DiscoverCISO-Security Vendor Relationship Podcast
CISO-Security Vendor Relationship Podcast
Claim Ownership

CISO-Security Vendor Relationship Podcast

Author: David Spark, Founder, Spark Media Solutions and Mike Johnson, CISO, Lyft

Subscribed: 239Played: 2,918
Share

Description

Discussions, tips, and debates around improving the communications and services that security vendors provide to their customers, the security buyer.
67 Episodes
Reverse
All links and images for this episode can be found on CISO Series (https://cisoseries.com/like-fine-wine-our-vendor-bs-meter-gets-better-with-age/)  The bouquet of this particular vendor BS is a mixture of FUD, unnecessary urgency, and a hint of pecan. Look to your left and grab the spittoon because we don't expect everyone to swallow what you're about to hear on this week's episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Olivia Rose, CISO for MailChimp. Thanks to this week's podcast sponsor Remediant Eighty one percent of cyberattacks utilize stolen administrative credentials. Yet, legacy enterprise password vaults solve only a fraction of the problem and are difficult to rollout. Remediant’s SecureONE takes a new approach to privileged access management: offering agent-less, vault-less, continuous detection and just-in-time-administration. Learn what Remediant can do in a half-day POC deployment. On this week's episode Why is everyone talking about this now? One of the reasons we hate hearing security buzzwords is because it doesn't help us understand what it is a vendor is trying to sell. When a vendor says we have a "zero trust" product, what does that mean? We delve into some of the tell-tale signs that a vendor or consultant is trying to BS you. According to Olivia Rose, if you're going to pitch a CISO, make sure you can answer the following simply and succinctly: What does our product/service do? What specific security problem does it solve? How will it affect the typical strategic/business drivers for a company? It's time for "Ask a CISO" Fernando Montenegro, analyst for 451 Research, asked, "How can the CISO be a change agent for the security team so it can better align with the business?" What's Worse?! For this week's game I picked a question very apropos for our guest's current situation. Um… maybe you shouldn't have done that Unconscious bias towards women in professional settings is not always overt nor intentional, but it happens. We discuss some examples of unconscious bias for both women and men. And we discuss how too much of it can really push women out of the security industry. A distributed denial of service attack is the scourge of IT security. According to Verisign, one-third of all downtime incidents are attributed to DDoS attacks, and thousands happen every day. Are they created by sophisticated black hatted evil doers from an underground lair? Of course not. Welcome to the world of cybercrime-as-a-service. You too can silence a competitor or cause havoc for pretty much anyone for as low as $23.99 a month. Just have your credit card or Bitcoin ready. For more, go to CISOSeries.com. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. First 90 days of a CISO Being just six weeks in, our guest, Olivia Rose is living the first 90 days of a CISO. We asked her and Mike what it's like those first few weeks. And to no one's surprise, it's beyond overwhelming.
All links and images for this episode can be found on CISO Series (https://cisoseries.com/if-capital-one-listened-to-our-podcast-they-still-would-have-been-breached/)  We guarantee listening to our show would have done absolutely nothing to prevent the Capital One breach. We've consulted our lawyers and we feel confident about making that claim. It's all coming up on this week's episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in the ExtraHop booth during Black Hat 2019. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Tom Stitt (@BlinkerBilly), sr. director, product marketing - security, ExtraHop. Thanks to this week's podcast sponsor ExtraHop Unlike security solutions that focus on signature- and rule-based detection, ExtraHop Reveal(x) helps you rise above the noise of alerts with complete east-west visibility and machine learning for real-time detection of known and unknown threats, plus guided investigations for rapid response. Find and address real threats faster with ExtraHop. On this week's episode Why is everyone talking about this now? I have noticed an either disturbing or coincidental trend. Every year, just before either RSA or Black Hat conferences, there is some massive breach. This year it was Capital One. In the past we've had Ashley Madison, Target, Marriott - all within a few months of the shows. I know I know I know that CISOs absolutely hate being sold on FUD (fear, uncertainty, and doubt), but all conferences are affected by industry relevant news. You simply can't avoid it. Capital One was brought up multiple times during the Black Hat conference. We discuss the do's and don'ts of bringing up the most recent breach at a huge trade show. We don't have much time. What's your decision? On LinkedIn, you asked "When your risk and threat models all agree that this feature/product/decision is of low concern but your gut tells you otherwise, what do you do?" It appears most people said go with your gut to which Richard Seiersen of Soluble pointed out that guts are models too. What happens when you're faced with such a scenario and what causes the tools and threat models to be so off your gut? "What's Worse?!" We've got a split decision and a really fun scenario. Please, Enough. No, More. Today's topic is "network behavior analysis." In the world of anomaly detection, what have Mike and Tom heard enough about and what would you like to hear a lot more? It’s been two weeks. Time to change your password again. How many times have we all bumped up against this wall – intended to help keep us secure, but extremely annoying when you have things do do? The battle for password security has been a long and arduous one, moving and evolving, sometimes ahead of, but more often lagging behind the activities of the hackers and bad guys, whose limitless resources seek out every possible weakness. Challenge questions and strings of letters, numbers and characters might soon be coming to the end of their functional life, as security companies start to roll out biometric and behavioral security protocols in their place. Paired with increased access to data and artificial intelligence, it will become easier for organizations to contemplate a switch from basic strings of words to something more esoteric – a retinal scan paired with an extensive ergonomic behavior database for every individual. These things are not new to the consumer marketplace of course. Apple iPhones are one of many devices that can be unlocked by a fingerprint, and credit card companies and web applications routinely call out unusual login behaviors. But the new secret sauce in all of this is the availability of huge amounts of data in real time, which can be used to analyze a much larger set of behavioral activity, not simply an unusually timed login. This can then be managed by an Identity-as-a-service (IDaaS) company that would take over the administration, upkeep and security of its clients using the as-a-service model. A retinal scan paired with a secure knowledge of which hand you carry your coffee in and where you bought it might very soon replace the old chestnut challenge of your mother’s maiden name. That one should stay safe with Mom. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. And now, a listener drops some serious knowledge On LinkedIn, Ian Murphy of LMNTRIX put together an incredibly funny presentation with great graphics entitled the BS Cybersecurity Awards which included such impressive glass statuettes like the "It'll Never Happen to Us" Award and the "Cash Burner" Award. In general, they were awards for all the bad repeated behavior we see from vendors and users in cybersecurity. What are the awards that are not given out that we'd actually like to see?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/improve-security-by-hiring-people-who-know-everything/) If you're having a hard time securing your infrastructure, then maybe you need to step up the requirements for expertise. Why not ask for everything? We're offering unreasonable advice on this week's episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in front of a live audience at ADAPT's CISO Edge conference in Sydney, Australia. This special episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Liam Connolly, CISO of Seek. Our guest is Matt Boon (@mattjboon), director of strategic research for ADAPT. Plus, we have a special sponsored guest appearance from John Karabin, vp, cybersecurity, Dimension Data. Thanks to this episode's sponsors Dimension Data/NTT and ADAPT By 1 October 2019, all 28 NTT companies, including Dimension Data, will be branded as NTT. Together we enable the connected future. Visit NTT at hello.global.ntt. ADAPT’s mission is to equip IT executives with the knowledge, relationships, inspiration and tools needed to gain competitive advantage. ADAPT’s membership platform provides business leaders with fact-based insights, actionable patterns of success and the collective experience of 3,000 peers to improve strategic IT, security, and business decisions. Visit ADAPT for more. On this week's episode Why is everyone talking about this now? Independent security consultant Simon Goldsmith sent this post from Stu Hirst, a security engineer at JUST EAT who posted a job listing that requested subject matter expertise on 12 different aspects of security. This highly demanding request resulted in well over 200 responses from the community. Is it laziness on the part of the company posting? Is it an attempt to just capture job seekers' search queries? Or is it simply an editorial mistake that they shouldn't have requested subject matter expertise but rather basic knowledge across 12 different aspects of security? Ask a CISO Mitch Renshaw, Fortinet, describes a problem that many vendors are having. He says: "Fortinet’s broad portfolio makes it hard to give a concise yet effective overview of our value. As a result I’m worried