CISO Series Podcast

All links and images for this episode can be found on CISO Series (https://cisoseries.com/great-security-program-too-bad-we-cant-implement-it/) Security theory only goes so far. If you want your security program to work, everyone has to do their part. This week's episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our sponsored guest is Scott McCormick, CISO, Reciprocity. Thanks to this week's podcast sponsor, Reciprocity. ZenGRC by Reciprocity is a cloud-based GRC software that automates and simplifies compliance and risk management, solving critical problems at scale while customizing to your business needs. Adhering to the majority of regulations is a snap with pre-built templates and a unified system of record. Learn more at reciprocitylabs.com. On this week's episode How CISOs are digesting the latest security news The Wall Street Journal has a story about cybersecurity budgets during the COVID-19 crisis. Many companies are dealing with budget cuts across the board. One issue mentioned was that the first items to go from the cybersecurity budget would probably be big projects that require a lot of integration. So as to avoid getting left on the cutting room floor, what would be your advice to vendors on how better to situate themselves, prepare, and prove to potential buyers that they can help with the ease of that integration? Also, for those security leaders, how do they best show compassion to the rest of the business and don't just fight for their slice of the budget pie? It's time for "Ask a CISO" On reddit, countvonruckus states and then asks, "It's great to see CISOs giving back through mentorship. As a younger professional looking to become a CISO someday, it can be difficult to get a minute of a senior leader's time even for critical work decisions. How should someone looking to find a mentor or to benefit from the mentorship of a particular leader go about asking in a respectful but effective way? Is there anything a mentee can do to provide value in exchange that will make it more worthwhile for mentors?" It's time to play, "What's Worse?!" Two "What's Worse?!" scenarios nobody likes but many have faced especially now. Please, Enough. No, More. Operationalizing GRC. What have you heard enough about operationalizing GRC, and what would you like to hear a lot more? Looking down the security roadmap On Quora, the question was asked, "Do cloud providers implement governance, risk management and compliance (GRC) well?" I didn't know how one would define "well" and what we should expect from cloud providers to help with GRC efforts. This harkens back to our last segment, because we would hope that cloud providers could actually help us operationalize GRC. What are cloud providers doing to help in GRC efforts?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/we-promoted-the-competition-and-still-won/) If you're having a problem getting people to discover your space, then maybe you have to do a better job promoting the space even when it involves the competition. This week's episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our guest is Zohar Rozenberg, former head of cyber department in the Israel Defense Force, and current CSO of Elron Electronic Industries. Thanks to this week's podcast sponsor, Reciprocity. ZenGRC by Reciprocity is a cloud-based GRC software that automates and simplifies compliance and risk management, solving critical problems at scale while customizing to your business needs. Adhering to the majority of regulations is a snap with pre-built templates and a unified system of record. Learn more at reciprocitylabs.com. On this week's episode Why is everybody talking about this now? On this podcast we have sponsored guest episodes in which we dedicate a segment of the show for the sponsor to talk about their category. I was just given the heads up by a listener that a competitor of one of our sponsored guests, actually promoted that episode via an email marketing campaign. I asked the community why they thought that happened. Did the company know they were promoting a direct competitor's solution, or were they of the philosophy of let's promote the space. The more people who know about this problem that benefits the entire industry and in turn that helps our competitor and us. Most people on LinkedIn agreed with the latter and actually thought it was a savvy marketing move possibly demonstrating that the competitor was confident with their product. It's time for "Ask a CISO" Tip of the hat to Sounil Yu, CISO in residence at YL Ventures for bringing up Mike's comment in a Slack channel of your frustration with cybersecurity startups who end up having an "us too" attitude towards creating the next cybersecurity solution. It seemed their only credentials was a successful exit, but not presenting a unique solution to an actual problem. You claimed a criteria that you would only meet with a founder who had a committed idea to a product. But how do you differentiate between an "also ran" and a unique solution? What's Worse?! One of our most challenging debates ever Close your eyes. Breathe in. It's time for a little security philosophy On our CISO Series Video Chat, Bob Henderson of Intelligence Services Group asked, "Has measuring risk itself become a risk? Since risk is primarily arbitrary depending on who defines the risk wouldn't the solutions be arbitrary and thus add complexity and uncertainty. Which are contributors to risk." Let's dig a little deeper What are the intrinsic training elements of Israel's elite 8200 that results in so many of the graduates going on to become cybersecurity entrepreneurs? What if anything can other organizations, military units or schools learn from this?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/three-years-experience-required-for-sub-entry-level-positions/) Our motto for hiring: We never give up on our unreasonable expectations. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Brandon Traffanstedt, global director of systems engineering, CyberArk. Thanks to this week's podcast sponsor, CyberArk. At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls. Are we making the situation better or worse? On LinkedIn, Gabriel Friedlander of Wizer asked, "Should we be doing home risk assessments?" Could we create bigger problems if we do that? Gabriel's post generated a debate on what actions can significantly reduce risk. Is there value in a home risk assessment and if so, what's it going to reveal? It's time for "Ask a CISO" On reddit, crossfire14 asks, "Why are helpdesk roles requiring 2-3 years experience? I thought they were entry level friendly? Im trying to start at lower positions to work my way into infosec yet I cant seem to qualify for any helpdesk roles because of exp?" I looked and actually these entry level positions are often asking for 3-5 years experience. Is this required? If not, what IS required for an entry level help desk role and what's the best way to show that? "What's Worse?!" Two horrible company debilitating options that have happened in real life. How would you survive either one? Please, Enough. No, More Our topic is Privileged Access Management, or PAM. What have Mike and Brandon heard enough about with PAM, and what would they like to hear a lot more? The great CISO challenge Outsider attacks, insider attacks, your assets, networks, people, and controls - what DOESN'T always change in security? If we assume that consistency is synonymous with simplicity, is it always an uphill battle to try to keep security simple especially if we're expanding into new services and cloud environments? Could this be why the foundations are still a struggle for everyone?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/look-freshmen-cisos-get-ready-to-pounce/) What could possibly be a better way to welcome newly hired CISOs to the security community than with a shiny new sales pitch? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Wayne Reynolds, CISO, Toyota Financial Savings Bank. Thanks to this week's podcast sponsor, AppOmni. AppOmni is the leading provider of SaaS security and management platform for the enterprise. AppOmni provides unprecedented data access visibility, management and security of SaaS, enabling organizations to secure mission-critical and sensitive data. With AppOmni, organizations can automatically and continuously enforce rules for data access, data sharing and third-party applications. On this week's episode Why is everyone talking about this now? Our guest, Wayne Reynolds posted the good news about his new CISO role. While he got the expected kudos, he also got lots of sales emails. In the short conversation we had in preparation for this episode, six pitches came in. He counted 731 vendor pitches in just five days. Given the situation, we have all seen an uptick in pitches, across all industries, not just cybersecurity. Vendors want to make some type of connection. If they weren't pitching, what would be a more acceptable outreach? It's time for "Ask a CISO" What can security startups do to prepare for and prove to prospects that their solution won't slow down operations? Thanks to John Prokap, CISO, HarperCollins for pointing me to this great article on CIO.com by Yoav Leitersdorf of YL Ventures on mistakes security startups make. One concern was on the issue of startups losing this specific focus. From the article, Peter Bodine, AllegisCyber Capital said, "I cannot stress how much of a difference productivity makes to the CISOs we consult with. So, as an investor, our attention is immediately piqued when we learn that a POC took fewer resources than a regular POC, because it often means that they developed their process early enough with a customer satisfaction person. We really don't see that very often, but when we have, we've written a check almost right on the spot, just because they take so much sand out of the gears and make it so much easier for a yes decision to occur." "What's Worse?!" Do you want to be the one to reveal the cybersecurity incident or do you want somebody else to reveal it? What's a CISO to do? In the world of DevOps I'm constantly seeing the desire for developers to be security aware. But the point of DevOps is to be aggressively competitive. That's something I often don't see security people understanding or literally being aware of. Nicolas Valcarcel of NextRoll gave me heads up on a post by Mike Sherma of Square about having dev champions on the security team to advocate for the software engineering experience and design principles. Is this a good idea, and if so how would it be rolled out and what would be the benefits? How to become a CISO Prior to the unfortunate COVID-19 crisis we at the CISO Series were planning on hosting our very own one-day event to train security leaders. That event will happen eventually, but right now it's on hold. The whole idea is we were going to have a group of CISOs training a group of wannabe CISOs to be CISOs. Wayne is a strident mentor for wannabe CISO. At any time he's got 4 or 5 security professionals you're mentoring. We discuss the core skills security professionals are lacking to become CISOs, and what mentorship does to help you get those skills.