that causes the best to leave? And this industry can't afford to lose its best talent. Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and special guest co-host Shawn Bowen (@SMbowen), CISO, World Fuel Services. Our guest is Bozidar Spirovski (@spirovskib), CISO, Blue dot. Thanks to our podcast sponsor, HYAS Better production environment security starts with visibility. After all, how can you protect your most valuable asset if you don’t know A: what’s expected and B: when something’s happening that isn’t expected? This is why HYAS Confront monitors traffic to alert you to anomalies, letting you address risks, threats, and changes, while blocking infiltrations before they become successful attacks. Don’t just react, take your security back with HYAS. Visit HYAS.com In this episode: Why are cybersecurity professionals burning out? What's the dynamic of the job, the pressures being put on them, that causes the best to leave? Are certain areas of cyber are more prone to burnout than others? Do we have a training and communication crisis in the field?
9/29/2022 • 32 minutes, 37 seconds
How to Build a Greenfield Security Program
All links and images for this episode can be found on CISO Series You're starting a security program from scratch and you're trying to figure out where to start, what to prioritize, and how to architect it so it grows naturally and not a series of random patches over time. Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO. Our guest is Mark Bruns, CISO, First Bank. Thanks to our podcast sponsor, Keyavi Myth: Data can’t protect itself. Fact: Now it does! You control where your data goes in the world, who can access it and when. On any device. Anytime. Anywhere. FOREVER. Learn more at Keyavi.com. In this episode: Have you ever had a purely greenfield situation? When starting a security program from scratch, how do you figure out where to start and what to prioritize? What are the top five actions if you were going to implement a brand new/greenfield security program? How do you architect a security program so that it grows naturally and not a series of random patches over time?
9/22/2022 • 31 minutes, 6 seconds
Managing the Onslaught of Files
All links and images for this episode can be found on CISO Series Files are still the core of how people do business. How are you dealing with the onslaught of files coming into your network? People are sharing files across a multitude of platforms, and many for which you may not even know about. What checks and balances do you put in place to make sure you've got file integrity no matter the source? Check out this post for the discussion that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Aviv Grafi, founder and CTO, Votiro. Thanks to our podcast sponsor, Votiro Can you trust that your content and data is free of malware and ransomware? With Votiro you can. Votiro removes evasive and unknown malware from content in milliseconds, without impacting file fidelity or usability. It even works on password-protected and zipped files. Plus, it’s an API, so it integrates with everything – including Microsoft 365. Learn more at Votiro.com. That’s v-o-t-i-r-o.com In this episode: How are you dealing with the onslaught of files coming into your network? What checks and balances do you put in place to make sure you've got file integrity no matter the source? Who has the authority to decide whether a file should be protected or deleted?
9/15/2022 • 31 minutes, 36 seconds
Can You Have Culture Fit and Diversity, or Are They Mutually Exclusive?
All links and images for this episode can be found on CISO Series Hiring managers speak about looking for culture fit and diversity, but never at the same time. Can they coexist? Are they mutually exclusive? Check out this post for the discussion that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Sherron Burgess, CISO, BCD Travel. Thanks to our podcast sponsor, Votiro Can you trust that the files entering your organization are free of hidden threats like malware & ransomware? With Votiro you can. Votiro removes evasive and unknown malware from files in milliseconds, without impacting file fidelity or usability. It even works on password-protected and zipped files. Plus, it’s an API, so it integrates with email, cloud apps & storage, and content collaboration platforms like Microsoft 365 - wherever files need to flow. Learn more at Votiro.com. In this episode: Hiring managers speak about looking for culture fit and diversity, but never at the same time. Can they coexist? Are they mutually exclusive? How can you learn and grow as a company if everyone fits into one box? Is reaching diversity an overnight achievement, or a longer journey?
9/8/2022 • 34 minutes, 59 seconds
How to Follow Up With a CISO
All links and images for this episode can be found on CISO Series Cyber sales is hard. But don't let the difficulty of doing it get in way of your good judgement. So what is the right way to follow up with a CISO? Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Jack Kufahl, CISO, Michigan Medicine. Thanks to our podcast sponsor, SolCyber At SolCyber we're hell-bent on delivering Fortune 500 level cyber security for small and medium-sized enterprises. When you're being targeted by the same bad guys, nothing else will do. We bring to the table a curated stack of leading technologies and around-the-clock SOC support, all simply priced per user. Let us do the heavy lifting. In this episode: What is the right way to follow up with a CISO? How to prevent the difficulty of sales from clouding your good judgement? What are some ideas on how best to reach out to CISOs and other potential customers?
9/1/2022 • 36 minutes, 23 seconds
Roles to Prepare You to Be a CISO
All links and images for this episode can be found on CISO Series One day you want to be a CISO. What area of security you begin your studies? Or maybe you shouldn't be studying security. Check out this post for the discussion that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Evelin Biro (@wolfsgame), CISO, Alliant Credit Union. Thanks to our podcast sponsor, Qualys Qualys is a pioneer and leading provider of cloud-based security and compliance solutions. In this episode: What path should I take if I want to be a CISO? What security jobs/roles best prepare you to become a CISO? In what ways does the CISO role require totally different skills than the technical roles?
8/25/2022 • 31 minutes, 55 seconds
Minimizing Damage from a Breach
All links and images for this episode can be found on CISO Series What can we do to reduce the damage of a breach and the duration of detection and remediation? Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is Dave Klein (@cybercaffeinate), director, cyber evangelist, Cymulate. Thanks to our podcast sponsor, Cymulate The Ultimate Guide to Security Posture Validation: Learn how to effectively measure and reduce risk through continuous validation of your enterprise’s security posture. Download the playbook here. In this episode: What can we do to reduce the damage of a breach and the duration of detection and remediation? How do we determine what’s most important and how to best reduce risk? How can teams best reduce the impact of the "boom" you feel during a breach?
8/18/2022 • 25 minutes, 18 seconds
We're All Still Learning Cyber
All links and images for this episode can be found on CISO Series Learning cyber is not a question for those who are just starting out. It's for everybody. Where and how do we learn at every stage of our professional careers? Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Jerich Beason, CISO, Commercial, Capital One. Thanks to our podcast sponsor, SlashNext SlashNext protects the modern workforce from phishing and human hacking across all digital channels. SlashNext Complete™ utilizes our patented AI SEER™ technology to detect zero-hour phishing threats by performing dynamic run-time analysis on billions of URLs a day through virtual browsers and machine learning. Take advantage of SlashNext's phishing defense services for email, browser, mobile, and API. In this episode: Where do we go to learn at every stage of our professional careers? We discuss how the learning process never really stops, but is on-going with cyber professionals continuing to learn throughout their careers. Why is the “know-it-all” leader a red flag to avoid?
8/11/2022 • 28 minutes, 21 seconds
Practical Cybersecurity for IT Professionals
All links and images for this episode can be found on CISO Series You’re a CISO, vCISO, or MSSP rolling into a company that has yet to launch a cybersecurity department. How do you communicate about cyber with the IT department? They’re not completely new to cyber. What’s the approach to engagement that helps, but doesn’t insult? How do you offer practical cybersecurity advice? Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is sponsored guest Scott McCrady (@scottsman3), CEO, SolCyber. Thanks to our podcast sponsor, SolCyber At SolCyber we're hell-bent on delivering Fortune 500 level cyber security for small and medium-sized enterprises. When you're being targeted by the same bad guys, nothing else will do. We bring to the table a curated stack of leading technologies and around-the-clock SOC support, all simply priced per user. Let us do the heavy lifting. In this episode: How do you communicate about cyber with the IT department? What’s the approach to engagement that helps, but doesn’t insult? How do you offer practical cybersecurity advice?
8/4/2022 • 28 minutes, 26 seconds
Data Protection for Whatever Comes Next
All links and images for this episode can be found on CISO Series Cybersecurity boils down to securing your data or data protection. But that simple concept has turned into a monumental task that is only exacerbated every time we move our data to a new platform. How do we secure data today, to be ready for whatever comes next in computing? Check out this post and this post for the discussion that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and guest co-host Gary Hayslip (@ghayslip), global CISO, SoftBank Investment Advisers. Our sponsored guest is Elliot Lewis (@ElliotDLewis), CEO, Keyavi. Thanks to our podcast sponsor, Keyavi Myth: Data can’t protect itself. Fact: Now it does! You control where your data goes in the world, who can access it and when. On any device. Anytime. Anywhere. FOREVER. Learn more at Keyavi.com. In this episode: How do we secure data today, to be ready for whatever comes next in computing? How do we go about building a data transformation program that's platform agnostic? Why has this simple concept turned into a monumental task?
7/28/2022 • 25 minutes, 46 seconds
What Is Attack Surface Profiling?
All links and images for this episode can be found on CISO Series Is attack surface profiling the same as a pen test? If it isn't what unique insight can attack surface profiling deliver? Check out this post for the discussion that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Nick Shevelyov, former CSO, Silicon Valley Bank. Thanks to our podcast sponsor, Keyavi Myth: Data can’t protect itself. Fact: Now it does! You control where your data goes in the world, who can access it and when. On any device. Anytime. Anywhere. FOREVER. Learn more at Keyavi.com. In this episode: Is attack surface profiling the same as a pen test? What unique insight can attack surface profiling deliver? Is “Attack Surface Profiling” more like a natural evolution from traditional vulnerability management?
7/21/2022 • 31 minutes, 36 seconds
How Can You Tell If Your Security Program Is Improving?
All links and images for this episode can be found on CISO Series What’s your best indicator that your security program is actually improving? And besides you and your team, is anyone impressed? Check out this post for the discussion that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Simon Goldsmith (@cybergoldsmith), director of information security, OVO Energy. Thanks to our podcast sponsor, Votiro Can you trust that your content and data is free of malware and ransomware? With Votiro you can. Votiro removes evasive and unknown malware from content in milliseconds, without impacting file fidelity or usability. It even works on password-protected and zipped files. Plus, it’s an API, so it integrates with everything – including Microsoft 365. Learn more at Votiro.com. In this episode: What's the best indicator that your security program is actually improving? Does anyone care that you're actually improving your security posture? What should we be measuring to prove a security program is working and getting better?
7/14/2022 • 31 minutes, 17 seconds
How Can We Improve Recruiting of CISOs and Security Leaders?
All links and images for this episode can be found on CISO Series Interviewing for leadership positions in cybersecurity is difficult for everyone involved. There are far too many egos and many gatekeepers. What can be done to improve recruiting of CISOs? Check out this post and this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn with our guest Ty Sbano (@tysbano), CISO, Vercel. Thanks to our podcast sponsor, Thinkst Most Companies find out way too late that they’ve been breached. Thinkst Canary changes this. Deploy Canaries in minutes and then forget about them. Attackers tip their hand by touching ’em giving you the one alert, when it matters. With 0 admin overhead and almost no false-positives, Canaries are deployed (and loved) on all 7 continents. In this episode: What can be done to improve CISO recruiting? Is there a disconnect between HR and what the company actually needs regarding a position? How long should the interview process take?
7/7/2022 • 29 minutes, 50 seconds
How Is Our Data Being Weaponized Against Us?
All links and images for this episode can be found on CISO Series How are nefarious actors using our own data (and metadata) against us? And given that, in what way have we lost our way protecting data that needs to be course corrected? Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is John Ayers (@cyberjohn1747), vp of advanced detection and response office of the CTO, Optiv. Thanks to our podcast sponsor, Optiv The modern enterprise needs a solution as unique as its business. Optiv’s Advanced Detection and Response (ADR) works with your organization to comb through the D&R clutter and find the ideal security solutions for your business. ADR delivers tailored detection and response backed by technology, real-time intel and deep expertise applied at touch. Bottom line: ADR finds and neutralizes threats fast, so you can focus on what matters. In this episode: How are nefarious actors using our own data (and metadata) against us? In what way have we lost our way protecting data that needs to be corrected? We examine how our interconnectedness is both a blessing and a curse. Is there already far too much sensitive data in essentially open source intelligence?
6/30/2022 • 28 minutes, 6 seconds
Can Security Be a Profit Center?
All links and images for this episode can be found on CISO Series Is it possible to position your security team as a profit center instead of the traditional cost center reporting to the CIO? Check out this post for the discussion that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Michael Weiss, CISO, Human Interest. Thanks to our podcast sponsor, Optiv The modern enterprise needs a solution as unique as its business. Optiv’s Advanced Detection and Response (ADR) works with your organization to comb through the D&R clutter and find the ideal security solutions for your business. ADR delivers tailored detection and response backed by technology, real-time intel and deep expertise applied at touch. Bottom line: ADR finds and neutralizes threats fast, so you can focus on what matters. In this episode: Is it possible to position your security team as a profit center instead of the traditional cost center reporting to the CIO? Is security still primarily an efficiency conversation or has effectiveness now changed the dialogue on how success is measured? How to go about measuring the value cybersecurity provides the enterprise. We examine the problems that can arise when security is treated as a profit center.
6/23/2022 • 29 minutes, 35 seconds
Getting Ahead of the Ongoing Malware Fight
All links and images for this episode can be found on CISO Series For years we've been referring to malware protection as a cat and mouse game. The crooks come up with a new malware attack, and then the good guys figure out a way to stop it. And that keeps cycling over and over again. So where are we today with malware protection and is there any way to get ahead of the cycle? Check out this post and this post for the discussion that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Aviv Grafi (@avivgrafi), CTO and founder, Votiro. Thanks to our podcast sponsor, Votiro Can you trust that your content and data is free of malware and ransomware? With Votiro you can. Votiro removes evasive and unknown malware from content in milliseconds, without impacting file fidelity or usability. It even works on password-protected and zipped files. Plus, it’s an API, so it integrates with everything – including Microsoft 365. Learn more at Votiro.com. In this episode: How can we take proactive approaches that are capable of stopping attacks, not just detecting them? What do you think we’re doing really well in terms of malware, and where could we do a lot better? We examine the need for organizations to upgrade their defenses. Has ransomware made a massive target out of every organization?
6/16/2022 • 27 minutes, 8 seconds
Building a Security Awareness Training Program
All links and images for this episode can be found on CISO Series We all know and have experienced bad security awareness training. People can learn, and should learn about being cyber aware. How do you build a security awareness training program that sticks? Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn with our guest Lisa Kubicki (@lmk2), trust and security, training and awareness director, DocuSign. Thanks to our podcast sponsor, Drata Save 200+ hours with Drata's automated continuous compliance solution for SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR, & CCPA. Drata connects to your techstack with 75+ integrations, including AWS, GitHub, GCP, & more to automate the compliance process. Kickstart your compliance journey by requesting a demo and get 10% off In this episode: We ask, “How do you build a security awareness training program that sticks?” How do you develop a program that resonates with staff and actually improves security outcomes? We get tips from the community on how they built a security awareness training program. We examine what a successful engagement would look like.
6/9/2022 • 28 minutes, 14 seconds
Onboarding Cyber Professionals with No Experience
All links and images for this episode can be found on CISO Series You want to bring on entry level personal, But green employees, who are not well versed in security, IT, or your data introduce risk once they have access to it. What are ways to bring these people on while also managing risk? Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Rich Lindberg, CISO, JAMS. Thanks to our podcast sponsor, SolCyber At SolCyber we're hell-bent on delivering Fortune 500 level cyber security for small and medium-sized enterprises. When you're being targeted by the same bad guys, nothing else will do. We bring to the table a curated stack of leading technologies and around-the-clock SOC support, all simply priced per user. Let us do the heavy lifting. In this episode: We ask, “What are ways to bring entry-level people onboard the company while also managing risk?” How does education stack up against on-the-job experience? Are there advantages to hiring an inexperienced greenthumb versus experienced only new hires?
6/2/2022 • 28 minutes, 44 seconds
Where's the Trust in Zero Trust?
All links and images for this episode can be found on CISO Series Zero trust is a hollow buzzword. In any form of security, there exist critical points where we have to trust. What we need is a move away from implicit trust to explicit trust, or identity that can be verified. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Yaron Levi (@0xL3v1), CISO, Dolby. Thanks to our podcast sponsor, Optiv Need a guide on your Zero Trust journey? Jerry Chapman, Engineering Fellow at Optiv and author of "Zero Trust Security: An Enterprise Guide" shares the following takeaways: - The key elements of Zero Trust - How to visualize your Zero Trust journey and place it in the proper context - Integrated technologies to drive adaptive processes and a mature security model Learn more at www.optiv.com/zerotrust. In this episode: We ask cyber professionals, where is the ‘trust’ in zero-trust? What and who should we be trusting? How should we refer to zero trust since you can't run any kind of operation where you trust no one and nothing?
5/26/2022 • 28 minutes, 15 seconds
Who Investigates Cyber Solutions?
All links and images for this episode can be found on CISO Series Cyber professionals, who is responsible on your team for investigating new solutions? Check out this post and this post for the discussion that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Nick Ryan, director of enterprise technology security and risk, Baker Tilly. Thanks to our podcast sponsor, Votiro Can you trust that your content and data is free of malware and ransomware? With Votiro you can. Votiro removes evasive and unknown malware from content in milliseconds, without impacting file fidelity or usability. It even works on password-protected and zipped files. Plus, it’s an API, so it integrates with everything – including Microsoft 365. Learn more at Votiro.com. In this episode: We ask cyber professionals, who is responsible on their team for investigating new solutions? If it's a collaborative effort, how is that handled? What are CISOs looking for in a solution? And we discuss using existing solutions before purchasing and implementing more solutions.
5/19/2022 • 27 minutes, 53 seconds
Does the Cybersecurity Industry Suck?
All links and images for this episode can be found on CISO Series In the cyber industry we pat each other on the back and give each other awards, all while the statistics for breaches appear to be worsening, Are we celebrating growing failure? Does the cyber industry suck? Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Fredrick Lee (AKA "Flee") (@fredrickl), Flee, CSO, Gusto. Thanks to our podcast sponsor, Cymulate The Ultimate Guide to Security Posture Validation: Learn how to effectively measure and reduce risk through continuous validation of your enterprise’s security posture. Download the playbook here. In this episode: We ask if our very own industry, ourselves, are the ones to blame for our constant woes? Where do we stand in accepting fault and responsibility for the industry's continued problems? Are the companies to blame for not taking IT seriously within their organizations? Are industry awards just fluff for patting each other on the back?
5/12/2022 • 33 minutes, 30 seconds
Are We Taking Zero Trust Too Far?
All links and images for this episode can be found on CISO Series For some, the definition of zero trust has expanded from how we grant access to networks, applications, and data to how we trust individuals in the real world. Are we taking zero trust too far? Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Thomas Doughty, CISO, Prudential Financial. Thanks to our podcast sponsor, Netfoundry NetFoundry, built on OpenZiti, is the only solution purpose-built to connect massively distributed apps, edges, clouds and devices in minutes, ensuring zero trust of the internet, local and OS host network and delivered as SaaS. Isolating the app to make network security irrelevant and remove the pain of public DNS, VPNs, bastions, as well as complex firewall rules. In this episode: We ask if we’re taking the concept of zero-trust too far. We try to distinguish between where do we have to trust and where do we have to implement zero trust principles? Differentiating between humans and machines when it comes to trust. And is zero trust supposed to be a silver bullet or a cure-all?
5/5/2022 • 29 minutes, 43 seconds
Is Shift Left Working?
All links and images for this episode can be found on CISO Series Developers and security professionals have been heavily sold on the concept of "shift left" or deal with security issues early in development rather bolting it on at the end. It all made logical sense, but now we've been doing it for a few years and has shift-left actually reduced application security concerns? Check out this post, this post, and this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Mike Gorman (@gormamic), head of security and compliance, NetFoundry. Thanks to our podcast sponsor, Netfoundry NetFoundry, built on OpenZiti, is the only solution purpose-built to connect massively distributed apps, edges, clouds and devices in minutes, ensuring zero trust of the internet, local and OS host network and delivered as SaaS. Isolating the app to make network security irrelevant and remove the pain of public DNS, VPNs, bastions, as well as complex firewall rules. In this episode: We look at dealing with security issues early in development rather than bolting it on at the end. We ask whether or not application developers and security professionals are actually reducing security issues with "shift left” framework. And do they actually reduce or even eliminate the need for other security controls?
4/28/2022 • 32 minutes, 51 seconds
Technical vs. Compliance Professionals
All links and images for this episode can be found on CISO Series Do we have a Monitgue/Capulet rivalry between technical and compliance professionals? Why is this happening, and what can be done to improve it? Does it need to be improved? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Linda White, director of InfoSec, Axiom Medical. Thanks to our podcast sponsor, Netfoundry NetFoundry, built on OpenZiti, is the only solution purpose-built to connect massively distributed apps, edges, clouds and devices in minutes, ensuring zero trust of the internet, local and OS host network and delivered as SaaS. Isolating the app to make network security irrelevant and remove the pain of public DNS, VPNs, bastions, as well as complex firewall rules. In this episode: We look at the Monitgue/Capulet rivalry between technical and compliance professionals. Is there a solution to this never-ending feud? And what can be done to improve relations?
4/21/2022 • 28 minutes, 43 seconds
Why Do So Many Cybersecurity Products Suck?
All links and images for this episode can be found on CISO Series Why do we end up with so many bad security products? Who is to blame and how can we fight back an ecosystem that may be fostering subpar products? Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is Haroon Meer (@HaroonMeer), founder and researcher, Thinkst Canary. Thanks to our podcast sponsor, Thinkst Canary Most Companies find out way too late that they’ve been breached. Thinkst Canary changes this. Deploy Canaries in minutes and then forget about them. Attackers tip their hand by touching ’em giving you the one alert, when it matters. With 0 admin overhead and almost no false-positives, Canaries are deployed (and loved) on all 7 continents. In this episode: Is the cybersecurity ecosystem giving a rise to subpar products? Why are so many security products implemented poorly How important is vendor feedback?
4/14/2022 • 31 minutes, 33 seconds
Training for a Cyber Disaster
All links and images for this episode can be found on CISO Series What are you doing to prepare for the next cyber disaster? You must train for it, because when it happens, and it will happen, everyone should know what they need to do. Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Roland Cloutier (@CSORoland), CISO, TikTok. Thanks to our podcast sponsor, Keyavi Data that protects itself? Now it does! We made data so smart it can think for itself. Secure itself. Stay continually aware of its surroundings. Control where, when and who is allowed access. And automatically report back to its owner. This changes the entire cybersecurity paradigm. Learn how. In this episode: What is the importance of cyber crisis management and training? What are the best ways to prepare for a cyber disaster? How to build exercises and training into a successful cybersecurity culture?
4/7/2022 • 27 minutes, 47 seconds
Virtual Patching
All links and images for this episode can be found on CISO Series What if you didn't spend all your time patching vulnerabilities but instead created a security policy that prevented known vulnerabilities from being exploited. How doable is this solution of virtual patching? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Ody Lupescu, CISO, Ethos Life. Thanks to our podcast sponsor, Araali Networks Managing vulnerabilities at the speed and scale of the cloud is challenging, especially when the implications of a single mistake gives attackers an asymmetric advantage over defenders. Araali allows your security teams to resilient patch and monitor the most valuable apps and services so they cannot be exploited even if they are vulnerable. To learn more, visit araali. In this episode: What is virtual patching really? Is it a misnomer? What gets missed when it comes to virtual patching? Looking at a comprehensive approach to virtual patching.
3/31/2022 • 29 minutes, 30 seconds
Start a Cybersecurity Department from Scratch
All links and images for this episode can be found on CISO Series A 500+ person company doesn't have a security department. They need one and they need to convince the CEO they need one. How do you build a cybersecurity team and program from scratch? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Rishi Tripathi (@ris12hi), CISO, Mount Sinai Health System. Thanks to our podcast sponsor, Tines Tines was founded by experienced security practitioners who cared about their teams. When they couldn’t find an automation platform that delivered, they founded a company and built their own. A few years later, customers like Coinbase, McKesson, and GitLab run their most important security workflows on Tines – everything from phishing response to employee onboarding. To learn more, visit tines.com. In this episode: How to go about measuring risk? Leveraging compliance to get the point across. What needs to be considered to make a program uniquely geared to your company's needs?
3/24/2022 • 28 minutes, 33 seconds
How to Think Like a Cybercrook
All links and images for this episode can be found on CISO Series "If you want to catch a cybercrook, you need to think like one." But how do you actually go about thinking like a cybercriminal? What's the actual process? Check out this post and this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Brian Brushwood (@shwood), creator of Scam School and World's Greatest Con. Plus he's launched multiple channels with millions of subscribers and multiple number one comedy albums. Plus, he's a touring magician. He's our first non-cyber professional guest, but he is so perfect for this episode. Thanks to our sponsor, Varonis On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to “Zero Trust.” Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries. In this episode: How much does actively thinking like a crook help build your cyber defenses? How do you actually go about thinking like a cybercriminal How do you break down their process?
3/17/2022 • 31 minutes, 20 seconds
Building a Data-First Security Program
All links and images for this episode can be found on CISO Series Could you build a data-first security program? What would you do if you focused your security program on just the asset? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Brian Vecci (@brianthevecci), field CTO, Varonis. Thanks to our sponsor, Varonis On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to “Zero Trust.” Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries. In this episode: Do I know where my sensitive data lives? How can I tell? Why do all the tools that try to classify data fail miserably? How much should we teach the data owners about risks in collecting and storing the information?
3/10/2022 • 32 minutes, 50 seconds
Offensive Security
All links and images for this episode can be found on CISO Series Offensive security or "hacking back" has always been seen as either unethical or illegal. But now, we're seeing a resurgence in offensive security solutions. Are we redefining the term, or are companies now "hacking back?" Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Eric Hussey, CISO, Aptiv. Thanks to our podcast sponsor, Varonis On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to “Zero Trust.” Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries. In this episode: Has the definition of offensive security changed? Can we truly fight back without legal repercussions? How does it apply when hackers hide behind proxies? Is hacking back even worth it?
