DiscoverCISO-Security Vendor Relationship Podcast
CISO-Security Vendor Relationship Podcast
Claim Ownership

CISO-Security Vendor Relationship Podcast

Author: David Spark, Founder, Spark Media Solutions and Mike Johnson, CISO, Lyft

Subscribed: 347Played: 6,764
Share

Description

Discussions, tips, and debates around improving the communications and services that security vendors provide to their customers, the security buyer.
91 Episodes
Reverse
All links and images for this episode can be found on CISO Series (https://cisoseries.com/lets-blow-our-entire-marketing-budget-at-rsa/) Security professionals only think about security one week out of the year, right? So let's drop every single dollar we have budgeted for marketing on the last week of February. Whaddya say? This episode was recorded in person at Intel's offices in Santa Clara, California. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Tom Garrison (@tommgarrison), vp and gm of client security strategy at Intel (@IntelNews). David Spark, CISO Series, Tom Garrison, Intel, and Mike Johnson, CISO/Security Vendor Relationship Podcast. Thanks to this week's podcast sponsor, Intel. The globalization of technology has created an environment of complicated supply chains with limited transparency. Intel’s Compute Lifecycle Assurance (CLA) initiative solves this through a range and tools and solutions that deliver assurances of integrity throughout the entire lifetime of a platform --from build to retire. On this week's episode There’s got to be a better way to handle this Next week is RSA and by podcast law we're required to talk about it. We offer up tips on maximizing the following: education, engagement, and follow up. What’s the return on investment? On Peerlyst, John Mueller, a security architect with the US Navy, suggested ways to use incident response metrics to help determine whether your cybersecurity program is improving. But as Mueller points out, it's not easy as you could fool yourself into believing you're doing well if you don't valuable discovery tools. We discuss methods to measure improvements in security programs. What's Worse?! A really tough one that delivers a split decision. Please, enough. No, more. Our topic is trust and hardware manufactures. We discuss what we've heard enough about with trusting hardware manufacturers of tech products, and then we discuss what we'd like to hear a lot more. The fable of Walt Disney having been cryogenically frozen to be revived in an age where the science to do so existed is just that – a fable. But there is still something to be taken from that when it comes to documents archived on the cloud or consigned to data landfills. Just because encrypted data cannot be easily decrypted by hackers using today’s tools, that doesn’t mean tomorrow’s tools can’t do the job and revive the information stored inside. When threat actors take it upon themselves to steal data, through hacking, ransomware, or AI, they might, of course be searching for material that is immediately exploitable, such personal data, or data that has immediate value in being returned or unlocked as in the case of ransomware. But other players are in it for the long game, counting on the fact that the inexorable momentum of progress will lead to a decryption solution in time for stolen archived data to still be of use for future crimes, frauds and deep fakery. More from our sponsor ExtraHop. Close your eyes. Breathe in. It’s time for a little security philosophy. I got back from Tel Aviv where cybersecurity professionals find themselves innovating out of necessity. They're often short on resources. We discuss the kinds of exercises we've tried to help ourselves and our team to think creatively about cybersecurity. One suggestion is the interrogation technique of "Five Whys" to get at the root reason of why we make our choices.
All links and images for this episode can be found on CISO Series (https://cisoseries.com/empowered-working-together-to-pile-on-the-cyber-guilt/) We can all be more secure if we work together as a team to shame those who don't agree with how we approach security. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Chris Hatter, CISO, Nielsen. On this week's episode Mike's confused. Let's help him out. Mike inspired this brand new segment with his question to the LinkedIn community, asking what's the big deal with 5G security? The story I heard about 5G is just sheer volume over unsecured networks. But Mike said, we've been dealing with unsecured networks since 2G and 3G and we dealt with them using Transport Layer Security or TLS, and implementing other services such as multi-factor authentication or MFA. Mike called out to the community to clue him in as to why we should be more concerned with 5G. Does shaming improve security? Thanks to Mark Eggleston, CISO, Health Partners Plans for alerting me to Chris Castaldo, CISO of Dataminr, and his post about Rob Chahin's "Single Sign-On or SSO Wall of Shame". Chahin, who is the head of security at Eero, purports that SSO should be a standard feature in applications and websites that allow for secure sign on through third party identity services, such as Google and Okta. Single sign-on is a significant boon for security and management simplicity and Chahin argues that many companies force users to pay dearly to enable SSO. What's Worse?! A grand financial decision in this scenario. Is this the best solution? According to a recent article in the Wall Street Journal, there is an ever slight trend of CISOs moving away from reporting to the CIO, opting instead to report directly to the CEO. Why is this trend happening? What are the benefits and disadvantages?   With hacks and breaches becoming all too commonplace and even encrypted data still vulnerable to hackers who can read and copy it, focus is now being placed on Quantum Communication as a potential next option. This is a technique that encodes data into photons of light, each of which can carry multiple copies of ones and zeroes simultaneously, but which collapses into a single one-and-zero if tampered with. Basically, the scrambling of data to an unusable format. Although Quantum communication has been development for a few years, researchers in China have apparently already outfitted a fleet of drones that will soon be able to communicate upwards to its already launched Quantum satellites and downwards to ground stations while remaining stable in flight. This paves the way for the field of quantum teleportation, a glamorous term whose uses and actual development are no longer just the realm of science fiction. For data at least. More from our sponsor ExtraHop. Close your eyes. Breathe in. It’s time for a little security philosophy. Simon Goldsmith, adidas, said, "I’ve been having some success in replacing risk with uncertainty. By which I mean not having a threat, vulnerability or impact made tangible creates uncertainty which is next to impossible to factor into any modern decision making process. If I make it tangible, it becomes a risk and I can help you make a better decision. Puts value on turning uncertainty to risk and fights FUD."