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/cleaning-those-tough-to-reach-digital-identity-stains/) We're trying to erase our past and it's becoming harder and harder to clean that history. This week's episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our guest is Davi Ottenheimer (@daviottenheimer), vp of trust and digital ethics, Inrupt. Thanks to this week's podcast sponsor, Reciprocity. ZenGRC by Reciprocity is a cloud-based GRC software that automates and simplifies compliance and risk management, solving critical problems at scale while customizing to your business needs. Adhering to the majority of regulations is a snap with pre-built templates and a unified system of record. Learn more at reciprocitylabs.com. On this week's episode Why is everybody talking about this now? On Quora, the question was asked, "What are some ways to protect identities on the Internet?" Mike and Davi offer their advice. It's time for "Ask a CISO" The Three As: Authentication, Authorization, and Auditing or Accounting. How do they interrelate? What's the order? And have we been doing it wrong? It's time to play, "What's Worse?!" How are you going to handle having a very well known exploit? Close your eyes, breathe in. It's time for a little security philosophy. On Quora, the question was asked, "What should I do to completely erase my digital identity for good?" It seems impossible, and probably is, but how what steps would one need to get rid of our online identities? It's time to play, "What Is It and Why Do I Care?" We're introducing a brand new game today called "What Is It and Why Do I Care?" Here's how the game is played. I have three pitches from three different vendors who are all in the same category, application security. I have asked the reps to first, in 25 words or less, just explain their category. So give me a simple explanation of application security. That's the "What Is It?" and then for the "Why Do I Care?" I asked them to explain what differentiates them or makes them unique also in 25 words or less. It is up to Mike and Davi to pick your favorite of each and explain why. I only reveal the winning contestants and their companies. If you would like to be a contestant for "What Is It and Why Do I Care?" just go here and fill out the simple SurveyMonkey form.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/lets-just-dump-on-zooms-security-and-offer-no-solutions/) Sure, we're all in this together, but isn't it fun just to trash a popular product's really bad security? This week's episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our sponsored guest is Brian Johnson, CEO and co-founder, DivvyCloud. Thanks to this week's podcast sponsor, DivvyCloud. DivvyCloud provides continuous security and compliance across all CSPs and containers, including AWS, GCP, Azure, Ailibaba, and Kubernetes, providing a comprehensive view of what's in your cloud, along with the tools and automation you need to manage it today, tomorrow, and into the future as your business grows and changes. On this week's episode Why is everybody talking about this now? Yaron Levi, CISO, Blue Cross Blue Shield of Kansas City a frequent and recent guest of the podcasts, had an incendiary post on LinkedIn where he challenged the long held belief in cybersecurity that "we're all in this together." Well that theory was put to the test with the outcries of Zoom's security and privacy flaws. Levi believes the security industry failed. Instead of trashing Zoom we should be offering suggestions of how they could fix a now universally used application. His challenge exploded online with over 200 comments. How could we/can we handle this situation better? Look at this, another company breached Oh Marriott. You blew it again. Two massive data breaches in two years. This one just gave too much access to too many customers from a branch office. Years ago this would be a front page story we'd be talking about for weeks if not months. Now they're just another breach and it doesn't seem that the affected users seem to care. How much damage are these breaches doing to companies if the customers have breach fatigue and can't see the damage immediately or even directly? And what percentage of these breaches do you believe are the result of poorly architected or implemented security programs? It's time to play "What's Worse?!" We get a chance to talk about Mike's favorite topic, toxic team members. Please, Enough. No, More. Today's topic is Identity Access Management or IAM. We discuss what we've heard enough about with IAM and what would we'd like to hear a lot more. It's time for "Ask a CISO" We have a question from a listener, a college student. Here's her question: "I'm a college student interested in majoring in cybersecurity. However I'm more of a people person and I'm afraid cybersecurity is just dealing with computers and having no people interaction. I'm just wondering what I should expect if I continue to pursue a cybersecurity major."

All links and images for this episode can be found on CISO Series (https://cisoseries.com/weve-got-a-dozen-features-only-two-work/) If you don't focus too much on quality you'll really be impressed with the quantity of features our product has. This week's episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our guest is Yaron Levi (@0xL3v1), CISO, Blue Cross Blue Shield of Kansas City. Thanks to this week's podcast sponsor, DivvyCloud. DivvyCloud provides continuous security and compliance across all CSPs and containers, including AWS, GCP, Azure, Ailibaba, and Kubernetes, providing a comprehensive view of what's in your cloud, along with the tools and automation you need to manage it today, tomorrow, and into the future as your business grows and changes. On this week's episode Hey, you're a CISO. What's your take on this? What's the value of a vendor-derived security meter? I sat down for a vendor presentation that was chock full of dashboards with meters. Some made sense and others appeared they were derived through some mysterious black box. When do you trust a vendor-derived meter? Can you? If not you, who are they for? Is it possible to ignore the absolute numbers in a vendor-derived formula and value only the changes over time? If you don't trust a vendor-derived meter, what meters do you create for yourself that you do trust? How do you go about discovering new security solutions? Tip of the hat to John Prokap, CISO, HarperCollins for forwarding me this excellent CIO.com article by Yoav Leitersdorf of YL Ventures. How feature rich should a startup product be? In the article, Richard Rushing, CISO, Motorola Mobility talks about the need to trust a startup and the quality of each feature. "It's not enough to just focus on three out of five. All five have to be spot on because I can't miss, which means you can't miss." How does a vendor avoid the classic case of trying to be everything to everybody and really you're serving no one? What's Worse? What's better for the business, compromised security occasionally, or unnecessary overhead that grows over time? Close your eyes and visualize the perfect engagement There's a well-known paradox in the healthcare industry when it comes to working with third party vendors. Because of HIPAA regulations there's a desire to keep information private, but at the same time, what about all these wonderful third party tools. Let them have access to our data. What's the advice for vendors eager to work with a healthcare organization? How should they demonstrate their awareness of this paradox (e.g., scope of responsibilities, efficacy of controls, attestation, accountability)? Why is everyone talking about this now? We recorded this episode on March 30th as we talk about this next topic and that is should companies challenge their employees with a COVID-19 phishing test? Tip of the hat to Louisa Vogelenzang of Kroll who pointed me to this active discussion started by Grant McKechnie, Telstra, who asked this very question. There was a lot of debate. We debate both sides and offer an ultimate recommendation.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/lets-ask-cisos-if-theyre-concerned-about-data-security/) I'm just learning about cybersecurity and I just realized that data security is really important. I don't know if everybody knows this. Do CISOs know? I should email all of them and ask. This week's episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our guest is Steve Zalewski, deputy CISO, Levi Strauss & Co. Thanks to this week's podcast sponsor, DivvyCloud. DivvyCloud provides continuous security and compliance across all CSPs and containers, including AWS, GCP, Azure, Ailibaba, and Kubernetes, providing a comprehensive view of what's in your cloud, along with the tools and automation you need to manage it today, tomorrow, and into the future as your business grows and changes. On this week's episode Why is everyone talking about this now? On Quora, the question was asked, "What is the most common unaddressed cybersecurity risk at companies?" Looking through the list, we've talked about all of these issues: people (malicious and negligence), program maturity, data privacy, and just basic network. They're all important, but we discuss which one we believe is least addressed. There's got to be a better way to handle this What happens when a cloud provider breaks a service level agreement or SLA? On a recent episode of Defense in Depth, Taylor Lehmann, CISO, athenahealth said that putting ultimatums in SLAs just doesn't work in reality. No one really pulls the plug just because a cloud provider fell short on providing a certain level of uptime. We walk through the steps of the SLA. What's needed? What's too much? What do you do when something is violated? How do you right the ship and maintain the relationship? What's Worse? What happens when there's a political motivation to select a vendor? What do you think of this pitch? and Why is this a bad pitch? We put a good one and a bad one back to back so you can hear the range of what comes in a CISO's inbox. Um… maybe you shouldn't have done that As a security vendor, how do you catch yourself if you're cybersplaining? Brian Haugli of Sidechannel Security offered the following definition: "When a salesperson or company representative explains in detail how a basic attack, ransomware, BEC, or other threat works to a CISO or current cybersecurity expert in order to push a sale." From what I see, it appears that cybersplaining is the norm mostly for those who are very green in cybersecurity. I'll also say I've seen the complete opposite where someone at a much higher level assumes you're already in their head and agree to the same assumptions they have about cybersecurity as well. This plays out that they'll state an issue in cybersecurity and conclude with "right?" not waiting for an answer but just assuming you're on the same page so that they can go on with their rant. What are ways to check yourself on both sides of the spectrum and what's the happy medium?