3/3/2022 • 31 minutes, 43 seconds
When Vendors Pounce on New CISOs
All links and images for this episode can be found on CISO Series A security professional announces a new position as CISO. As a vendor you see this as good timing to try a cold outreach to sell your product. Why do so many vendors think this is a good tactic, when in reality it’s exactly what you should not do? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Yaron Levi (@0xL3v1), CISO, Dolby. In this episode: Is the pouncing on new CISOs actually a successful sales technique? Should vendors refine their relationship, and focus on "pull" rather than "push"? What about focusing on content marketing and thought leadership? Should vendors shift from "marketplace" to "metricplace?"
2/24/2022 • 29 minutes, 55 seconds
Building a Cybersecurity Culture
All links and images for this episode can be found on CISO Series How do you begin building a cyber security culture for the whole company? And more importantly, how do you maintain that? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Mike Hanley (@_mph4), CSO, GitHub. Thanks to our podcast sponsor, Anjuna Anjuna Confidential Cloud software effortlessly enables enterprises to safely run even their most sensitive workloads in the public cloud. Unlike complex perimeter security solutions easily breached by insiders and malicious code, Anjuna leverages the strongest secure computing technologies available to make the public cloud the most secure computing resource anywhere. In this episode: When building a cybersecurity culture, where is the most important place to start? How can we avoid it just becoming "lip service"? How can we blend cybersecurity culture into the main corporate culture?
2/17/2022 • 27 minutes, 29 seconds
How to Pitch to a Security Analyst
All links and images for this episode can be found on CISO Series You're a security vendor and you've got a short briefing with a security analyst from a research firm. What do you want to get across to them, and what do you want to hear back from them? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Ed Amoroso (@hashtag_cyber), founder and CEO, Tag Cyber. Huge thanks to our sponsor, Cymulate The Ultimate Guide to Security Posture Validation: Learn how to effectively measure and reduce risk through continuous validation of your enterprise’s security posture. Download the playbook here. In this episode: What are the right questions to ask? How can we better understand each other? What to NOT do in an analyst conversation
2/10/2022 • 31 minutes
Is Your Data Safer in the Cloud?
All links and images for this episode can be found on CISO Series Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is Michael Johnson, CISO, Novi (the financial arm of Meta, formerly Facebook) Thanks to our podcast sponsor, Anjuna Anjuna Confidential Cloud software effortlessly enables enterprises to safely run even their most sensitive workloads in the public cloud. Unlike complex perimeter security solutions easily breached by insiders and malicious code, Anjuna leverages the strongest secure computing technologies available to make the public cloud the most secure computing resource anywhere. In this episode: Which is safer for sensitive data: public cloud or on-prem? Is it the technology, the people or the process that makes the difference? Who is most affected by the public/on-prem decision? Where does technical debt fit into this?
2/3/2022 • 27 minutes, 46 seconds
What Should We Stop Doing in Cybersecurity?
All links and images for this episode can be found on CISO Series Security professionals are drowning in activities. Not all of them can be valuable. What should security professionals stop doing be to get back some time? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Jim Rutt, CISO, Dana Foundation. Thanks to our podcast sponsor, Thinkst Most companies discover they’ve been breached way too late. Thinkst Canary fixes this: just 3 minutes of setup; no ongoing overhead; nearly 0 false positives, and you can detect attackers long before they dig in. Check out why our Hardware, VM and Cloud-based Canaries are deployed and loved on all 7 continents. In this episode: What tool or process should we stop doing to stop wasting time? Are "third-party risk reviews" useful at all? Can we smooth out the sales cycle? Are users to blame, or are they the victims?
1/27/2022 • 24 minutes, 57 seconds
DDoS Solutions
How seamless are Distributed Denial of Service or DDoS solutions today? If you get a denial of service attack, how quickly can these solutions snap into action with no manual response by the user? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Alastair Cooke (@demitasenz), analyst, GigaOm. Huge thanks to our podcast sponsor, MazeBolt In this episode: Where should a DDoS solution reside? What vital elements should go into a DDoS solution? Do we need more automation and intelligence in these solutions? How involved should the customer be with their DDoS solution?
1/20/2022 • 28 minutes, 46 seconds
Making Cybersecurity Faster and More Responsive
All links and images for this episode can be found on CISO Series Knowing is only one-third the battle. Another third is responding. And the last third is responding quickly. It’s not enough to just have the first two thirds. We need to be faster, but how? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Jason Elrod (@jasonelrod), CISO, MultiCare Health System. Thanks to our podcast sponsor, Eclypsium Eclypsium is the enterprise firmware security company. Our comprehensive, cloud-based platform identifies, verifies, and fortifies firmware and hardware in laptops, servers, network gear and devices. The Eclypsium platform secures against persistent and stealthy firmware attacks, provides continuous device integrity, delivers firmware patching at scale, and prevents ransomware and malicious implants. In this episode: What can we do as a pragmatic first step to make our cybersecurity teams quicker and more responsive? Would continuous authorization and real time emergency messaging help? Should we improve test automation? What about people - better teaching & work conditions?
1/13/2022 • 30 minutes, 53 seconds
Promises of Automation
All links and images for this episode can be found on CISO Series Automation was supposed to make cybersecurity professionals’ lives simpler. And it was supposed to solve the talent shortage. Has any of that actually happened? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Brian Lozada (@brianl1775), CISO, HBOMax. Thanks to our podcast sponsor, deepwatch Increasing ransomware attacks and their evolving sophistication have been putting more pressure on security teams than ever before. Luckily, managed detection and response (or MDR) has emerged as a critical component for improving security operations, reducing ransomware risk, and minimizing the overall impact an attack can have. Visit deepwatch.com to see how we help to prevent breaches for our customers, by working together. In this episode: Should we be disappointed with what automation has actually delivered? Is it a tools vs people thing? Should we be better at assessing the impact of automation? Should we change the way we hire to help with automation?
1/6/2022 • 26 minutes, 59 seconds
When Social Engineering Bypasses Our Cyber Tools
All links and images for this episode can be found on CISO Series Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is Josh Yavor (@schwascore), CISO, Tessian. Thanks to our podcast sponsor, Tessian 95% of breaches are caused by human error. But you can prevent them. Learn how Tessian can stop “OH SH*T!” moments before they happen, why Tessian has been recognized by analysts like Gartner and Forrester, and which world-renowned companies trust the platform to protect their data. In this episode: What do you do for the attacks your rule sets can't catch? Would it help if we eliminated email systems as the standard b2b toolset for communications? Are there any better ways to handle spearphishing? Are you ready to add BCC - Business communications compromise to your threat list?
12/16/2021 • 28 minutes, 51 seconds
How Can We Simplify Security?
All links and images for this episode can be found on CISO Series Why is cybersecurity becoming so complex? What is one thing we can do, even if it's small, to head us off in the right direction of simplicity? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Leda Muller, CISO at Stanford, Residential and Dining Enterprises. Thanks to our podcast sponsor, Eclypsium Eclypsium is the enterprise firmware security company. Our comprehensive, cloud-based platform identifies, verifies, and fortifies firmware and hardware in laptops, servers, network gear and devices. The Eclypsium platform secures against persistent and stealthy firmware attacks, provides continuous device integrity, delivers firmware patching at scale, and prevents ransomware and malicious implants. In this episode: Is cybersecurity becoming too complex? Should we change the way we talk about security to management? Maybe it's time to reframe the argument?
12/9/2021 • 28 minutes, 17 seconds
Convergence of Physical and Digital Security
All links and images for this episode can be found on CISO Series Security convergence is the melding of all security functions from physical to digital and personal to business. The concept has been around for 17 years yet organizations are still very slow to adopt. A company's overall digital convergence appears to be happening at a faster rate than security convergence. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest is Anne Marie Zettlemoyer (@solvingcyber), business security officer, vp, security engineering, MasterCard. Thanks to our podcast sponsor, Tessian 95% of breaches are caused by human error. But you can prevent them. Learn how Tessian can stop “OH SH*T!” moments before they happen, why Tessian has been recognized by analysts like Gartner and Forrester, and which world-renowned companies trust the platform to protect their data. Why are we still holding back on security convergence? Is it a matter of "if" or "when"? What happens when physical and info security are run by different departments? How can we measure the risks?
12/2/2021 • 30 minutes, 39 seconds
How Do You Measure Cybersecurity Success?
All links and images for this episode can be found on CISO Series In most jobs there’s often a clear indicator if you’re doing a good job. In security, specifically security leadership, it’s not so easy to tell. “Nothing happening” is not an effective measurement. So how should security performance be graded? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest is Deneen DeFiore (@deneendefiore), CISO, United Airlines. Thanks to our podcast sponsor, Tessian In this episode: How should security performance be graded? Is "keeping it simple" the best option? What's the best measurement option?
11/18/2021 • 29 minutes
How Do We Turn Tables Against Adversaries?
All links and images for this episode can be found on CISO Series If we’re going to turn the tables against our adversaries, everything from our attitude to our action needs to change to a format where attacks and breaches are not normalized, and we know the what and how to respond to it quickly. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our sponsored guest Scott Scheferman (@transhackerism), principal strategist, Eclypsium. Thanks to our podcast sponsor, Eclypsium Eclypsium is the enterprise firmware security company. Our comprehensive, cloud-based platform identifies, verifies, and fortifies firmware and hardware in laptops, servers, network gear and devices. The Eclypsium platform secures against persistent and stealthy firmware attacks, provides continuous device integrity, delivers firmware patching at scale, and prevents ransomware and malicious implants. Moving from a reactive to a proactive attitude Accelerating teams' ability to respond before damage happens Stopping marketing informing your strategy Patching "fast enough to matter"
11/11/2021 • 26 minutes, 47 seconds
Ageism in Cybersecurity
All links and images for this episode can be found on CISO Series Is it too much experience? Is it that they're difficult to work with? Do they want too much money? Will they not be motivated? Are cyber professionals over the age of 40 being discriminated in hiring practices? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Ben Sapiro, head of technology risk and CISO at Canada Life. Thanks to our podcast sponsor, Qualys Qualys is a pioneer and leading provider of cloud-based security and compliance solutions. In this episode: Are cyber professionals over the age of 40 being discriminated in hiring practices? Is "older experience" a threat to younger managers? Do older professionals have too much attitude? What other work options exist for the 40+ expert?
11/4/2021 • 31 minutes, 46 seconds
Proactive Vulnerability Management
All links and images for this episode can be found on CISO Series How do we turn the tide from reactive to proactive patch management? Does anyone feel good about where they are with their own patch management program? What would it take to get there? Check out this post and this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Sumedh Thakar (@sumedhthakar), CEO, Qualys. Thanks to our podcast sponsor, Qualys Qualys is a pioneer and leading provider of cloud-based security and compliance solutions. In this episode: How do we turn the tide from reactive to proactive patch management? Do cultural differences make a difference? Do we need a new framework or template?
10/28/2021 • 32 minutes, 36 seconds
Why Is Security Recruiting So Broken?
All links and images for this episode can be found on CISO Series Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Tony Sager (@sagercyber), svp, and chief evangelist, Center for Internet Security. Thanks to our podcast sponsor, Qualys In this episode: What role should HR play in the hiring process of cybersecurity candidates? What happens when HR's algorithms don't see the right keywords? What are some better ways to get noticed by a human decision maker?
10/21/2021 • 32 minutes, 55 seconds
How to Be a Vendor that CISOs Love
All links and images for this episode can be found on CISO Series Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Andy Ellis (@csoandy), operating partner, YL Ventures. Thanks to our podcast sponsor, Varonis What is your ransomware blast radius? The average user can access 17 million files. Varonis reduces your blast radius in days, not years. Combined with advanced detection that monitors every file touch, ransomware doesn’t stand a chance. Get a free risk assessment. In this episode: What are some "positive vendor engagement" characteristics? What tips can we share with vendors who want to build a lasting good impression? How can a vendor go about building trust?
10/14/2021 • 30 minutes, 2 seconds
The "Are We Secure?" Question
All links and images for this episode can be found on CISO Series When a senior person at your company asks you, "Are we secure?" how should you respond? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our guest Paul Truitt, principal US cyber practice leader, Mazars. Thanks to our podcast sponsor, Varonis Still in the news is REvil’s ransomware attack on Kaseya VSA servers. Varonis is here to help mitigate the blast radius of such attacks. Want a step-by-step guide on what you should be looking for? Learn more about how to prevent ransomware. In this episode: When a senior, non-technical person asks, "Are we secure?" how do you respond?" What does this question say about an executive's engagement level? Why are they asking this now? How relevant/accurate is this question anyway?
10/7/2021 • 28 minutes, 33 seconds
Ransomware Kill Chain
What are the tell tale signs you've got ransomware before you receive the actual ransomware threat? Check out this post and this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our sponsored guest Brian Vecci (@BrianTheVecci), field CTO, Varonis. Thanks to our podcast sponsor, Varonis What is your ransomware blast radius? The average user can access 17 million files. Varonis reduces your blast radius in days, not years. Combined with advanced detection that monitors every file touch, ransomware doesn’t stand a chance. Get a free risk assessment. In this episode: How to catch the ransomware threat earlier The individual capabilities needed in a full anti-ransomware stack Honeypots and anomalous behavior Back to basics: look at how ransomware works
9/30/2021 • 31 minutes, 5 seconds
Can Technology Solve Phishing?
All links and images for this episode can be found on CISO Series Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Robert Wood (@holycyberbatman), CISO at Centers for Medicare & Medicaid Services. Thanks to our podcast sponsor, Living Security Traditional approaches to security communication are limited to one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely affect long-term behavioral change. This report lays out a four-step plan that CISOs should follow to manage the human risk. It provides design principles for creating transformational security awareness initiatives which will win the hearts and minds of senior executives, employees, the technology organization, and customers. In this episode: Will there be a day that phishing can be solved by technology? Does more training lower risk? Is it enough just to protect "inside" the environment? What can we do to change the culture?
9/23/2021 • 30 minutes, 33 seconds
Convergence of SIEM and SOAR
All links and images for this episode can be found on CISO Series SIEM tools that ingest and analyze data are ubiquitous in security operations centers. But just knowing what's happening in your environment is not enough. For competitive reasons, must SIEM tools expand and offer more automation, intelligence, and the ability to act on that intelligence? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Chris Grundemann (@ChrisGrundemann), category lead, security, GigaOm. Thanks to our podcast sponsor, Keyavi Cyber criminals who attack healthcare systems know medical record information has tremendous value for stealing identities. If you infuse personally identifiable information with geographical awareness and intelligence, you dramatically reduce the risk of patient identity theft. Join a live demo session on www.keyavi.com/sessions to learn more. In this episode: Will products from these two categories just merge as one product? Or will they NEED to merge? Are there advantages for them to stay separate? Where does “trust” fit into this merger?
9/16/2021 • 27 minutes, 2 seconds
Cybersecurity Is Not Easy to Get Into
All links and images for this episode can be found on CISO Series Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our guest Adam Keown, director, information security, Eastman. Thanks to our podcast sponsor, VMware In this episode: What's more valuable to get hired: degrees or experience? What's better: narrow focus or broad skill range? What's more attractive: knowledge or drive? What's the deal: is there even such a thing as "entry level"?
9/9/2021 • 31 minutes, 8 seconds
Preventing Ransomware
All links and images for this episode can be found on CISO Series What is the most critical step to preventing ransomware? Security professionals may be quick to judge users and say it's a lack of cyberawareness. Could it be something else? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Rebecca Harness (@rebeccaharness), CISO, St. Louis University. Thanks to our podcast sponsor, VMware In this episode: What is the one critical step to preventing ransomware? The importance of leadership and employee buy-in How to make training and education actually work Should backups be included on this list? What about the supply chain?
9/2/2021 • 27 minutes, 16 seconds
Managing Lateral Movement
All links and images for this episode can be found on CISO Series For four years in a row, Verizon's DBIR, has touted compromised credentials as the top cause of data breaches. That means bad people are getting in yet appearing to be legitimate users. What are these malignant users doing inside our network? What are the techniques to both understand and allow for good yet thwart bad lateral movement? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our sponsored guest Sandy Wenzel (@malwaremama), cybersecurity transformation engineer, VMware. Thanks to our podcast sponsor, VMware In this episode: Why are bad people getting inside our networks? Can machine learning help find them? How can we separate lateral movement from credential stuffing? Would using threat modeling and going passwordless help?
8/26/2021 • 29 minutes, 3 seconds
First Steps as a CISO
All links and images for this episode can be found on CISO Series You've just joined a company as CISO, what's the very first step you would take to improve the security posture of your new company? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our guest Olivia Rose, vp of IT and security, Amplitude. Thanks to our podcast sponsor, Proofpoint Sixty six percent of CISOs feel their organization is unprepared to handle a cyberattack and 58% consider human error to be their biggest cyber vulnerability. Proofpoint's 2021 Voice of the CISO report explores key challenges facing CISOs after an unprecedented twelve months. Get the report. In this episode: How can new CISOs fast-track their learning process to make better decisions sooner? How much does the CISO need to know about the environment before they start pentesting? Using a " Power Interest Matrix" to help manage the people who influence your work Why aligning with HR is a key move
8/19/2021 • 30 minutes, 21 seconds
How Does Ransomware Enter the Network?
All links and images for this episode can be found on CISO Series How is ransomware getting into your network? Is the path direct, like via email, or does it take a more circuitous route? Check out this post and this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our sponsored guest Ryan Kalember (@rkalember), evp, cybersecurity strategy, Proofpoint. Thanks to our podcast sponsor, Proofpoint Sixty six percent of CISOs feel their organization is unprepared to handle a cyberattack and 58% consider human error to be their biggest cyber vulnerability. Proofpoint's 2021 Voice of the CISO report explores key challenges facing CISOs after an unprecedented twelve months. Get the report. In this episode: What role do email and phishing actually play? Has working from home really increased the threat? How dwell time has changed things Getting up to speed on sufficient backups
8/12/2021 • 28 minutes, 47 seconds
What's the Value of Certifications?
All links and images for this episode can be found on CISO Series Why should security professionals get certifications? Do they actually teach you what you need to know to solve cybersecurity challenges? OR do they act as gateways or approval checks to be admitted into the field of cybersecurity? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Will Gregorian (@willgregorian), head of IT and security, Rhino and our guest Shawn M. Bowen (@smbowen), CISO, World Fuel Services. Thanks to our podcast sponsor, Palo Alto Networks First, every company became a software company. Now, every company needs to be a cybersecurity company too. Prisma Cloud from Palo Alto Networks a single security platform that delivers comprehensive protection from code through app, so your company can keep doing what it's supposed to do. Learn more at paloaltonetworks.com/prisma/cloud. In this episode: Are certifications like the CISSP necessary? Even if they are necessary to get hired, are they relevant? Let's say something good about certs. Who benefits most from certs? The candidate or the hiring manager?
8/5/2021 • 30 minutes, 14 seconds
Measuring the Success of Cloud Security
All links and images for this episode can be found on CISO Series How are you measuring your progress and success with cloud security? How much visibility into this are you providing to your engineering teams? Check out this post and this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn and our sponsored guest Matthew Chiodi (@mattchiodi), CSO, public cloud, Palo Alto Networks. Thanks to our podcast sponsor, Palo Alto Networks If you're doing cloud security right, no one knows if you've done anything. When you do it wrong, well, you end up on Cybersecurity Headlines. Prisma Cloud from Palo Alto Networks helps ensure your security stays in the quietly appreciated group. It's a single security platform that delivers comprehensive protection from code to cloud. Learn more at paloaltonetworks.com/prisma/cloud. In this episode What requirements need to be measured? Measuring against compliance Building a company-specific guardrails framework Measuring team performance by number of opened and closed issues
7/29/2021 • 27 minutes, 17 seconds
How do I get my first cybersecurity job?
All links and images for this episode can be found on CISO Series What does a young person, eager to get into cybersecurity, have to show or prove to land their first help desk, tech support role? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn and our guest Bryan Zimmer (@bryanzimmer), head of security, Humu. Thanks to our podcast sponsor, Palo Alto Networks In 1666, Sir Isaac Newton famously used a prism to disperse white light into colors. Today, cloud security professionals use Prisma Cloud from Palo Alto Networks to disperse full lifecycle security and full stack protection across their multi- and hybrid-cloud environments. We think Sir Isaac would approve. Learn more about Prisma Cloud paloaltonetworks.com/Prisma/cloud. In this episode Balancing out certifications and experience If we train you, will you stay, or will you leave? What's your compelling story that shows what you can do? Researching the competition: what are other candidates doing?
7/22/2021 • 28 minutes, 32 seconds
Educating the Board About Cybersecurity
All links and images for this episode can be found on CISO Series What do we want the Board and C-Suite to know about cybersecurity? If you could teach them one thing about cybersecurity that would stick, what would that be? Check out this post and this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn and our guest Phil Huggins (@oracuk), CISO, NHS Test & Trace, Department of Health and Social Care. Thanks to our podcast sponsor, Proofpoint Sixty six percent of CISOs feel their organization is unprepared to handle a cyberattack and 58% consider human error to be their biggest cyber vulnerability. Proofpoint's 2021 Voice of the CISO report explores key challenges facing CISOs after an unprecedented twelve months. Get the report. In this episode What the Board needs to know to make the CISO’s job more effective It’s not about the Board understanding cyber – but it is about mitigating risk Security is a shared responsibility: Board & CISOs Using other companies’ breaches as Board learning opportunities
7/15/2021 • 25 minutes, 58 seconds
CISO Recruiting Is Broken
All links and images for this episode can be found on CISO Series The demand for CISOs is growing due to increased regulations and cyber threats. Yet, while the demand is there, the supply keeps rotating. Companies think the next CISO is going to fix the problems of the last one. Why is a CISO's tenure so short and why is the hiring process for CISOs so disjointed? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, Steve Zalewski, and Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers Thanks to our podcast sponsor, RevCult On average, 18 percent of all your Salesforce data fields are highly sensitive and 89 percent of users have access to that data. RevCult is the only solution that helps you understand the data you have in Salesforce, and if you’re protecting it. Get a free Salesforce Security Self-Assessment to understand your Salesforce security weaknesses. In this episode: Why a CISO's tenure is so short and why they leave The value of keeping risk management in the CISO’s sights The need to clarify the CISO role in the mind of the executive The need to clarify the CISO role in the mind of the CISO
7/5/2021 • 28 minutes, 13 seconds
Retaining Cyber Talent
All links and images for this episode can be found on CISO Series Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Liam Connolly, CISO, Seek. and our guest Ben Sapiro (@ironfog), head of technology risk and CISO, Canada Life. Thanks to our podcast sponsor, RevCult On average, 18 percent of all your Salesforce data fields are highly sensitive and 89 percent of users have access to that data. RevCult is the only solution that helps you understand the data you have in Salesforce, and if you’re protecting it. Get a free Salesforce Security Self-Assessment to understand your Salesforce security weaknesses. In this episode: What actions can a manager take to retain staff? What do team members/employees want? How important is team chemistry? Establishing a creative thinking culture
7/1/2021 • 34 minutes, 7 seconds
Salesforce Security
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-salesforce-security/ Thanks to our podcast sponsor, RevCult On average, 18 percent of all your Salesforce data fields are highly sensitive and 89 percent of users have access to that data. RevCult is the only solution that helps you understand the data you have in Salesforce, and if you’re protecting it. Get a free Salesforce Security Self-Assessment to understand your Salesforce security weaknesses. In this episode: Where is Salesforce delivering in security controls and where is it falling short? Salesforce security is more than just a single topic Working with 3rd party SalesForce apps
6/24/2021 • 23 minutes, 25 seconds
Cloud Configuration Fails
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-cloud-configuration-fails/ Why do we hear so many stories about incidents related to poor or misconfigured cloud services? Check out this post and this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn and our sponsored guest, Brendan O'Connor, CEO, AppOmni. Thanks to our podcast sponsor, AppOmni AppOmni is building the future of SaaS security. We empower our users to enforce security standards across their SaaS applications, and enable them to remediate in confidence knowing they’re fixing the most important SaaS security issues first. Contact us at www.appomni.com to find out who - and what - has access to your SaaS data. In this episode: Why configuration drift and 3rd party access are still significant issues Are cloud providers to blame? The dynamic nature of cloud over time – we can’t keep up! Who is ultimately responsible?
6/17/2021 • 24 minutes, 35 seconds
Starting Pay for Cyber Staff
All links and images for this episode can be found on CISO Series https://cisoseries.com/starting-pay-for-cyber-staff/ What should an entry level cybersecurity person be paid? And what level of education and training should be expected of them? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Naomi Buckwalter (@ineedmorecyber), director of information security and IT at Beam Technologies, and our guest Dan Walsh (@danwalshciso), CISO, VillageMD. Thanks to our podcast sponsor, AppOmni AppOmni is building the future of SaaS security. We empower our users to enforce security standards across their SaaS applications, and enable them to remediate in confidence knowing they’re fixing the most important SaaS security issues first. Contact us at www.appomni.com to find out who - and what - has access to your SaaS data. In this episode: Discussing the $15/hour entry level position Why are qualified people applying for low paying entry level jobs? The classic: This entry level position needs prior experience Assessing the value that interns can bring
6/10/2021 • 30 minutes, 11 seconds
Fear of Automation
All links and images for this episode can be found on CISO Series. https://cisoseries.com/fear-of-automation/ Why are security professionals so darn afraid of automation? We continue to hold on to the idea that people have to be integral in the real-time decision process to protect ourselves from the technology we deploy to protect us. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, and Steve Zalewski, CISO, Levi Strauss, with our guest Edward Frye (@edwardfrye), CISO, Aryaka Networks and president of Silicon Valley chapter of ISSA. AppOmni is building the future of SaaS security. We empower our users to enforce security standards across their SaaS applications, and enable them to remediate in confidence knowing they’re fixing the most important SaaS security issues first. Contact us at www.appomni.com to find out who - and what - has access to your SaaS data. In this episode: Is it a fear of heavy lifting or not knowing what to lift? Is it a fear of change or a fear of cost? Is it a fear of automating human judgment?