my emails are going long. Customers know us for our firewalls – and a full firewall refresh is hard to come by as a sales rep. So if I get more targeted in my demand generation techniques, I’m met with an 'I’m all set, I’ve got Palo/checkpoint/juniper/etc.'" Mitch has got a conundrum. He's looking for the happy medium on how to sell a company with a wide variety of products, some of which are highly commoditized in the industry. How should he reach out to security professionals? "What's Worse?!" We play two rounds and the audience gets to play along as well. Hey, you're a CISO, what's your take on this?' My American co-host, Mike Johnson, asked this question of the LinkedIn community, and I ask you this as well. "Why do sites still **** out the password field on a login page?" It's designed to stop shoulder surfing. Is this really the main problem? What else is it helping or hurting, like password reuse? Passwords are a broken system that are easily hacked. We have solutions that add layers on top of it, like multi-factor authentication. What solutions do we have for the password process itself? OK, what's the risk? Ross Young of Capital One, asks this question about what risk should you be willing to take on? "What should cyber professionals do when they can’t contract or outsource services like pen testing however they struggle to acquire the talent they need. If they train folks they find them poached sooner and if they don’t they are stuck without the talent they need to survive." Why is this a bad pitch? We've got a pitch sent in to us from Eduardo Ortiz. It's not his pitch, but one he received. You may need to strap in when you hear this. It’s time for the audience question speed round Yep, it's just like it sounds. I ask the panel to ask some questions submitted from our audience.    
Find all images and links for this episode on CISO Series (https://cisoseries.com/just-click-accept-as-we-explain-informed-consent/) Even if you do give "informed" consent, do you really understand what we're doing with your data? Heck, we don't know what we're going to do with it yet, but we sure know we want a lot of it. It's all coming up on this week's episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Francesco Cipollone (@FrankSEC42), head of security architecture and strategy, HSBC Global Banking and Markets. Thanks to this week's podcast sponsor ExtraHop Unlike security solutions that focus on signature- and rule-based detection, ExtraHop Reveal(x) helps you rise above the noise of alerts with complete east-west visibility and machine learning for real-time detection of known and unknown threats, plus guided investigations for rapid response. Find and address real threats faster with ExtraHop. On this week's episode Should you ignore this security advice? This is advice you should not ignore. It comes from an article by Jonathan Jaffe, director of information security at People.ai where he offered up a great recipe for startup security. We discussed standout tips and were there any disagreements or omissions? Close your eyes. Breathe in. It's time for a little security philosophy. Phil Huggins, GoCardless, said, "If we don't know what value is in our data until it has been enriched and analysed can we give informed consent as to its use?" What's Worse?! We're concerned with the state of data in this game. Ask a CISO Mike Baier, Takeda Pharmaceuticals, asks, "When faced with the scenario of the vendor providing a recent SOC 2 Type 2 report, and then tells you that their internal policies/procedures are considered 'highly confidential' and cannot be shared, what tips would you provide for language that could help cause the vendor to provide the required documentation?" The 1979 movie When a Stranger Calls gave us that unforgettable horror moment when the police informed Jill that the calls from the stalker were coming from inside the house. Nineteen years earlier, Hitchcock’s Psycho did a similar type of thing with the shower scene. We humans have a real problem when danger pops up in the place we feel safest – our homes. A similar problem happens in corporate IT security. We place a great deal of attention on watching for external hackers, as well as those that seek to dupe our overstressed employees into clicking that spearfishing link. What was it that Edward Hermann’s character, the vampire, said in the Lost Boys? “You have to invite us in.” But what about internal bad actors? There are those who see great opportunity in accessing, stealing and selling company resources – data – like social security numbers, credit card numbers and medical files. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. OK, what's the risk? A question from Robert Samuel, CISO, Government of Nova Scotia that I edited somewhat. It's commonly said that the business has the authority for risk-trade off decisions and that security is there just to provide information about the risk and measurement of the risk. I'm going to push this a little. Is this always the case? Do you sometimes disagree with the business or is it your attitude of "I communicated the risk, it's time for me to tap out."