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/i-dont-need-anymore-advice-on-how-to-work-remotely/) It appears everyone has tips on how to work remotely. And after the deluge the past two weeks, most people have hit their wall. We don't care. We're pushing through with even more advice, just for security professionals. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Brendan O'Connor, CEO, AppOmni. Thanks to this week's podcast sponsor, AppOmni. AppOmni is the leading provider of SaaS security and management platform for the enterprise. AppOmni provides unprecedented data access visibility, management and security of SaaS, enabling organizations to secure mission-critical and sensitive data. With AppOmni, organizations can automatically and continuously enforce rules for data access, data sharing and third-party applications. On this week's episode Why is everyone talking about this now? Adapting a line from Wendy Nather of Duo Security, what's the security poverty line for remote work? Gabriel Friedlander of Wizer started a thread of best advice for employees working at home. And then he compiled a list of the best tips. We talk about our favorite tips and add a few of our own. There's got to be a better way to handle this Mike and our sponsored guest, Brendan, are both security leaders who have been thrust into managing their entire team virtually for an extended period of time. On top of that, their teams are going to have new pressures on them (e.g., kids at home) that are going to conflict with their ability to be efficient employees. We talk about what they're doing to adapt and their greatest concerns. What's Worse?! How are you dealing with patch management when you've got an all-remote workforce? Please, Enough. No, More. Our topic security cloud or specifically SaaS apps. What have we heard enough about on this topic and what would we like to hear a lot more? A serious confounding feature of public activities like elections and climate change discussions is the proliferation of actual fake news – stories created by bad actors and distributed by bots and which include deepfaked video and propaganda that lead audiences into a state of not knowing who to believe anymore. Security experts including the International Security Forum categorize this as a cyberthreat called Distortion, the loss of trust in the integrity of information. As threat actors continue to hammer away at the cyber defenses however they can, it is extremely likely that Distortion attacks will be yet one more way of bringing organizations to a point of extreme vulnerability, just like ransomware and siegeware. Though the Distortion content may be generated externally, it has the potential to be implanted in a company's environment through phishing, MFA fraud and hacking, leading to media crises, drops in market valuation, destruction of public credibility and of internal stability. More from our sponsor, ExtraHop. Um… maybe you shouldn't have done that Some really well-intentioned people are responsible for some really bad data practices. When I was in Tel Aviv I ran into a number of companies offering discovery solutions to show you where your data is, identify the sensitive data, the PII, and who has access. We learn a lot about sensitive data after it's breached, but there are also plenty of bad data practices happening internally which lend themselves to misuse or greater damage when there is a breach.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/the-department-of-no-thank-you/) Just go to the front desk, sign in, and then the receptionist will say "no" in the most polite way possible. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Nina Wyatt, CISO, Sunflower Bank. Thanks to this week's podcast sponsor, CyberArk. At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls. On this week's episode There's got to be a better way to handle this The hot new cybersecurity threat is the Coronavirus. Not the virus itself or the possible fake phishing emails connected to it, but our overall fear and its impact on work. According to data from Boardish, there is a 42% increase over baseline in fear of immobility, or staff not being able to operate effectively remotely. To put that number in perspective, phishing and ransomware have each seen an 8% threat increase. I read immobility's huge number to mean companies are simply not prepared for how their staff may need to operate. What we've got here is failure to communicate What's the best way to say 'no' to a vendor? This was a question that was asked of me by Eric Gauthier, CISO at Scout Exchange. He wants to say no because his cloud business has no need for certain services, and he doesn't want to be rude, but just saying no doesn't seem to work. What are the most successful techniques of saying no to a security vendor? And what different kinds of "no" are there? "What's Worse?!" A tough decision on a company built on acquisitions. Walk a mile in this CISO's shoes For many CISOs, there is a "What's Next?" as they don't necessarily expect "CISO" to be their final resting place professionally. Gary Hayslip, a CISO for Softbank Investment Advisers and frequent guest, wrote on both LinkedIn and Peerlyst about next steps for CISOs who want to move out of the role. The recommendations were other C-level positions, going independent, and starting a new company. On January 2 of this year, parking meters in New York City stopped accepting credit and parking cards. At fault? Security software that had expired on the first day of 2020. Reminiscent of Y2K, this draws attention to the next two time-related bugs predicted for 2036 and 2038. The 2038 problem affects 32-bit systems that rely on timecodes that max out on January 19 of that year. A similar rollover is expected in 2036 for Network Time Protocol systems. In all likelihood, affected systems either have been or will be replaced over the next 18 years, but the dangers still exist, in situations where vulnerable devices remain buried in a legacy system or in cases where advanced calculation of expiry dates are needed, or like New York City, where the upgrade was apparently overlooked. It serves as a reminder that data security must look to its past while it plans for the future. More from our sponsor ExtraHop. Hey, you're a CISO. What's your take on this? What's the impact of Europe's Right to Be Forgotten (RTFB)? It's been five years and Google has received ~3.2 million requests to delist URLs, from ~502,000 requesters. Forty five percent of those URLs met the criteria for delisting, according to Elie Bursztein, leader of Google's anti-abuse research team. Search engines and media sites hold the greatest responsibility, but what responsibility are companies forced to deal with and do they have the capacity to meet these requests?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/we-pick-the-best-security-awareness-programs-for-your-staff-to-ignore/) It doesn't matter which security awareness training program you purchase. Your staff is going to do whatever they can to either tune out or get out of this annual compulsory exercise. This week's episode of CISO/Security Vendor Relationship Podcast was recording in front of a live audience at athenahealth in Watertown, Massachusetts. The recording features me, David Spark (@dspark), producer of CISO Series, my guest co-host, Taylor Lehmann (@BostonCyberGuy), CISO, athenahealth, and guest Marnie Wilking, global head of security & technology risk management, Wayfair. David Spark, producer of CISO Series, Taylor Lehmann, CISO, athenahealth, Marnie Wilking, global head of security & technology risk management, Wayfair Check out all the photos from our recording. Thanks to this week's podcast sponsors, Check Point and Skybox Security. It's no secret that today's cyber attacks are targeted and sophisticated. Leaving even one point of entry vulnerable to a cyber attack endangers your entire organization. Check Point created the Secure Your Everything Resource Center to help you develop a comprehensive approach to prevent cyber attacks. At Skybox, we remove complexities from cybersecurity management. By integrating data, delivering new insights and unifying processes, we help you control security without restricting business agility. Our comprehensive solution unites security perspectives into the big picture, minimizes risk and empowers security programs to move to the next level. On this week's episode Pay attention, it's security awareness training time Jinan Budge of Forester finished a report on security awareness training programs. She found a trend that supported both the need for compliance and the need to actually train employees to be more security aware. We discuss what actually works to get people to be more aware of cybersecurity. What do you think of this vendor marketing tactic? At RSA, I talked to a vendor who told me about their new solution. It was so unique that Gartner was creating a new category for their product with yet another acronym. UGGH, another category for which you have to educate the market? And now you have to convince buyers to create a new line item for this category? And now what is that going to do to your marketing budget? It didn't take much convincing for me to point out that their product was just third-party risk management. Admittedly, cybersecurity professionals love the new and shiny, but where do we draw the line about learning something new in cybersecurity and adding confusion to the marketplace? It's time to play, "What's Worse?!" Two rounds, lots of debate. Where does a CISO begin? When we hear about digital transformation, it is being done for purposes of speed, accuracy, and business competitiveness. Scott McCool, former CIO at Polycom was on our show Defense in Depth, disputed the common notion that security serves the business. Instead, he believes that security IS the business. And if you deem that to be true, then security can no longer can take a consultative role. It must take the role of brand and value building. This is more than just a discussion of "shifting left." What are actions that security must take to make it clear that they are part of making the business fast, innovative, and competitive? Um... maybe you shouldn't have done that We tell talks of the worst proof of concept (POC) efforts. Audience question speed round We close out the show with a series of quick answers to audience questions.