All links and images for this episode can be found on CISO Series (https://cisoseries.com/youre-mistaken-im-not-annoying-its-chutzpah/) We're pushing just to the edge of irritation on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in front of a live audience in Tel Aviv on the eve of the 2020 Cybertech conference. Special thanks to Glilot Capital for hosting this event. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and my special guest co-host, Bobby Ford, global CISO for Unilever. Our guest is John Meakin, veteran financial CISO, and currently CISO for Equiniti. David Spark, producer, CISO Series, Bobby Ford, CISO, Unilver, and John Meakin, CISO, Equiniti. Thanks to this week's podcast sponsors, Polyrize and Intsights. As newly adopted SaaS and IaaS services add an additional layer of risk for security teams, Polyrize provides a cloud-centric approach to simplifying the task of protecting user identities and their access across the public cloud by right-sizing their privileges and continuously protecting them through a unified authorization model. IntSights is revolutionizing cybersecurity operations with the industry’s only all-in-one external threat protection platform designed to neutralize cyberattacks outside the wire. Our unique cyber reconnaissance capabilities enable continuous monitoring of an enterprise’s external digital profile across the clear, deep, and dark web to identify emerging threats and orchestrate proactive response. To learn more, visit intsights.com. On this week's episode How do you go about discovering new security solutions? In an article on LinkedIn entitled, "Why do CISOs take a vendor meeting?" Dutch Schwartz, of AWS said that they take meetings per a recommendation of their staff, their peers, or they have an explicit problem that they've already researched, or they have known unknowns. Are those the reasons to take a meeting with a security vendor? We discuss what meetings CISOs take, and which ones are the most attractive. It's time for "Ask a CISO" Israel is known for a thriving startup community. But what I always see is cross pollination between Israel and Silicon Valley when it comes to startups. We discuss what Israeli startups can learn from Silicon Valley and vice versa. What's Worse?! We've got two rounds. One agreement and one split vote. It’s time to measure the risk Five years ago I wrote an article for CIO.com about the greatest myths of cloud security, The first myth was the cloud is inherently insecure. And the other 19 are ones I'm still hearing today. My conclusion for the whole article was if you can overcome these myths about cloud security, you can reduce risk. In this segment we dispel cloud security myths and explain how the cloud helps reduce risk possibly in ways many of us are not aware. Close your eyes. Breathe in. It’s time for a little security philosophy. On this podcast we talk a lot about CISOs needing to understand the business. In a thought-provoking post on Peerlyst, Eh-den Biber, a student of information security at Royal Holloway, University of London, noted that the job of cybsecurity is more than that. It's about understanding the flow of business and being present in the individuals' lives and their stories. We discuss the importance of being present in your users' lives. It's time for the audience question speed round The audience has questions and our CISOs have answers. We get through a lot really quickly.  
All links and images for this episode can be found on CISO Series (https://cisoseries.com/revisiting-a-whole-career-of-cyber-screw-ups/) This episode was recorded in front of a live audience at Malwarebytes' offices in Santa Clara, California for the Silicon Valley ISSA chapter meeting. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Peter Liebert, former CISO, state of California. Peter is now an independent consultant and commander of cyber operations for California State Guard. (left to right) David Spark, producer, CISO Series, Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, and Peter Liebert, commander, cyber operations, California State Guard Thanks to this week's podcast sponsor, Malwarebytes. Malwarebytes secures endpoints, making workplaces resilient. Our adaptive cyber protection predicts and detects attacks with multi-layer detection across the kill chain. We enable active threat response with machine learning that is actionable and automated, allowing for full recovery when a compromise occurs. We empower enterprise endpoint orchestration across siloed IT and Security organizations, simplifying security management and making responses effective. Malwarebytes makes endpoints resilient so workplaces can protect and remediate, and employees can regain control of their digital lives. On this week's episode Why is everybody talking about this now? Chris Roberts of Attivo Networks posted about his video game addiction as he admitted one certain game ate up 475 hours of his life. He really struck a chord with the community as he got hundreds of comments of people admitting to the same but also recognizing that video games are great stress relievers and that the problem solving in games actually helps keep your mind sharp. There is the obvious need for a break, but is there a correlation between how gaming in any form can help someone with their job in cybersecurity? Hey, you're a CISO, what's your take on this?' Are we doing a good job defining the available jobs in cybersecurity? The brand that we see out there is the image of the hacker and the hoodie. In a post on Peerlyst, Nathan Chung lists off eleven other cybersecurity jobs that don't fall under that well known cybersecurity trope. Jobs such as data privacy lawyers, data scientists developing AI and machine learning algorithms, law enforcement, auditors who work on compliance, and even project managers. We discuss some of the concrete ways to explain the other lesser known opportunities in cybersecurity. What's Worse?! We play two rounds with the CISOs. Um… maybe you shouldn't have done that In an article on Peerlyst, cybersecurity writer Kim Crawley, asked her followers on Twitter, "What mistakes have you made over the course of your career that you would recommend newbies avoid?" There was some great advice in here. We discuss our favorite pieces of advice from the list and our CISO admit what is the mistake they've made in their cybersecurity career that they specifically recommend newbies avoid. We’ve got listeners, and they’ve got questions Chris Hill of Check Point Software, asked, "How can non-technical people working their way up in the security industry improve their knowledge and abilities from a CISO perspective." Chris is a newbie and he wants advice on being a “trusted advisor” and he's trying to figure out the best/most efficient way to get there. It's time for the audience question speed round We go through a ton of questions the audience has for our CISOs
All links and images for this episode can be found on CISO Series (https://cisoseries.com/debunking-the-misused-chased-by-bear-cybersecurity-metaphor/) We don't want anyone to be caught by the bear on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in person in San Francisco. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Elliot Lewis (@ElliotDLewis), CEO, Encryptics. Thanks to this week's podcast sponsor, Encryptics. Now you can share data without ever losing control of it. Our advanced architecture makes data self-protecting, intelligent and self-aware – wherever it goes, no matter who has it. Our .SAFE patented multi-key technology enables data to evaluate its own safety conditions, including geo-sensing, recipient authentication, and policy changes from its owner. Contact Encryptics today and see for yourself. On this week's episode Is this the best solution? On LinkedIn, Rich Malewicz of Wizer opened up a discussion of security is really just about making the lives difficult for attackers, or more difficult than another target. Rui Santos summed Rich's theory succinctly, "you don't have to be Fort Knox, just make it not worth the effort of hacking your organization." Let's dive into the specifics of this. Provide some examples of how you architect a security program that makes it too difficult or too costly for an attacker. Obviously, this would change given the asset you're trying to protect. The great CISO challenge Brad Green, Palo Alto Networks, asks, "What are the most important functions of the SOC (security operations center), and what are the most important activities that support them? What's Worse?! As always, both options stink, but one is worse. Please, Enough. No, More. Today's topic is data security. What have you heard enough about with data security, and what would you like to hear a lot more? Mike? Communicating cyberthreats to the general public has always been a challenge for cybersecurity specialists, especially when it comes to eliciting cooperation in areas like cyberhygiene. Sometimes it helps to give people an awareness that the need for proactive security doesn’t exist only on screens, but everywhere. One fascinating example of this can be seen in the research of Dina Katabi of MIT, who has shown how WiFi signals can be monitored – not for their content, but as a form of radar that can see through walls, and which can accurately observe people physically moving around, or even detecting heartbeats and sleep patterns. Remote espionage opens up all kinds of opportunities for bad actors to build ergonomic profiles of anyone and then deploy AI and ML enabled analysis to influence and impersonate them. Showing people just how many different dimensions can be used in cybercrime may one day shift public perception of cybersecurity into the center spotlight where it belongs. More from our sponsor ExtraHop. There’s got to be a better way to handle this For years security professionals have talked about trying to secure the exponentially expanding surface area. One way to simplify, that we've all heard before, is driving security to the data level. Could we let networks run wild, within reason, and just have a data-security first approach? How is that different from zero trust, if at all? To what extent does this work/not work? We've all been having conversations about encryption for decades. It's not a new story. But it's still not universally used. There are billions of user accounts available in open text. After decades, why has the encryption story still not been getting through? What's holding back universal usage?