All images and links for this episode can be found on CISO Series (https://cisoseries.com/who-are-the-perfect-targets-for-ransomware/) If you've got lots of critical data, a massive insurance policy, and poor security infrastructure, you might be a perfect candidate to be hit with ransomware. This week and this week only, it's an extortion-free episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Sean Walls (@sean_walls2000), vp, cybersecurity, Eurofins. Thanks to this week's podcast sponsor Core Security Assigning and managing entitlements rapidly to get employees the access they need is critical, but it can come at the cost of accuracy and security. Core Security’s identity governance and administration (IGA) solutions provide the intelligent, visual context needed to efficiently manage identity related security risks across any enterprise. On this week's episode How CISOs are digesting the latest security news An article in the NYTimes points to a new trend in ransomware that is specifically attacking small governments with weak computer protections and strong insurance policies. Payments from $400-$600K. Lake City, Florida, population 12K paid $460K to extortionists. They got some of their information back but they have been set back years of what will require rescanning of paper documents. Mike, I know your standard philosophy is to not pay the ransom, but after a ransomware attack against the city of Atlanta, the mayor refused to pay $51,000 in extortion demands, and so far it's cost the city $7.2 million. Probably more. These payments by the small cities must be incentivizing more attacks. Does this information change the way you're willing to approach ransomware. What can a small city with zero cybersecurity staff do to create a program to reduce their risk to such a ransomware attack? Ask a CISO Bindu Sundaresan, AT&T Consulting Solutions, asks a very simple question, "How is each security initiative supporting the right business outcome?" Do you find yourself selling security into the business this way? If not, would you be more successful selling security to the business if you did do this? What's Worse?! We've got a split decision on what information we prefer after a breach. Listen up, it’s security awareness training time Jon Sanders, Elevate Security, said, "Security awareness involves A LOT of selling… there’s no cookie cutter approach in security awareness or sales!" Is the reason security training is so tough because so many security people are not born salespeople? I've interviewed many and there's a lot of "just listen to me attitude," which really doesn't work in sales. Cloud Security Tip, sponsored by OpenVPN We talk a lot about penetration testing here, given that it remains a staple of proactive IT security. But not everyone feels it’s all it’s cracked up to be. Or should that be, all it’s hacked up to be?” More than one cybersecurity organization points out there are a few flaws in the pen testing concept that make it worth a second look. Pen testing often consists of a small collection of attacks performed within a set time period against a small sample of situations. Some experts doubt the efficacy of testing against a limited field of known vulnerabilities, without knowing what other weaknesses exist in plain sight, or merely invisible to jaded eyes. More on CISO Series... What do you think of this pitch? We have a pitch from Technium in which our CISOs question what exactly are they selling?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/passwords-so-good-you-cant-help-but-reuse-them/) We've just fallen in love with our passwords we just want to use them again and again and again. Unfortunately, some companies more interested in security aren't letting us do that. We discuss on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is William Gregorian (@WillGregorian), CISO, Addepar. Thanks to this week's podcast sponsor Cyberint The high ROI is what makes spear phishing campaigns so attractive to threat actors. Read our breakdown of TA505's latest series of attacks. CyberInt has been tracking various activities surrounding this and other similar attacks where legit means were used to hack international companies in the retail & financial industries. How CISOs are digesting the latest security news Chris Castaldo of 2U and a former guest on the show posted this great story of TripAdvisor invalidating user credentials if a member's email and password were found in publicly leaked data breach databases. Is this a great or bad move by TripAdvisor? Ask a CISO On LinkedIn, Chad Loder, CEO, Habitu8 posted an issue about the easy deployment and ubiquity of cloud applications. He argues it's no longer Shadow IT. It's just IT. And securing these cloud tools you don't manage nor know about requires a lot of education. Is Shadow IT inevitable. Should we lose the name? And is education the primary means of securing these services? It's time to play, "What's Worse?!" One of the toughest rounds of "What's Worse?!" we've ever had. Close your eyes. Breathe in. It's time for a little security philosophy. Mike posed a "What's Worse?!" scenario to the LinkedIn community and got a flurry of response. The question was "Would you rather have amazing, quality cybersecurity incident response in 24 hours or spotty, unreliable response in one hour?" I wanted to know what was Mike's initial response and did anyone say anything in the comments to make him change his mind? For quite a while, IT security experts have been touting the value of two factor authentication (2FA) as a better way to keep data safe than simply using passwords alone. We have even spoken about it here. In its most popular form, 2FA sends a confirmation code to your phone, which you must then enter into the appropriate log-in confirmation window within a short amount of time. This is like having a second key to the safe, like many bank vaults used to have. (more on the site) It’s time to measure the risk Chelsea Musante of Akamai asks, "What would you say to someone who thinks their risk for credential abuse / account takeover has decreased because they've implemented MFA (multi-factor authentication)?"