6/3/2021 • 24 minutes, 11 seconds
Hiring Talent with No Security Experience
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-hiring-talent-with-no-security-experience/ Should you look for the ideal candidate that has all the security talent you want, or should you find the right person and train them with the security talent you want. And if the latter, what is the right person to work in security who doesn't have security experience? Check out this post and this Twitter discussion for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host, Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Dev Akhawe (@frgx), CISO, Figma. Thanks to our podcast sponsor, Sonatype With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company’s Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code. Is there a cyber talent shortage? If so, does the shortage come from the hiring side? The dangers of leaving positions open too long The dangers of focusing on checklists vs. candidate potential
5/27/2021 • 27 minutes, 18 seconds
Security Hygiene for Software Development
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-security-hygiene-for-software-development/ How do we improve the quality of our software? In the rush to be competitive, security has often taken a back seat to be first to market. What's the formula for fast and secure applications? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host, Geoff Belknap (@geoffbelknap), CISO LinkedIn, and sponsored guest Wayne Jackson, CEO, Sonatype. Thanks to our podcast sponsor, Sonatype In this episode: Are we working too fast and under too much pressure to be secure? What types of scanning should we do, and how often? What about open source/third party software in the pipeline? What are the dangers inherent in purchasing "secure software"?
5/20/2021 • 25 minutes, 31 seconds
How Much Do You Know About Your Data?
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-how-much-do-you-know-about-your-data/ Do cybersecurity professionals even know what they're protecting? How aware are they of the data, its content and its sensitivity? What happens to your security posture when you do understand the data you're protecting? What can you do that you weren't able to do before? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, and Steve Zalewski, CISO, Levi Strauss, with our sponsored guest, Aidan Simister (@aidansimister), CEO, Lepide. Thanks to our podcast sponsor, Lepide Ninety eight percent of all threats start with Active Directory and nearly always involve the compromise of data stored on enterprise data stores. Lepide’s unique combination of detailed auditing, anomaly detection, real time alerting, and real time data discovery and classification allows you to identify, prioritize and investigate threats – fast. In this episode: How much do you know about the data you are being asked to protect? Equating the value of the data to be protected with the cost of protection How to find out how data is being used Moving beyond the bare minimum of protection
5/13/2021 • 26 minutes, 24 seconds
Do Startups Need a CISO?
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-do-startups-need-a-ciso/ Startups are all about proving the value of their product and growth. At the beginning, all of their money is funneled into product and market development. When do they need a CISO, if at all? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, and guest co-host Jimmy Sanders (@jfireluv), head of cybersecurity for Netflix DVD and our guest is Bryan Zimmer (@bryanzimmer), head of security for Humu. Thanks to our podcast sponsor, Lepide Ninety eight percent of all threats start with Active Directory and nearly always involve the compromise of data stored on enterprise data stores. Lepide’s unique combination of detailed auditing, anomaly detection, real time alerting, and real time data discovery and classification allows you to identify, prioritize and investigate threats – fast. In this episode: Should a company get a CISO right away, or wait until the security program matures? If they get a CISO should they go for "on-prem" or on-demand? Or.... should they just go and seek CISO-level advice from the security community?
5/6/2021 • 28 minutes, 13 seconds
Insider Risk
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-insider-risk/ By just doing their jobs, your employees are introducing risk to the business. They don't mean to be causing issues, but their simple actions and sometimes mistakes can cause great harm. Is it their fault, or is it security's fault for not creating the right systems? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host, Steve Zalewski, CISO, Levis, and our sponsored guest Mark Wojtasiak (@markwojtasiak), vp, portfolio strategy & product marketing, Code42 and author of Inside Jobs: Why Insider Risk is the Biggest Cyber Threat You Can't Ignore. Thanks to our podcast sponsor, Code42 Redefine data security standards for the hybrid workforce. Check out Code42. In this episode: Distractions and fatigue causing split-second mistakes The need for tailored education and training Making it easier for people to make the right choice Identify ways damage could happen, in order to mitigate
4/29/2021 • 29 minutes, 7 seconds
What’s the Obsession with Zero Trust?
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-whats-the-obsession-with-zero-trust/ Why is everyone obsessed with Zero Trust? Is it just a marketing ploy that vendors are using to sell their products? Or, is it truly a methodology that provides better security, especially in today's environment. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host, Geoff Belknap (@geoffbelknap), CISO LinkedIn, Melody Hildebrandt (@mhil1), evp, product & engineering and CISO, Fox. Thanks to our podcast sponsor, Code42 Redefine data security standards for the hybrid workforce. Check out Code42. In this episode Does Zero Trust obscure the core principles it's supposed to serve? How does Zero Trust affect the assumptions around cybersecurity’s control and ownership of a network What are the real Zero Trust best practices?
4/22/2021 • 28 minutes, 33 seconds
Mentoring
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-mentoring/ Companies want security people with experience and they want to grow cybersecurity leaders. It's often hard to find that experience, and while there are certification courses aplenty, courses in cybersecurity leadership are hard to find. One possible solution is mentoring, but that has its own hurdles. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host, Geoff Belknap (@geoffbelknap), CISO LinkedIn, and our guest Sean Catlett, CSO, Slack. In this episode The mutual value of being a mentor What obligations does a mentee have? Mentorship: large-scale concepts or day-to-day or both?
4/15/2021 • 27 minutes, 23 seconds
Securing the Super Bowl and Other Huge Events
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-securing-the-super-bowl-and-other-huge-events/ How do cybersecurity professionals secure a huge event like the Olympics, the Superbowl, or a city's New Year's Eve party? What are the unique considerations that come into play? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Tomás Maldonado (@tomas_mald), CISO, NFL Thanks to our podcast sponsor, Lepide Ninety eight percent of all threats start with Active Directory and nearly always involve the compromise of data stored on enterprise data stores. Lepide’s unique combination of detailed auditing, anomaly detection, real time alerting, and real time data discovery and classification allows you to identify, prioritize and investigate threats - fast. In this episode Protecting large events starts long before, like years before How threat actors targeting events differ from than those targeting companies It's not just the target - there's also public safety When it goes live, it GOES LIVE
4/8/2021 • 30 minutes, 20 seconds
Cybersecurity Isn’t That Difficult
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-cybersecurity-isnt-that-difficult/ What are you security people complaining about? As compared to 10, 15, 20 years ago, the technical aspects of cybersecurity are not that difficult. We've got the control frameworks, tools, and training that are predecessors didn't have. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Naomi Buckwalter (@ineedmorecyber), director of information security and IT at Beam Technologies, and our guest, John Overbaugh (@johnoverbaugh), vp, security, CareCentrix Thanks to our podcast sponsor, Trend Micro as bold Threat actors want what you’re storing in the cloud. Trend Micro’s Cloud One platform provides cloud security from a single console, keeping you at your most resilient. Let what happens in the cloud, stay in the cloud. In this episode What infosec was like "back in the day" What's out of alignment: the technology or the culture? Can we really stand on the shoulders of giants amid so much change? Where is individual cyberhygiene in all of this?
4/1/2021 • 26 minutes, 50 seconds
Cloud Security Myths
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-cloud-security-myths/ The cloud is inherently insecure! The cloud will handle all your security needs. More data breaches happen in the cloud. These are just some of the many many myths of cloud security. Listen as we debunk as many as we possibly can. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Steve Zalewski, CISO, Levis, and our sponsored guest Mark Nunnikhoven (@markna), vp, cloud research, Trend Micro. Thanks to our podcast sponsor, Trend Micro Threat actors want what you’re storing in the cloud. Trend Micro’s Cloud One platform provides cloud security from a single console, keeping you at your most resilient. Let what happens in the cloud, stay in the cloud. In this episode How many cloud myths from years back still endure? Is cloud less secure or more secure now? Who has the responsibility for security? Just because you're in the cloud, does that mean you're protected?
3/25/2021 • 28 minutes, 29 seconds
What Is Security's Mission?
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-what-is-securitys-mission/ What's the mission of your security program? Is it to proactively SECURE THE COMPANY against a compromise of the CONFIDENTIALITY, INTEGRITY, and AVAILABILITY, OR, is it to PROTECT THE COMPANY BRAND by effectively PREVENTing, DETECTING and RESPONDING to cyber-threats? These are the two options for security's mission that we discuss on this week's show. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Steve Zalewski, Deputy CISO, Levis, and our guest, Johna Till Johnson (@JohnaTillJohnso), CEO, Nemertes Research. Thanks to our podcast sponsor, Trend Micro The conversation between you and your board of directors is not always a walk in the park. With more cloud projects coming your way, it’s time to change the conversation to speak their language and start paving the way for a secure future. For more, go to http://trendmicro.com/CISO In this episode Security mission option 1: protecting the company Security mission option 2: protecting the brand & revenue stream Does one lead to/support the other? Does the degree of cloud presence make a difference? How much of this is technical vs philosophical?
3/18/2021 • 25 minutes, 56 seconds
Vendor CISOs
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-vendor-cisos/ It's hard to be a CISO. But, what's it like to be a CISO at a security vendor, doing the hard work while carrying the stigma of being a "vendor"? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our sponsored guest Allan Alford (@AllanAlfordinTX), CTO/CISO, TrustMAPP, and host of The Cyber Ranch Podcast. Thanks to our podcast sponsor, TrustMAPP Does your board want to see yet more heat maps? No, they do not. They want to see that security investments align with business goals, and that their costs are objectively justified. TrustMAPP’s data visualization helps you communicate with your board in a way they can understand – and approve. In this episode How to balance being an advocate, an evangelist and an operator Are there really "stigmas" to being a security vendor? What's unique to practicing security while being a security vendor?
3/11/2021 • 27 minutes, 9 seconds
How Much Log Data Is Enough?
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-how-much-log-data-do-you-need You're a CISO struggling with an influx of log data into your SIEM. What's the data you want to keep, and for how long? You want insights, but you also want to keep costs down. Holding onto everything is going to cost a fortune. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, deputy CISO, Levis, and our guest Naomi Buckwalter (@ineedmorecyber), director of information security and IT at Beam Technologies . Thanks to our podcast sponsor, TrustMAPP Does your board want to see yet more heat maps? No, they do not. They want to see that security investments align with business goals, and that their costs are objectively justified. TrustMAPP’s data visualization helps you communicate with your board in a way they can understand – and approve. In this episode So, what is the sweet spot for retaining log files? 90 days? 1 year? Should you categorize according to business criticality? How do you separate the "junk" from the valuable data?
3/4/2021 • 25 minutes, 5 seconds
Should Finance or Legal Mentor Cyber?
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-should-finance-or-legal-mentor-cyber Cybersecurity leaders are constantly looking for ways to improve how they think about risk, and how they communicate risk. But they're not the only ones. Others have been managing risk long before CISOs existed. So, who could be the best mentor to help a CISO gain better insight into business risk and how to communicate about it: the chief financial officer, or the legal department's general counsel? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest, David Schellhase (@davidschellhase), general counsel, Slack. Thanks to our podcast sponsor, TrustMAPP TrustMAPP delivers Security Performance Management, giving CISOs a real-time view of the effectiveness of their security program. TrustMAPP tells you where you are, where you’re going, and what it will take to get there. TrustMAPP gives organizations the ability to manage security as a business, quantifying and prioritizing remediation actions and costs. To learn about the MAPP methodology, download the white paper at https://trustmapp.com/mapp-paper/ In this episode Which executive could a CISO learn more about risk? Determining ROI of finance, legal and other execs Analyzing why its so important to establish the ideal mentorship relationship
2/25/2021 • 25 minutes, 17 seconds
Data Destruction
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-data-destruction How do you deal with data at end of life? Holding onto data too long can be very costly and increase risk. So how do you get rid of it... safely? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Shawn Bowen, CISO, Restaurant Brands International (RBI), and our sponsored guest, Frank Milia, partner, (@ITAssetRecvry), IT Asset Management Group. Thanks to our podcast sponsor, IT Asset Management Poorly managed IT asset disposal, lack of due diligence, and a disposal program without clearly defined responsible parties has now resulted in millions of dollars in regulatory penalties. Is it clear who is responsible for the performance of your data disposition practice? IT Asset Management Group’s free program guide includes tips for establishing stakeholders at your organization and expectations for all practitioners. Download the program guide today at itamg.com/CISO In this episode Is the risk of holding onto data greater than the value of keeping it? Should client data be considered a "toxic byproduct"? When disposing of client data, how much destruction is enough? What legal and regulatory requirements should be considered before destroying data?
2/18/2021 • 27 minutes, 24 seconds
How to Make Cybersecurity More Efficient
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-how-to-make-cybersecurity-more-efficient/ You're a new CISO told to hold headcount even and find the resources to do 20% more work. We're already maxed out. So how do we do more? Coming up next we're getting smart and more efficient with security. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Steve Zalewski, Deputy CISO, Levis, and our guest, Mike Morgan, (@theywerecones) head of information security, infrastructure director, Foster Farms Thanks to our podcast sponsor, IT Asset Management Group Poorly managed IT asset disposal, lack of due diligence, and a disposal program without clearly defined responsible parties has now resulted in millions of dollars in regulatory penalties. Is it clear who is responsible for the performance of your data disposition practice? IT Asset Management Group’s free program guide includes tips for establishing stakeholders at your organization and expectations for all practitioners. Download the program guide today at itamg.com/CISO In this episode Improving processes right from the beginning of the pipeline Looking for waste - and knowing what "waste" is Doing more with less means at some point, something important will break Delegating and crossing over skills Watching out for IT sprawl and "new fangled" solutions
2/11/2021 • 25 minutes, 42 seconds
Does a CISO Need Tech Skills?
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-does-a-ciso-need-tech-skills Does a CISO need technical skills to be an effective cybersecurity leader? Many CISOs don't have them. Are they still effective and does it affect their ability to lead? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, and guest co-host Ben Sapiro, (@ironfog), CISO, Great-West LifeCo, and our guest, Zach Powers, CISO, Benchling. Thanks to our episode sponsor, IT Asset Management Group Poorly managed IT asset disposal, lack of due diligence, and a disposal program without clearly defined responsible parties has now resulted in millions of dollars in regulatory penalties. Is it clear who is responsible for the performance of your data disposition practice? IT Asset Management Group’s free program guide includes tips for establishing stakeholders at your organization and expectations for all practitioners. Download the program guide today at itamg.com/CISO. In this episode Why having the skills helps with realistic expectations Being able to see through the nonsense The value of staying passionate about the profession
2/4/2021 • 27 minutes, 8 seconds
How Do You Know if You're Good at Security?
All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-how-do-you-know-if-youre-good-at-security/ What metrics or indicators signal to you that an organization is “good at security”? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Justin Berman (@justinmberman), former CISO, Dropbox. Thanks to our podcast sponsor, Imperva Face it, your data is everywhere! Imperva Data Security unifies compliance, security and privacy needs for any data store while saving you time and money. No matter where data lives, get confidence about what is happening with data, where it’s stored and who’s accessing it. Start a free trial now. In this episode How do go about measuring risk Assessing the ratio of critical/high severity issues to issues closed The difference between a reactive or proactive threat management policy
1/28/2021 • 25 minutes, 53 seconds
Building a Security Team
All links and images for this episode can be found on CISO Series You're a new CISO at a new org given a headcount of ten to build a cybersecurity team. What's your strategy to build that team? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Steve Zalewski, Deputy CISO, Levis, and our guest JJ Agha (@jaysquaredx2), CISO, Compass. Thanks to our podcast sponsor, Imperva Face it, your data is everywhere! Imperva Data Security unifies compliance, security and privacy needs for any data store while saving you time and money. No matter where data lives, get confidence about what is happening with data, where it’s stored and who’s accessing it. Start a free trial now. In this episode The importance of assessments and gap analyses Why you need to leveraging your network Educating and empowering teams Introspection and self-awareness as a leader
1/21/2021 • 31 minutes, 58 seconds
Are our Data Protection Strategies Evolving?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-are-our-data-protection-strategies-evolving/) As we're evolving from putting data on premises to the cloud, are our data protection strategies evolving as well? There are issues of securing data, knowing where it travels, and privacy implications of data. How are we handling all of that? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest, Chris Brown, senior director, data security at Imperva. Thanks to our podcast sponsor, Imperva. Face it, your data is everywhere! Imperva Data Security unifies compliance, security and privacy needs for any data store while saving you time and money. No matter where data lives, get confidence about what is happening with data, where it’s stored and who’s accessing it. Start a free trial now. In this episode Cloud platforms and exposure make it easier to deploy with less oversight, making mistakes easier. There's a need for a change of mindset of product and marketing leaders to consider consequences of taking in different data types in the design phase. There's also a need for SIEM tools and access management.
1/14/2021 • 25 minutes, 12 seconds
Should CISOs Be Licensed Professionals?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-should-cisos-be-licensed-professionals/) Many professionals are required to obtain a license before they can do their job legally. The demands of cybersecurity professionals, especially CISOs, has become more critical as evidenced by the increasing number of regulations demanding a person oversee security and privacy controls. Should CISOs be licensed to maintain a minimum standard? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Patrick Benoit (@patrickbenoit), vp, global head of GRC and BISO, CBRE. Thanks to this week's podcast sponsor, F5 External threats to your organization’s security are constantly evolving. Your apps need broad and preventive protection from bot attacks that cause large-scale fraud, higher operational costs, and problems for your users. And they need to be optimized for secure operation internally. Silverline Shape Defense helps you stay ahead of cyber threats and fraud. Get a free trial. Highlights from this episode of Defense in Depth: Almost universally, nobody liked the idea of requiring a CISO to have a license in order to practice. But, with that said, the subject stirred up a hornet's nest of discussion. Main complaint is the job changes so drastically depending on what industry you're in. Many argued that a license won't translate into success. Hard to tell how to put a license around someone who is managing risk, but doesn't own the risk.
1/7/2021 • 26 minutes, 47 seconds
Inherently Vulnerable By Design
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-inherently-vulnerable-by-design/) Much of what we do as practitioners is to prevent inadvertent security problems - oversights, zero-days, etc. What about inherent and unavoidable problems? When the very design of the thing requires a lack of security? What do you do then? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest is Dan Woods, vp of the Shape Intelligence Center, F5. Thanks to this week's podcast sponsor, F5. External threats to your organization’s security are constantly evolving. Your apps need broad and preventive protection from bot attacks that cause large-scale fraud, higher operational costs, and problems for your users. And they need to be optimized for secure operation internally. Silverline Shape Defense helps you stay ahead of cyber threats and fraud. Get a free trial. On this episode of Defense in Depth, you’ll learn: The mere act of conducting business requires you to have certain procedures that would make you vulnerable. Simple things like taking customer information to create user accounts and processing credit cards. That's inherent to doing business, and by opening that up, it makes you vulnerable. A lot of this inherent vulnerability comes down to having users or customers and needing to authenticate them. When you start a business you're also accepting the inherent vulnerability and you have to ask yourself to what level can the business function having that vulnerability abused? It's all about risk appetite. Two factor authentication sure is nice, but there has to be multiple "behind the scenes" authentications going on to verify identity continuously. As you're collecting all these additional data points you can use that information to ask the user to verify. Provide discounts to customers and users for good security practices. Insurance companies do this with people who prove safe driving practices. It could be a win-win for everybody. For example, with Mailchimp, they give you a discount if you enable 2FA. Why not offer a discount for a really long and complicated password? One of the major issues is the password reset process happens through email. Email wasn't designed for critical authentication. Many hacks happen through the reset process via email.
12/17/2020 • 26 minutes, 54 seconds
Imposter Syndrome
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-imposter-syndrome/) For CISOs and other security leaders, suffering from imposter syndrome seems inevitable. How can you ever be really confident when there's an endless stream of threats and a landscape that changes without your knowledge? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest David Peach (@realdavidp), CISO and head of privacy, The Economist Group. Thanks to this week's podcast sponsor, F5. CISOs are dealing with the increasing sophistication of cyber attackers that are taking advantage of their applications. Find out how F5 helps organizations expand their security and see the unseen by watching the F5 Security Summit webinar. View it here. On this episode of Defense in Depth, you’ll learn: Imposter syndrome is a feeling of not being as good as you purport to be or others perceive you to be. Almost all security professionals, especially CISOs, have moments of imposter syndrome. The root of the problem is underestimating your contributions. Imposter syndrome can debilitate a security professional. But the opposite is also dangerous. If you don't question your ability and think you alone can solve things and others perceive that you can do that as well, that's a disaster waiting to happen. The relentless change of technology and threats can overwhelm a professional and feel that they can't keep up. There's a sense of you will always be behind. It's not a sprint, nor a marathon. Security is an infinite game. There's no winning and no moment of relief, but looking at it as a journey you can see success along the way. There is an outside pressure that CISOs know more than they actually do, and at the same time they don't want to disappoint management, the business, or the team. Imposter syndrome can be seen as a positive when it leads to self awareness and improvement. Be smart enough to know how little you do know and accept it, but still stay on that journey to keep learning more. You can't teach the person who thinks they know it all. The flipside is you rarely get congratulated for your work as a security professional.
12/10/2020 • 28 minutes, 43 seconds
Why Don't More Companies Take Cybersecurity Seriously?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-why-dont-more-companies-take-cybersecurity-seriously/) With every cybersecurity breach, we still don't seem to be getting through. Many companies don't seem to be taking cybersecurity seriously. What does it take? Obviously not scare tactics. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Ben Sapiro, global CISO, Great-West LifeCo. Thanks to this week's podcast sponsor, Sonatype. On this episode of Defense in Depth, you’ll learn: Even with attacks and breaches on a constant march, far too many companies operate under the "it will never happen to me" ostrich strategy. Problem with the "I'm too small to attack" defense is you probably also have minimal security protections which also makes you far easier to attack. Far easier to penetrate 100 low defense targets than one huge target with high defenses. Watching other companies survive a breach makes one feel as if they'll be just as resilient. Many companies not showing interest in cybersecurity may simply not be doing appropriate risk-based analysis. A company in a highly regulated industry has no choice but to take cybersecurity seriously. Businesses that are highly built on trust and have a low barrier to exit often understand the need to take cybersecurity seriously. They are always cognizant of reputational risk. Many feel that they are powerless against the onslaught of attacks and even if they do take cybersecurity seriously and spend money defending themselves it will all be a giant waste of effort. Many people simply don't feel attached to any type of cybersecurity effort. If you're not vested in it, why care about it? Those of us in cybersecurity forget what it feels like to not know anything about cybersecurity. On this episode of Defense in Depth, you’ll learn: Even with attacks and breaches on a constant march, far too many companies operate under the "it will never happen to me" ostrich strategy. Problem with the "I'm too small to attack" defense is you probably also have minimal security protections which also makes you far easier to attack. Far easier to penetrate 100 low defense targets than one huge target with high defenses. Watching other companies survive a breach makes one feel as if they'll be just as resilient. Many companies not showing interest in cybersecurity may simply not be doing appropriate risk-based analysis. A company in a highly regulated industry has no choice but to take cybersecurity seriously. Businesses that are highly built on trust and have a low barrier to exit often understand the need to take cybersecurity seriously. They are always cognizant of reputational risk. Many feel that they are powerless against the onslaught of attacks and even if they do take cybersecurity seriously and spend money defending themselves it will all be a giant waste of effort. Many people simply don't feel attached to any type of cybersecurity effort. If you're not vested in it, why care about it? Those of us in cybersecurity forget what it feels like to not know anything about cybersecurity.
12/3/2020 • 27 minutes, 55 seconds
Data Protection and Visibility
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-data-protection-and-visibility/) Where is your data? Who's accessing it? You may know if you have an identity access management solution, but what happens when that data leaves your control. What do you do then? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest is Elliot Lewis (@elliotdlewis), CEO, Keyavi Data. Thanks to this week's podcast sponsor, Keyavi Data. Our Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner’s control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com. On this episode of Defense in Depth, you’ll learn: In general, all of security is based on detecting threats and stopping threats. When those two fail, and they do, what's your recourse to protect your data? What if when your data leaves your control either accidentally or through a malicious breach, you were still able to see your data wherever it went and your data could communicate back to you its status, allowing you to control access to your data? There are so many scenarios when data leaves you, it's impossible to protect for all scenarios. Asset inventory is first step in the CIS 20. Just trying to get an asset inventory of equipment is difficult. An inventory of data is near impossible especially when you may be pumping out a terabyte of data a day. Ideal situation is to protect data proactively, as it's being created. The ultimate goal is to have visibility of your data in perpetuity, for the life of the data, and you can decide when to destroy it even when it's no longer within the confines of your greater network and ecosystem. Governing your network, your applications, the rules, and the data is half the battle. Data visibility also allows you to make informed decisions as a business and can provide the answers your legal team will need in case there's a breach. You want the data protection and visibility schema to be platform and ecosystem independent. If data is taken out of the ecosystem, then the protection and visibility is moot. A good precursor to this is digital rights management or DRM. They have figured out how to manage data from being copied and manipulated and they can place controls on it. The limiting factor though is it's platform dependent.
11/19/2020 • 33 minutes, 7 seconds
What's an Entry Level Cybersecurity Job?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-whats-an-entry-level-cybersecurity-job/) Naomi Buckwalter, director of information security at Energage analyzed one thousand random information security job posts on LinkedIn. The most notable trend she found was that 43% of the posts had CISSP and 5-year experience requirements for entry level positions. Are companies trying to lowball cybersecurity professionals, or do they simply not know what an entry level cybersecurity job is. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest is Joseph Carrigan (@JTCarrigan), senior security engineer at Johns Hopkins University Information Security Institute, and co-host Hacking Humans podcast. Thanks to this week's podcast sponsor, Keyavi Data. Our Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner’s control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com. On this episode of Defense in Depth, you’ll learn: There has been an ongoing trend for companies to post "entry level but experience required" job listings for cybersecurity professionals. This is self-defeating for companies because the positions don't get filled. And for true entry level people, they get discouraged. They feel it's impossible to get into the industry. This can drive them away from cybersecurity which hurts the entire industry. Others would argue that we shouldn't even have this conversation because there is no such thing as an entry level position. Like there are no entry-level doctors. You must have some type of training or experience to do this job. There's no doubt that CISOs fight more for headcount than they do overall dollars. And if they get a limited headcount, they're going to want to get as much talent as they possibly can with that limited number of positions they can fill. Security is a layer on top of IT, engineering, or development. For that reason it can be seen as mid-level experience or above, simply because security is a specialization. Is this behavior of shooting so high for an entry-level cybersecurity role causing the cybersecurity skills gap? Best way to prove your value to a hiring cybersecurity professional is to setup your own home lab. The skill that is hard to put on a resume or to explain in a job listing is non-linear thinking. But that's essentially what you're looking for with an entry-level cybersecurity hire.