We Put the FUN in InFunSec

We Put the FUN in InFunSec

2020-01-1400:31:59

All links and images for this episode can be found on CISO Series (https://cisoseries.com/we-put-the-fun-in-infunsec/) We're cranking up the entertainment value on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in person in San Francisco. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Adrian Ludwig, CISO, Atlassian. Thanks to this week's podcast sponsor, Encryptics. Now you can share data without ever losing control of it. Our advanced architecture makes data self-protecting, intelligent and self-aware – wherever it goes, no matter who has it. Our .SAFE patented multi-key technology enables data to evaluate its own safety conditions, including geo-sensing, recipient authentication, and policy changes from its owner. Contact Encryptics today and see for yourself. On this week's episode Close your eyes and visualize the perfect engagement What should a CISO's relationship with the board be and how much should a CISO be involved in business decisions? According to a Kaspersky survey, 58% of CISOs say they're adequately involved in business decision making. 34% say they're summoned by the board for data/security related manners. 74% of CISOs are not part of the board and of that group, Of that group, 25% think they should be. What are the pros and cons of a CISO being heavily involved in the business? The great CISO challenge On Dark Reading, Joan Goodchild asked CISOs what were their New Year's resolution. Most said obvious stuff about visibility, being a business enabler, work on human element, and privacy. But I was most intrigued by Jason Haward Grau, CISO of PAS Global, who said he wanted to make security a little more fun. Keeping it fun and interesting is my obsession with this show. If you want to attract, and more importantly retain, security talent, a little bit of fun is critical. So what is currently fun about cybersecurity and what can CISOs do to make it more fun? What's Worse?! First time Mike Johnson admits to being wrong! Looking down the security roadmap On LinkedIn, Mike recommended that security professionals line up tools with their comparable threat models, and then compare that list with their company's actual threat models. Mike admittedly offered the advice but never actually had done itself until he wrote the post and then he started. We delve into what actually happened and how one could actually do it. The Cyber Defense Matrix is a handy, yet easy to use grid plan that helps IT and cybersecurity professionals formulate a plan of proactive defense and effective response. Devised by security specialist Sounil Yu and discussed in detail on the October 17, 2019 episode of Defense in Depth, the matrix continues to gain ground as a vital tool for not only understanding the required spread of technologies, people and process, but also in performing gap analysis and crisis planning. The matrix creates a logical construct across two axes, creating a five by five fill-in grid. Although some experts debate whether it is sufficiently broad in scope, cybersecurity organizations such as OWASP tend to agree that its role in organizing a jumble of concepts products and terminologies into a coherent inventory helps cybersecurity specialists measure their security coverage, discover gaps in their IT strategy, and create a better project plan. More from our sponsor ExtraHop. And now, a listener drops some serious knowledge "Sandor Slijderink (SLY-DUR-INK), CISO at undisclosed company, offered a quick tip on a new phishing scam. Type in some text that looks like a foreign language, then create a hyperlink that reads: ""See translation"" We discuss some attack vectors that we think others may not be fully aware of but need to pay attention.
All links and images for this episode can be found on CISO Series (https://cisoseries.com/we-lower-the-security-and-pass-the-savings-on-to-you/) We're racing to the bottom in terms of price and security on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in person in San Francisco. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Seth Rosenblatt (@sethr), editor-in-chief, The Parallax. Thanks to this week's podcast sponsor, Encryptics. Now you can share data without ever losing control of it. Our advanced architecture makes data self-protecting, intelligent and self-aware – wherever it goes, no matter who has it. Our .SAFE patented multi-key technology enables data to evaluate its own safety conditions, including geo-sensing, recipient authentication, and policy changes from its owner. Contact Encryptics today and see for yourself. On this week's episode Are we making the situation better or worse? Are big Internet giants' privacy violations thwarting startup innovation? That's been presidential candidate Elizabeth Warren's argument, and it's why she wants to break up companies like Facebook and Google for what she sees as anti-competitive practices. According to Seth Roseblatt's article, it appears all of a sudden Facebook and Google are very concerned about privacy. Nine years ago, I remember seeing Eric Schmidt, then CEO of Google, proudly admit that they tracked people's movements so thoroughly that they can accurately predict where you're going to go next. Nobody blinked about the privacy implications. But today, users are upset but they don't seem to be leaving these services at all. Is it all talk on both sides? Have you seen any movement to improve privacy by these companies and would regulation be the only answer? And heck, what would be regulated? Here's some surprising research Over the past 15 years, home WiFi routers have been manufactured to be less secure. Seth reported on this study by the Cyber Independent Testing Lab, which we also discussed on an episode of Defense in Depth. The most notorious weakening is the use of default passwords, but there's a host of other firmware features that don't get updated. Is there any rationale to why this happens? And has this study done anything to turn things around? Is this a cybersecurity disinformation campaign? Fighting "fake news" like it's malware. In Seth's story, he noted there are structural and distribution similarities. I envision there are some similarities between fake news and adware which isn't necessarily designed for negative intent. Fake news appears to be an abuse of our constitutional acceptance of free speech. How are security tactics being used to thwart fake news and how successful is it? When you set up your new home assistant, try not to position it close to a window, because someone across the street might be preparing to send voice commands, such as “open the garage door” by way of a laser beam. Researchers from the University of Michigan and The University of Electro-Communications in Tokyo have successfully used laser light to inject malicious commands into smart speakers, tablets, and phones across large distances and through glass windows. They use standard wake commands modulated from audio signals and pair them with brute forcing of PINS where necessary. They have also been