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/buy-our-product-we-have-no-idea-what-were-selling/) What do you think of our confusing non-descriptive ad copy? We think it's brilliant. We're patting ourselves on the back on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in front of a live audience in NYC at the coworking space, Rise NYC. It's hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and JJ Agha, vp, head of information security at WeWork. Our guest is Mike Wilkes (@eclectiqus), CISO, ASCAP. David Spark, producer, CISO Series, JJ Agha, vp, head of information security, WeWork, and Mike Wilkes, CISO, ASCAP Thanks to this week's podcast sponsor, Check Point It's no secret that today's cyber attacks are targeted and sophisticated. Leaving even one point of entry vulnerable to a cyber attack endangers your entire organization. Check Point created the Secure Your Everything Resource Center to help you develop a comprehensive approach to prevent cyber attacks. On this week's episode There's got to be a better way to handle this How well are you configuring your controls today and tomorrow? At RSA, I chatted with Adam Glick, CISO, Rocket Software. He said what he'd like is a tool to test the maturity of his deployed controls. How are his controls optimized over time? What does it looks like today vs. a year from now? How are we currently trying to solve that problem and what could be done to improve it? Hey, you're a CISO, what's your take on this? "Which cybersecurity certification should I get?" It's a question I see repeated often, especially on Quora and Peerlyst. Your best bet would probably be the one that most employers are looking for. And according to job board searches, conducted by Business News Daily, CISSP is the overwhelming favorite. Do our CISOs prefer certain certifications over others? Is it a requirement for hiring? And what does a security professional with certifications vs. experience tell us about that person? What's Worse?! Split decisions on both and the audience plays along as well. Is this the best use of my money? "One of the common complaints I repeatedly hear is that cybersecurity vendors are not solving real problems. They're just looking to make money. I think that's a rather unfair blanket statement, but regardless, I hear it a lot. I think why I hear that so often is that we're all in the cybersecurity fight together and we need to help each other. Helping each other is often done by participating in the open source community. Why is it critical to contribute to the open source community? Um... What do they do? I read copy that appeared on various booths at RSA 2020. Most are confusing and non-descriptive and don't appear to assume a pre-existing understanding of cybersecurity. The expo hall at RSA is filled with security professionals who are already security minded. I honestly don't know exactly the reaction they're looking to get or what type of information these vendors are trying to convey. Audience question speed round We close out the show with a series of quick answers to audience questions.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/were-market-leaders-in-customer-confusion/) We could offer a simpler explanation of our technology, but if we confuse you we can charge a lot more. This episode was recorded in front of a live audience at BsidesSF 2020 in San Francisco. It's hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Olivia Rose, former CISO, Mailchimp. Look at that screen! We were in a movie theater. Those small people in the lower right are David Spark, producer, CISO Series, Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, and Olivia Rose, former CISO, Mailchimp. Photo credit to @ash1warya. Thanks to this week's podcast sponsors, Vulcan Cyber and CyberArk. Vulcan is a vulnerability management platform built for remediation. By orchestrating the entire remediation process, Vulcan ensures that vulnerabilities aren't just found, they're fixed. Pioneering a remediation orchestration approach, the platform enables security, operational and business teams to effectively remediate cyber risks at scale. At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls. On this week's episode How to become a CISO What is some actionable "let's start today" advice. What could an individual do right now to develop the skills to be a cyber leader and make it clear to management, that's what they're gunning for? What we've got here is failure to communicate If all vendors stopped sending cold emails, which is what we constantly hear CISOs say they should do, how should they spend their time and money instead to greatly improve their success? If a CISO played the role of a vendor, which happens often, what should you do, to get to you? What's Worse?! We play TWO rounds. What do you think of this vendor marketing tactic? According to a recent study by Valimail, CISOs are very suspect of security vendors' claims. In general, the numbers are horrible for vendor credibility. Close to half of security professionals claim the following: Vendors' tech and explanation are confusing Practitioners have a hard time seeing and measuring value Practitioners don't know how a vendor's product will stay valid on their security roadmap. What could cybersecurity vendors do to make their claims more believable? Close your eyes and visualize the perfect engagement Rafal Los, Armor Cloud Security asked, "If you could implement one thing in your organization that would receive universal adoption without push-back, what would it be?" The question, which seems reasonable, but in the security world often feels impossible, generated a ton of responses on both LinkedIn and Twitter. Many wanted company-wide adoption of one solution, such as MFA or vulnerability management. Others wanted widespread and ongoing security education. Our CISOs debate the one pushback-free solution that would yield the greatest results.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/last-chance-to-vote-for-most-stressed-out-ciso/) Think you or your CISO has what it take to shoulder all the tension, risk, and security issues of your organization? You may be a perfect candidate for "Most Stressed Out CISO". This episode was recorded in person at Zenefits' offices in San Francisco. It's hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Keith McCartney (@kmflgator), CISO, Zenefits. Keith McCartney, CISO, Zenefits and Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast Thanks to this week's podcast sponsor, CyberArk At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls. On this week's episode There's got to be a better way to handle this CISO Stress. We've talked about it before on the show, and now Nominet just released a new study that claims stress levels are increasing. 8% of CISOs said work stress has had a detrimental impact on their mental health, almost twice as high as last year (27%). 31% of CISOs said that stress had affected their ability to do their job. Almost all surveyed CISOs (90%) said they'd take a pay cut if it improved their work-life balance. How could a CISO negotiate better work/life balance upfront and have either of our CISOs done it? Hey, you're a CISO. What's your take on this? Gary Hayslip shared this Peerlyst article by Ian Barwise of Morgan Computer Services about the incredible array of OSINT tools. What OSINT tools do our CISOs find most valuable and for what purposes. What's Worse?! A little too much agreement on this week's "What's Worse?!" Here's some surprising research Why are cloud security positions so much harder to fill? Robert Herjavec of the Herjavec Group posted a number of disturbing hiring statistics. Most notably was one from Cyber Seek that stated jobs requesting public cloud security skills remain open 79 days on average — longer than almost any other IT skills. Why isn't supply meeting demand? Why is it such a difficult security skill to find? And how easy and quickly can you train for it? EKANS is the backward spelling of SNAKE. It is also the name of new ransomware code that targets the industrial control systems in oil refineries and power grids. Not only does it extort a ransom, it also has the ability to destroy software components that do things like monitor the status of a pipeline, or similar critical functions in a power grid or utility. A recently documented attack on Bahrain's national oil company reveals the architecture and deployment of EKANS not to be the work of a hostile nation-state, but of cybercriminals. The chilling message behind that, of course, is that penetrating and sabotaging critical components of a country's infrastructure is no longer exclusive to sophisticated national intelligence agencies. Lower level criminal agencies may have motives that are far less predictable and trackable, and when combined with the complexities of an industrial control system, these may have cascading effects beyond the wildest dreams of the instigators themselves. More from our sponsor ExtraHop. What do you think of this pitch? We get a pitch with some suggestions on how best to improve the pitch. We want more pitches!