11/12/2020 • 28 minutes, 27 seconds
Securing Digital Transformations
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-securing-digital-transformations/) Digital transformation. It's definition is broad. Meaning securing it is also broad. But there are some principles that can be followed as companies undergo each step in a deeper dive to make more and more of their processes essentially computerized. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest is Paul Asadoorian (@securityweekly), founder & CTO, Security Weekly, and chief innovation officer, Cyber Risk Alliance. Thanks to this week's podcast sponsor, Keyavi Data. Our Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner’s control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com. On this episode of Defense in Depth, you’ll learn: Digital transformation is about relying on computing technology for more integral processes and aspects in our daily work lives. Lots of debate on the definition of digital transformation and as well securing digital transformations. Definition: A targeted change to process and technology for the benefit of the people. Definition: increasing levels of interoperability of information. We heard the recurring argument of the need for security to have a seat at the table at the beginning of a digital transformation, and not at the end. But at the same time reality sunk in and it was argued that security doesn't get to dictate that. And if security tried to, it would create a greater wedge with the business. When security is brought in at the end though, security has no option but to disrupt the business. Then no one is happy. Digital transformation simply introduce new risks, often greater risk. If the point is to integrate more of your processes, then that integrates the risk as well. If you're undergoing a true transformation, you are looking at core processes and saying, "What new tech facilitates, streamlines, and/or actualizes these core processes?" You no longer have to settle for shopping for a solution and then smashing your processes up against it. Your security tools should also undergo a transformation. That includes a transformation in monitoring as well.
10/29/2020 • 29 minutes, 1 second
Leaked Secrets in Code Repositories
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-leaked-secrets-in-code-repositories/) Secrets, such as passwords and credentials, are out in the open just sitting there in code repositories. Why do these secrets even exist in public? What's their danger? And how can they be found and removed? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest is Jérémy Thomas, CEO, GitGuardian. Thanks to this week's podcast sponsor GitGuardian. GitGuardian empowers organizations to secure their secrets - such as API keys and other credentials - from being exposed in compromised places or leaked publicly. GitGuardian offers a threat intelligence solution focused on detecting secrets leaked on public GitHub and an automated secrets detection solution which tightly integrates with your DevOps pipeline. On this episode of Defense in Depth, you’ll learn: Putting passwords and other credential information inside of code simply happens. It is done by developers for purposes of efficiency, laziness, or simply forgot to take it out. Given that exposing secrets is done by developers, these secrets appear in code everywhere, most notably in public code repositories like GitHub. Exposed credentials can appear in SIEMS as it's being exported from the developers' code. There is a shared responsibility model and cloud providers do have some ability to scan code, but ultimately code you put in your programs is your responsibility. Scanning public code repositories should be your first step. You don't want to be adding code that has known issues. Next step is to scan your own code and get alerts if your developers are adding secrets (wittingly or unwittingly) in their code. If you alert in real-time, it fits naturally within the DevOps pipeline and they will improve their secure coding skills. Another option to deal with exposed secrets is to sidestep the problem completely and put in additional layers of security, most notably multi-factor authentication (MFA). A great idea, and yes, you should definitely include this very secure step, but it doesn't eliminate the problem. There are far too many authentication layers (many automated) for you to put MFA on everything. There will always be many moments of exposure.
10/22/2020 • 28 minutes, 41 seconds
Measuring the Success of Your Security Program
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-measuring-the-success-of-your-security-program/) How does a CISO measure the performance of their security program? Sure, there are metrics, but what are you measuring against? Is it a framework or the quality of protection? How do you tell if your program is improving and growing? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest is Chad Boeckmann (@SDS_Advisor), CEO, TrustMAPP. TrustMAPP delivers continuous, automated Security Performance Management, a real-time view of your cybersecurity maturity. TrustMAPP tells you where you are, where you’re going, and what it will take to get there. TrustMAPP lets you manage security as a business, quantifying and prioritizing remediation actions and costs. On this episode of Defense in Depth, you’ll learn: The process is very systematic. Start with knowing your risks, how you're going to track them, and the controls you're going to put them in place to manage them. Simple to say, hard to do. Security risk is just one of a multitude risks a business faces. Data's whereabouts is a moving target. Having confidence in its location and protections is key to managing overall risk. Constantly be asking who has access to the data and what communications processes are you using to share that information between humans and machines. Discuss with leadership as to how you will judge success and what metrics you will use. C-suite will need to lead the discussion with security providing guidance as to what they can and can't measure. If you're measuring security's performance this is a great opportunity for security to tell its story and prove its value, ultimately setting it up for increased budget and participation from others. An informal metric for success could be how often is security getting invited to informal meetings. Overall positive sentiment of security by non-security employees. How well are you able to build (are people eager to work with you?) and maintain your staff? Another "out of the box" metric to consider are opportunity costs. How many contracts are you losing because you were incapable of meeting a potential customer's security standards? Strong debate as to what is the goal of a security program: Risk reduction or risk management? It's very possible that you are currently managing risk well and the additional cost to reduce risk is not necessary.
10/15/2020 • 27 minutes, 19 seconds
Privacy Is An Uphill Battle
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-privacy-is-an-uphill-battle/) Privacy is an uphill battle. The problem is those gathering the data aren't the ones tasked with protecting the privacy of those users for whom that data represents. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest is Dave Bittner (@bittner), host, The CyberWire Podcast. Thank to our episode sponsor, TrustMAPP. TrustMAPP delivers continuous, automated Security Performance Management, a real-time view of your cybersecurity maturity. TrustMAPP tells you where you are, where you’re going, and what it will take to get there. TrustMAPP lets you manage security as a business, quantifying and prioritizing remediation actions and costs. On this episode of Defense in Depth, you’ll learn: Marketers, the ones often collecting the data, have no incentive to not gather more. The only thing holding them back, barely, are newly growing privacy regulations. Security professionals are tasked with protecting privacy but they're not usually on the front lines of data collection and are often brought in after the data has been collected. The public has become numb to the abuse of their privacy. A little is being chipped away at the time that they either don't know they're being abused or it appears to be so slight they don't even care. They see the benefits of sharing far outweighing the negatives. GDPR is large and very difficult to comply with. And although it only affects site visitors from Europe, most site owners are deploying GDPR controls system-wide for all visitors for fear of making a mistake while at the same time realizing that similar regulations will launch in other parts of the world.
10/8/2020 • 28 minutes, 43 seconds
Legal Protection for CISOs
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-legal-protection-for-cisos/) What's the legal responsibility of a CISO? New cases are placing the liability for certain aspects of security incidents squarely on the CISO. And attorney-client privilege has been overruled lately too. What does this mean for corporate and for CISO risk? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest is Evan Wolff, partner at Crowell & Moring. Thank to our episode sponsor, TrustMAPP. TrustMAPP delivers continuous, automated Security Performance Management, a real-time view of your cybersecurity maturity. TrustMAPP tells you where you are, where you’re going, and what it will take to get there. TrustMAPP lets you manage security as a business, quantifying and prioritizing remediation actions and costs. On this episode of Defense in Depth, you’ll learn: We repeatedly joke about Davi Ottenheimer's comment that the CISO has held the moniker of "designated felon" in American risk mitigation. Big piece of advice that was repeated throughout the episode is to have an employment contract. In the employment contract you want an exit strategy that allows you to leave if you think a situation is not tenable or the company is asking you to do something that you believe to be unethical. It gives you an opportunity to leave without any blame assigned. The cc field is your friend. If you don't want to be seen as the only one "in the know" take advantage of making sure key people are also in the loop. We heard one unbelievable story of an employment contract where it was clear that the CISO would be the "designated felon" should there be any breach. This was put in place to protect the executive team. The contract offered financial security for two years post breach. We all agreed this was insane and had never heard of anything like that before. Be wary of being forced to take on personal ownership of security issues. A CISO is responsible, not accountable.
10/1/2020 • 29 minutes, 21 seconds
XDR: Extended Detection and Response
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-xdr-extended-detection-and-response/) Is XDR changing the investigative landscape for security professionals? The "X" in XDR extends traditional endpoint detection and response or EDR to also include network and cloud sensors. Having this full breadth, XDR can contextualize alerts to tell a more cogent story as to what's going on in your environment. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest is Dave Bittner (@bittner), host, The CyberWire. Thanks to our sponsor, Hunters. Attackers always find new ways to bypass organizational defenses. While their traces hide in the data, they’re also extremely difficult to detect. Hunters.AI is a context-fueled XDR solution that harnesses top-tier threat hunting expertise and ML to autonomously detect, investigate and correlate attack findings across cloud, network, and endpoint. On this episode of Defense in Depth, you’ll learn: XDR extends traditional endpoint detection and response or EDR to also include network and cloud sensors. XDR is viewed as a comprehensive solution that rolls up all your critical feeds, sensors, and analytics. Having this full breadth, XDR can contextualize alerts to tell a more cogent story as to what's going on in your environment. If you've got a greenfield security program (essentially it's non existent), XDR is a no-brainer. But for everyone else, which is most of us, rolling out XDR is not as clear cut a decision. How does it integrate with your existing tech stack? Lots of question as to why do you need a SIEM if you have XDR? But, most responded that the two technologies are complimentary. Where XDR becomes redundant is if you have SIEM + SOAR + XDR + NDR. XDR's real power is the ability to give you some of the investigative details rather than just telling you that somebody breached a certain endpoint. But it can connect the dots and explain that a certain breach also resulted in a certain action. This greatly reduces the time your SOC needs to spend investigating cases. Don't though be fooled with solutions that sell purely on reducing time and effort. You're only going to have that if you have useful integrations.
9/24/2020 • 25 minutes, 3 seconds
Calling Users Stupid
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-calling-users-stupid/) Many cybersecurity professionals use derogatory terms towards their users, like calling them "dumb" because they fell for a phish or some type of online scam. It can be detrimental, even behind their back, and it doesn't foster a stronger security culture. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Dustin Wilcox, CISO, Anthem. Thanks to our sponsor, Hunters. Attackers always find new ways to bypass organizational defenses. While their traces hide in the data, they’re also extremely difficult to detect. Hunters.AI is a context-fueled XDR solution that harnesses top-tier threat hunting expertise and ML to autonomously detect, investigate and correlate attack findings across cloud, network, and endpoint. On this episode of Defense in Depth, you’ll learn: Security people have notoriously had a "better than them" attitude towards their users who they view as the ones causing all the problems and making their lives more difficult. Calling users stupid for making a "mistake of effort" even if it's behind their back does not foster a bond with the security team. It fosters the us vs. them attitude. Security professionals will have a lot more success if they understand why users do the things they do. Once there is that understanding, then cybersecurity will better be able to design systems that accommodate users. About a third of your users confidently believe they're following the right cybersecurity procedures. That discrepancy is not the fault of the users, it's the fault of cybersecurity's education of users. Security can always be more effective in offering up the right tools and the correct education. Security awareness must begin with good service and process design. Phishing tests are pointless to determine security effectiveness. That's because no matter how low your click rates go, someone can always create a more creative test that will send them soaring back up again. If your defense in depth strategy is so poorly designed that your company can be compromised by the simple click of a phish, then you've got a poorly configured security stack. Security professionals' jobs exist because of their users. If there was no organization and users, then there would be no need for security professionals. Quoting Albert Einstein: "If you judge a fish by his ability to climb a tree, he will live his whole life thinking he is stupid.” Look at user mistakes as an education moment, not an opportunity to put them down. If you educate them, they'll go onto educate others as well. Mistakes can actually be very beneficial.
9/17/2020 • 27 minutes, 27 seconds
Is College Necessary for a Job in Cybersecurity?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-is-college-necessary-for-a-job-in-cybersecurity/) Where is the best education for our cyber staff of the future? Where does college fit in or not fit in? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Dan Walsh, CISO, Rally Health. Thanks to our sponsor, Hunters. Attackers always find new ways to bypass organizational defenses. While their traces hide in the data, they’re also extremely difficult to detect. Hunters.AI is a context-fueled XDR solution that harnesses top-tier threat hunting expertise and ML to autonomously detect, investigate and correlate attack findings across cloud, network, and endpoint. On this episode of Defense in Depth, you’ll learn: Years ago most would say a college degree is necessary, but it appears the ROI for exorbitant college education simply doesn't deliver like it used to. Tons of valuable online courseware can deliver a targeted education for individuals wanting to start a career in cybersecurity. If organizations believe these first two statements to be true, then why are they putting down a college degree as a requirement for jobs in cybersecurity? Is requiring a college degree a false and elitist narrative that doesn't drive better cybersecurity talent? With such a stringent requirement, it detracts many people, including women and minorities, who may not have college degrees to pursue cybersecurity roles. Most college courseware in computer science is often quickly outdated. But that doesn't speak to all colleges. Some that specialize in cybersecurity are doing their best to stay current. Those arguing the need for college explain it teaches critical thinking and the desire to always keep learning. Does the lack of having a college degree prevent an individual from moving up the ranks in cybersecurity leadership? The college degree requirement may be arbitrary or it may be there because of management's jealousy. They had to have a college degree when they joined so everyone else should as well. A college degree doesn't necessarily mean you'll be a great technician.
9/10/2020 • 28 minutes, 14 seconds
When Red Teams Break Down
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-when-red-teams-break-down/) What happens when red team engagements go sideways? The idea of real world testing of your defenses sounds great, but how do you close the loop and what happens if it's not closed? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest, Dan DeCloss, founder and CEO, PlexTrac. Thanks to this week’s podcast sponsor, PlexTrac. PlexTrac is a revolutionary, yet simple, cybersecurity platform that centralizes all security assessments, penetration test reports, audit findings, and vulnerabilities into a single location. PlexTrac vastly improves the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize important analytics, and collaborate on remediation in real-time. On this episode of Defense in Depth, you’ll learn: Don't make the mistake of red teaming too early. If you don't have your fundamental security program in place, you'll be testing out non-existing defenses. If you're just starting to build up your security program, conduct a vulnerability scan and do some basic patch management. A red team exercise exists to discover risks you didn't even know about and couldn't have predicted in your threat model exercises. Have a plan of what you're going to do after the red team exercise. Just discovering you've got problems with no plan to remediate them will not only be a waste of money, but will also breed discontent. Don't red team just to fill out an audit report. You can do a vulnerability scan for that. Consider moving the red team to purple to actually help the blue team remediate the findings. If you don't have a plan for remediation you'll find yourself running the same red team and filling out the same report. Prioritize! The red (now purple) team can greatly help along with those who've assessed business risks. First to remediate are the ones that are high impact and easy to execute. The rest is determined by an analysis of likelihood and impact.
9/3/2020 • 25 minutes, 17 seconds
What Cyber Pro Are You Trying to Hire?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-what-cyber-pro-are-you-trying-to-hire/) Do companies hiring cybersecurity talent even know what they want? More and more we see management jobs asking for engineering skills, and even CISO jobs with coding requirements. What's breaking down? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Liam Connolly, CISO, Seek. Thanks to this week's podcast sponsor, Salt Security. Salt Security protects the APIs at the core of SaaS, web, and mobile applications. By using patented behavioral protection Salt Security automatically and continuously discovers and learns the granular behavior of each unique API and stops attacks. In 2020 Salt Security was named a Gartner Cool Vendor in API Strategy. On this episode of Defense in Depth, you’ll learn: The poor focus of cybersecurity job listings often exposes either the poor understanding or lack of maturity of a company's information security program. We often see management cyber jobs asking for engineering skills and vice versa. Job listings can also portray the "last guy" syndrome. Those are the job listings that tack on desired skills the last person did not have. When you see too many requirements it comes off as a wish list. It's not what is required, it's more of a question as to how many boxes can a candidate check off. There can be serious harm to a company's ability to hire if they throw down too many requirements or even optional items. People who are truly required for the position you want may never apply because they'll be scared off by the other skills required or desired. CISOs are often hired by non security people and as a result they don't have a full understanding of what type of CISO they want. As a result it's often hard to find two similar CISO job listings. While CISO technical competencies are desired, it's clear that once hired a CISO will not be showing off their technical expertise. As a result, there's a lot of debate as to how much technical skill a CISO really needs. The job requires management, influencing, and communications. Many hiring teams have a hard time parsing out the types of security people they need to build out a security team. That's why you get a single job listing that appears to want to hire five different types of security people. If a CISO isn't given the budget and authority to hire a staff to fill all the necessary gaps for the company's security program, they will become fed up and leave. That starts the whole process again. Many debate that job titles in job listings are just there to massage the ego. But if compensation doesn't match the title, then they realize the title is just for show.
8/27/2020 • 28 minutes, 35 seconds
Junior Cyber People
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-junior-cyber-people/) There are so few jobs available for junior cybersecurity professionals. Are these cyber beginners not valued? Or are we as managers not creating the right roles for them to improve our own security? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Naomi Buckwalter (@ineedmorecyber), director of information security & privacy at Energage. Thanks to this week's podcast sponsor, Salt Security. Salt Security protects the APIs at the core of SaaS, web, and mobile applications. By using patented behavioral protection Salt Security automatically and continuously discovers and learns the granular behavior of each unique API and stops attacks. In 2020 Salt Security was named a Gartner Cool Vendor in API Strategy. On this episode of Defense in Depth, you’ll learn: There are tons of newbies eager to work in cybersecurity. The shortcoming is not the available pipeline, but a lack of headcount and managers' willingness to train and find appropriate assignments. Because headcount is often the limitation to hiring, leaders will opt to hire the most senior person they can get. Common feeling is hire one experienced person and stress them out rather than hire three junior people and train them. Problem with the former is if you stress that experienced person they will leave and tell others not to work there. There is plenty of good junior-level cybersecurity work, such as asset management cleanup, PII discovery, procedure documentation, filling out security questionnaires, scrubbing and tuning out false positives from alerting systems, reviewing vendor contracts, patch verification, following up on vulnerability management with other teams, launching and managing vulnerability scans, interviewing for shadow IT installations, working with help desk for user account remediation, and scanning logs for anomalies.
8/20/2020 • 29 minutes, 17 seconds
Trusting Security Vendor Claims
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-trusting-security-vendor-claims/) Do security vendors deliver on their claims and heck, are they even explaining what they do clearly so CISOs actually know what they're buying? Check out this post and the Valimail survey for the basis of our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Lee Parrish (@LeeParrish), CISO, Hertz. Thanks to this week's podcast sponsor, AttackIQ. AttackIQ, the leading independent vendor of breach and attack simulation solutions, built the industry’s first Security Optimization Platform for continuous security control validation and improving security program effectiveness and efficiency. AttackIQ is trusted by leading organizations worldwide to plan security improvements and verify that cyberdefenses work as expected, aligned with the MITRE ATT&CK framework. On this episode of Defense in Depth, you’ll learn: From those surveyed by Valimail survey, a third to a half didn't believe that vendors did a good job explaining what their product does, or that the product actually performed, or there was any way to actually measure that performance. Many questioned those numbers because they feel many security buyers still fall for security vendors' boastful claims. Both can actually be true. Stunned behavior at a trade show is not the indicator of knowledge and susceptibility to vendor pitches. When you're under the gun as a security professional to produce results you often become victim to security vendor claims because you want to deliver on demands from the business. By nature, CISOs should be skeptical about vendor claims and information within their own environment. There's a battle between those vendors truly trying to deliver value and those who are using their marketing savvy to sway industry thinking. Don't place all the blame on the vendors. CISOs still have trouble understanding their requirements, risk, and priorities. Many are guilty of engaging in "random acts of security". Claims can often be more trustworthy if the vendor is willing to explain what they can't do.
8/13/2020 • 27 minutes, 55 seconds
How Vendors Should Approach CISOs
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-how-vendors-should-approach-cisos/) "How do I approach a CISO?" It's the most common question I get from security vendors. In fact, I have another podcast dedicated to this very question. But now we're going to tackle it on this show. Check out this post for the basis of our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Ian Amit (@iiamit), CSO, Cimpress. Here also is my original article with Allan Alford when he first launched this engage with vendors campaign. Thanks to this week's podcast sponsor, Sonrai Security. Identity and data access complexity are exploding in your public cloud. 10,000+ pieces of compute, 1000s of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data that exists inside your public cloud. On this episode of Defense in Depth, you’ll learn: All CISOs are different so any advice we provide will vary from CISO to CISO. Plus, we have an entire other show, CISO/Security Vendor Relationship Podcast, dedicated to this very topic. We acknowledge that this is tough because to be really on target you need to know what the CISO has, what their mix of products are, and how your product could work in their current security maturity and mix of security products and processes. It's all a very tall order for a security vendor. Vendors must stop thinking of themselves as point solutions, but rather how they fit into the overall makeup of a security program. You're not coming in with a blank slate. How do you interoperate with what's existing? There's unfortunately the trend of the people who make the contact, then initiate a meeting, and hand off to someone else. CISOs do not welcome that kind of engagement, although it may be very cost effective for security vendors to hire junior people to make those contacts and hand offs. Lots of argument about the efficacy and the acceptance of cold calling. Those who claim they don't like it are often working at organizations that do it repeatedly to great success. The pushy salesperson who eventually gets through after repeated attempts even when they're told no may show success, but they don't calculate all the people they've angered and the word-of-mouth negativity that has resulted from that behavior. If you push beyond a request to stop, the worse that can happen is your reputation will be destroyed. CISOs are more receptive to market pull into your organization. That can happen through traditional marketing, content marketing, podcasts, analyst reviews, and word-of-mouth. Problem is these techniques don't leave any room for salespeople to operate.
8/6/2020 • 30 minutes, 12 seconds
Secure Access
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-secure-access/) What is the Holy Grail of secure access? There are many options, all of which are being strained by our new work from home model. Are we currently at the max? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Rohini Kasturi, chief product officer, Pulse Secure. Thanks to this week’s podcast sponsor, Pulse Secure. Pulse Secure offers easy, comprehensive solutions that provide visibility and seamless, protected connectivity for hybrid IT in a Zero Trust world. Over 24,000 enterprises entrust Pulse Secure to empower their mobile workforce to securely access applications and information in the data center and cloud while ensuring business compliance. On this episode of Defense in Depth, you’ll learn: Multiple technologies, such as VPN, split-tunnel VPN, VDI, SASE, EDR, and secure management, are used in attempts to insure secure access. But given that secure access isn't just about managing endpoints, but users, you also have to look at IAM. We look to conditional access to provide more support than just full VPN access. Argument that we are moving away from endpoints to identity as that's the new perimeter. SASE solution blocks by default, instead of allows by default, and requires permission for access. User is secured dynamically based on a combination of identity and device. Would be great if secure access solutions were universal, but they vary country by country based on costs, availability, and regulations. Secure access models must be user experience first. One possible play that works in this way is IAM + SASE + EDR + secure management. Another factor that prevents the one-size fits all model for secure access is the complexity of stacks.
7/30/2020 • 22 minutes, 53 seconds
InfoSec Fatigue
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-infosec-fatigue/) Have we reached peak InfoSec fatigue? Revolving CISOs and endless cyber recruitment OR the fact that we're spending more money to reduce even greater risk. Is it all leaving our grasp? Check out this post for the basis of our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Helen Patton (@OSUCISOHelen) CISO, The Ohio State University. Thanks to this week's podcast sponsor, Sonrai Security. Identity and data access complexity are exploding in your public cloud. 10,000+ pieces of compute, 1000s of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data that exists inside your public cloud. On this episode of Defense in Depth, you’ll learn: Are we sliding in our effort to get ahead of security issues? There's a sense the tools and our ability isn't keeping up with the onslaught. Are we able to prove risk reduction to show that our efforts are successful? Those people who don't burn out are the ones who thrive on the technical and political challenges of cybersecurity. Disagreement on how you lead a discussion. Should it be story-based or data-based? Classic complaint about cybersecurity is success is measured by the absence of activity. Preventative security is not easily quantifiable as reactive security. CISOs have to step up and show evidence of security's success in the most understandable and digestible format. Suggested measures and metrics: likelihood and impact, business impact analysis, security program maturity curve, framework compliance, pen test results, and threat modeling. FUD (fear, uncertainty, and doubt) may be effective in the short run, but it's exhausting. It never works in the long term. Approach cybersecurity altruistically. If it benefits you and those around you, then it's worth doing. Lean on security vendors to help you show the value of their product. The business impact will be on the CISO's shoulder, but the vendor should help build the case.
7/23/2020 • 28 minutes, 23 seconds
Securing a Cloud Migration
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-securing-a-cloud-migration/) You're migrating to the cloud. When did you develop your security plan? Before, during, or after? How aware are you and the board of the cloud's new security implications? Does your team even know how to apply security controls to the cloud? Check out this post for the basis of our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Sandy Bird, CTO and co-founder, Sonrai Security. Sandy was the co-founder and CTO of Q1 Labs, which was acquired by IBM in 2011. At IBM, Sandy became the CTO for the global security business and worked closely with research, development, marketing, and sales to develop new and innovative solutions to help the IBM Security business grow to ~$2B in annual revenue. Thanks to this week's podcast sponsor, Sonrai Security. Identity and data access complexity are exploding in your public cloud. 10,000+ pieces of compute, 1000s of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data that exists inside your public cloud. On this episode of Defense in Depth, you’ll learn: You can't just migrate to public cloud and secure things like you secure your on-premise servers and applications. You have to think cloud-native in all security decisions. Cloud migrations intensify the focus between data and identity. "Security as an afterthought" is never a good plan. Those who succeed build security into the migration. Don't let IT broker a deal to migrate to cloud and then bring in cyber after the fact. In the cloud, knowing where your data is one step, securing the data is another. There's a multitude of variances with data. There are the API controls on data, who has access through those APIs, is the data cloned or cached, and how are permissions being adjusted to that data? Start by knowing who and what should access your data and build your controls from there. The people side of securing cloud migration is critical. If your staff is not properly trained, a single mistake can be extremely expensive. Speeds in the cloud, especially if you've got a DevOps and CI/CD approach, can make problems move at lightening speed. There's a need for automation and to continuously monitor your controls and coverage. Get ahead of problems. DevOps learned the fail fast technique, but also the ability to recover quickly. If security wants to play as well, they have to develop the same strategy and tools.