successful in eavesdropping, and in unlocking and starting cars. Their research shows how easy it is and will be to use lasers to not only penetrate connected devices but to deploy acoustic injection attacks that overwhelm motion detectors and other sensors. More information including access to the white paper is available at lightcommands.com. More from our sponsor ExtraHop. Look at this, another company got breached Tip of the hat to Malcolm Harkins at Cymatic for posting this story on Forbes by Tony Bradley of Alert Logic who offers a rather pessimistic view of the cybersecurity industry. It's broken, argues Bradley. We spend fortunes on tools and yet still get hacked year over year using the same tools. The article quotes Matt Moynahan, CEO, Forcepoint, who said we wrongly think of security as an "us" vs. "them" theory or "keeping people out" when in actuality most hacks are because someone got access to legitimate user credentials, or a user within our organization did something unintentional or potentially malicious. Are we wrongheaded about how we envision cybersecurity, and if so, is there a new overarching philosophy we should be embracing?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/ah-heres-the-problem-youve-got-a-leaky-ceo/) We're waking up the C-suite to the realization that they're the prime target for cyberattacks. This episode was recorded in front of a live audience at Evanta's CISO Executive Summit in Los Angeles. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers. CISO/Security Vendor Relationship Podcast live at Evanta CISO Executive Summit in Los Angeles 12/11/19 PLUS, joining us live was Jewels Nation, the voice of the CISO Series. You hear her voice on all the bumpers on our podcasts. Jewels Nation, the voice of the CISO Series podcasts, and David Spark, producer of CISO Series Thanks to this week's podcast sponsor Evanta. Evanta, a Gartner Company, creates exclusive communities of C-level executives from the world’s leading organizations. These invaluable networks are built by and for C-level executives to share innovative ideas, validate strategies and solve critical leadership challenges through peer-to-peer collaboration. Evanta’s trusted communities serve CISOs and their C-suite peers around the world. On this week's episode Where does a CISO begin? Gary recently brought up an excellent discussion pointing out that executives are the backdoor into your organization. Do they understand that they're critical cogs? Do they and are they willing to take on responsibility? What is the patching process? Walk a mile in this CISO's shoes Gary, talked a lot about the importance of work/life balance with cyber professionals. Robert Carey of RSA Security said your actions do most of the talking, "As a CISO, you're a model of work life balance. If you stay 14 hours a day, that's what is expected of employees. If you leave at 5pm they'll realize that's ok for them to do." How do our CISOs handle presenting to their staff what is and isn't OK, when they're in the office or when their employees are remote? What's Worse?! You've got a new hire. Which one do you choose? Is this the best solution? Does the email pitch still serve a function? On a recent CISO Series video chat, we talked about how CISOs get 50-80% of their information about products from other CISOs and that yeah maybe sometimes they read an email pitch. Is there still room for the email pitch or should it just die? And if it should die, what should it be replaced with? Security Squares: Where CISOs Put Vendors in Their Place A brand new game that asks CISOs how well do they know the vendor landscape? This one was a nail biter. It’s time for the audience question speed round Our audience has questions, and our CISOs will have answers.
All links and images for this episode can be found on CISO Series (https://cisoseries.com/trust-me-were-using-advanced-ai/) We're looking for a good reason to trust your AI on the latest CISO/Security Vendor Relationship Podcast. This episode was recorded in front of a live audience at Evanta's CISO Executive Summit in San Francisco. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week, is Jimmy Sanders (@jfireluv), head of information security, Netflix DVD. Mike Johnson, Jimmy Sanders, head of information security, Netflix DVD, and David Spark Thanks to this week's podcast sponsors: Trend Micro, SentinelOne, and FireMon.  FireMon provides persistent network security for hybrid environments through a powerful fusion of real-time asset visibility, continuous compliance and automation. Since creating the first-ever network security policy management solution, FireMon has delivered command and control over complex network security infrastructures for more than 1,700 customers. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. Are you looking to leave legacy antivirus? Proactively protect every device in realtime with AI. Deploy SentinelOne for EPP, EDR, IoT, and container security today. Autonomous technology is the future. We deliver it now across your endpoints, servers, cloud workloads, and IoT devices. What we’ve got here is failure to communicate Is the privacy message getting out to the right people? I argue we need to go to the source and we're not. I was at Dreamforce, the Salesforce conference, and I got the sense I was the only person of the 100K people there that didn't want to be scanned. This crowd is obsessed with the collection of personal data given this conference is mostly about how do I create greater understanding from personal data. Are we as security people in a bubble in this privacy conversation? We need to go to the source of the people who are actually collecting the data and I'm getting the sense we're not getting through. Are we making the situation better or worse? We've talked a lot about AI on this show, and many vendors are selling intelligent solutions, but the factor that seems to hang up usage is trust. Cyber professionals don't think twice about trusting their AI-powered spam filter, but so many other tools are met with skepticism. What's missing from the vendor side and what trust barriers are practitioners putting up? What should the barometers be for trusting AI? What's Worse?! Two bad types of people wanting to do you harm. Which one is worse? Is this the best solution? Should you hire staff from companies that have fallen victim to cybercrime? According to a study by Symantec and Goldsmiths, University of London, as reported by ZDNet, more than half of respondents said they don't discuss breaches or attacks with peers. And more than a third said they fear that sharing breach information on their organization would negatively impact their future career prospects. I would think that asking a prospect, "Have you lived through a breach and how did you handle it?" would be very revealing. Mike? Security Squares: Where CISOs Put Vendors in Their Place A brand new game that asks CISOs how well do they know the vendor landscape? It’s time for the audience question speed round Our audience has questions, and our CISOs will have answers.  