All links and images for this episode can be found on CISO Series (https://cisoseries.com/lets-blow-our-entire-marketing-budget-at-rsa/) Security professionals only think about security one week out of the year, right? So let's drop every single dollar we have budgeted for marketing on the last week of February. Whaddya say? This episode was recorded in person at Intel's offices in Santa Clara, California. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Tom Garrison (@tommgarrison), vp and gm of client security strategy at Intel (@IntelNews). David Spark, CISO Series, Tom Garrison, Intel, and Mike Johnson, CISO/Security Vendor Relationship Podcast. Thanks to this week's podcast sponsor, Intel. The globalization of technology has created an environment of complicated supply chains with limited transparency. Intel's Compute Lifecycle Assurance (CLA) initiative solves this through a range and tools and solutions that deliver assurances of integrity throughout the entire lifetime of a platform --from build to retire. On this week's episode There's got to be a better way to handle this Next week is RSA and by podcast law we're required to talk about it. We offer up tips on maximizing the following: education, engagement, and follow up. What's the return on investment? On Peerlyst, John Mueller, a security architect with the US Navy, suggested ways to use incident response metrics to help determine whether your cybersecurity program is improving. But as Mueller points out, it's not easy as you could fool yourself into believing you're doing well if you don't valuable discovery tools. We discuss methods to measure improvements in security programs. What's Worse?! A really tough one that delivers a split decision. Please, enough. No, more. Our topic is trust and hardware manufactures. We discuss what we've heard enough about with trusting hardware manufacturers of tech products, and then we discuss what we'd like to hear a lot more. The fable of Walt Disney having been cryogenically frozen to be revived in an age where the science to do so existed is just that – a fable. But there is still something to be taken from that when it comes to documents archived on the cloud or consigned to data landfills. Just because encrypted data cannot be easily decrypted by hackers using today's tools, that doesn't mean tomorrow's tools can't do the job and revive the information stored inside. When threat actors take it upon themselves to steal data, through hacking, ransomware, or AI, they might, of course be searching for material that is immediately exploitable, such personal data, or data that has immediate value in being returned or unlocked as in the case of ransomware. But other players are in it for the long game, counting on the fact that the inexorable momentum of progress will lead to a decryption solution in time for stolen archived data to still be of use for future crimes, frauds and deep fakery. More from our sponsor ExtraHop. Close your eyes. Breathe in. It's time for a little security philosophy. I got back from Tel Aviv where cybersecurity professionals find themselves innovating out of necessity. They're often short on resources. We discuss the kinds of exercises we've tried to help ourselves and our team to think creatively about cybersecurity. One suggestion is the interrogation technique of "Five Whys" to get at the root reason of why we make our choices.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/empowered-working-together-to-pile-on-the-cyber-guilt/) We can all be more secure if we work together as a team to shame those who don't agree with how we approach security. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Chris Hatter, CISO, Nielsen. On this week's episode Mike's confused. Let's help him out. Mike inspired this brand new segment with his question to the LinkedIn community, asking what's the big deal with 5G security? The story I heard about 5G is just sheer volume over unsecured networks. But Mike said, we've been dealing with unsecured networks since 2G and 3G and we dealt with them using Transport Layer Security or TLS, and implementing other services such as multi-factor authentication or MFA. Mike called out to the community to clue him in as to why we should be more concerned with 5G. Does shaming improve security? Thanks to Mark Eggleston, CISO, Health Partners Plans for alerting me to Chris Castaldo, CISO of Dataminr, and his post about Rob Chahin's "Single Sign-On or SSO Wall of Shame". Chahin, who is the head of security at Eero, purports that SSO should be a standard feature in applications and websites that allow for secure sign on through third party identity services, such as Google and Okta. Single sign-on is a significant boon for security and management simplicity and Chahin argues that many companies force users to pay dearly to enable SSO. What's Worse?! A grand financial decision in this scenario. Is this the best solution? According to a recent article in the Wall Street Journal, there is an ever slight trend of CISOs moving away from reporting to the CIO, opting instead to report directly to the CEO. Why is this trend happening? What are the benefits and disadvantages? With hacks and breaches becoming all too commonplace and even encrypted data still vulnerable to hackers who can read and copy it, focus is now being placed on Quantum Communication as a potential next option. This is a technique that encodes data into photons of light, each of which can carry multiple copies of ones and zeroes simultaneously, but which collapses into a single one-and-zero if tampered with. Basically, the scrambling of data to an unusable format. Although Quantum communication has been development for a few years, researchers in China have apparently already outfitted a fleet of drones that will soon be able to communicate upwards to its already launched Quantum satellites and downwards to ground stations while remaining stable in flight. This paves the way for the field of quantum teleportation, a glamorous term whose uses and actual development are no longer just the realm of science fiction. For data at least. More from our sponsor ExtraHop. Close your eyes. Breathe in. It's time for a little security philosophy. Simon Goldsmith, adidas, said, "I've been having some success in replacing risk with uncertainty. By which I mean not having a threat, vulnerability or impact made tangible creates uncertainty which is next to impossible to factor into any modern decision making process. If I make it tangible, it becomes a risk and I can help you make a better decision. Puts value on turning uncertainty to risk and fights FUD."

All links and images for this episode can be found on CISO Series (https://cisoseries.com/youre-mistaken-im-not-annoying-its-chutzpah/) We're pushing just to the edge of irritation on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in front of a live audience in Tel Aviv on the eve of the 2020 Cybertech conference. Special thanks to Glilot Capital for hosting this event. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and my special guest co-host, Bobby Ford, global CISO for Unilever. Our guest is John Meakin, veteran financial CISO, and currently CISO for Equiniti. David Spark, producer, CISO Series, Bobby Ford, CISO, Unilver, and John Meakin, CISO, Equiniti. Thanks to this week's podcast sponsors, Polyrize and Intsights. As newly adopted SaaS and IaaS services add an additional layer of risk for security teams, Polyrize provides a cloud-centric approach to simplifying the task of protecting user identities and their access across the public cloud by right-sizing their privileges and continuously protecting them through a unified authorization model. IntSights is revolutionizing cybersecurity operations with the industry's only all-in-one external threat protection platform designed to neutralize cyberattacks outside the wire. Our unique cyber reconnaissance capabilities enable continuous monitoring of an enterprise's external digital profile across the clear, deep, and dark web to identify emerging threats and orchestrate proactive response. To learn more, visit intsights.com. On this week's episode How do you go about discovering new security solutions? In an article on LinkedIn entitled, "Why do CISOs take a vendor meeting?" Dutch Schwartz, of AWS said that they take meetings per a recommendation of their staff, their peers, or they have an explicit problem that they've already researched, or they have known unknowns. Are those the reasons to take a meeting with a security vendor? We discuss what meetings CISOs take, and which ones are the most attractive. It's time for "Ask a CISO" Israel is known for a thriving startup community. But what I always see is cross pollination between Israel and Silicon Valley when it comes to startups. We discuss what Israeli startups can learn from Silicon Valley and vice versa. What's Worse?! We've got two rounds. One agreement and one split vote. It's time to measure the risk Five years ago I wrote an article for CIO.com about the greatest myths of cloud security, The first myth was the cloud is inherently insecure. And the other 19 are ones I'm still hearing today. My conclusion for the whole article was if you can overcome these myths about cloud security, you can reduce risk. In this segment we dispel cloud security myths and explain how the cloud helps reduce risk possibly in ways many of us are not aware. Close your eyes. Breathe in. It's time for a little security philosophy. On this podcast we talk a lot about CISOs needing to understand the business. In a thought-provoking post on Peerlyst, Eh-den Biber, a student of information security at Royal Holloway, University of London, noted that the job of cybsecurity is more than that. It's about understanding the flow of business and being present in the individuals' lives and their stories. We discuss the importance of being present in your users' lives. It's time for the audience question speed round The audience has questions and our CISOs have answers. We get through a lot really quickly.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/revisiting-a-whole-career-of-cyber-screw-ups/) This episode was recorded in front of a live audience at Malwarebytes' offices in Santa Clara, California for the Silicon Valley ISSA chapter meeting. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Peter Liebert, former CISO, state of California. Peter is now an independent consultant and commander of cyber operations for California State Guard. (left to right) David Spark, producer, CISO Series, Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, and Peter Liebert, commander, cyber operations, California State Guard Thanks to this week's podcast sponsor, Malwarebytes. Malwarebytes secures endpoints, making workplaces resilient. Our adaptive cyber protection predicts and detects attacks with multi-layer detection across the kill chain. We enable active threat response with machine learning that is actionable and automated, allowing for full recovery when a compromise occurs. We empower enterprise endpoint orchestration across siloed IT and Security organizations, simplifying security management and making responses effective. Malwarebytes makes endpoints resilient so workplaces can protect and remediate, and employees can regain control of their digital lives. On this week's episode Why is everybody talking about this now? Chris Roberts of Attivo Networks posted about his video game addiction as he admitted one certain game ate up 475 hours of his life. He really struck a chord with the community as he got hundreds of comments of people admitting to the same but also recognizing that video games are great stress relievers and that the problem solving in games actually helps keep your mind sharp. There is the obvious need for a break, but is there a correlation between how gaming in any form can help someone with their job in cybersecurity? Hey, you're a CISO, what's your take on this?' Are we doing a good job defining the available jobs in cybersecurity? The brand that we see out there is the image of the hacker and the hoodie. In a post on Peerlyst, Nathan Chung lists off eleven other cybersecurity jobs that don't fall under that well known cybersecurity trope. Jobs such as data privacy lawyers, data scientists developing AI and machine learning algorithms, law enforcement, auditors who work on compliance, and even project managers. We discuss some of the concrete ways to explain the other lesser known opportunities in cybersecurity. What's Worse?! We play two rounds with the CISOs. Um… maybe you shouldn't have done that In an article on Peerlyst, cybersecurity writer Kim Crawley, asked her followers on Twitter, "What mistakes have you made over the course of your career that you would recommend newbies avoid?" There was some great advice in here. We discuss our favorite pieces of advice from the list and our CISO admit what is the mistake they've made in their cybersecurity career that they specifically recommend newbies avoid. We've got listeners, and they've got questions Chris Hill of Check Point Software, asked, "How can non-technical people working their way up in the security industry improve their knowledge and abilities from a CISO perspective." Chris is a newbie and he wants advice on being a "trusted advisor" and he's trying to figure out the best/most efficient way to get there. It's time for the audience question speed round We go through a ton of questions the audience has for our CISOs

All links and images for this episode can be found on CISO Series (https://cisoseries.com/debunking-the-misused-chased-by-bear-cybersecurity-metaphor/) We don't want anyone to be caught by the bear on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in person in San Francisco. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Elliot Lewis (@ElliotDLewis), CEO, Encryptics. Thanks to this week's podcast sponsor, Encryptics. Now you can share data without ever losing control of it. Our advanced architecture makes data self-protecting, intelligent and self-aware – wherever it goes, no matter who has it. Our .SAFE patented multi-key technology enables data to evaluate its own safety conditions, including geo-sensing, recipient authentication, and policy changes from its owner. Contact Encryptics today and see for yourself. On this week's episode Is this the best solution? On LinkedIn, Rich Malewicz of Wizer opened up a discussion of security is really just about making the lives difficult for attackers, or more difficult than another target. Rui Santos summed Rich's theory succinctly, "you don't have to be Fort Knox, just make it not worth the effort of hacking your organization." Let's dive into the specifics of this. Provide some examples of how you architect a security program that makes it too difficult or too costly for an attacker. Obviously, this would change given the asset you're trying to protect. The great CISO challenge Brad Green, Palo Alto Networks, asks, "What are the most important functions of the SOC (security operations center), and what are the most important activities that support them? What's Worse?! As always, both options stink, but one is worse. Please, Enough. No, More. Today's topic is data security. What have you heard enough about with data security, and what would you like to hear a lot more? Mike? Communicating cyberthreats to the general public has always been a challenge for cybersecurity specialists, especially when it comes to eliciting cooperation in areas like cyberhygiene. Sometimes it helps to give people an awareness that the need for proactive security doesn't exist only on screens, but everywhere. One fascinating example of this can be seen in the research of Dina Katabi of MIT, who has shown how WiFi signals can be monitored – not for their content, but as a form of radar that can see through walls, and which can accurately observe people physically moving around, or even detecting heartbeats and sleep patterns. Remote espionage opens up all kinds of opportunities for bad actors to build ergonomic profiles of anyone and then deploy AI and ML enabled analysis to influence and impersonate them. Showing people just how many different dimensions can be used in cybercrime may one day shift public perception of cybersecurity into the center spotlight where it belongs. More from our sponsor ExtraHop. There's got to be a better way to handle this For years security professionals have talked about trying to secure the exponentially expanding surface area. One way to simplify, that we've all heard before, is driving security to the data level. Could we let networks run wild, within reason, and just have a data-security first approach? How is that different from zero trust, if at all? To what extent does this work/not work? We've all been having conversations about encryption for decades. It's not a new story. But it's still not universally used. There are billions of user accounts available in open text. After decades, why has the encryption story still not been getting through? What's holding back universal usage?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/we-put-the-fun-in-infunsec/) We're cranking up the entertainment value on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in person in San Francisco. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Adrian Ludwig, CISO, Atlassian. Thanks to this week's podcast sponsor, Encryptics. Now you can share data without ever losing control of it. Our advanced architecture makes data self-protecting, intelligent and self-aware – wherever it goes, no matter who has it. Our .SAFE patented multi-key technology enables data to evaluate its own safety conditions, including geo-sensing, recipient authentication, and policy changes from its owner. Contact Encryptics today and see for yourself. On this week's episode Close your eyes and visualize the perfect engagement What should a CISO's relationship with the board be and how much should a CISO be involved in business decisions? According to a Kaspersky survey, 58% of CISOs say they're adequately involved in business decision making. 34% say they're summoned by the board for data/security related manners. 74% of CISOs are not part of the board and of that group, Of that group, 25% think they should be. What are the pros and cons of a CISO being heavily involved in the business? The great CISO challenge On Dark Reading, Joan Goodchild asked CISOs what were their New Year's resolution. Most said obvious stuff about visibility, being a business enabler, work on human element, and privacy. But I was most intrigued by Jason Haward Grau, CISO of PAS Global, who said he wanted to make security a little more fun. Keeping it fun and interesting is my obsession with this show. If you want to attract, and more importantly retain, security talent, a little bit of fun is critical. So what is currently fun about cybersecurity and what can CISOs do to make it more fun? What's Worse?! First time Mike Johnson admits to being wrong! Looking down the security roadmap On LinkedIn, Mike recommended that security professionals line up tools with their comparable threat models, and then compare that list with their company's actual threat models. Mike admittedly offered the advice but never actually had done itself until he wrote the post and then he started. We delve into what actually happened and how one could actually do it. The Cyber Defense Matrix is a handy, yet easy to use grid plan that helps IT and cybersecurity professionals formulate a plan of proactive defense and effective response. Devised by security specialist Sounil Yu and discussed in detail on the October 17, 2019 episode of Defense in Depth, the matrix continues to gain ground as a vital tool for not only understanding the required spread of technologies, people and process, but also in performing gap analysis and crisis planning. The matrix creates a logical construct across two axes, creating a five by five fill-in grid. Although some experts debate whether it is sufficiently broad in scope, cybersecurity organizations such as OWASP tend to agree that its role in organizing a jumble of concepts products and terminologies into a coherent inventory helps cybersecurity specialists measure their security coverage, discover gaps in their IT strategy, and create a better project plan. More from our sponsor ExtraHop. And now, a listener drops some serious knowledge "Sandor Slijderink (SLY-DUR-INK), CISO at undisclosed company, offered a quick tip on a new phishing scam. Type in some text that looks like a foreign language, then create a hyperlink that reads: ""See translation"" We discuss some attack vectors that we think others may not be fully aware of but need to pay attention.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/we-lower-the-security-and-pass-the-savings-on-to-you/) We're racing to the bottom in terms of price and security on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in person in San Francisco. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Seth Rosenblatt (@sethr), editor-in-chief, The Parallax. Thanks to this week's podcast sponsor, Encryptics. Now you can share data without ever losing control of it. Our advanced architecture makes data self-protecting, intelligent and self-aware – wherever it goes, no matter who has it. Our .SAFE patented multi-key technology enables data to evaluate its own safety conditions, including geo-sensing, recipient authentication, and policy changes from its owner. Contact Encryptics today and see for yourself. On this week's episode Are we making the situation better or worse? Are big Internet giants' privacy violations thwarting startup innovation? That's been presidential candidate Elizabeth Warren's argument, and it's why she wants to break up companies like Facebook and Google for what she sees as anti-competitive practices. According to Seth Roseblatt's article, it appears all of a sudden Facebook and Google are very concerned about privacy. Nine years ago, I remember seeing Eric Schmidt, then CEO of Google, proudly admit that they tracked people's movements so thoroughly that they can accurately predict where you're going to go next. Nobody blinked about the privacy implications. But today, users are upset but they don't seem to be leaving these services at all. Is it all talk on both sides? Have you seen any movement to improve privacy by these companies and would regulation be the only answer? And heck, what would be regulated? Here's some surprising research Over the past 15 years, home WiFi routers have been manufactured to be less secure. Seth reported on this study by the Cyber Independent Testing Lab, which we also discussed on an episode of Defense in Depth. The most notorious weakening is the use of default passwords, but there's a host of other firmware features that don't get updated. Is there any rationale to why this happens? And has this study done anything to turn things around? Is this a cybersecurity disinformation campaign? Fighting "fake news" like it's malware. In Seth's story, he noted there are structural