7/16/2020 • 25 minutes, 54 seconds
API Security
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-api-security/) APIs are gateways in and out of our kingdom and thus they're also great access points for malicious hackers. How the heck do we secure them without overwhelming ourselves? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest, Roey Eliyahu, CEO, Salt Security. Salt Security protects the APIs at the core of SaaS, web, and mobile applications. By using patented behavioral protection Salt Security automatically and continuously discovers and learns the granular behavior of each unique API and stops attacks. In 2020 Salt Security was named a Gartner Cool Vendor in API Strategy. On this episode of Defense in Depth, you’ll learn: The skill set needed to secure APIs is different than web security. The move towards the cloud, DevOps, and the need to have security tools talk to each other has brought a lot more attention to the need for API security. Like in all areas of security, just knowing what you've got is a struggle. Same is true with APIs. Just knowing what APIs you have is not enough. You must know their functionality. Map your APIs to the systems and the data their transmitting. How aware are your developers of the pitfalls of API misuse? There's a myriad of security options but start with strong authenticate using hash-based message authentication. Much of the advice we got was simply shrinking the API attack surface. This can be done by either limiting the functionality of the API or removing unused APIs. The "review the code" advice that we heard often is sadly not realistic. APIs are resistant to both automatic and manual code review. API security seems like a 300 or 400 level security effort. Smaller companies that don't have a security operations center (SOC) may simply not be able to handle it and will need to outsource their API security and SOC needs to a third party or managed security service.
7/9/2020 • 23 minutes, 28 seconds
Shared Threat Intelligence
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-shared-threat-intelligence/) We all know that shared intelligence has value, yet we're reticent to share our threat intelligence. What prevents us from doing it and what more could we know if shared threat intelligence was mandated? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest, Joel Bork (@cincision), senior threat hunter, IronNet Cybersecurity. Thanks to this week's podcast sponsor, IronNet Cybersecurity. To combat sophisticated cyber threats, companies are increasingly adopting collective defense strategies to actively share intelligence with peer organizations to improve the detection capabilities of the collective. Through faster sharing of behavioral analytics, signature-based, and human threat insights, organizations can more effectively spot malicious activity and reduce attacker dwell time. More on IronNet Cybersecurity. On this episode of Defense in Depth, you’ll learn: We all benefit from sharing threat intelligence, so why don't we do it? If threat data is public, is it useful? The argument is that if the good guys know about the threat intelligence, then all the bad guys know as well. But that's if it's in a public forum. If threat intelligence was shared in a more rapid, comprehensive, and secure manner it would have more utility. Sometimes the "intelligence" a company first gets is just a data feed. There has to be a greater discussion of the risks of sharing as compared to the upside. Often, it's so easy to shut the doors and not share with the benefit never calculated into the equation. When an organization is in the middle of their security maturity curve, they hold all their data as close to their chest as possible. As they continue on their journey and continue to learn lessons along they way, they begin to understand that collaboration will help the community as a whole - including themselves. Threat data is really not what professionals need. What they need is intelligence. And this requires a way to onboard and make sense of the data on its own and in aggregate and over time. Each of us are collecting different pieces of the threat landscape puzzle. If someone doesn't provide their piece, then we have an incomplete puzzle and there are now holes in our knowledge and ability to protect ourselves. Threat intelligence does not hold the same weight for every user. What's valuable to someone may not be of value to another. And you may be holding onto that data that you don't necessarily think is valuable. You want threat intel to be actionable, not necessarily responding automatically. We spoke of threat intel with the analogy of animals traveling in herds for protection. The attackers often pick off the weak ones, but when everyone is working together, the stronger animals can actually protect the weak. Even with everything we know and value with shared threat intel, there is still a ton of paranoia around sharing. While there is lots of discussion about data not being identifiable, most choose to opt out of sharing threat intel.
7/2/2020 • 27 minutes, 7 seconds
Drudgery of Cybercrime
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-drudgery-of-cybercrime/) Why does the press persist on referring to all cyber breaches as sophisticated attacks? Is it to make the victim look less weak, or do they simply not know the tedium that's involved in cybercrime? Check out this post by Brian Krebs for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Steve Zalewski, deputy CISO, Levi Strauss. Thanks to this week's podcast sponsor, IronNet Cybersecurity. To combat sophisticated cyber threats, companies are increasingly adopting collective defense strategies to actively share intelligence with peer organizations to improve the detection capabilities of the collective. Through faster sharing of behavioral analytics, signature-based, and human threat insights, organizations can more effectively spot malicious activity and reduce attacker dwell time. More on IronNet Cybersecurity. On this episode of Defense in Depth, you’ll learn: There's a dichotomy between how the press glorifies cybercrime as being "sophisticated" when the reality is much of cybercrime is drudgery. Most cybercrime is under a pay-for-hire or a web-based service model. Cybercriminals have to deal with many of the same business-related issues we all do, such as support, infrastructure, customer relations, and sales. Given that the cybercriminals are usually doing work for someone else, they have customers and those customers will often complain if they are not getting the expected service. There was question if cybercrime does pay. It seemed that if you had some basic technical talents then legitimate InfoSec was a far more lucrative field that would probably offer benefits that cybercrime couldn't offer. The paper states that low-skilled administrators often don't know much about the systems they maintain. This would lead one to believe they're also far removed from the criminal activity. Many of these claims of the boredom of cybercrime can be made of the InfoSec community as well. Once you understand that cybercrime is a business with a need for ROI like any other business, the goal in protecting oneself is to simply make it too costly and not financially attractive to be hacked.
6/25/2020 • 26 minutes, 5 seconds
Security Budgets
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-security-budgets/) How do you calculate a security budget? Is it a percentage of the IT budget? Something else? And why does it grow so drastically after a breach? Thanks to this week's podcast sponsor, IronNet Cybersecurity. To combat sophisticated cyber threats, companies are increasingly adopting collective defense strategies to actively share intelligence with peer organizations to improve the detection capabilities of the collective. Through faster sharing of behavioral analytics, signature-based, and human threat insights, organizations can more effectively spot malicious activity and reduce attacker dwell time. More on IronNet Cybersecurity. On this episode of Defense in Depth, you’ll learn: The general consensus among the community is cybersecurity is a spend it now or spend more later decision. While everyone wants to find a metric to determine how much to spend on cybersecurity, there doesn't seem to be any that are useful. The CISO's job is to provide data about risks so the business can make the decision about cybersecurity spending. Most assume that after a breach there's more cybersecurity budget, but what you get first is cooperation. Look at security as a market differentiator. What if you could withstand a cyber attack but your competition couldn't? Or possibly you could deliver a higher level of reliability to your customers. How would your business be perceived by the market? A business impact analysis calculator can help understand your risk levels. Allan Alford has one his site. Many felt the biggest cost to a company suffering a breach isn't loss of data or the regulatory fines, but the damage to the company brand. The cost of proactive protection always beats the cost of suffering a data breach. One listener recommended that MBA programs should have a breach case study as part of their curriculum.
6/18/2020 • 25 minutes, 43 seconds
Role of the BISO
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-role-of-the-biso/) What is a business information security officer or BISO? Do you need one? Is it just an extension of the CISO or is it simply taking on the business aspect of the CISO role? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Nicole Dove (@IssaUrbanGirl), BISO, ADP, and host of Urban Girl Corporate World podcast. Thanks to this week's podcast sponsor, Deep Instinct. Deep Instinct is changing cybersecurity by harnessing the power of Deep Learning to prevent threats in zero time. Deep Instinct’s on-device, solution protects against zero-day, APT, ransomware attacks, and against both known and unknown malware with unmatched accuracy and speed. Find out more about the solution’s wide covering platform play. On this episode of Defense in Depth, you’ll learn: A BISO becomes very valuable where they can be mapped to a specific business unit (by locale or business line). The BISO role has become important because practically all companies are reliant on data and technology. The BISO must have power to do their job. That requires autonomy and decision making ability. Another way to describe a BISO is as a senior business analyst with a security focus. From CISO to project manager, roles change often for a BISO. Geo-aligned positions for BISOs have become extremely valuable in light of different and growing territorial regulations. BISO is a good role for a wannabe CISO. Only large companies have room for a BISO. A BISO who can cozy up to a particular business units sales strategy is of enormous value. Make sure the BISO is actually bringing value and not just acting as a gatekeeper between security and the business.
6/11/2020 • 28 minutes, 52 seconds
Shared Accounts
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-shared-accounts/) As bad as all security professionals know, shared accounts are a fact in the business world. They still linger, and from an operational standpoint they're hard to secure and get accountability. Why are they still around and what can be done about them? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Jake King (@jakeking), CEO, Cmd. Thanks to this week's podcast sponsor, Cmd. Cmd provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems. On this episode of Defense in Depth, you’ll learn: As much as it makes security professionals cringe, shared accounts are a business reality that can't be avoided. Certain business processes force shared accounts to exist, but that doesn't mean as a security professional you shouldn't grill to find out why the shared account exists and if there's a way you can remove that shared privilege. Get an inventory of your shared accounts. Also, you can do this with mapping credentials with location information. Time pressures in a physical environment often force shared accounts. You need to shine a light on shared accounts even if they're not going to go away. It's part of your GRC (governance, risk, and compliance) program. There are compensating controls one can put around shared accounts such as password rotation, monitoring usage, and alerts. Privileged access management (PAM) is the favorite solution for dealing with shared accounts. Often you don't need compensating controls if you have a dynamic PAM solution in place. The need for accountability is key here. If you don't have an equal understanding of its importance then those eventual issues are simply going to magnify.
6/4/2020 • 26 minutes, 21 seconds
Bug Bounties
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-bug-bounties/) What is the successful formula for a bug bounty program? Should it be run internally, by a third party, or should you open it up to the public? Or, maybe a mixture of everything? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Justin Berman (@justinmberman), head of security, Dropbox. Thanks to this week's podcast sponsor, Cmd. Cmd provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems. On this episode of Defense in Depth, you’ll learn: Like red teaming, you need outside eyes looking at your environment and vulnerabilities. There was much debate between internal, private, and public bug bounty programs. But it was agreed that if you do them, that you do them in that order. There was another concern regarding the cost of a bug bounty program. Whether you do them or not, you're still going to pay for coding errors and vulnerabilities one way or another. It's either upfront or later. Those new to bug bounty programs are not aware of the additional costs of management and engaging with the researchers and white hat hackers. That is a critical part of the bug bounty program. Before you begin, set up a system to manage the flow of problems reported. If not, you and your staff could very quickly be overwhelmed. Having a consistent and clear way you handle the findings is often more important than the findings. Have you allocated budget to remediate the findings? Are you going to need to make cases as each weakness is found? Keep in mind that companies don't go into bug bounty programs for the same reason. Some go into it for reasons of publicity or forming relationships with researchers. Communications between your engineers and the bug bounty researchers is critical. If your team is non-responsive, the bug bounty program could backfire. Most people are wary of public bug bounty programs because of the low signal-to-noise ratio. As there is a rush for attention and money, the whole effort may implode.
5/28/2020 • 29 minutes, 30 seconds
Data Classification
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-data-classification/) The more data we horde, the less useful any of it becomes, and the more risk we carry. If we got rid of data, we could reduce risk. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Nina Wyatt, CISO, Sunflower Bank. Thanks to this week's podcast sponsor, Cmd. Cmd provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems. On this episode of Defense in Depth, you’ll learn: Usable, user-friendly, viable-in-every-scenario data protection that is invisible, seamless, and always on does not exist, but could exist, and should exist. Classification tools that tout automation, really aren't. There is still a good amount of manual intervention. Another way to solve the data protection issue is to get rid of data. Our data protection problem amplifies as we find ourselves protecting more data. But a lot of data simply doesn't need to be protected. It could be classified for non-protection or just destroyed. Data is mostly unstructured and it needs to be structured to the sense that you know how data is flowing, and that is extremely difficult to do. We spend more time on hardware and networking diagrams but what we should be doing is diagramming data flow. Mandate retention limits on data. People don't like it, but it's going to make you a lot safer. Just mandate the lifespan of data. If it's not needed or accessed in a certain period of time, archive it or possibly kill it. People think holding onto data is costless, but reality is the more you hold onto it becomes very costly from a security perspective. Utility to you vs. utility to the bad guys is relative. For example, a bank statement from five years ago has little utility to you now, but if a bad guy is looking for information, that has the same value as a bank statement from today. The questions you need to be asking: Is your data sensitive, does it have open permissions, how long has it been since the data was accessed? Data with PII is both an asset and a liability. Classifying data also has a major problem with consistency. Often data can be put into multiple categories or classes. Security of data is usually not the factor many consider. We are often thinking about the security around data.
5/21/2020 • 24 minutes, 41 seconds
Prevention vs. Detection and Containment
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-prevention-vs-detection-and-containment/) We agree that preventing a cyber attack is better than detection and containment. Then why is the overwhelming majority of us doing detection and containment? Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Steve Salinas (@so_cal_aggie), head of product marketing, Deep Instinct. Thanks to this week's podcast sponsor, Deep Instinct. Deep Instinct is changing cybersecurity by harnessing the power of Deep Learning to prevent threats in zero time. Deep Instinct’s on-device, solution protects against zero-day, APT, ransomware attacks, and against both known and unknown malware with unmatched accuracy and speed. Find out more about the solution’s wide covering platform play. On this episode of Defense in Depth, you’ll learn: A recent Ponemon study notes that most security professionals agree that prevention is a better security strategy than detection and containment. Even with the acceptance that prevention is a better security posture, most security spending goes into detection and containment. By implementing firewalls, patching, and security training, many of us are already doing prevention, but may not classify it as such. Prevention is not nearly as expensive as creating a detect and respond security program. The two halves work in concert together. No prevention program can be perfect, and that's why you always need a detect and contain program as well. The reason you don't only go with detect and respond without prevention is that the flood of valid information will be too much for a security program to handle. There was a strong argument for detect and respond because it shows the products you spent money on are actually working. This is not just to humor the security professional, but also to give some "evidence" to the senior executives. A lot of prevention comes down to the individual. But since it's so tough to get people to change behavior, there's less friction to just purchase another prevention tool to protect people from their own behavior. Prevention tools won't stop the attackers who sit dormant on a network waiting to attack. Their behavior has to be spotted with the use of detection and containment.
5/14/2020 • 26 minutes, 40 seconds
Asset Valuation
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-asset-valuation/) What's the value of your assets? Do you even understand what they are to you or to a criminal looking to steal them? Do those assets become more valuable once you understand the damage they can cause? Check out this post for the basis for our conversation on this week’s episode which features me and Allan Alford. Our guest is Bobby Ford, global CISO, Unilever. Thanks to this week's podcast sponsor, CyberArk. At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls. On this episode of Defense in Depth, you’ll learn: Allan revised the well known formula for risk (Risk = Likelihood x Impact) to reflect an asset's importance. So instead, Risk = Threat plus Vulnerability as aimed at an Asset. It's hard to get a stakeholder to tell you the value of their assets. Instead, ask them the reverse. Describe the absolute worst breach scenario. What's the second worse? And then on down until you have an understanding of the hierarchy of the assets. A business impact analysis (BIA) will also help uncover asset valuation. Allan Alford has a BIA calculator on his site. The simple question of "What are you defending?" is one that most business leaders struggle to answer. They need to be able to answer that question often. Once you know what to defend the question is how much to defend and then after that is there anything that doesn't need to be defended. You may actually not be able to start this process if you doing know what your asset inventory is. This should be managed with a discovery tool and multiple iterations of discovery. While you're valuing your own assets, try to make sense of what these assets mean to an attacker. That will help you answer the question of "how much to defend".
5/7/2020 • 28 minutes, 26 seconds
DevSecOps
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-devsecops/) We know that security plays a role in DevOps, but we've been having a hard time inserting ourselves in the conversation and in the process. How can we get the two sides of developers and security to better understand and appreciate each other? Check out this post and this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Sumedh Thakar (@sumedhthakar), president and chief product officer, Qualys. Thanks to this week’s podcast sponsor, Qualys. Qualys is a pioneer and leading provider of cloud-based security and compliance solutions. On this episode of Defense in Depth, you’ll learn: It's debatable whether the term "DevSecOps" should even exist as a term. The argument for the term is to just make sure that security is part of the discussion, but security people feel that's redundant. Security is not an additional process. It should be baked in. It's an essential ingredient. But should it really be seen as "embedding" or rather a partnership? Developers and operations operate as partners. Instead of dumping security tools on developers and just demanding "implement this" security needs to go through the same transition development had to go through to be part of "Ops". As DevOps looks forward to what's next, how can security do the same? Security is unfortunately seen as an afterthought, and that's antithetical to the DevOps philosophy. Security is an innate property that imbues quality in the entire DevOps effort. Security will slow down DevOps. It's unavoidable. Not everything can be automated. But, if you deliver the security bite-sized chunks you can get to an acceptable level of speed. Business needs to specify the security requirements since they were the ones who specified the speed requirements. That's how we got to DevOps in the first place.
4/30/2020 • 26 minutes, 39 seconds
Fix Security Problems with What You've Got
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-fix-security-problems-with-what-youve-got/) Stop buying security products. You probably have enough. You're just not using them to their full potential. Dig into what you've got and build your security program. Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Brent Williams (@brentawilliams), CISO, SurveyMonkey. Thanks to this week's podcast sponsor, Deep Instinct. Deep Instinct is changing cybersecurity by harnessing the power of Deep Learning to prevent threats in zero time. Deep Instinct’s on-device, solution protects against zero-day, APT, ransomware attacks, and against both known and unknown malware with unmatched accuracy and speed. Find out more about the solution’s wide covering platform play. On this episode of Defense in Depth, you’ll learn: It's very possible you're not using the tools you've purchased to their full potential. What would happen if you completely stopped buying security products and tried to fix your problems with the tools you've already purchased? The reason this is such a popular discussion is that as an industry we're still struggling with managing the fundamentals of security. Shelfware happens because we buy before we're ready. Purchase decisions should be made in conjunction with knowing if you have the staff and understand the integration points to implement the solution. Tooling for the few layers must be dealt with first. You don't need a solution selling a higher layer of security if you don't have the foundation built. Much of this argument is based on the messaging we hear from vendors. They're understandably in the business of selling product. Be cognizant of how you're absorbing information. We need to also focus on the people who unfortunately are fallible and can make non-malicious, but poor decisions. If there was going to be any additional spending, the argument was to invest in your people - from the entire staff to specific training for your security staff.
4/23/2020 • 28 minutes, 22 seconds
Should Risk Lead GRC?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-should-risk-lead-grc/) Defining risk for the business. Is that where a governance, risk, and compliance effort should begin? How does risk inform the other two, or does calculating risk take too long that you can't start with it? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Marnie Wilking (@mhwilking), global head of security & technology risk management, Wayfair. Thanks to this week’s podcast sponsor, Qualys. Qualys is a pioneer and leading provider of cloud-based security and compliance solutions. On this episode of Defense in Depth, you’ll learn: The model of risk = likelihood x impact doesn't take into account the value of assets. Assets have to be valued first before you calculate risk. Is the reason risk isn't used to lead governance, risk, and compliance (GRC) because it's so darn hard to calculate? Many CISOs say their toughest job starting out is trying to understand what the crown jewels are and what the board's risk tolerance is. Risk management allows the board to know when you have enough security. Some assets may require eight layers where others may only require one or two. Determining likelihood of an attack involves a good amount of guesswork. We've discussed on a previous episode of CISO/Security Vendor Relationship Podcastthat we don't go back to see how good our risk predictions were. If you want to get better at it, you should. Otherwise, it will always be guesswork. Even if you can get someone to agree what their risk tolerance is, or what asset is of importance, trying to get agreement among a group can be a blocker. Keep in mind that each person is going to have a different viewpoint and concerns. Knowing risk appetite is critical. You can apply security controls without knowing it, but that's providing a unified security layer across all data, people, and applications when they are all not equal when it comes to asset valuation.
4/16/2020 • 24 minutes, 57 seconds
Responsible Disclosure
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-responsible-disclosure/) Security researchers and hackers find vulnerabilities. What's their responsibility in disclosure? What about the vendors when they hear the vulnerabilities? And do journalists have to adhere to the same timelines? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Tom Merritt (@acedtect), host, Daily Tech News Show. Thanks to this week’s podcast sponsor, Qualys. Qualys is a pioneer and leading provider of cloud-based security and compliance solutions. On this episode of Defense in Depth, you’ll learn: Manufacturers, software companies, researchers, hackers, and journalists all play a role in responsible disclosure. Vulnerabilities will exist, they will be found, and how companies want to be alerted about those issues and inform their public are key elements in the process of responsible disclosure. While there are CERT guidelines for responsible disclosure, there are no real hard and fast rules. There will always be judgement calls involved. But like the doctor's Hippocratic Oath, the goal is to minimize harm. You can't announce a vulnerability without offering a fix. It's opening the door to the bad guys to come in and cause havoc. There is a long history of how vulnerabilities have been disclosed. It often was a surprise and malicious. The trend of responsible disclosure and bug bounties has given rise to the legitimacy of white hat hackers and the process of exposing vulnerabilities. One listener argued that the term "responsible disclosure" implies a moral judgement. He argued that it should be referred to as "coordinated disclosure." There is still frustration on multiple sides with how responsible disclosure should be handled. Researchers sometimes argue they're not getting recognized or paid. Companies often feel extorted by researchers who want answers on their timelines. And journalists have to weigh the importance and criticality of a vulnerability. Should they let people know about it even if there really isn't a good fix yet.
4/9/2020 • 25 minutes, 10 seconds
Internet of Things
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth:-internet-of-things/) When Internet of Things or IoT devices first came onto the market, security wasn't even a thought, let alone an afterthought. Now we're flooded with devices with no security and their openness and connectivity are being used to launch malicious attacks. What are methods to secure environments today and how should these IoT devices being secured in the future? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Josh Corman (@joshcorman), founder of I Am The Cavalry. Thanks to this week’s podcast sponsor, Pulse Secure. Pulse Secure offers easy, comprehensive solutions that provide visibility and seamless, protected connectivity for hybrid IT in a Zero Trust world. Over 20,000 enterprises entrust Pulse Secure to empower their mobile workforce to securely access applications and information in the data center and cloud while ensuring business compliance. On this episode of Defense in Depth, you’ll learn: For years, manufacturers didn't consider device security. As a result, attackers have used insecure devices like connected webcams to gain entry into a corporate network. If you're manufacturing devices, then make security and patches a top concern even after end of life support. Big gap between public trust and the reality. Almost all people trust manufacturers to secure their devices. The reality is most manufacturers aren't securing their devices. While we've seen webcams used to launch distributed denial of service (DDoS) attacks, the greatest concern is of a similar style attack being launched against industrial IoT. The discussion of IoT security goes beyond security of devices. We know there are devices with zero security connected to our network. This is where a larger discussion of zero trust and defense in depth style security programming comes into play. We have a growing number of unmanaged devices. Devices that are just always on and connected to the Internet providing simple functions like reading their environment. How much responsibility do manufacturers have for the security of their devices after they've been purchased and shipped? They can create updates and patches, but they can't enforce them.
4/2/2020 • 29 minutes, 13 seconds
Is Governance the Most Important Part of GRC?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-is-governance-the-most-important-part-of-grc) Your policy should rarely change. But your ability to achieve that policy is found in procedures or governance that should inform, steer, and guide your team. Those procedures should change often and others should follow. Are they? Check out this post for the basis for our conversation on this week’s episode which features me and Allan Alford. Our guest is Mustapha Kebbeh (@mustaphake), CISO, Brinks. Thanks to this week's podcast sponsor, CyberArk. At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls. On this episode of Defense in Depth, you’ll learn: By leading with governance, how do you make a governance, risk, and compliance (GRC) program meaningful? Without the right governance it will be hard to accomplish the bigger picture. GRC requirements have to adhere to the three A's: actionable, accountable, and achievable. GRC programs require strong leaders. Without them, nobody will follow a governance effort. There was debate on whether risk or governance should lead the GRC effort. But everyone appeared to agree that leading with compliance is very dangerous. A list of rules, or governance, is completely pointless if it's not enforced. Enter risk, compliance, and a good leader and you've got the opportunity for enforcement. Governance that's not tied to risk will probably be ignored and therefore useless. The argument to lead with risk is because it has applicability to the business where it's questionable with governance and compliance. But for the purpose of this episode's argument, we were making a case for governance leading the conversation. The main argument for governance over risk is that you can't truly understand the risk if there isn't some type of structure to understand what you're dealing with.
3/26/2020 • 27 minutes, 16 seconds
Who Should the CISO Report To?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-who-should-the-ciso-report-to/) Who should the CISO report to? What factors determine that decision? And why is that single decision so critical to a company's overall security? Check out this post for the basis for our conversation on this week’s episode which features me, special guest co-host Yaron Levi (@0xL3v1) CISO, Blue Cross Blue Shield of Kansas City. Our guest is Gary Harbison, vp, global CISO, Bayer. Thanks to this week's podcast sponsor, IBM Security. IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research, provides security solutions to help organizations stop threats, prove compliance, and grow securely. IBM operates one of the broadest and deepest security research, development and delivery organizations. It monitors more than two trillion events per month in more than 130 countries and holds more than 3,000 security patents. On this episode of Defense in Depth, you’ll learn: We're having this discussion because as Allison Berey, M:CALIBRATE explained, "Wrong reporting lines can mean poor decision-making." There is no definitive answers as to what the reporting line should be. The final answer on this this discussion was "it depends." A CISO's placement within an organization should depend on where a company derives its value. All companies say security is important. How they place the CISO within the reporting structure and the influence they have on the organization is very telling as to whether the company truly does value security. There was a lot of concern reporting to other C-level executives that are not the CEO as the CISO's concerns could play second fiddle to a CFO, CIO, or CRO's primary desires. Many felt the most desirable reporting line was CISO-to-CEO. But, assuming every department is dealing with some sort of business risk, don't they all have the right to report to the CISO? Where do you draw the line?