All links and images for this episode can be found on CISO Series (https://cisoseries.com/isnt-that-adorable-our-little-ciso-has-an-opinion/) We're spoon-feeding "respect" to the CISO on this week's CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week, thanks to Trend Micro, is Jim Shilts, founder, North American DevOps Group. Thanks to this week's podcast sponsor Trend Micro. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. On this week's episode Why is everyone talking about this now? Gary Hayslip, CISO, Softbank Investment Advisers and regular guest, posted an article about a growing trend of CISO frustration and why they don't last at an organization. This article addresses many issues around burnout, but I want to focus on this one stat from an ISC(2) study which states, "Sixty three percent of respondents said they wanted to work at an organization where their opinions on the existing security posture were taken seriously." Hard to keep any security staff in place if they're not respected. We talk a lot about being able to talk to the board, but the communications has to be two way. How clear are executives in understanding that respect and listening to their cyberstaff is in their best interest? What annoys a security professional Deidre Diamond of CyberSN, asks this very pointed question, "We are short 500k cyber professionals in the US and 89% of our current cyber professionals are open to new opportunities; why are jobs taking on average 4-9 months to fill?" That last stat is CyberSN's data estimates. She's arguing there is plenty of supply. Why is this taking so darn long? Nobody's happy. What's Worse?! We've got a question tailored for our DevOps guest this week. Please, enough. No, more. DevOps and security. This is a topic that has grown over time, evolved in branding, and Mike has spoken out about how much he don't like the term DevSecOps. As we regularly do in this segment, what have you heard enough of on the DevOps and security debate and what would you like to hear a lot more? Two factor authentication is a smart step towards more secure password management but what happens the moment after you have convinced the employees of your company to adopt 2FA, when you then say, “Oh yes, don’t forget your SIM PIN.” 2FA might stop hackers from using easily searchable information like someone’s mother’s maiden name, but these bad actors have already discovered the weak link in this particular chain. They call the phone provider, pretend to be that specific victim and ask to swap the victim’s SIM account information to a new SIM card – one that is in their possession. That way, everything the victim did with their phone – texting, banking, and receiving 2FA passcodes – all goes to this new phone. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Hey, you're a CISO, what's your take on this? Nigel Hedges, CISO, CPA Australia, asked, "Should security operations exist in infrastructure/operations teams?" Nigel asked this questions to colleagues and got mixed results. One CISO said it was doomed to fail, others said its up to leadership and a CISO doesn't need to own secops. "Other people were adamant that the focus required to manage secops, and streamlined incident response cant work within infra because the primary objectives of infra are towards service availability and infra projects," said Nigel who went on to ask, "Is this important prior to considering using a security vendor to provided managed security operations? Is it important to 'get the house in order' prior to using managed secops vendors? And is it easier to get the house in order when secops is not in infra?"
All links and images for this episode can be found on CISO Series (https://cisoseries.com/rest-assured-were-confident-our-security-sucks/) We may not have the protection you want, but what we lack in adequate security we make up in confidence. Sleep better at night after you listen to this week's episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Billy Spears (@billyjspears), CISO, loanDepot. Thanks to this week's podcast sponsor, CyberInt. The high ROI is what makes spear phishing campaigns so attractive to threat actors. Read our breakdown of TA505’s latest series of attacks. CyberInt has been tracking various activities surrounding this and other similar attacks where legit means were used to hack international companies in the retail & financial industries. On this week’s episode Why is everybody talking about this now? Tip of the hat to Eduardo Ortiz for forwarding this discussion Stuart Mitchell of Stott and May initiated on LinkedIn asking if there should be a "golden bullet" clause in a CISO's contract. He was referring to the CISO of Capital One who had to step down and take on a consulting role after the breach. What are arguments for and against? Ask a CISO Nir Rothenberg, CISO, Rapyd asks, "If you were given control of company IT, what would be the first things you would do?" What's Worse?! Should a CISO be closing sales or securing the company? Hey, you're a CISO, what's your take on this? According to Nominet's Cyber Confidence Report, 71 percent of CISOs say their organization uses the company's security posture as a selling point, even though only 17% of CISOs are confident about their security posture. There are probably many factors that contribute to this disparity. Is it a gap that will ever close, or is this just the nature of security people vs. sales? Bluetooth is a convenient and easy method of sharing data between devices, which, of course, qualifies it as a prime target for exploitation. A trio of researchers has discovered a vulnerability that has the potential of attacking billions of Bluetooth-enabled devices, including phones, laptops, IoT and IIoT technologies. In short, this Key Negotiation of Bluetooth vulnerability, which has been given the acronym KNOB, exploits the pairing encryption protocol within the Bluetooth Classic wireless technology standard, which supports encryption keys with entropy between 1 and 16 bytes/octets. It inserts between the pairing devices forcing both to agree to encryption with 1 byte or 8 bits of entropy, after which it simply brute-forces the encryption keys. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. What do you think of this pitch? How targeted should your pitch have to be?  
All links and images for this episode can be found on CISO Series (https://cisoseries.com/what-security-advice-will-your-family-ignore/) This Thanksgiving we wish you lots of luck convincing your family members to use a password manager. Would getting them to switch political allegiances be easier? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Jeff Hudesman, head of information security, DailyPay. Thanks to this week's podcast sponsor Tenable. Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization. On this week’s episode Why is everybody talking about this now? Rich Malewicz, CIO, Livingston County, started a thread of common threats and scams we should warn family and friends about over the holidays. Lots of great advice. We discuss our favorites, whether we turn into family tech support, and if you had one cyber holiday wish for every family member, what would it be? Hey, you're a CISO, what's your take on this? When is the right time and WRONG time to start red teaming? (the process of letting ethical hackers loose on your business to test your defenses, your blue team.) What exactly is it you're testing? Are you testing your network's resiliency or your business' resiliency? "What's Worse?!" Three options in this "What's Worse?!" scenario. The great CISO challenge We have repeatedly touted on the podcast the benefits of multi-factor authentication or MFA. Our guest implemented an MFA solution at his company. We talk about the challenges, criteria, and roll out like? And did they see any visible evidence of security improvements? Casey from accounting is getting frustrated, waiting for client files being held up by the firewall. Jordan is trying to join a video conference that needs a plugin, but the firewall won’t let it through. So they call the IT manager who then disables it. This happens a lot. Maybe not in large companies, but small law firms, medical clinics, or small businesses that might use an old-school administrator who will either turn off the firewall or opt out of using one altogether, believing in the power of a cheap antivirus product to keep things safe. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. What do you think of this pitch? There is lots of disagreement over whether this pitch is any good.