and distribution similarities. I envision there are some similarities between fake news and adware which isn't necessarily designed for negative intent. Fake news appears to be an abuse of our constitutional acceptance of free speech. How are security tactics being used to thwart fake news and how successful is it? When you set up your new home assistant, try not to position it close to a window, because someone across the street might be preparing to send voice commands, such as "open the garage door" by way of a laser beam. Researchers from the University of Michigan and The University of Electro-Communications in Tokyo have successfully used laser light to inject malicious commands into smart speakers, tablets, and phones across large distances and through glass windows. They use standard wake commands modulated from audio signals and pair them with brute forcing of PINS where necessary. They have also been successful in eavesdropping, and in unlocking and starting cars. Their research shows how easy it is and will be to use lasers to not only penetrate connected devices but to deploy acoustic injection attacks that overwhelm motion detectors and other sensors. More information including access to the white paper is available at lightcommands.com. More from our sponsor ExtraHop. Look at this, another company got breached Tip of the hat to Malcolm Harkins at Cymatic for posting this story on Forbes by Tony Bradley of Alert Logic who offers a rather pessimistic view of the cybersecurity industry. It's broken, argues Bradley. We spend fortunes on tools and yet still get hacked year over year using the same tools. The article quotes Matt Moynahan, CEO, Forcepoint, who said we wrongly think of security as an "us" vs. "them" theory or "keeping people out" when in actuality most hacks are because someone got access to legitimate user credentials, or a user within our organization did something unintentional or potentially malicious. Are we wrongheaded about how we envision cybersecurity, and if so, is there a new overarching philosophy we should be embracing?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/ah-heres-the-problem-youve-got-a-leaky-ceo/) We're waking up the C-suite to the realization that they're the prime target for cyberattacks. This episode was recorded in front of a live audience at Evanta's CISO Executive Summit in Los Angeles. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers. CISO/Security Vendor Relationship Podcast live at Evanta CISO Executive Summit in Los Angeles 12/11/19 PLUS, joining us live was Jewels Nation, the voice of the CISO Series. You hear her voice on all the bumpers on our podcasts. Jewels Nation, the voice of the CISO Series podcasts, and David Spark, producer of CISO Series Thanks to this week's podcast sponsor Evanta. Evanta, a Gartner Company, creates exclusive communities of C-level executives from the world's leading organizations. These invaluable networks are built by and for C-level executives to share innovative ideas, validate strategies and solve critical leadership challenges through peer-to-peer collaboration. Evanta's trusted communities serve CISOs and their C-suite peers around the world. On this week's episode Where does a CISO begin? Gary recently brought up an excellent discussion pointing out that executives are the backdoor into your organization. Do they understand that they're critical cogs? Do they and are they willing to take on responsibility? What is the patching process? Walk a mile in this CISO's shoes Gary, talked a lot about the importance of work/life balance with cyber professionals. Robert Carey of RSA Security said your actions do most of the talking, "As a CISO, you're a model of work life balance. If you stay 14 hours a day, that's what is expected of employees. If you leave at 5pm they'll realize that's ok for them to do." How do our CISOs handle presenting to their staff what is and isn't OK, when they're in the office or when their employees are remote? What's Worse?! You've got a new hire. Which one do you choose? Is this the best solution? Does the email pitch still serve a function? On a recent CISO Series video chat, we talked about how CISOs get 50-80% of their information about products from other CISOs and that yeah maybe sometimes they read an email pitch. Is there still room for the email pitch or should it just die? And if it should die, what should it be replaced with? Security Squares: Where CISOs Put Vendors in Their Place A brand new game that asks CISOs how well do they know the vendor landscape? This one was a nail biter. It's time for the audience question speed round Our audience has questions, and our CISOs will have answers.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/trust-me-were-using-advanced-ai/) We're looking for a good reason to trust your AI on the latest CISO/Security Vendor Relationship Podcast. This episode was recorded in front of a live audience at Evanta's CISO Executive Summit in San Francisco. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week, is Jimmy Sanders (@jfireluv), head of information security, Netflix DVD. Mike Johnson, Jimmy Sanders, head of information security, Netflix DVD, and David Spark Thanks to this week's podcast sponsors: Trend Micro, SentinelOne, and FireMon. FireMon provides persistent network security for hybrid environments through a powerful fusion of real-time asset visibility, continuous compliance and automation. Since creating the first-ever network security policy management solution, FireMon has delivered command and control over complex network security infrastructures for more than 1,700 customers. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. Are you looking to leave legacy antivirus? Proactively protect every device in realtime with AI. Deploy SentinelOne for EPP, EDR, IoT, and container security today. Autonomous technology is the future. We deliver it now across your endpoints, servers, cloud workloads, and IoT devices. What we've got here is failure to communicate Is the privacy message getting out to the right people? I argue we need to go to the source and we're not. I was at Dreamforce, the Salesforce conference, and I got the sense I was the only person of the 100K people there that didn't want to be scanned. This crowd is obsessed with the collection of personal data given this conference is mostly about how do I create greater understanding from personal data. Are we as security people in a bubble in this privacy conversation? We need to go to the source of the people who are actually collecting the data and I'm getting the sense we're not getting through. Are we making the situation better or worse? We've talked a lot about AI on this show, and many vendors are selling intelligent solutions, but the factor that seems to hang up usage is trust. Cyber professionals don't think twice about trusting their AI-powered spam filter, but so many other tools are met with skepticism. What's missing from the vendor side and what trust barriers are practitioners putting up? What should the barometers be for trusting AI? What's Worse?! Two bad types of people wanting to do you harm. Which one is worse? Is this the best solution? Should you hire staff from companies that have fallen victim to cybercrime? According to a study by Symantec and Goldsmiths, University of London, as reported by ZDNet, more than half of respondents said they don't discuss breaches or attacks with peers. And more than a third said they fear that sharing breach information on their organization would negatively impact their future career prospects. I would think that asking a prospect, "Have you lived through a breach and how did you handle it?" would be very revealing. Mike? Security Squares: Where CISOs Put Vendors in Their Place A brand new game that asks CISOs how well do they know the vendor landscape? It's time for the audience question speed round Our audience has questions, and our CISOs will have answers.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/isnt-that-adorable-our-little-ciso-has-an-opinion/) We're spoon-feeding "respect" to the CISO on this week's CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week, thanks to Trend Micro, is Jim Shilts, founder, North American DevOps Group. Thanks to this week's podcast sponsor Trend Micro. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. On this week's episode Why is everyone talking about this now? Gary Hayslip, CISO, Softbank Investment Advisers and regular guest, posted an article about a growing trend of CISO frustration and why they don't last at an organization. This article addresses many issues around burnout, but I want to focus on this one stat from an ISC(2) study which states, "Sixty three percent of respondents said they wanted to work at an organization where their opinions on the existing security posture were taken seriously." Hard to keep any security staff in place if they're not respected. We talk a lot about being able to talk to the board, but the communications has to be two way. How clear are executives in understanding that respect and listening to their cyberstaff is in their best interest? What annoys a security professional Deidre Diamond of CyberSN, asks this very pointed question, "We are short 500k cyber professionals in the US and 89% of our current cyber professionals are open to new opportunities; why are jobs taking on average 4-9 months to fill?" That last stat is CyberSN's data estimates. She's arguing there is plenty of supply. Why is this taking so darn long? Nobody's happy. What's Worse?! We've got a question tailored for our DevOps guest this week. Please, enough. No, more. DevOps and security. This is a topic that has grown over time, evolved in branding, and Mike has spoken out about how much he don't like the term DevSecOps. As we regularly do in this segment, what have you heard enough of on the DevOps and security debate and what would you like to hear a lot more? Two factor authentication is a smart step towards more secure password management but what happens the moment after you have convinced the employees of your company to adopt 2FA, when you then say, "Oh yes, don't forget your SIM PIN." 2FA might stop hackers from using easily searchable information like someone's mother's maiden name, but these bad actors have already discovered the weak link in this particular chain. They call the phone provider, pretend to be that specific victim and ask to swap the victim's SIM account information to a new SIM card – one that is in their possession. That way, everything the victim did with their phone – texting, banking, and receiving 2FA passcodes – all goes to this new phone. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Hey, you're a CISO, what's your take on this? Nigel Hedges, CISO, CPA Australia, asked, "Should security operations exist in infrastructure/operations teams?" Nigel asked this questions to colleagues and got mixed results. One CISO said it was doomed to fail, others said its up to leadership and a CISO doesn't need to own secops. "Other people were adamant that the focus required to manage secops, and streamlined incident response cant work within infra because the primary objectives of infra are towards service availability and infra projects," said Nigel who went on to ask, "Is this important prior to considering using a security vendor to provided managed security operations? Is it important to 'get the house in order' prior to using managed secops vendors? And is it easier to get the house in order when secops is not in infra?"