3/19/2020 • 24 minutes, 35 seconds
Hybrid Cloud
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-hybrid-cloud/) The consistency of your security program becomes a challenge once you introduce the cloud. Controls and visibility are not necessarily transferable. How do you maintain the control you want in a hybrid environment? Check out this post for the basis for our conversation on this week’s episode which features me, special guest co-host Taylor Lehmann (@BostonCyberGuy), vp, CISO, athenahealth, and our sponsored guest, Chris Meenan (@chris_meenan), director, offering management and strategy, IBM Security. Chris Meenan, director, offering management and strategy, IBM Security, David Spark, producer, CISO Series, Taylor Lehmann, vp, CISO, athenahealth. Thanks to this week's podcast sponsor, IBM Security. IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research, provides security solutions to help organizations stop threats, prove compliance, and grow securely. IBM operates one of the broadest and deepest security research, development and delivery organizations. It monitors more than two trillion events per month in more than 130 countries and holds more than 3,000 security patents. On this episode of Defense in Depth, you’ll learn: Moving to the cloud, like any other technology initiative, is a business decision. What controls are you ceding over to the cloud provider? What service level agreements (SLAs) and performance measurements do you have for the provider? Be realistic about what’s going to be done if a service provider violates the SLA. You’re not going to all of a sudden dump the provider. You’re going to put some types of corrections in place. Make sure you know what those are and how that can be handled, realistically. Understand your shared responsibility in the cloud. According to a report by FireMon on hybrid cloud use and adoption, about one-third do not fully understand the shared responsibility model of the cloud. Start slow. While you may need to go with multiple cloud providers to fill distribution and requirements, begin with one and learn from that experience. Use cloud adoption as an excuse to join forces with your privacy team to understand where data is being placed and what control you have over it. Cloud providers are not interchangeable like a utility. Cloud providers are chosen based on the services they offer.
3/12/2020 • 27 minutes, 45 seconds
CISO Tenure
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ciso-tenure/) The CISO has the shortest tenure of any C-level role. Why so brief? Is it the pressure, the responsibility, the opportunities, or all of the above? Check out this LinkedIn discussion to read the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers. Our guest is John Meakin, CISO, Equiniti. Thanks to this week's podcast sponsor, IBM Security. IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research, provides security solutions to help organizations stop threats, prove compliance, and grow securely. IBM operates one of the broadest and deepest security research, development and delivery organizations. It monitors more than two trillion events per month in more than 130 countries and holds more than 3,000 security patents. On this episode of Defense in Depth, you’ll learn: There's a lot of confusion as to what a CISO needs to do. All job descriptions for CISOs are different. There are humans behind the data and as a result CISOs are tasked with protecting the humans. CISOs can improve their tenure if they seek out a business mentor to allow them to better support the business. CISOs who aren't able to communicate clearly will not last long. It's a CISO's job to communicate in the language of the business, not the other way around. Before the CISO ever arrives, there's a business culture. There's always going to be a natural push back from the business. "Why are you making us change?" A simple walkabout the office can solve a lot of uncertainty. If employees start asking questions about their personal security, that's a good sign the CISO has successfully inserted security into the business culture. Another huge factor that impacts CISO tenure are the increased opportunities. Regulations and privacy laws are pushing companies to get CISOs to provide much needed oversight. What does the reporting structure in your organization mean in regards to the CISO being heard at the executive and board level?
3/5/2020 • 29 minutes, 16 seconds
Toxic Security Teams
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-toxic-security-teams/) There's an endless number of variables that contribute to creating a toxic security teams. How does it happen, and what are ways to manage and eradicate the toxicity? Check out this LinkedIn discussion to read the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Jinan Budge (@jinan_forrester), principal analyst serving security & risk professionals at Forrester. On this episode of Defense in Depth, you’ll learn: Toxic security teams happen because of tribalism, not just within security, but across all departments. Security is seen as an expense and an IT problem and many don't think it's everyone's issue. One core issue is the lack of security culture and management simply not supporting the InfoSec team's efforts. There are many ways a security team's culture can become toxic. The issues are so numerous that it seems more of a challenge to prevent a team from its natural tendency to go sideways. The hero mentality of one individual, who thinks only he/she can solve the problem, can poison an entire group. It can be argued that it's an issue of ego, but many see it as insecurity. Often the individual needs to prove to themselves and others in order to maintain their cybersecurity rockstar status. A toxic security team will have a very hard time hiring new staff. People will leave and tell others you don't want to work there. If you have a diverse team and there's toxicity, the team won't last. There's an enormous cost to disengaged employees.
2/27/2020 • 25 minutes, 34 seconds
Personality Tests in the Workplace
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-personality-tests-in-the-workplace/) As a cybersecurity leader, should you use personality tests for hiring and managing a team? Does it create diversity, understanding of communication styles, or does it just create more conflict? Check out this LinkedIn discussion to read the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Ursula Alford, psychologist, Department of Neuropsychology, Baylor Scott & White Institute of Rehabilitation. On this episode of Defense in Depth, you’ll learn: There is plenty of debate as to whether a security leader should use personality tests, such as Myers-Briggs, for hiring or managing employees. Almost universally, no one wanted to use the tests for hiring as it creates bias, but many saw value in using them for managing employees. About half of the people who participated in the discussion just wanted to steer clear of personality tests altogether, never wanting to force their employees to take them either. The tests reveal individuals' preferred communication styles which can be helpful for customizing employee management. This is the main reason they're used. Don't mistake these tests as defining who you are in the future. It's a test to measure personality and communications in a moment in time. People are often asked to take these tests repeatedly and we often score differently with our personalities changing. Meyers-Briggs definitely has issues with validity and reliability. One significant value to any personality test is to see if you're getting a variety of thought patterns on your team. If you're not, then you may be building the wrong team.
2/20/2020 • 23 minutes, 26 seconds
Lack of Diversity in Cybersecurity
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-lack-of-diversity-in-cybersecurity/) Cybersecurity teams are notoriously not diverse. At the same time we keep hearing and talking about the need for diversity. Is it critical? Can you be just as successful without it? Check out this Twitter feed for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Christopher Zell, vp, head of information security, The Wendy's Company. Thanks to this week's sponsor, Electronic Frontier Foundation. On this episode of Defense in Depth, you’ll learn: Discussion is based on a quote by one PayPal co-founder, Max Levchin, who said, "The notion that diversity in an early team is important or good is completely wrong. You should try to make the early team as non-diverse as possible." There is diversity of people and there's diversity of opinions. Those two often go together, but they don't have to. While appalling, there is some truth to Levchin's statement. When everyone thinks the same you don't have conflict and can move quickly. But lack of diversity of opinion means you don't see the full picture and that can make you susceptible to unforeseen vulnerabilities. If you don't know what problems you're facing, you should want diversity. Minorities often face different and more struggles than those who never have to suffer diversity issues. They've been hardened and that should make them an even more attractive candidate. Start building your diverse network now. When it comes time to hire diversity and you don't have that network already in place, you're going to have a very difficult time. For more, check out the (ISC)^2 study "Innovation Through Inclusion: The Multicultural Cybersecurity Workforce" and Computerworld article, "The next tech skillset is ‘differently-abled neuro-diverse’".
2/13/2020 • 27 minutes, 50 seconds
When Are CISOs Responsible for Breaches?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-when-are-cisos-responsible-for-breaches/) When is a CISO responsible for a breach or cyber incident? Should they be disciplined, fired, or let go with an attractive payout? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Norman Hunt (@normanhunt3), deputy CISO, GEICO. On this episode of Defense in Depth, you’ll learn: On the onset, one may want to jump to finding liability. But a CISO's responsibility should not be isolated at the moment of the breach. There are more issues to consider, such as authority, accountability, efficacy, and expectations. Be wary of assigning accountability if the CISO didn't have the authority to actually carry out his/her intended plan. Often the CISO is seen as a necessary scapegoat when there is a breach. It shows an aggressive move by the company to make a change, but then they'll have to go ahead and hire another CISO, probably at a much higher salary (see last week's episode). When are you measuring the performance of the CISO? Is it as they build the security program, or is it only at the moment of the breach? How well does a CISO handle the breach when it happens and how well do his direct reports and the rest of the company handle it? That's a better measurement of the efficacy of the CISO. CISOs are held to a higher level of expectation to prevent a risky event from happening. CIOs, CEO, and CFOs are not held to the same standard. Even the best CISOs will suffer a breach. It's a single point in time. It sure is a very bad point in time, but what are the events that led up to this moment. Were they building out a security program and were there improvements or was staff education and leadership falling short? The best standard of measurement of a CISO is how well do they communicate and implement security and risk decisions? Failure may be at the definition of the role of the CISO. A CISO's role and its responsibilities are far from standardized.
2/6/2020 • 28 minutes, 37 seconds
Post Breach Desperation and Salary Negotiations
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-post-breach-desperation-and-salary-negotiations/) A data breach usually spells financial and reputational disaster. But such an event can also be an opportunity for a security professional to capitalize. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Michael Piacente, co-founder and managing partner, Hitch Partners. Thanks to this week’s podcast sponsor, Anomali. Anomali is a leader in intelligence-driven cybersecurity solutions. Anomali turns threat data into actionable intelligence that drives effective security and risk decision making. Customers using Anomali identify cyber threats from all layers of the web, automate blocking across their security infrastructures, and detect and remediate any threats present in their networks. www.anomali.com On this episode of Defense in Depth, you’ll learn: Salary negotiation is a topic that is always in vogue, but the post-breach angle shows the value companies are eventually seeing in the CISO role. Unfortunately for them they realize it after the fact. A bad breach incident will cost far more than an investment in a good security team. But that's your insurance policy. Location, industry, and size of company are all key factors on whether or not a CISO will be able to command a seven figure salary. Industry specific skills will definitely come into play. If a bank is breached and you've been a security professional or a CISO at multiple banks that has maintained its cybersecurity without any significant incidents, then you have a lot of leverage. When a company needs a CISO to right the ship, they're going to want someone who has gained skills in the areas of communicating with the board, strategy, vision, leadership, and successfully creating a pro-security culture. Negotiating salary is not just isolated to CISO role. There are cloud security architects that are in high demand and can garner a much higher wage than just a couple years ago. Threats outnumber security people regardless of their rank. There's no one person that's going to prevent breaches. But if you have a poor security culture, then a company will need to pay for the talent to get it operating in the right direction.
1/30/2020 • 26 minutes, 20 seconds
Presenting to the Board
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-presenting-to-the-board/) What metrics, reports, or strategies should a security professional utilize to communicate the value to the board? Or is the mode of "presenting to the board" a damaged approach? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Barry Caplin (@bcaplin), executive leadership partner, Gartner. Thanks to this week’s podcast sponsor, Anomali. Anomali is a leader in intelligence-driven cybersecurity solutions. Anomali turns threat data into actionable intelligence that drives effective security and risk decision making. Customers using Anomali identify cyber threats from all layers of the web, automate blocking across their security infrastructures, and detect and remediate any threats present in their networks. www.anomali.com On this episode of Defense in Depth, you’ll learn: A conversation with the board begins with a discussion of what risk is. But getting that information out of the board is far from a simple task. Vague answers are not helpful. Metrics are of value to the board, but avoid offering up tactical metrics. Instead, utilize strategic metrics. Once risk appetite is understood and agreed upon, then it's appropriate to begin a discussion of the security program's maturity. Caplin recommends a four-slide presentation for the board: Where we were, problem areas identified per risk and maturity. What we spent and a bit of why we spent. Where we are now (metrics come into play here). Best to show how much progress you've made in implementing security programs. Where we want to go next, and what the next ask is. If you're going to show a metric, it should answer a very specific question for the board. If you are going to show one metric, the most popular one is dwell time or the time between when an attack happens, when you discover it, and when it's remediated. The one metric of dwell time provides a lot of information as to the maturity of a CISO's security program as it coincides with its ability to respond to incidents. Some CISOs aim for a storytelling approach completely avoiding metrics because metrics have unfortunately led the board down the wrong path. It's either the wrong metrics, too detailed of a metric, or metrics not tied to business risk or to a maturity model.
1/23/2020 • 25 minutes, 11 seconds
The Iran Cybersecurity Threat
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-the-iran-cybersecurity-threat/) The Iran conflict has threatened new retaliations and we don't know where they're going to come from. Cyber retaliation is a real possibility. Who's being threatened and how should we prepare? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Nicholas Hayden, global head of threat intelligence, Anomali. Thanks to this week’s podcast sponsor, Anomali. Anomali is a leader in intelligence-driven cybersecurity solutions. Anomaly turns threat data into actionable intelligence that drives effective security and risk decision making. Customers using Anomali identify cyber threats from all layers of the web, automate blocking across their security infrastructures, and detect and remediate any threats present in their networks. www.anomali.com On this episode of Defense in Depth, you’ll learn: As we're seeing now, it often takes a scare like Iran, to get everyone to pay attention to their threat detection and response capabilities. if you believe you're a target for an APT (advanced persistent threat) you need to also assume it's going to be hidden. If and when you find an APT, also assume it's at the beginning of an attack chain. You're going to have to go deeper. Shutting it off at that moment won't let you understand what's happening. Iran may use the resources of China and Russia as they have hooks into other industries. There's a strong belief that cyber warfare is commingled with organized crime. The two groups need each other. Much of the "how to handle Iran" advice is to focus on foundations, not basics, because it's actually not easy, said Yaron Levi, CISO, Blue Cross/Blue Shield of Kansas City, we use these potential threats as an area of focus. If you are doing the fundamentals, and doing them well, you are doing what you can. You don't have the intelligence that the military has, and therefore, you don't have the ability to craft specific defenses. Beware of complacency and going in and out of "heightened alert". Eventually, people will forget about this perceived impending Iran threat. That's why threat intelligence needs to be handled consistently over time.
1/16/2020 • 26 minutes, 28 seconds
Building a Fully Remote Security Team
Links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-building-a-fully-remote-security-team/) Could you be successful with a fully virtual InfoSec team? Many say it can't be done, while some have actually done it and been successful. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Kathy Wang, former CISO, GitLab. Thanks to this week’s podcast sponsor, Pulse Secure. Pulse Secure offers easy, comprehensive solutions that provide visibility and seamless, protected connectivity for hybrid IT in a Zero Trust world. Over 20,000 enterprises entrust Pulse Secure to empower their mobile workforce to securely access applications and information in the data center and cloud while ensuring business compliance. On this episode of Defense in Depth, you’ll learn: A fully remote team is possible. Our guest was formerly the CISO of GitHub which is a fully remote organization so the concept of remote work was built into the company's DNA. Two of the most important factors to great remote success are each individual's willingness to over communicate and never be afraid to escalate an issue. Not surprisingly, remote work requires top-down support and it starts at the point of hiring. Trust is a two-way street in remote work. Under the umbrella of "over communicating" is documenting everything. Huge benefit of having a remote team is you are no longer competing with location-based hiring. There are talented people all over the world. With your staff living all over the world, you in effect create a 24/7 office network with everyone operating in different time zones. A fully virtual company is perfect for cloud native companies. It can be very costly to place a person physically on site. Saving money is a great side effect of remote staffing. Make sure to have in-person team building events. Kathy does one to two a year and tries to make sure one of them coincides with a big security event like DEFCON, RSA, or Black Hat. One unforeseen benefit of remote work is that you're always able to start meetings on time. Problem with in-person meetings is you're often waiting for another meeting to finish in a room so you can start your meeting.
1/9/2020 • 25 minutes, 33 seconds
Account Takeover
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-account-takeover/) An account takeover traditionally follows a methodical path that takes considerable time before anything bad happens. Is it worth a company's time and effort to be monitoring a potential account takeover at the earliest stages? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Mike Wilson, CTO and co-founder, Enzoic. Thanks to this week’s podcast sponsor, Enzoic. Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through compromised credential detection. Organizations can use Enzoic solutions to screen customer and employee accounts for exposed username and password combinations to identity accounts at risk and mitigate unauthorized access. Learn more about Enzoic. On this episode of Defense in Depth, you’ll learn: Attack takeover (ATO) has a life cycle with multiple (6) steps. The first step is reconnaissance and you need to focus on that to stop the life cycle. There's plenty of talk about sharing OSINT (open source intelligence), but the reality is, and always been, that there are more consumers than contributors. Like any open source endeavor, it can only get better if more people contribute. Account takeover has at its root in stolen credentials, and as we know from sites like "Have I been pwned?" there are billions of stolen credentials floating out there that are consistently being used in credential stuffing attacks. What is your credential situation? How unique are they? Can they be learned? Start threat modeling your existing systems to determine what type of investment you'll need to make in account takeover. You can greatly reduce the risk of ATO by implementing multi-factor authentication (MFA) and privileged access management (PAM). The bad guys are playing the same game as we are and we essentially need to have better reconnaissance than them. Problem is they're sharing information freely and we're not.
12/19/2019 • 25 minutes, 38 seconds
UX in Cybersecurity
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ux-in-cybersecurity/) Security products and programs may be functional and work correctly, but are they usable in the sense that it fits into the work patterns of our users? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Rakesh Patwari (@rakeshpatwari), UX lead, Salesforce and UX instructor at UC Berkeley Extension. Thanks to this week’s podcast sponsor, Enzoic. Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through compromised credential detection. Organizations can use Enzoic solutions to screen customer and employee accounts for exposed username and password combinations to identity accounts at risk and mitigate unauthorized access. Learn more about Enzoic. On this episode of Defense in Depth, you’ll learn: There is the path to security you create and the path that your users take, or the desired path. As a security and UX professional you should plan to make those two the same path. If not, your users will take the simpler route and circumvent your security controls. Users will always choose the easier path which is not necessarily the most secure path. Security is an "ask." You're requesting users do something, but it's hard to get them to keep doing that "ask" if you don't give them feedback as to the reason or value of the ask. Error messages historically provide little to no information to the user and thus no guidance to solve the problem. We often have to go outside of the environment (a search engine) to find a solution. Security professionals need to take on the role of a UX designer which requires defining work processes by interviewing users, not deciding what you want those processes to be. Creating a simple process is far more difficult than creating a complex process. Secure processes don't require users to constantly turn functions on and off or go through additional unnecessary steps to get their job done. View your users as customers where you're trying to sell them on your process rather than dictating which will eventually be avoided.
12/12/2019 • 26 minutes, 31 seconds
InfoSec Trends for 2020
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-infosec-trends-for-2020/) We're coming to the end of the year and that means it's time to make our predictions for 2020. Mark this episode and check back in one year to see how we did. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Rob Potter, chief revenue officer for Verodin. Thanks to this week’s podcast sponsor, Verodin. The Verodin Security Instrumentation Platform proactively identifies gaps in security effectiveness attributable to equipment misconfiguration, changes in the IT environment, evolving attacker tactics, and more. Learn how Verodin, part of FireEye, has made it possible for organizations to validate the effectiveness of cyber security controls, thereby protecting their reputation and economic value. On this episode of Defense in Depth, you’ll learn: More large scale breaches is not a prediction. At this stage that's an inevitability. ML/AI/Blockchain will continue to be oversold and under-delivered. Most cloud breaches are configuration errors. They are not mastermind attacks. They can't be called a breach if they were never secured properly in the first place. Note that cyber insurance does not pay out unless proper protections were in place. "Better" cloud and Internet of Things (IoT) security is not possible given how far it's been mismanaged up to this point. There are so many insecure nodes out there that it appears an impossibility to create any type of patch protection. There was strong debate as to whether this was a true statement or not. Strongest prediction (and it's already in motion) is the convergence of privacy and security. Privacy will be driven by regulations and as a result more people will be instituting chief privacy officers to avoid being in violation.
12/5/2019 • 26 minutes, 20 seconds
Cybersecurity Readiness as Hiring Criteria
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cybersecurity-readiness-as-hiring-criteria/) What if every candidate interviewed was tested on their cybersecurity competency? How would that affect hiring and how would that affect your company's security? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Greg van der Gaast, head of information security, University of Salford. Thanks to this week’s podcast sponsor, Enzoic. Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through compromised credential detection. Organizations can use Enzoic solutions to screen customer and employee accounts for exposed username and password combinations to identity accounts at risk and mitigate unauthorized access. Learn more about Enzoic. On this episode of Defense in Depth, you’ll learn: For all candidates, whether in cybersecurity or not, gauge their current level of cybersecurity awareness. There was a time we put knowledge of Microsoft Word and Excel on our resumes. Now you never see it because it's common knowledge. Security knowledge is not common. At this stage it would be seen as a valuable bonus to have it on your resume. There are always small things that hiring managers look for to tip the scales in a candidates favor. Cybersecurity skills should be one of them. For candidates who would have the most to gain from cybersecurity awareness, bring in the CISO to ask one or two questions during the hiring process. Different departments bounce candidates off each other even if they're not going to be working in a specific department. They want to know how well a person will or won't interface with your department. There's a strong fear that adding cybersecurity into the hiring criteria will greatly slow down the hiring process which could damage business productivity. There was much debate around seemingly great candidates, such as an accountant with 20 years of experience, who fails miserably on cyber awareness. Would that raise a red flag?
11/21/2019 • 26 minutes, 22 seconds
Cybersecurity and the Media
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cybersecurity-and-the-media/) Cybersecurity and the media. It rides the line between providing valuable information and feeding the FUD cycle. What's the media's role? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Dave Bittner (@bittner), producer and host of The CyberWire Podcast, Hacking Humans podcast, and Recorded Future podcast. Thanks to this week’s podcast sponsor, Verodin. The Verodin Security Instrumentation Platform proactively identifies gaps in security effectiveness attributable to equipment misconfiguration, changes in the IT environment, evolving attacker tactics, and more. Learn how Verodin, part of FireEye, has made it possible for organizations to validate the effectiveness of cyber security controls, thereby protecting their reputation and economic value. On this episode of Defense in Depth, you’ll learn: Stop laying blame on the media for negative cybersecurity perceptions. They're acting as a reflection of ourselves, both good and bad. When done right, the media can bring about much needed attention to issues, most often to enlighten those not in the know. A good indicator of media's success in informing us is when our friends and family, who are not as cybersavvy, start asking us our thoughts on big security issues. Disturbing trend is the media referring to an attack as "sophisticated" when it's often a poorly secure server that was just waiting to be breached. Given this trend, many are eager for the media to demystify these supposedly "advanced" attacks demonstrating that the rest of us can protect ourselves even if we're not cyber-sophisticated. Social engineering demos are often done for the purpose of humor rather than showing how dangerous it can be when we let our guard down. Outside of someone like Bruce Schneier, the cybersecurity industry needs the equivalent of a high-profile expert who can speak to the lay person, à la Bill Nye, The Science Guy.
11/14/2019 • 29 minutes, 47 seconds
The Cloud and Shared Security
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-the-cloud-and-shared-security/) When your business enters the cloud, you are transferring risk, but also adding new risk. How do you deal with sharing your security obligations with cloud vendors? Check out this LinkedIn post for the basis of this show's conversation on shared responsibility of security with a digital transformation to the cloud. This episode is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Paul Calatayud (@paulcatalayud), CSO for Americas, Palo Alto Networks. Thanks to this week’s podcast sponsor, Palo Alto Networks. Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices. On this episode of Defense in Depth, you’ll learn: You have to have a business reason to go to the cloud. Usually it's done as a business imperative in order to stay competitive. Security is rarely the primary reason businesses move to the cloud. It's often an adjunct reason. Moving to the cloud may transfer risk, but it also introduces new risk. Security professionals have long avoided the cloud because they feel they give up perceived control. If I can't see or touch it, how can I secure it? One issue security people need to grapple with during digital transformation and a move to the cloud is what does it mean to manage risk when you don't own the program? Much of the online discussion was about getting your service license agreements (SLAs) in place. But if you're a small- to medium-sized businss (SMB) you're going to have a hard if not impossible time negotiating. Don't lean on SLAs to be your entire risk profile. It's like using insurance as your only means of security. Cloud security requires setting up automation guard rails. For cloud evolution you'll need a change in talent and it probably won't be your traditional network engineers. Because of performance, privacy, and data protection issues you're probably going to find your business moving apps in and out of the cloud. The Cloud Controls Matrix (CCM), from the Cloud Security Alliance (CSA) is a controls framework designed to help you assess the risk of a cloud security provider.
11/7/2019 • 24 minutes, 57 seconds
Is Product Security Improving?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-is-product-security-improving/) We've been at this cybersecurity thing for a long time. Are products improving their security? A recent study says they aren't. Check out this tweet and the ensuing discussion for the information on the study and the concerns people have about the history of poor security in consumer-grade networking products. This episode is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Michael L. Woodson (@mlwoodson), CISO, MBTA. Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices. On this episode of Defense in Depth, you’ll learn: We focus our conversation mostly on consumer products, most notably networking, which was the focus of the relevant study. Some basic measurements of security such as stack guards and buffer overflow protection showed no noticeable improvement. Margins are so slim on consumer products that manufacturers are put in a bind. They can't overcharge and stay competitive, so they have to underdeliver, and often security protections are cut as a result. People accept the failures of cybersecurity products by just accepting the end user license agreement (EULA). Be very careful with these agreements. Often a vendor will make outrageous claims like saying they own the data. When we have security incidents companies are not blamed or liable. What type of pressure would need to be put on manufacturers to get them to improve security? Will it have to be standards, regulations, or government regulations?