All links and images for this episode can be found at CISO Series (https://cisoseries.com/please-dont-investigate-our-impeccable-risk-predictions/) It's easy to calculate risk if no one ever checks the accuracy of those predictions after the fact. It's all coming up on CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Bob Huber (@bonesrh), CSO, Tenable. Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization. On this week's episode What's the ROI? Do we analyze how good we are at predicting risk? Phil Huggins, GoCardless said, "We conduct detailed rigorous risk assessments to support security transformation business cases and identify a series of mitigation actions and then declare success if those actions are completed on time and on budget... We never revisit our risk assessments a year later and see how good we were at predicting risk occurrence. I worry that the avoidance of feedback contributes to the underperformance of security." Are we looking back and seeing how good we are at analyzing risk? Close your eyes. Breathe in. It's time for a little security philosophy. We have evolved from an unchecked "Cloud first" model to a more thoughtful "cloud smart" strategy. Are these just PR slogans apparently implemented by the last two administrations, or is there something to them? Looking ten years ago vs. today, have we really become smarter about implementing cloud technologies? In what way have we made the greatest strides? How are we falling short and where would you like us to be smarter? What's Worse?! What would you sacrifice to get all the training you could get? Please, Enough. No, More. Our topic is DevSecOps. It's a big one. Mike, what have you heard enough of on the topic of DevSecOps, what would you like to hear a lot more? What do you think of this pitch? Shazeb Jiwani of Dialpad forwarded me this pitch from Spanning Cloud Apps. He asks, "how they feel about vendors using an availability issue from a partner (not even a competitor) as a sales pitch." Parkinson’s Law states that “work expands to fill the time available,” and any IT specialist knows this applies equally to data and can be stated as “Data expands to fill the storage available.”  As cloud service providers – and the cloud itself both continue to expand, the opportunity to transport and store all of your data seems to be a great convenience. But data management requires oversight, control and governance. The more data – and daily data flow –one has, the greater the potential for misuse, redundancy, errors, and costly maintenance.  More at https://openvpn.net/latest/security-tips/
CISO Series One Year Review

CISO Series One Year Review

2019-06-2500:28:37

Links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ciso-series-one-year-review/)  The CISO/Security Vendor Relationship Podcast is now more than a year old. On this episode, the hosts of both podcasts, reflect on the series and we respond to listeners critiques, raves, and opinions. Check out this post and this post for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is the co-host of the CISO/Security Vendor Relationship Podcast, Mike Johnson. Thanks to this week’s podcast sponsor, Trend Micro On this episode of Defense in Depth, you'll learn: We provide the definitive story of how the CISO/Security Vendor Relationship Podcast started and how David, Allan, and Mike all connected. We've been challenging many of the sales techniques that have essentially irked CISOs. The podcast has become a validation tool for sales people to show to their management and say, "We need to change direction." One of the critiques we've heard is the desire to understand more of the sales process. We are actually very much in the dark as to the different levels of incentives are for sales staff. A security sale is often a long and involved process and we know the incentives are more involved than just a sales commission. We've actually done webinars that take a look behind the scenes of sales and we plan to do more. Those who feel isolated with their company enjoy hearing the different viewpoints. There is actually a real return on investment to listening to our show. Sales people say that they've changed their strategy based on advice on the show and it has proved to be fruitful.