All links and images for this episode can be found on CISO Series (https://cisoseries.com/dos-and-donts-of-trashing-your-competition/) We want to malign our competitors, but just don't know how mean we should be. Miss Manners steps in on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and special guest co-host, Mark Eggleston (@meggleston), CISO, Health Partners Plans, and our guest is Anahi Santiago (@AnahiSantiago), CISO, ChristianaCare Health System. We recorded in front of a live audience at Evanta's CISO Executive Summit in Philadelphia on November 5th, 2019. Recording CISO/Security Vendor Relationship Podcast in front of a live audience at Evanta's CISO Executive Summit in Philadelphia (11-05-19) Thanks to this week's podcast sponsors Trend Micro, Thinkst, and Secure Controls Framework. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. The Secure Controls Framework (SCF) is a meta-framework – a framework of frameworks. This free solution is available for companies to use to design, implement and manage their cybersecurity and privacy controls in an efficient and sustainable manner. Our approach provides a comprehensive solution to manage complex compliance needs. Most companies find out way too late that they’ve been breached. Thinkst Canary changes this. Find out why the Thinkst Canary is one of the most loved products in the business and why the smartest security teams in the world run Canary. Visit https://canary.tools. On this week’s episode Why is everyone talking about this now? Greg van der Gaast, former guest who runs security at The University of Salford, initiated a popular LinkedIn discussion on the topic of human error. According to his colleague Matthew Trump of the University of Sussex, in critical industries, such as aerospace, oil & gas, and medical, “human error” is not an acceptable answer. You simply have to prevent the incident. If not, a mistake can be both a regulatory violation and lethal. But people are a part of the security equation. It’s unavoidable. We know zero erros is impossible, but can you accept “human error” as a fail point? Hey, you’re a CISO, what’s your take on this? Listener David said, “One thing I have experienced at my last two jobs is integrating with a ‘global’ security team whose security program is effectively and functionally inferior to our own. In these occasions, the global security team wanted us to remove current safeguards, processes/procedures and tooling that reduced the preparedness and effectiveness of our security program and introduced risk(s) that we have not been exposed to in years. All of these changes were always touted as a ‘one team’ initiative but never once was due diligence on security posture taken into account. “What is the best way to go about a consolidation like this? Do you not mess with a good thing and ask the ‘better’ security program to report up incidents, conform to compliance check boxes etc. or as a CISO do you sign off on a risk acceptance knowing that the operating company is now in a worse state of security.” “What’s Worse?!” We’ve got two rounds of really bad scenarios. What annoys a security professional Geoff Belknap, former guest and CISO of LinkedIn, appreciates a vendor’s desire to “bring like minds” together around food or drink, but the invite is not welcome on a weekend. Belknap feels that the weekend intrudes into a CISO’s personal/family space. There was a lot of debate and disagreements on this, but there were some solutions. One mentioned a vendor invite that included round trip Lyft rides and childcare. Oh, they did something stupid on social media again Jason Hoenich, CEO of Habitu8 posted on LinkedIn that he didn’t appreciate Fortinet writing about security training for CSO Online, something for which Jason’s business does and for which he believes Fortinet does not have any expertise. It appears this was a sponsored article, but Jason didn’t point to the article nor did he isolate specifically what he felt was wrong with Fortinet’s advice. Here at the CISO Series, we like Jason and Habitu8. They’ve been strong contributors to the community. But complaining and not pointing to any concrete evidence is not the best way to convince an audience. Earlier this year we saw something similar with the CEO of Crowdstrike going after the CEO of Cybereason claiming an underhanded sales tactic that was not specified nor anyone at Cybereason knew what he was talking about. Is it OK to go after your competition in a public forum? If so, what’s the most professional and respectful way to handle it? It’s time for the audience question speed round Our Philadelphia audience has questions and our CISOs had some answers. We rattle off a quick series of questions and answers to close the show.
All links and images for this post can be found on CISO Series (https://cisoseries.com/get-out-the-fud-is-coming-from-the-inside/) On this week's CISO/Security Vendor Relationship Podcast, we're pointing fingers at practitioners, not vendors, for promoting the FUD (fear, uncertainty, and doubt) scare-a-thon. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Eddie Contreras (@CISOEdwardC), CISO, Frost Bank. Thanks to this week's podcast sponsor Trend Micro. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. On this week's episode Why is everyone talking about this now? On LinkedIn, Ron C. of CoreSolutions Software said, "Cybersecurity is no longer just a technical problem. It’s now more of a people problem! So why aren’t businesses prioritizing security awareness training for their staff?" There was a massive response and mixed agreement. Regardless, are we falling short on security awareness training? Is it not effective? Is it too complicated to pull off? Is the cost not justified? More importantly, has security awareness training had any impact? Hey, you're a CISO, what's your take on this? accidentalciso on our reddit channel, r/cisoseries, asks, How does a security professional know if "CISO truly is the right career goal for them? I don’t think the reality of the role is consistent with what one might think early on in their career." What was it about the CISO role that makes a security professional want to pursue it and how does that previous perception of what a CISO did counter or align with what was really experienced? It's time to play, "What's Worse?!" Is there a worst type of attack? Ask a CISO James Dobra, Bromium, asks, "Are security organizations guilty of using FUD internally, e.g. with the board and with users, while complaining that vendors use it too much?" Does FUD happen internally? Do security teams do it to get the money they want and/or shame users into submission? On August 30, 2019, white hat hacker Tavis Ormandy discovered a vulnerability in a LastPass browser extension. This was a vulnerability, not a breach and was very quickly remedied without damage. But it still causes chills when the last bastion of password security reveals its Achilles heel. It’s like seeing your family doctor contract a terminal disease. But for CISOs, this might be a good thing. Password complacency and sloppy security hygiene are the scourge of security specialists everywhere. A SaaS-based password manager that uses hashes and salts to remove the existence of physical passwords in their own vaults, is still a highly proactive solution. More found on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. First 90 Days of a CISO Both Mike and our guest, Ed, are second time CISOs in their first 90 days at the role. We review what mistakes they made the first time as a CISO that they're actively avoiding this time. Are there any hurdles that are simply unavoidable and they're just going to have to face it like any new CISO would.  