10/31/2019 • 26 minutes, 6 seconds
Best Starting Security Framework
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-best-starting-security-framework/) If you were building a security program from scratch, which many of our listeners have done, which framework would be your starting point? Check out this post initiated by Sean Walls, vp, CISO of Visionworks, who asked, "If you were building a security program from scratch, would you align with ISO 27001, NIST CSF, or another framework, and why?" That conversation sparked this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Omar Khawaja (@smallersecurity), CISO, Highmark Health. Thanks to this week’s podcast sponsor, Palo Alto Networks. Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices. On this episode of Defense in Depth, you’ll learn: When determining a starting security framework, always lead with the "Why?" What are you trying to accomplish and achieve? In some cases you're building a framework to build trust. Although most in security take a risk-based approach. That's not always necessary when picking a framework. Frameworks are often very regulatory driven. Framework decisions will be built on both internal and external pressures. If you don't have a specific security problem, a specific security solution makes no sense. The Secure Controls Framework is a free meta-framework that allows users to pick and choose elements from multiple frameworks. Check out Allan Alford's four-year mapping of NIST CSF, CIS CSC 20, and ISO 27001. While there are plenty of great frameworks out there, for someone who is truly starting from scratch, many security professionals pointed to the CIS top 20 because it maps to frameworks like NIST and ISO.
10/24/2019 • 26 minutes, 46 seconds
Cyber Defense Matrix
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cyber-defense-matrix/) A simple way to visualize your entire security program and all the tools that support it. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Sounil Yu (@sounilyu), creator of the Cyber Defense Matrix and former chief security scientist at Bank of America. Thanks to this week’s podcast sponsor, Verodin. The Verodin Security Instrumentation Platform proactively identifies gaps in security effectiveness attributable to equipment misconfiguration, changes in the IT environment, evolving attacker tactics, and more. Learn how Verodin, part of FireEye, has made it possible for organizations to validate the effectiveness of cyber security controls, thereby protecting their reputation and economic value. On this episode of Defense in Depth, you’ll learn: First, just look at the darn thing and it'll start to make sense. The Cyber Defense Matrix's original purpose was to provide a visual way to see where your gaps are in your technology. Users have found lots more uses for the matrix, such as seeing those same gaps in people, processes, and trying to map out the vendor landscape. By visualizing, you can see also where you have too much and you can actually get rid of technologies. The matrix provides structural awareness of your vulnerabilities. The matrix admittedly gets a little wonky when cloud technologies are introduced. They often bleed across categories, not neatly fitting into any specific buckets.
10/17/2019 • 27 minutes, 46 seconds
User-Centric Security
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-user-centric-security/) How can software and our security programs better be architected to get users involved? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Adrian Ludwig, CISO, Atlassian, a customer of our sponsor, Castle. Thanks to this week’s podcast sponsor, Castle. Castle is helping businesses keep customers’ online accounts safe from targeted account takeovers, automated credential stuffing, and risky user transactions. Castle’s user-centric approach to account security allows organizations to fully automate threat response and account recovery in real-time with risk-based authentication, granular access policies, and custom workflows. Learn more at www.castle.io On this episode of Defense in Depth, you'll learn: It's impossible to create a security system that removes the user from the equation. They are integral and they have to be part of your security program. Security is defined by the individual. The minimum expectation you can have of your users is that they'll operate in good faith. Avoid complexity because as soon as it's introduced it drives problems everywhere. Instead, keep asking yourself, how can I make security more usable? Individuals are suffering from alert fatigue. If you're going to send an alert to a user, make it relevant and actionable. And always be aware that your security alerts are not the only alert the user is seeing and deciding or not deciding to take action on. Think about all the alerts you completely ignore, like the confidentiality warning in a corporate email. One of the main problems with security is the party who suffers is not the one who has to act. The user often does not have any stake in the goods he/she is protecting.
10/10/2019 • 28 minutes, 54 seconds
Securing the New Internet
All links and images from this episode can be found at CISO Series (https://cisoseries.com/defense-in-depth-securing-the-new-internet/) If you could re-invent the entire Internet, starting all over again with security in mind, what would you do? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode, Davi Ottenhimer (@daviottenheimer), who happens to be working on this project with Tim Berners-Lee at Inrupt to create a new Internet and secure it. Thanks to this week’s podcast sponsor, Castle. Castle is helping businesses keep customers’ online accounts safe from targeted account takeovers, automated credential stuffing, and risky user transactions. Castle’s user-centric approach to account security allows organizations to fully automate threat response and account recovery in real-time with risk-based authentication, granular access policies, and custom workflows. Learn more at www.castle.io On this episode of Defense in Depth, you'll learn: Much of the advice on how to secure the Internet focused on just improving known protocols such as SMTP, IPv6, and TCP/IP. Is that limited thinking or not? Creating a new Internet has a lot of political and socioeconomic issues connected to it so you have to consider both relative (changing existing protocols) or absolute updates (reinventing and trashing existing protocols). One suggestion was dynamic port assignments which was an interesting tip, but it runs into the issue that at some point someone needs to know where you're communicating. Future of identity is that it's not controlled by one entity. But the solution is not blockchain. That's essentially a spreadsheet of information and banking on a spreadsheet or blockchain would not be wise. Another suggestion would be to create a data-centric approach to the Internet, but this would put a massive load on the endpoints. One core philosophy of securing the new Internet is creating a system where each individual can own their own data, put rights on it to others to use it, rather than being beholden to the rights others give us to manage our own data. Our favorite suggestion was about looking to biomimicry and our millions of years of evolution to help us build an Internet that could learn to evolve on its own. The issue is that history has given us tectonic shifts that come all at once and don't necessarily evolve gradually. Could a security system be built to adapt in that manner? Creative Commons photo attribution to Joybot.
10/3/2019 • 32 minutes, 22 seconds
Resiliency
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-resiliency/) How fortified is the business to withstand cyberattacks? Can it absorb the impact of the inevitable hits? Would understanding the business' level of resilience provide the appropriate guidance for our security program? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Anne Marie Zettlemoyer, vp, security engineering and divisional security officer, MasterCard. Thanks to this week’s podcast sponsor, Castle. Castle is helping businesses keep customers’ online accounts safe from targeted account takeovers, automated credential stuffing, and risky user transactions. Castle’s user-centric approach to account security allows organizations to fully automate threat response and account recovery in real-time with risk-based authentication, granular access policies, and custom workflows. Learn more at www.castle.io On this episode of Defense in Depth, you'll learn: Resiliency allows the business to perform in conjunction with risk. A conversation about resilience forces security to think about business processes and the criticality of each one to the business' ability to sustain itself. We're forcing ourselves to think proactively when we have no choice but to react, hopefully automatically. Disaster recovery (DR) and business continuity planning (BCP) come into play here. There's a concern that of the CIA (confidentiality, integrity, and availability) triad, "integrity" doesn't have enough outside forces to insure its credibility. While security teams may just be coming up to speed, or are just thinking of resiliency, the business has been thinking about it since day one of becoming a business. If security begins thinking this way, they will be more in alignment with the business. And here are some items Anne Marie mentioned at the end of the show: Cybersecurity Talent Initiative GCA Cybersecurity Toolkit
9/26/2019 • 26 minutes, 24 seconds
Ransomware
All images and links for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ransomware/) Why is Ransomware so prevalent? Why are so many getting caught in its net? And what are some of the best tactics to stop its scourge? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Brian Vecci (@BrianTheVecci), field CTO, Varonis. Thanks to this week’s podcast sponsor, Varonis. The most powerful way to find, protect, and monitor sensitive data at scale. Get total control over your unstructured data in the cloud and on-premises. See it in action in a live cyberattack simulation lab. On this episode of Defense in Depth, you'll learn: The ability to exploit the stealing of data takes work. Ransomware requires no knowledge. Ransomware targets the lowest common denominator, just data in general. The attackers often don't need to know much about the data. Ransomware is extremely dangerous when it goes after shared data which probably isn't being monitored. The more savvy ransomware criminals can live dormant in a system, learn where the most valuable data is, and be able to know how much a company can pay. The solution to fighting back requires one to understand that ransomware targets people and files. It's the combination of the two that makes ransomware particularly dangerous. Your best bet to mitigate ransomware's damage is to limit users' file access. Not all users need to be able to access everything at all times. Many security professionals believe the solution to ransomware is just good security hygiene and patching. While patching does narrow your attack surface, it doesn't make you immune to ransomware. Unlike most cybercrime, ransomware is noisy. The attackers want you to know that they're there so you'll pay up.
9/19/2019 • 26 minutes, 4 seconds
Top CISO Communication Issues
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-top-ciso-communication-issues/) Understanding risk. Communicating with the board. Getting others to understand and care about security. What is the most vexing cybersecurity issue for a CISO? Check out this post by Kate Fazzini, cybersecurity reporter for CNBC, for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Mark Eggleston (@meggleston), CISO, Health Partners Plans. Thanks to this week’s podcast sponsor, Varonis. The most powerful way to find, protect, and monitor sensitive data at scale. Get total control over your unstructured data in the cloud and on-premises. See it in action in a live cyberattack simulation lab. On this episode of Defense in Depth, you'll learn: Communications starts with engaging people where they work. CISOs can't have any long-term success selling fear, uncertainty, and doubt (AKA "FUD"). CISOs need to focus on people skills. If a CISO is going to be rolling out a solution it's going to be in his/her hands to get others to adopt. Successful CISOs integrate the community into their thinking. While CISOs want to be proactive, you can't be purely proactive or reactive. It's always a blend. The best start for a CISO is to get the C-suite and board to listen and understand. Not only do CISOs need to have conversations about risk, they need to document it and revisit it. Look at where the company is making money by examining the 10-Q report. See where you can apply risk analysis to all of those revenue streams. Whenever a FUD-like headline appears, the C-suite and board will see it. Don't let them fall into the trap of absorbing the hype. CISOs need to show how they're handling such situations and how they would if something similar happened to them. Top issues for CISOs include having a clear understanding of who owns what risk. And more importantly, individual contributors should acknowledge their specific role in the overall security program.
9/12/2019 • 27 minutes, 40 seconds
Cybersecurity Excuses
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cybersecurity-excuses/) "I've got all the security I need." "I'm not a target for hackers." These are just a few of the many rationalizations companies make when they're in denial of cyberthreats. Why are these excuses still prevalent and how should a cyberprofessional respond? Check out this post by Ian Murphy, co-founder of LMNTRIX, for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers. Thanks to this week’s podcast sponsor, Varonis. The most powerful way to find, protect, and monitor sensitive data at scale. Get total control over your unstructured data in the cloud and on-premises. See it in action in a live cyberattack simulation lab. On this episode of Defense in Depth, you'll learn: Security professionals must endure an endless string of excuses to not improve a security program. On this episode, the ones we saw fall into four categories: "What I've got is good enough", "Denial", "False safety net", "Costs too much time/money". Never rest on what you've got today. Today's configuration is tomorrow's vulnerability. Security is a process, not an end state. There are always issues because humans are involved. Small companies may not have a huge payout, but their defenses are usually weaker making them an easy score. A bunch of small companies add up to a big one. If you have not invested well in a good security program, you are already breached and don't know it. As this show title explains, you can't rely on a single layer of defense (e.g., firewall) to protect you. No CISO is complaining they're spending too much on security. A great security partner is awesome, but you don't hand off your security to someone else. It's a shared responsibility. Don't rely on cyber insurance in the same way you don't leave your front door unlocked even though you've got home insurance.
9/5/2019 • 24 minutes, 40 seconds
Employee Hacking
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-employee-hacking/) A cyber professional needs their staff, non-IT workers, and the board to take certain actions to achieve the goals of their security program. Should a CISO use the hacking mindset on their own people? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Yael Nagler (@MavenYael), consultant. Thanks to this week’s podcast sponsor, Anomali. Anomali harnesses threat data, information, and intelligence to drive effective cyber security decisions. On this episode of Defense in Depth, you'll learn: Employee hacking is an effort to get employees to do what you need them to do in order to pull off your security program There's a grand debate as to whether you should be hacking employees (use the tools you've got) or working with them (don't trick). Many listeners likened this motivation technique to be no different than sales persuasion methods. But these methods are focused on getting individuals to take a single action, to purchase. This is not the case for a CISO who must change a wide ranging set of behaviors that are often not connected to individual desires. To complicate matters even more, a CISO must sell a process and culture change, NOT a product. It's not easy to change human behavior. Manipulation is a tainted word. You need to respect differences and find a common ground to motivate employees to show concern to want to stay with a security program. One way to get people to care about security is to internally explain what do big security news items have to do with your business and how a similar breach could or couldn't happen to your business. While you're trying to win someone over, it's not a selfish interest. It's of interest to the individual and the company. It's just the individual has to understand why they're changing behavior and see value in making that change.
8/29/2019 • 25 minutes, 40 seconds
100% Security
100% Security. A great idea that's impossible to achieve. Regardless, CEOs are still asking for it. How should security people respond and we'll discuss the philosophical implications of 100% security. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Rich Friedberg (@richf321), CISO, Blackbaud. Thanks to this week’s podcast sponsor, Anomali. Anomali harnesses threat data, information, and intelligence to drive effective cyber security decisions. On this episode of Defense in Depth, you'll learn: Even though security people learned a long time ago that 100 percent security is not achievable if you can run a business, CEOs are still asking their security departments to deliver it. The most common response to the 100 percent security request is to point out that nothing in business is 100 percent. Everything is a type of a risk. Pointing out that everything is a risk doesn't necessarily endear a CISO to the security department. Instead, use empathy and try to understand what are they really asking when they make the 100 percent security request. It's often difficult for a CEO to initiate a discussion about risk. The question shouldn't be "how safe are we" but rather "how prepared are we". Should a breach happen, which seems inevitable these days, how quickly can the business respond and continue to function. A breach doesn't need to destroy a business. The best way to connect with the business on security risk is to correlate it to another risk decision that makes sense to them. For example, battling fraud. No business tries to eliminate 100 percent of fraud because at one point the cost to eliminate the remaining fraud far exceeds the cost of the remaining fraud. As a theoretical exercise, most agreed that if you truly did try to achieve 100 percent security, the business would cease to function.
8/22/2019 • 24 minutes, 56 seconds
Proactive Security
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-proactive-security/) How proactive should we be about security? What's the value of threat intelligence vs. just having security programs in place with no knowledge of what attackers are trying to do? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is AJ Nash, director of cyber intelligence strategy, Anomali. Thanks to this week’s podcast sponsor, Anomali Anomali harnesses threat data, information, and intelligence to drive effective cyber security decisions. On this episode of Defense in Depth, you'll learn: You can't start a threat intelligence until you understand your internal threat landscape and business mission. Sadly, very few organizations have a good answer to "What and where are your crown jewels, your high valued assets?" But if you can answer that question, your threat intelligence will be far more effective. It's possible to understand internal and external landscape in parallel. But you won't get great value of your intelligence until you understand your environment. How do we judge the value of intelligence? It's all about dealing with costs before the "boom" vs. afterwards. Because afterwards is far more expensive. The reason to invest in threat intelligence is because once you know your assets, and you know what your adversaries are after, you can adjust your defenses accordingly. If your goal is to harden everything, you're going to be very busy. It's not economically and physically possible. Make sure you're manning the threat intelligence and incident response teams properly. This is a common misstep that many shops make. If you don't have intelligence you're doing reactive security, which nobody wants, yet that's what many often end up doing.
8/15/2019 • 28 minutes, 35 seconds
ATT&CK Matrix
All images and links for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-attck-matrix/) Is the ATT&CK Matrix the best model to build resiliency in your security team? What is the best way to take advantage of the ATT&CK framework and how do you square away conflicting data coming in from your tools. What can you trust and not trust? And is the disparity of results the fault of the tool, the user, or neither? Check out this post and this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Ian McShane (@ianmcshane), VP, product marketing, Endgame. Thanks to this week’s podcast sponsor, Endgame Endgame makes endpoint protection as simple as anti-virus. Their converged endpoint security platform is transforming security programs - their people, processes and technology - with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com. On this episode of Defense in Depth, you'll learn: ATT&CK Matrix should be used both strategically and tactically. Use it strategically to understand gaps in your security program. As for tactics, it's great for blue team exercises. When you're being attacked, it helps you understand what's going to happen next. You can use ATT&CK framework even on 0 day viruses. It allows you to focus on the techniques in an attack rather that the specifics of an attack. When you're being attacked, be wary of getting conflicting information from your tools. If you have a tool that's constantly producing noise, you have two options: either fix it or dump it. The reason two seemingly similar tools are producing different results is because they're taking different paths. Once you understand the paths you'll understand the variances. The goal would be for industry standardization or maybe even a third party to come in and act as middleware to offer standardization. Is that even possible?
8/8/2019 • 24 minutes, 59 seconds
Hacker Culture
All images and links for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-hacker-culture/) The hacker community needs a new PR campaign. Far too many people equate hacker with criminal. But hacker is a mindset of how one approaches security. What is that approach and why are CISOs so attracted to hiring hackers? Check out this post for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Joseph Menn (@josephmenn), journalist, Reuters, and author of "Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World". Thanks to this week’s podcast sponsor, Trend Micro On this episode of Defense in Depth, you'll learn: Hacking's definitions are varied, but the one that speaks to all theories is that hacking is critical thinking. Hackers don't follow a manual. They look at systems with an open mind. Hackers nurture the sense of the inner rebel. They want to truly understand the inner workings of a system. Hackers aren't creating havoc, they're exposing problems that are already there. And they do it because it's the only way to get attention to the problem. Security professionals understand the value of finding existing problems, that's why they instituted and support bug bounty programs that provide a financial incentive to hack. Hackers are not afraid to be challenged. If cybersecurity students jump straight from schooling to the corporate world, and they don't have time to explore their desire to hack, they won't have the opportunity to create their own moral code when it comes to hacking. It's important for a hacker to discover their moral compass, because there are going to be situations where a hacker will have the opportunity to do bad things without getting caught. How will they handle it?
8/1/2019 • 25 minutes, 29 seconds
Bad Best Practices
All images and links for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-bad-best-practices/) All professionals like to glom onto "best practices." But in security, "best" practices may be bad out of the gate, become useless over time, or they're not necessarily appropriate for all situations. Stay tuned, we're about to expose some of the worst "best" practices. Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Yaron Levi (@0xL3v1), CISO, Blue Cross/Blue Shield of Kansas City. Thanks to this week’s podcast sponsor, Endgame Endgame makes endpoint protection as simple as anti-virus. Their converged endpoint security platform is transforming security programs - their people, processes and technology - with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com. On this episode of Defense in Depth, you'll learn: The response of "This is how we've always done it", is not a reason to continue a "best" practice. One of the most universally bad "best" practices is counting the number of people who fall for a phishing test. Both Allan and Yaron told stories of phishing test reports that could swing wildly based on the type of email sent. CISOs argue that a better metric to track is the number of people who report the phishing email. Let employees know that you're going to test them. If you don't it can be seen as a means to discipline them, which you're not. Cybersecurity best practices don't stand the test of time. If a best practice seems off, challenge it by simply asking, "Why?" Awareness training should be measured by testing afterwards, not by the number of people who actually took it.
7/25/2019 • 23 minutes, 33 seconds
Cyber Harassment
All images and links are available on CISO Series (https://cisoseries.com/defense-in-depth-cyber-harassment/) Whether a jilted lover or someone trying to wield their power over another, cyber harassment takes many forms and it doesn't stay in the digital world. It comes into our real world and gets very dangerous. What is it and how can it be thwarted? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Parry Aftab (@parryaftab), founder of StopCyberbullying Global. Thanks to this week’s podcast sponsor, Endgame Endgame makes endpoint protection as simple as anti-virus. Their converged endpoint security platform is transforming security programs - their people, processes and technology - with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com. On this episode of Defense in Depth, you'll learn: You can be public or anonymous in your effort to stop cyber harassment. If you are public about your efforts, you are putting yourself out there to be a target for harassment yourself. Our guest has received death threats and also been SWATted. Cyber harassment can be devastating to the one who is being attacked. The fear of it can stay with you for years even after it's been "resolved." Traditional response to cyber harassment is to stop, block, and tell. Ignoring is one technique, but it doesn't always work if they're trying to blackmail you. Cyber harassers can often just be bored. They're looking for something to do and sending death threats can be "fun." Cyber harassers are looking for attention. It could be a situation of an employee feeling they weren't given the promotion they wanted or a jilted lover who's looking for revenge. One best technique for prevention is early detection. Do regular Google searches of your name and all your online handles to see if someone is starting to mess with your online reputation.
7/18/2019 • 23 minutes, 43 seconds
CISO Series One Year Review
Links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ciso-series-one-year-review/) The CISO/Security Vendor Relationship Podcast is now more than a year old. On this episode, the hosts of both podcasts, reflect on the series and we respond to listeners critiques, raves, and opinions. Check out this post and this post for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is the co-host of the CISO/Security Vendor Relationship Podcast, Mike Johnson. Thanks to this week’s podcast sponsor, Trend Micro On this episode of Defense in Depth, you'll learn: We provide the definitive story of how the CISO/Security Vendor Relationship Podcast started and how David, Allan, and Mike all connected. We've been challenging many of the sales techniques that have essentially irked CISOs. The podcast has become a validation tool for sales people to show to their management and say, "We need to change direction." One of the critiques we've heard is the desire to understand more of the sales process. We are actually very much in the dark as to the different levels of incentives are for sales staff. A security sale is often a long and involved process and we know the incentives are more involved than just a sales commission. We've actually done webinars that take a look behind the scenes of sales and we plan to do more. Those who feel isolated with their company enjoy hearing the different viewpoints. There is actually a real return on investment to listening to our show. Sales people say that they've changed their strategy based on advice on the show and it has proved to be fruitful.
6/25/2019 • 28 minutes, 9 seconds
Economics of Data
All images and links for this episode available at CISO Series (https://cisoseries.com/defense-in-depth-economics-of-data/) Do we understand the value of our data? Do our adversaries? And is the way we're protecting it making it too expensive for them to steal? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Chip Witt (@rt_clik), head of product strategy for SpyCloud. Thanks to this week’s podcast sponsor, SpyCloud Learn more about how you can protect employees and customers from account takeover with SpyCloud. On this episode of Defense in Depth, you'll learn: Understand what your crown jewels are and what is the most important data to protect. Many companies have a hard time answering that question and they end up trying to protect everything and that can get very costly. Be strategic about understanding what it costs to go after your data. Look for ways to auto protect your assets. Most people do not spend a lot of time understanding the underground economy. On average, your employees have 207 online accounts. Those seemingly innocuous sites (e.g., fantasy football) sites can often be used as opportunities to break into your network and as we know, most people use the same password on multiple accounts. Criminal enterprises operate like any other business. They're looking to generate ROI. Make it so there is no ROI or it's too difficult to achieve it. Focus on credential theft. Check your set of users for exposed credentials because people use weak credentials to access valuable credentials. As a business you also want to protect your employees' personal accounts from account takeover.
6/25/2019 • 27 minutes, 42 seconds
Tool Consolidation
All links and images can be found on CISO Series (https://cisoseries.com/defense-in-depth-tool-consolidation/) While cybersecurity professionals always want more tools, more often than not they're dealing with too many tools delivering identical services. The redundancy is causing confusion and more importantly, cost. Why should you pay for it? How does it happen and how do InfoSec leaders consolidate tools? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Adam Glick, vp, cybersecurity, Brown Brothers Harriman. Thanks to this week’s podcast sponsor, SpyCloud. Learn more about how you can protect employees and customers from account takeover with SpyCloud. On this episode of Defense in Depth, you'll learn: The tools bloat problem does not happen overnight. Often you have no choice with tools bloat. It's a function of the industry that companies add new capabilities and they acquire companies so you start to get redundancy even if you didn't plan on it. You can run into the trap of having excellent independent tools, but then they cause overlap and because they're independent and not integrated you eventually fall on the side of going with the lesser tool because it has integration with other capabilities. Best of breed doesn't sit still. It starts to morph and doesn't necessarily become the best anymore. Even if you did a great job consolidating, you can't set it and forget it. Given the industry's behavioral morphs and your growing needs, you'll need to revisit the issue at least once or twice a year. You need to do a tools audit. A lot of political issues will come into play as people will defend the tools they love, built upon, and use. If you can't figure out a way to mediate, you'll need to hire a third party to do the audit and make the assessment. Integration is critical. If there aren't APIs and other ways for the tools to communicate, it doesn't matter how awesome it is, the tool will need to be dumped.
6/19/2019 • 23 minutes, 52 seconds
Camry Security
Links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-camry-security/) The Camry is not the fastest car, nor is it the sexiest. But, it is one of the most popular cars because it delivers the best value. When CISOs are looking for security products, are they also shopping for Camry's instead of "best of breed" Cadillacs? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Lee Vorthman (@leevorthman), sr. director, global security engineering and architecture, Pearson. Thanks to this week’s podcast sponsor, SpyCloud. Learn more about how you can protect employees and customers from account takeover with SpyCloud. On this episode of Defense in Depth, you'll learn: CISOs have budgets and they simply can't purchase the most expensive and best option for every InfoSec need. Good enough is often exactly what they want. It's often not possible to take advantage of all the features on a Cadillac-type security product. So you end up paying for shelfware, or tools that never end up being used. The tool's complexity factors into the cost. This is often an argument against open source software which has been branded, most often by the proprietary software community, as "tough to use." Each tool creates a new demand on your staff in terms of time and complexity. What new costs are you introducing by acquiring and deploying a new tool? "Best of breed" everything can also turn into an integration nightmare. If you don't need everything a company is trying to offer, try to de-scope the requirements. Some companies are so big that they have no choice but to purchase the Cadillac for everything since so many departments will need access to the tool. It's far too complicated to create an RFP that takes into account everyone's needs. To speed access to the tool these large companies just get the product that "does everything" and then let all the departments "have at it" once it's available for use.