Images and links for this episode can be found at CISO Series (https://cisoseries.com/worst-question-award-goes-to-how-secure-are-we/) We've got better ways to determine the overall quality of your security posture than asking this unanswerable question. It's all coming up on CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Helen Patton (@osucisohelen), CISO, Ohio State University. Thanks to this week's podcast sponsor Trend Micro. On this week's episode Why is everyone talking about this now? Jamil Fashchi, CISO, Equifax, "In speaking with a CEO the other day, I was asked, 'As someone who isn’t technical, what questions should I ask to determine if my security team is effective?'" This caused a flurry of discussion. What's your advice, and do you agree it's a lot better question than "How secure are we?" Hey, you're a CISO, what's your take on this? One issue that comes up a lot in cybersecurity is the lack of diversity. We have discussed the value of diversity, in that it avoids "one think" and brings in the critical need of different viewpoints. The problem is we're often attracted to people like us, and we ask for referrals which if you hired people like you is probably going to deliver more people like you. We focus this discussion on actionable tips that CISOs can take to bring in a diverse workforce. What's Worse?! What's it like to work with the business and their acceptance or lack of acceptance of risk? First 90 days of a CISO Steve Luczynski, just became CISO of T-Rex Corporation. In the past the CIO has handled both IT and security at the company. "Now with a CISO onboard, the struggle is figuring out who does what with the expected reluctance by the CIO to let go of certain things and trust me, the new CISO to maintain the same standards. For example, I wanted to change our password policy when I first showed up to match the new NIST guidance of not changing based on a set time period. There was disagreement and it did not change even when I showed the NIST verbiage," said Luczynski. How should Steve deal with such disagreements? Ask a CISO For a while, FUD (fear, uncertainty, and doubt) worked on the average person, to get them to install basic security measures, like an anti-virus. But it appears that's all changed. The cause could be apathy. When there's so many breaches happening the average person feels powerless. Are we marketing cyber-awareness wrong to non-security people? What would get them to be true advocates? The Pre-nup. It’s a difficult thing for most people to talk about in their personal lives, but it’s something that should always be considered when setting up a relationship with a cloud service provider. Not all business relationships last, and if your organization needs to move its data to another provider, it’s not like packing up your furniture and saying goodbye to your half of the dog. 
The images and links for this episode can be found at CISO Series (https://cisoseries.com/youre-not-going-anywhere-until-you-clean-up-that-cyber-mess/) Our CISOs and Miss Manners have some rules you should follow when leaving your security program to someone else. It's all coming up on CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is newly free agent CISO, Gary Hayslip (@ghayslip). Thanks to this week's podcast sponsor Trend Micro On this week's episode Why is everyone talking about this now? Mike, you asked a question to the LinkedIn community about what department owns data privacy. You asserted it was a function of the security team, minus the legal aspects. The community exploded with opinions. What responses most opened your eyes to the data privacy management and responsibility issue you didn't really consider? Hey, you're a CISO, what's your take on this?' Someone who is writing a scene for a novel, asks this question on Quora, "How does a hacker know he or she has been caught?" Lots of good suggestions. What's your favorite scenario? And, do you want to let a hacker know he or she has been caught, or do you want to hide it? What circumstances would be appropriate for either? What's Worse?! Mike decides What's Worse?! and also what's good for business. First 90 days of a CISO Paul Hugenberg of InfoGPS Networks asks, "What fundamentals should the CISO leave for the next, as transitions are fast and frequent and many CISOs approach their role differently. Conversely, what fundamentals should the new CISO (or offered CISO) request evidence of existence before saying YES?" Mike, this is a perfect question for you. You exited and you will eventually re-enter I assume as a CISO. What did you leave and what do you expect? Ask a CISO Fernando Montenegro of 451 Research asks, "How do you better align security outcomes with incentives?" Should you incentivize security? Have you done it before? What works, what doesn't? Imagine how hard it would be to live in a house that is constantly under attack from burglars, vandals, fire ants, drones, wall-piercing radar and virulent bacteria. Most of us are used to putting a lock on the door, cleaning the various surfaces and keeping a can of Raid on hand for anything that moves in the corner. But could you imagine keeping a staff of specialists around 24/7 to do nothing but attack your house in order to find and exploit every weakness?
loading
Comments 
loading
Download from Google Play
Download from App Store