All links and images for this episode can be found on CISO Series (https://cisoseries.com/say-it-loud-i-didnt-read-the-privacy-policy-and-im-proud/) If we don't understand the purpose of a privacy policy, why should we bother reading it? We're claiming the cyber ignorance defense on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Roger Hale (@haleroger), CISO in residence, YL Ventures. Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, Roger Hale, CISO in residence, YL Ventures, David Spark, producer, CISO Series. Thanks to this week's podcast sponsor Zix. Zix simplifies administration and reporting with a single management interface. Configuring, deploying, and monitoring email security and unified archiving services has never been easier – or faster. ZixSuite combines a cloud-based email threat protection, email encryption, and unified business communications archiving, all backed by Zix’s gold standard 24/7/365 support. On this week's episode How CISOs are digesting the latest security news We're blowing it with general cybersecurity education. According to a study by the Pew Internet Research Center, most Americans don't understand or can't identify basic cybersecurity concepts such as two-factor authentication, private browsing, or the purpose of a privacy policy. We talk a lot about the important of education and it appears we're not doing a good job. What are some creative ways we can dramatically improve these numbers? Hey, you're a CISO, what's your take on this? Cai Thomas, Tessian, has an article on TechRadar on the dangers of sending corporate work via personal email accounts. He outlines the issues. As per the previous story, chances are very high people are completely unaware of the risk their placing the company in by forwarding corporate email to personal accounts. No amount of education is going to solve this problem. What are the systems that companies can and should setup to give people a better alternative than sending emails to personal accounts? What's Worse?! How damaging can not having a seat on the board be? Ask a CISO Nick Sorensen, Whistic, asks, "What do you see the most proactive vendors doing to prepare for vendor security reviews from their customers?" “Your bank account has been frozen.” That’s now an old chestnut in the scamming world, but it thrives through increasingly sophisticated spoofing activities that include a banks’ real phone number and real-looking pop-up websites for password refresh requests. Even IT experts can get caught by these things occasionally, as some have even confessed on this very podcast series. This level of relentless innovation is worth keeping front of mind when considering the amounts of data that Internet of Things devices are creating but that organizations have no plan or space for. IBM, Forrester, and others have suggested that maybe 1 percent of data generated from IoT connectivity is being used, mostly for immediate learning or predictive activities. More available on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. First 90 days of a CISO Today is Roger's first official day as a CISO in residence at YL Ventures. What the heck does that mean, and how does that differ from being an operational CISO?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/ill-see-your-gated-whitepaper-and-raise-you-one-fake-email-address/) We're all in with not wanting "follow up email marketing" on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Ian Amit (@iiamit), CSO, Cimpress. Thanks to this week's podcast sponsor Trend Micro. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. On this week's episode Why is everyone talking about this now? To gate or not to gate. Mike posted on LinkedIn about how much he appreciated vendors who don't gate their content behind a registration wall. The post blew up on LinkedIn. The overwhelming response got some vendors willing to change their tune. Hey, you're a CISO, what's your take on this? Kevin Kieda of RSA Security asks, "For an initial meeting what are the things you want the sales person to know about your business that many of them don't." Kevin says he gets frustrated that he gets the sense a prospect wants them to know what tools they're using even though he knows he often can't find out that information. What is the must know, nice to know, and boy I'm impressed you know that? Mike Johnson recommends BuiltWith.com for basic OSINT on a company site. What's Worse?! Whose mistakes are worse? Your own or the vendor's? The great CISO challenge Factor Analysis of Information Risk (FAIR) is a risk framework (often laid ontop of others) that simplifies the understanding of risk by identifying the blocks that contribute to risk and their relationship to each other and then quantifying that in terms of money. Ian, can you give me an example of how you actually do this? Since its inception back in 2010, Zero Trust Architecture has been gaining traction. Much of the interest stems from the nature of work and data today – people working from anywhere on any device, and data racing around networks and to and from the cloud means there is no single fortress where everything can exist safely. Operating on a belief that everything inside the perimeter is safe because it’s inside the perimeter is no match to today’s hacking, penetration and inside sabotage. The establishment of new perimeter protections, including microtunnels and MFA is best applied to new cloud deployments but must still somehow be factored into a legacy architecture without becoming more inconvenient and vulnerable than what it is trying to replace. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Why is this a bad pitch? What's the polite way to hande the way too generic vendor request. We offer two examples of non-specific pitches that are obviously just begging for a CISO's time. Is there a polite way to refute the request and let them know without talking down to them and letting them know that this isn't a tactic they should pursue?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/rated-1-in-irresponsible-security-journalism/) No security alert is too small for us to completely misrepresent its severity. The sky is falling on the latest episode of CISO/Security Vendor Relationship Podcast. Thanks to this week's podcast sponsor, Zix. Zix simplifies administration and reporting with a single management interface. Configuring, deploying, and monitoring email security and unified archiving services has never been easier – or faster. ZixSuite combines a cloud-based email threat protection, email encryption, and unified business communications archiving, all backed by Zix’s gold standard 24/7/365 support. On this week's episode Why is everybody talking about this now? Two recent stories showed some fallibility in multi-factor authentication or MFA. We repeatedly recommended MFA on this show. But, the FBI announced some technical and social engineering techniques that are being used to break multi-factor authentication. In addition, Twitter admitted that email addresses and phone numbers used to set up MFA might have been sent to third party advertisers. The FBI says its news shouldn't change our trust in MFA. William Gregorian, CISO, Addepar, posted on LinkedIn that the press is claiming that MFA is broken and that's irresponsible journalism. Let's dig a little deeper Security professionals thrive on hearing about and learning about the latest threats. It feeds the latest security headlines and conferences. While it's often fascinating and keeps everyone interested, to what level are security concerns based on well-known years old threats vs. the latest threats? "What's Worse?!" Whose mistakes are worse? Yours or the vendors'? Please, enough. No, more. We've talked a lot about machine learning on this show and the definition of it is broad. What's ML's value in threat protection. We discuss what we've heard enough about with regard to machine learning being used for threat protection And what would we like to hear a lot more. When companies in retail or enterprise remind their online visitors to change their passwords, are they doing them a favor or causing them grief? Password managers exist, of course, as do newer forms of passwordless authentication, multifactor authentication and behavioral and biometric data. But ultimately, whose responsibility is this? Should a merchant website place the onus of personal security back on the customer? And if so, how would this protect the merchant’s own property? If this jeopardizes a sale or transaction, the cost of proactive security, at least for the short term appears too great. And it’s obvious, from the avalanche of data breaches of recent years that stored data of any sort becomes a permanent liability. More available on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Ask a CISO Gina Yacone, a consultant with Agio, asks, "If you’re performing a table top exercise. Who are the only three people you would want to have a seat at that table?"
All links and images for this episode can be found on CISO Series (https://cisoseries.com/cybercrimes-solved-in-an-hour-or-your-next-ones-free/) In the real world, cybercrimes just don't get solved as fast as they do on CSI. So we're offering a guarantee. If we don't catch the cyber-perpetrator in an hour (including commercial breaks) we'll make sure you're attacked again. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Jason Hill (@chillisec), lead researcher at CyberInt Research Lab. Thanks to this week's podcast sponsor, Cyberint. The high ROI is what makes spear phishing campaigns so attractive to threat actors. Read our breakdown of TA505’s latest series of attacks. CyberInt has been tracking various activities surrounding this and other similar attacks where legit means were used to hack international companies in the retail & financial industries. On this week's episode What annoys a security professional Question on Quora asks, "What does everybody get wrong about working in the field of forensics?" There were a handful of answers from looking to TV and film dramas to that it's only a post mortem analysis. What are the biggest misconception of digital forensics? Why is everybody talking about this now? Tip of the hat to Stu Hirst of Just Eat who posted this Dilbert cartoon that got a flurry of response. Read for yourself, but in essence, it's a boss that thought technology would solve all his problems. Not realizing that people and process are also part of the equation. All too familiar. The "I've been hearing a lot about __________" phenomenon. What causes this behavior and how do you manage it? "What's Worse?!" How much flexibility to you require in your security team and the business? Please, Enough. No, More. How far can AI go? Where does the human element need to exist? What are the claims of the far reaching capabilities of AI? We discuss what we'd like to hear regarding the realistic capabilities and limitations of AI. Every year, the Fall season sees billions of dollars being spent on home-based IoT devices. The back-to-school sales are the starting point, Cyber Monday is the clubhouse turn and the year-end holiday season is the finish line. As usual, these devices – printers, DVRs, IP cameras, smart home assistants, are relatively inexpensive and provide plug and play convenience, to satisfy an impatient customer base. For the rest of the cloud tip, head to CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. We don't have much time. What's your decision? What are the best models for crowdsourcing security? There are entire businesses, such as bug bounty firms, that are dedicated to creating crowdsourced security environments. Our guest this week is passionate about investigative work. We asked him and Mike what elements they've found that inspire and simplify the community to participate in a crowdsourced security effort.