6/12/2019 • 22 minutes, 21 seconds
Amplifying Your Security Posture
All links and images can be found on CISO Series (https://cisoseries.com/defense-in-depth-amplifying-your-security-posture/) In security, you never have enough of anything. But the scarecest resource are dedicated security people. When you're running lean, what are some creative ways and techniques to improve overall security? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Matt Southworth (@bronx), CISO of Priceline. Thanks to this week’s podcast sponsor, SecurityBridge Advanced cybersecurity for SAP, from codebase to production. Powered by anomaly detection, detect threats in real-time so that they can be remediated before any harm is done. Eliminate false-positives and focus on actionable intelligence. Ensure compliance with direction to actual vulnerabilities, with amazing intelligence dashboards guiding remediation. On this episode of Defense in Depth, you'll learn: When you manage too many people you get to a point of saturation. Are you doing security or are you managing people? Core success comes from looking outside your immediate staff for security help. Most common programs are Security Champions and Security Prime. The first are just people outside of the InfoSec team who really want to learn about security, and the Prime players are actually implementing it. Look for ways to reduce overheard in terms of paperwork, meetings, and unnecessary programs. If what you're doing is not helping, stop doing it. Empower individuals to make their own decisions about security without the chain of command of approvals. Avoid giving orders, because once you do you'll always be called into a meeting on that topic. Use artificial intelligence (AI) to take work off of the security operations center (SOC) and incident response team. The "lazy" sysadmin who automates all his tasks is a highly productive member. Communicate to everyone that security requires the entire company's support, not just the security staff. And here's Jan Schaumann's presentation at BsidesNYC 2016 entitled "Defense at Scale". Matt mentioned it on the show.
6/4/2019 • 26 minutes, 52 seconds
ERP Security
All images and links for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-erp-security/) For most organizations, their ERP solution holds its crown jewels. Should custom and complex applications that trade such vital customer and corporate data be secured any differently? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Branden Newman, CISO, adidas, brought to us by our sponsor, SecurityBridge. Thanks to this week’s podcast sponsor, SecurityBridge Advanced cybersecurity for SAP, from codebase to production. Powered by anomaly detection, detect threats in real-time so that they can be remediated before any harm is done. Eliminate false-positives and focus on actionable intelligence. Ensure compliance with direction to actual vulnerabilities, with amazing intelligence dashboards guiding remediation. On this episode of Defense in Depth, you'll learn: The volume of log files are so overwhelming from an ERP system that most security groups just turn them off. The reason you want an ERP-specific security solution is that they handle a lot of the log management and customization for you. You'll still need to do plenty of customization on your part, but these tools take away a lot of the heavy lifting. Make sure you're on a first-name basis with all the key people whose departments are in the ERP system. You're going to need their support and knowledge to build out the effective ERP solution matrix. If you have ERP or SAP installed, move an ERP-specific security solution to the front of your security maturity program.
5/30/2019 • 21 minutes, 41 seconds
Managing Obsolete (Yet Business Critical) Systems
All links and images from this episode can be found at CISO Series (https://cisoseries.com/defense-in-depth-managing-obsolete-yet-business-critical-systems/) Obsolete systems that are critical to your business. They're abandoned, unpatchable and unmanaged. We've all got them, and often upgrading is not an option. What do you do? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Mitch Parker (@mitchparkerCISO), Exec. Director, InfoSec and Compliance, Indiana University Health. Thanks to this week’s podcast sponsor, SecurityBridge Advanced cybersecurity for SAP, from codebase to production. Powered by anomaly detection, detect threats in real-time so that they can be remediated before any harm is done. Eliminate false-positives and focus on actionable intelligence. Ensure compliance with direction to actual vulnerabilities, with amazing intelligence dashboards guiding remediation. On this episode of Defense in Depth, you'll learn: This issue appears to affect every security and IT person. At one time they've all had to deal with it. Obsolete technology should not be treated like any new technology. It needs to be isolated. Lots of great advice from the community regarding containing the outdated technology through firewalls, air gapping, segmenting, virtual machines, and a jump box. Constantly measure the risk of not just intrusion of the outdated technology, but the cost of keeping the thing running as you can't rely on outside support or updates. As you're reporting the risk, constantly push for solutions to end reliance on this outdated technology. The obsolete technology is often an expensive and critical piece of hardware that's difficult if not impossible to replace. The UK National Cyber Security Center has some great guidance on what to do with obsolete platforms.
5/22/2019 • 28 minutes, 23 seconds
Cybersecurity Hiring
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cybersecurity-hiring/) Everyone needs more security talent, but what kind of talent, how specialized, and what kind of pressure is hiring requirements putting on security professionals? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is one our favorite InfoSec gadflies, Greg van der Gaast. Thanks to this week’s podcast sponsor, Morphisec Detection-based security technologies are by definition reactive, responding to threats after they’ve hit. Morphisec takes an offensive strategy to advanced attacks, dismantling the attack pathways to prevent an attack from ever landing. No detection, no hunting, no clean-up. Watch the on-demand webinar to see how it works. More at www.morphisec.com. On this episode of Defense in Depth, you'll learn: Specialization also veers towards simplifying as Greg said, "A lot of middle of the road positions are being narrowed and dumbed down in a push towards commoditization." Is the collection of so many tools pushing us to more specialization? Have we created our own hiring problem? There are needs for specialists and generalists in cybersecurity. The issue is where do you find the balance from the creation of your toolset to your hiring? Too many open positions for security analysts which isn't a defined role. Sometimes there's an inherent laziness in hiring managers just wanting "a security person" and not understanding their environment as to what they really need. Greg notes that "you can often tell how broken an infosec organisation is just by looking at the job roles they're looking to fill and the job descriptions." If you're developing a tech stack and then looking for people to manage it, that is the reverse way you should be building a security program. Students are eager to learn, but degrees are useless when companies are hiring for specific tools.
5/16/2019 • 25 minutes, 30 seconds
How CISOs Discover New Solutions
Find images and links for this episode on CISO Series (https://cisoseries.com/defense-in-depth-how-cisos-discover-new-solutions/) Are security professionals so burned out by aggressive cybersecurity marketing that they're giving up on discovering new and innovative solutions? What are the best ways for cyber professionals to discover new solutions? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Yaron Levi (@0xl3v1), CISO, Blue Cross and Blue Shield of Kansas City. Thanks to this week’s podcast sponsor, ComplianceForge ComplianceForge is a business accelerator. ComplianceForge offers a full-stack of cybersecurity documentation that ranges from policies and standards, to controls, metrics, procedures and program-level documentation to provide evidence of due diligence in managing risk, vulnerabilities, secure design and other pertinent areas that requires clear and concise documentation. On this episode of Defense in Depth, you'll learn: The two tactics of carpet bombing with marketing emails and cold calls are universally hated, but they must produce results and that's why they continue. If a CISO wants to discover new solutions, they must expose themselves somehow to what's out there. New solutions aren't magically going to land in your lap. Many CISOs rely on their networks of CISOs but that can limit your thinking if none of the CISOs are willing to venture outside of the group. Don't rely on your own discovery. Task your staff members to do it as well. Encourage and reward the showing of new ideas to the group which can and will foster disruption and innovation. You need a trusted partner, a reseller, or a vendor who can be your eyes and ears. Finding that trusted partner doesn't come easily, but when you find it, hold onto it because you're going to need them. Your trusted partner should be proactive about giving you quarterly updates. Large conferences and vendor emails act as touch points, but they don't act as a valuable source of information. Engage in smaller local conferences where you can meet and build trust with your local experts. If you do go to a large conference, and you walk the trade show floor, aim for the edges where you find the smaller companies. Best advice for CISOs was to create a form for vendors to fill out if they want the chance to meet with you. Yelp-like review sites have questionable credibility, but they are a touch point in tool discovery. Lean on podcasts and discussion groups, such as Slack.
5/9/2019 • 29 minutes, 28 seconds
Is the Cybersecurity Industry Solving Our Problems?
Find all links and images from this episode on CISO Series (https://cisoseries.com/defense-in-depth-is-the-cybersecurity-industry-solving-our-problems/) Is the cybersecurity industry solving our problems? We've got lots of new entrants. Are they doing anything new, or just doing the same thing slightly better? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest this week is Taylor Lehmann (@BostonCyberGuy), CISO, Wellforce. Thanks to this week’s podcast sponsor, Remediant Eighty one percent of cyberattacks utilize stolen administrative credentials. Yet, legacy enterprise password vaults solve only a fraction of the problem and are difficult to rollout. Remediant's SecureONE takes a new approach to privileged access management: offering agent-less, vault-less, continuous detection and just-in-time-administration. Learn what Remediant can do in a half-day POC deployment. On this episode of Defense in Depth, you'll learn: Industry is just growing symptoms to core issues. The cybersecurity industry is motivated by marketplace which justifies investment. As one might expect many security solutions are just hyped rather than built on innovations. While many of our listeners are rather savvy, we expect most purchases are reactive rather proactive. And if this continues, then the profit-minded vendors will still deliver reactive-based solutions. We've got a radical increase in problems. We're just chasing the problems by spending more money. Security people know that the solution is people, process, and technology, but far too often we're looking for a 'box' to solve our problems. We don't look at the tougher challenge of people and processes. So much of the security market is reactive in its purchase decision. To improve your success rate in cybersecurity you need to be forward-thinking about building out your security program and your spend. One area of opportunity that not enough companies are taking advantage of is offering dramatically cheaper solutions than alternatives even though they don't perform as well. There is a definite market for those types of solutions. We always lean on security products to solve our problems rather looking internally at our people and processes. There is always a losing comparison between attackers and defenders. An attacker can come up with a new variant of attack in minutes to hours. Defenders in enterprises often take months to implement patches for known vulnerabilities.
5/1/2019 • 29 minutes, 51 seconds
Vulnerability Management
This is a special episode of Defense in Depth being shared on this feed. Find the full post with links and images on the CISO Series site here (https://cisoseries.com/defense-in-depth-vulnerability-management/) So many breaches happen through ports of known vulnerabilities. What is the organizational vulnerability in vulnerability management? Check out this post and discussion and this one for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is Justin Berman (@justinmberman), CISO for Zenefits. Vulcan’s vulnerability response automation platform allows enterprises to automate their TVM programs. Vulcan integrates to existing IT DevOps and security tools to fuse enterprise data with propriety intelligence which allows to accurately and subjectively priorities and remediate vulnerabilities - either using a patch workaround or compensating control. On this episode of Defense in Depth, you'll learn: As the CIS 20 concurs, vulnerability management is the first security measure you should take right after asset inventory. Vulnerability management needs to be everyone's issue and managed by all departments. Lots of discussion around vulnerability management being driven by culture which is a very hard concept to define. To get a "vulnerability management culture" look to a combination of awareness and risk management. Vulnerabilities don't get patched and managed without someone taking on ownership. Without that, people are just talking and not doing. Increased visibility across the life cycle of a vulnerability will allow all departments to see the associated risk. Who are the risk owners? Once you can answer that questions you'll be able to assign accountability and responsibility.
4/25/2019 • 21 minutes, 29 seconds
Privileged Access Management
If you can't see all the show notes (with images and links) head here: https://cisoseries.com/defense-in-depth-privileged-access-management-pam/ Where does privileged access management (PAM) fit in the order of operations? Check out this post and discussion and this one for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our sponsored guest for this episode is Tim Keeler, CEO and co-founder of Remediant. Thanks to this week’s podcast sponsor, Remediant Eighty one percent of cyberattacks utilize stolen administrative credentials. Yet, legacy enterprise password vaults solve only a fraction of the problem and are difficult to rollout. Remediant's SecureONE takes a new approach to privileged access management: offering agent-less, vault-less, continuous detection and just-in-time-administration. Learn what Remediant can do in a half-day POC deployment. On this episode of Defense in Depth, you'll learn: Privileged access management is designed to control lateral movement when an intruder gets legitimate access to your network. You can't protect what you don't know. A privileged access management program is ineffective without complete asset inventory and classification. Don't wait to begin instituting a PAM solution. It's unrealistic to believe you'd have a complete inventory right away that you could begin PAM. You'll probably have to work with what you've got. It's a moving target for all. It may be an incomplete target as well... at the beginning. Two-factor authentication (2FA) has a role. It can help with both initial intrusion and escalation. PAM's role is more refined with its ability to prevent escalation. One of the debated issues was how does PAM negatively affect the user experience. Concerns of pushback and productivity issues resulted in companies refusing to implement 2FA or PAM.
4/17/2019 • 25 minutes, 14 seconds
Machine Learning Failures
Full post for this episode (https://cisoseries.com/defense-in-depth-machine-learning-failures/) Is garbage in, garbage out the reason for machine learning failures? Or is there more to the equation? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Davi Ottenheimer (@daviottenheimer), product security for MongoDB. Thanks to this week’s podcast sponsor, Remediant 81% of cyberattacks utilize stolen administrative credentials. Yet, legacy enterprise password vaults solve only a fraction of the problem and are difficult to rollout. Remediant's SecureONE takes a new approach to privileged access management: offering agent-less, vault-less, continuous detection and just-in-time-administration. Learn what Remediant can do in a half-day POC deployment. On this episode of Defense in Depth, you'll learn: Don't fall victim to believing that success and failure of machine learning is isolated to just garbage in/garbage out. It's far more nuanced than that. Some human actually has to determine what is considered garbage in and what is not. It only takes a very small amount of data to completely corrupt and ruin machine learning data. This knowledge of small infection can spread and corrupt all of the data and can have political and economic motivations to do just that. We have failures in human intervention. Machine learning can just magnify that at rapid rates. While there are many warning signs that machine learning can fail, and we have the examples to back it up, many argue that competitive environments don't allow us to ignore it. We're in a use it or lose it scenario. Even when you're aware of the pitfalls, you may have no choice but to utilize machine learning to accelerate development and/or innovation.
4/10/2019 • 31 minutes, 43 seconds
Software Fixing Hardware Problems
The full post (if you're not seeing links and images) can be found here (https://cisoseries.com/defense-in-depth-software-fixing-hardware-problems/) As we have seen with the Boeing 737 MAX crashes, when software tries to fix hardware flaws, it can turn deadly. What are the security implications? Thanks to this week’s podcast sponsor, Unbound Tech Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode Dan Glass (@djglass), former CISO for American Airlines. Founded in 2014, Unbound Tech equips companies with the first pure-software solution to protect cryptographic keys, ensuring they never exist anywhere in complete form. By eliminating the burden of hardware solutions, keys can be distributed across any cloud, endpoint or server to offer a new paradigm for security, privacy and digital innovation. On this episode of Defense in Depth, you'll learn: The reason the Boeing 737 MAX airplane crashes are such a big story is airplanes don't usually crash because the airline industry is ingrained in a culture of safety. Even though safety culture is predominant in the airline industry , there were safety features (e.g., training for the pilots on this new software correcting feature) that were optional for airlines to purchase. Software is now in charge of everything. What company is not a digital company? We can't avoid the fact that we have software running our systems, even items that control our safety. The software industry does not operate in a safety culture like the airline industry. Is this just a data integrity issue? Is that the root cause of problems? How do we increase the integrity of data? Can we override software when we believe it's making a bad decision? Allan brought up one example of a friend who tried to swerve out of his lane to avoid something in the road. The self-driving car forced him back in his lane and he hit the thing he was trying to avoid. Fortunately, it was just a bag, but what if it was a child? The self-correcting software didn't let him takeover and avoid the object in the road.
4/4/2019 • 22 minutes, 55 seconds
Tools for Managing 3rd Party Risk
To see all the notes and links for this episode, go here (https://cisoseries.com/defense-in-depth-tools-for-managing-3rd-party-risk/) Are there any good tools that really help to manage third-party risk? Can tools alone solve this problem? What else is required? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Eric Cowperthwaite, director of information security, Esterline. Got feedback? Join the conversation on LinkedIn. Thanks to this week’s podcast sponsor, Praetorian As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts. On this episode of Defense in Depth, you'll learn: We question if there's some type of pseudo-protection racket going on with auditors offering to increase vendors' security scores if they go into business with them. The basic model is to help you identify issues and resolve them in order to reduce your risk and protect yourself from certain types of risk. While our risk changes on a daily basis, we're not measuring the risk other 3rd parties may be introducing at the same iteration level. Often it's only annual which doesn't coincide with how we measure our own risk. As a result, there's a desire for ongoing real-time assessment of third party risk. CISOs want the depth of an audit combined with real-time monitoring. Best of breed approach often introduces new risk at the lines of integration.
3/28/2019 • 25 minutes, 3 seconds
CISO Burnout
Are CISOs the most stressed individuals on a security team, or do mental health issues affect everyone in security? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Gary Hayslip (@ghayslip), CISO, Webroot. Thanks to this week’s podcast sponsor, Praetorian As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts. On this episode of Defense in Depth, you'll learn: You have to come to an acceptance that a security program that's at 90 percent is good enough. Accept that you will never reach the end of the tunnel. You'll never have a perfect defense. The CISO's role is that of a change agent and depending on the depth of your relationship, you may get push back. Don't underestimate the impact you're trying to make on the business culture. Organizations can only change in increments. Stressing that will generate stress in you, the security professional. Since security touches every department and you need to engage with every department, you will deal with a lot of personalities. In addition to dealing with all the departments, you won't have authority over them, but you will be perceived as accountable for their security issues. The business needs to own security and its relevant risk. Don't fall into impostor syndrome where you chronically feel you're doing a bad job. Accept small wins. Break up huge projects into smaller chunks and celebrate those wins.
3/21/2019 • 27 minutes, 13 seconds
RSA 2019: Success or Failure?
Is the RSA Conference a must attend for security professionals? Or is it enough to "just be in San Francisco that week"? Check out this post and discussion for the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Tyson Martin, CISO for Lumber Liquidators. David Spark, producer of CISO Series, Tyson Martin, CISO, Lumber Liquidators, and Allan Alford, CISO, Mitel. Thanks to this week's sponsor, Praetorian. As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts. On this episode of Defense in Depth, you'll learn: Is RSAC for education or connecting? Does the value happen in the conference center or outside? This was the initial part of our debate and one argument is you need to graduate from RSAC to make it more of a "connecting outside of the event" type of event. The show floor is overwhelming. As David Gorton of OverwatchID noted, "The circus hides the serious of what we're trying to do." There were a lot of comments about people not having fear of missing out (FOMO), but you can't argue that RSAC has a gravitational force that brings tons of security-minded people to San Francisco for one week every year. There is enormous value in that. The marketing model for vendors during and after the show is starting to grate on practitioners. They're not enjoying the endless cold calls the following week. The expo hall is focused on leads and given that so many of these products are high ticket items, if just a few sales comes through, then the event pays for itself. It's impossible for small booths to compete for visibility with huge booths at the conference.
3/14/2019 • 29 minutes, 36 seconds
Security IS the Business
If a company's brand and value is built on trust, then your security department is critical to building the value of the company. Check out this post and discussion for the basis of our conversation on this week's episode which is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Scott McCool (@McCoolScott), former CIO of Polycomm. Thanks to this week’s podcast sponsor, SpyCloud Learn more about how you can protect employees and customers from account takeover with SpyCloud. On this episode of Defense in Depth, you’ll learn: When a business becomes an idea, the only thing that matters is the perceived value by the owners. If you deem security is the business, then it no longer can take a consultative role. It must take the role of brand and value building. Explicit value is generating or saving money. Implicit value is what drives those two opposite ends of the spectrum. A security department shouldn't be focused on trying to get more budget for themselves. They should see where they are in the value chain and at any given point in time they must fully understand the business and see which department could generate the most business value. If you only lobby for the security department in terms of its importance for getting budget, and not lobby for the overall business then you will lose credibility with your partners within the business.
3/7/2019 • 25 minutes, 59 seconds
Threat Intelligence
Do companies who deliver "threat intelligence" deliver on that promise, or is there more the customer needs to bring to the table to be able to take action? Check out this post and discussion for the basis of our conversation on this week's episode which is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our sponsored guest for this episode is Eric Murphy (@_EricMurphy), VP, security research, SpyCloud. Thanks to this week’s podcast sponsor, SpyCloud Learn more about how you can protect employees and customers from account takeover with SpyCloud. On this episode of Defense in Depth, you’ll learn: Threat intelligence is about telling a story. And that story is broken up into three parts: strategic, operational, and tactical intelligence. Threat intelligence today really isn’t about creating that story. Most of the cases are about correlating data points. Threat intelligence becomes stale when you are reactionary vs. being proactive. Threat intelligence fails when you don’t mix multiple intelligence points to form a more complete full story of your adversaries. Feeds are not valuable by themselves. When you combine it with your internal data, that’s when you could actually come up with something actionable. If you’re not ingesting and onboarding your data appropriately into your internal threat intelligence team, why do you even have it? Find more at CISOSeries.com
2/27/2019 • 20 minutes, 59 seconds
Secure Controls Framework
Defense in Depth is available at CISOSeries.com. Is the "free to use" Secure Controls Framework the one meta-framework to rule them all? Check out this post and discussion for the basis of our conversation on this week's episode which is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is Tom Cornelius, founder and contributor of the Secure Controls Framework (SCF) (@scf_support). Thanks to this week’s podcast sponsor, SpyCloud Learn more about how you can protect employees and customers from account takeover with SpyCloud. On this episode of Defense in Depth, you’ll learn: Purpose of the Secure Controls Framework is to have a single framework to address multiple requirements. It's a meta framework that takes into consideration the controls of all other frameworks. You only need to use the security controls that are important and relevant to you. For that reason, don't be daunted by the number of controls on SCF (currently 750). You can have security without privacy, but you can't have privacy without security. Integrating privacy and security is critical to SCF.
2/21/2019 • 24 minutes, 52 seconds
Insider Threats
Defense in Depth is available at CISOSeries.com. Is your own staff the greatest threat to the security of your company? On this episode of Defense in Depth we discuss protecting your business from itself. Check out this post and discussion for the basis of our conversation on this week's episode which is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is Vijay Bolina (@_jamesbaud_), CISO, Blackhawk Network. Thanks to this week’s podcast sponsor, Fluency Security: Fluency’s correlation and risk scoring technology combined with their approach of using pseudonyms in place of certain PII data greatly facilitates your organization’s path towards compliance. Over time, machine learning and artificial intelligence algorithms detect anomalies at an impressive level of scalability. Run Fluency as a standalone or integrate it into your existing SIEM. Learn more by visiting us at booth #4529 at the RSA® Conference 2019. On this episode of Defense in Depth, you’ll learn: Nearly 1 in 5 people would sell their health record for $500. (source) Insider threat mistakes can take many forms. It could be someone carelessly leaving a USB key somewhere or it could be a developer simply not securing their code. Security people make mistakes just like non-security people. Difference is when a security person makes a mistake, chances are the gravity of the damage will be much higher. A breach doesn’t necessarily have to damage the company. A breach simply means data left your protected area of the business. And that is still bad even if there was no actual damage.
2/14/2019 • 20 minutes, 50 seconds
Building an Information Security Council
Defense in Depth is part of the CISO Series network, which can be found at CISOseries.com. Security for the business affects everyone and all departments. On this episode of Defense in Depth we discuss the values and difficulties of building an information security council. Check out this post and discussion for the basis of our conversation on this week's episode which is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is Nick Espinosa (@NickAEsp), host of nationally syndicated show The Deep Dive with Nick Espinosa, and his daily podcast is called Nick's Nerd News Daily. Find Nick on Facebook, YouTube, and his articles on Forbes. Thanks to this week’s podcast sponsor, Fluency Security: Fluency's correlation and risk scoring technology combined with their approach of using pseudonyms in place of certain PII data greatly facilitates your organization’s path towards compliance. Over time, machine learning and artificial intelligence algorithms detect anomalies at an impressive level of scalability. Run Fluency as a standalone or integrate it into your existing SIEM. Learn more by visiting us at booth #4529 at the RSA® Conference 2019. On this episode of Defense in Depth, you’ll learn: A good starting point for building an information security council is to develop a business continuity and disaster recovery plan with all departments and stakeholders. Understand the risk tolerance of each division. A well-informed information security council can often benefit from less security training. The number one battle to develop an InfoSec council is never technical. It is always cultural. Need to create a culture of not shaming people for making mistakes that compromise security. You want employees to feel free to speak up if they do make a mistake.
2/7/2019 • 24 minutes, 12 seconds
Privacy
Will the privacy outcry and new regulations limit companies’ abilities to do business, or will it span a whole new industry? We discuss building a business in the new age of privacy regulations on this week’s Defense in Depth. Chris Jordan, CEO, Fluency Security This episode of Defense in Depth is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our sponsored guest is Chris Jordan, CEO of Fluency Security. Thanks to this week’s podcast sponsor, Fluency Security: Fluency’s correlation and risk scoring technology combined with their approach of using pseudonyms in place of certain PII data greatly facilitates your organization’s path towards compliance. Over time, machine learning and artificial intelligence algorithms detect anomalies at an impressive level of scalability. Run Fluency as a standalone or integrate it into your existing SIEM. Learn more by visiting us at booth #4529 at the RSA® Conference 2019. On this episode of Defense in Depth, you’ll learn: While new privacy regulations may hamper a company’s ability to collect and sell any data they want, they don’t necessarily stifle the economy. For example, the introduction of HIPAA regulations spawned a growing industry. DuckDuckGo is a search engine that doesn’t collect your browsing history to determine your search results. Even if you are very protective of your data, the people around you probably aren’t. Through relationships and triangulation a profile of you, sans your personal data, can still be created. Because of this ability to triangulate data, your employees’ personal data, outside of work can become a risk to your company.
1/31/2019 • 28 minutes, 57 seconds
Security Metrics
Defense in Depth is part of the CISO Series network which can be found at CISOSeries.com. What are the most important metrics to measure when building out your security program? One thing we learned on this episode is those metrics change, as your security program matures. This episode of Defense in Depth is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is my co-host of the other show, Mike Johnson, CISO of Lyft. Fluency's correlation and risk scoring technology combined with their approach of using pseudonyms in place of certain PII data greatly facilitates your organization's path towards compliance. Over time, machine learning and artificial intelligence algorithms detect anomalies at an impressive level of scalability. Run Fluency as a standalone or integrate it into your existing SIEM. Learn more by visiting us at booth #4529 at the RSA® Conference 2019. On this episode of Defense in Depth, you'll learn: There is no golden set of security metrics. Metrics you use to measure your security program this year won't necessarily be the same ones you use next year. Use the NIST model to determine your security program maturity. Unlike B2C, B2B companies can use metrics to build a closer tie between security and the business. Regulations and certifications is one easy way to align security with the business.
1/23/2019 • 24 minutes, 11 seconds
Welcome to Defense in Depth
Just a quick welcome message to this weekly show covering controversial and confusing topics in cybersecurity.