All links and images for this episode can be found on CISO Series (https://cisoseries.com/mapping-unsolvable-problems-to-unattainable-solutions/) We're busting out the Cyber Defense Matrix to see what our security program we'll never be able to achieve. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week Sounil Yu (@sounilyu), former chief security scientist for Bank of America and creator of the Cyber Defense Matrix. David Spark, producer, CISO Series, Sounil Yu, creator, Cyber Defense Matrix, Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast Thanks to this week's podcast sponsor, Zix. Zix simplifies administration and reporting with a single management interface. Configuring, deploying, and monitoring email security and unified archiving services has never been easier – or faster. ZixSuite combines a cloud-based email threat protection, email encryption, and unified business communications archiving, all backed by Zix’s gold standard 24/7/365 support. On this week's episode Why is everybody talking about this now? Mike asked the LinkedIn community, "What's bad security advice that needs to die?" We had an entire episode of Defense in Depth on this very topic called "Bad Best Practices." The post got nearly 300 responses, so it's obviously something many people are passionate about. Is there a general theme to bad security advice? The great CISO challenge Sounil Yu is the creator of a very simple problem-to-solution chart for security professionals called the Cyber Defense Matrix. This simple chart allows a cyber professional to see how their tools, processes, and people are mapped to all different levels of security protection. We discuss the purpose of the matrix and all the real world applications. "What's Worse?!" We have a real world "What's Worse?!" scenario and Mike and Sounil compete to see if they answered the way the real world scenario actually played out. Hey, you're a CISO, what's your take on this? Last week on Defense in Depth we talked about a discussion initiated by Christophe Foulon of ConQuest Federal on cyber resiliency. Some people argued that it should be a security professional's primary focus because its action is in line with the interests of the business. Should a cyber professional shift their focus to resiliency over security? Would that facilitate better alignment with the business? Exploitable weaknesses measured in decades. Not a comforting thought. But this is a reality that exists in at least two major IT ecosystems. The first is Microsoft and the second is firmware. Teams belonging to Google’s Project Zero have found exploitable security flaws affecting all versions of Windows going back to Windows XP – which presents a logistical nightmare for admins the world over. Sarah Zatko, Chief Scientist at the Cyber Independent Testing Lab spoke recently at Red Hat and DEF CON in Las Vegas about deficiencies in the security of firmware, including those from companies that manufacture the world’s best-known routers. More available at CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Ask a CISO Thanks to Chris Castaldo, CISO at Dataminr, for this post on new research from the firm Marsh and Microsoft. According to the study, half of the respondents didn't consider cyber risk when adopting new tech. A full 11 percent did no due diligence to actually evaluate the risk a new technology may introduce. Does it take that much effort to understand the basic risks of introducing a new technology? What are some first level research efforts that should be done with any new tech consideration or adoption?  
All links and images for this episode can be found on CISO Series (https://cisoseries.com/wait-what-good-news-in-cybersecurity/) On this episode of CISO/Security Vendor Relationship Podcast, cybercrime fails and we brag about it. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, Geoff Belknap, CISO, LinkedIn, and David Spark, producer, CISO Series. Thanks to this week's podcast sponsor Trend Micro. On this week's episode How CISOs are digesting the latest security news We simply don't hear enough good news cybersecurity stories that make those involved proud. What are the cybersecurity stories that aren't being told publicly that should be? First 90 Days of a CISO Michael Farnum, Set Solutions, said, "If you come into the job and aren’t willing to critically review existing projects AND put a stop to the ones that are questionable, then you are going to cause yourself problems later. It might seem like an unwise political move when new to the company, but you have to be willing to swing the axe (or at least push the pause button) on anything that doesn’t make sense." Not so easy, but where's the line where you can actually push and say, "We're changing course"? It's time to play, "What's Worse?!" We've got a split decision! Hey, you're a CISO, what's your take on this? On a previous episode of Defense in Depth, we talked about employee hacking or getting the staff on the same page as the CISO and the security program. I quoted instructor Sarah Mancinho who said, "I am a firm believer that CISOs/CIOs should have their own dedicated IT strategic communications person(s) that report to them, and not any other office. Most comms roles I've seen...had to report to HR/PR/General Comms....none of whom really knew anything about technology/technical comms/infosec....and had little to no interaction with the IT/security team." My co-host, Allan Alford, loved this idea, never had it, but would love to have it. What value could a dedicated PR person bring to the security team? The devious new Android malware called Cerberus steals credentials by using a downloaded fake Adobe Flash player. That is not really innovative in itself, but what’s interesting is the way it seeks to avoid detection by using the phone’s accelerometer to confirm that the infected target is a real device and not on the screen of a security analyst. According to ESET researcher Lukas Stefanko, quoted in Forbes, the app actually counts a number of physical footsteps taken by the phone’s owner, and deploys once the required number has been reached.  For more, check out the full tip on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Why is everybody talking about this now? What's behind the cybersecurity skills shortage? In an article on the Forbes Council, Mark Aiello, president of cybersecurity recruiting firm CyberSN, pointed out some ugly truths as to why it's so difficult to hire cybersecurity talent. He pointed to low pay, the desire to find unicorns, poor job descriptions, training and growth. Is the core issue that the cybersecurity industry just does a very poor job welcoming new entrants? Today, what does a cybersecurity professional need walking in the door? And what are CISOs willing to accept no knowledge of, yet willing to train?
loading
Comments 
loading
Download from Google Play
Download from App Store