All links and images for this episode can be found on CISO Series (https://cisoseries.com/rest-assured-were-confident-our-security-sucks/) We may not have the protection you want, but what we lack in adequate security we make up in confidence. Sleep better at night after you listen to this week's episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Billy Spears (@billyjspears), CISO, loanDepot. Thanks to this week's podcast sponsor, CyberInt. The high ROI is what makes spear phishing campaigns so attractive to threat actors. Read our breakdown of TA505's latest series of attacks. CyberInt has been tracking various activities surrounding this and other similar attacks where legit means were used to hack international companies in the retail & financial industries. On this week's episode Why is everybody talking about this now? Tip of the hat to Eduardo Ortiz for forwarding this discussion Stuart Mitchell of Stott and May initiated on LinkedIn asking if there should be a "golden bullet" clause in a CISO's contract. He was referring to the CISO of Capital One who had to step down and take on a consulting role after the breach. What are arguments for and against? Ask a CISO Nir Rothenberg, CISO, Rapyd asks, "If you were given control of company IT, what would be the first things you would do?" What's Worse?! Should a CISO be closing sales or securing the company? Hey, you're a CISO, what's your take on this? According to Nominet's Cyber Confidence Report, 71 percent of CISOs say their organization uses the company's security posture as a selling point, even though only 17% of CISOs are confident about their security posture. There are probably many factors that contribute to this disparity. Is it a gap that will ever close, or is this just the nature of security people vs. sales? Bluetooth is a convenient and easy method of sharing data between devices, which, of course, qualifies it as a prime target for exploitation. A trio of researchers has discovered a vulnerability that has the potential of attacking billions of Bluetooth-enabled devices, including phones, laptops, IoT and IIoT technologies. In short, this Key Negotiation of Bluetooth vulnerability, which has been given the acronym KNOB, exploits the pairing encryption protocol within the Bluetooth Classic wireless technology standard, which supports encryption keys with entropy between 1 and 16 bytes/octets. It inserts between the pairing devices forcing both to agree to encryption with 1 byte or 8 bits of entropy, after which it simply brute-forces the encryption keys. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. What do you think of this pitch? How targeted should your pitch have to be?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/what-security-advice-will-your-family-ignore/) This Thanksgiving we wish you lots of luck convincing your family members to use a password manager. Would getting them to switch political allegiances be easier? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Jeff Hudesman, head of information security, DailyPay. Thanks to this week's podcast sponsor Tenable. Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization. On this week's episode Why is everybody talking about this now? Rich Malewicz, CIO, Livingston County, started a thread of common threats and scams we should warn family and friends about over the holidays. Lots of great advice. We discuss our favorites, whether we turn into family tech support, and if you had one cyber holiday wish for every family member, what would it be? Hey, you're a CISO, what's your take on this? When is the right time and WRONG time to start red teaming? (the process of letting ethical hackers loose on your business to test your defenses, your blue team.) What exactly is it you're testing? Are you testing your network's resiliency or your business' resiliency? "What's Worse?!" Three options in this "What's Worse?!" scenario. The great CISO challenge We have repeatedly touted on the podcast the benefits of multi-factor authentication or MFA. Our guest implemented an MFA solution at his company. We talk about the challenges, criteria, and roll out like? And did they see any visible evidence of security improvements? Casey from accounting is getting frustrated, waiting for client files being held up by the firewall. Jordan is trying to join a video conference that needs a plugin, but the firewall won't let it through. So they call the IT manager who then disables it. This happens a lot. Maybe not in large companies, but small law firms, medical clinics, or small businesses that might use an old-school administrator who will either turn off the firewall or opt out of using one altogether, believing in the power of a cheap antivirus product to keep things safe. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. What do you think of this pitch? There is lots of disagreement over whether this pitch is any good.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/dos-and-donts-of-trashing-your-competition/) We want to malign our competitors, but just don't know how mean we should be. Miss Manners steps in on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and special guest co-host, Mark Eggleston (@meggleston), CISO, Health Partners Plans, and our guest is Anahi Santiago (@AnahiSantiago), CISO, ChristianaCare Health System. We recorded in front of a live audience at Evanta's CISO Executive Summit in Philadelphia on November 5th, 2019. Recording CISO/Security Vendor Relationship Podcast in front of a live audience at Evanta's CISO Executive Summit in Philadelphia (11-05-19) Thanks to this week's podcast sponsors Trend Micro, Thinkst, and Secure Controls Framework. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. The Secure Controls Framework (SCF) is a meta-framework – a framework of frameworks. This free solution is available for companies to use to design, implement and manage their cybersecurity and privacy controls in an efficient and sustainable manner. Our approach provides a comprehensive solution to manage complex compliance needs. Most companies find out way too late that they've been breached. Thinkst Canary changes this. Find out why the Thinkst Canary is one of the most loved products in the business and why the smartest security teams in the world run Canary. Visit https://canary.tools. On this week's episode Why is everyone talking about this now? Greg van der Gaast, former guest who runs security at The University of Salford, initiated a popular LinkedIn discussion on the topic of human error. According to his colleague Matthew Trump of the University of Sussex, in critical industries, such as aerospace, oil & gas, and medical, "human error" is not an acceptable answer. You simply have to prevent the incident. If not, a mistake can be both a regulatory violation and lethal. But people are a part of the security equation. It's unavoidable. We know zero erros is impossible, but can you accept "human error" as a fail point? Hey, you're a CISO, what's your take on this? Listener David said, "One thing I have experienced at my last two jobs is integrating with a 'global' security team whose security program is effectively and functionally inferior to our own. In these occasions, the global security team wanted us to remove current safeguards, processes/procedures and tooling that reduced the preparedness and effectiveness of our security program and introduced risk(s) that we have not been exposed to in years. All of these changes were always touted as a 'one team' initiative but never once was due diligence on security posture taken into account. "What is the best way to go about a consolidation like this? Do you not mess with a good thing and ask the 'better' security program to report up incidents, conform to compliance check boxes etc. or as a CISO do you sign off on a risk acceptance knowing that the operating company is now in a worse state of security." "What's Worse?!" We've got two rounds of really bad scenarios. What annoys a security professional Geoff Belknap, former guest and CISO of LinkedIn, appreciates a vendor's desire to "bring like minds" together around food or drink, but the invite is not welcome on a weekend. Belknap feels that the weekend intrudes into a CISO's personal/family space. There was a lot of debate and disagreements on this, but there were some solutions. One mentioned a vendor invite that included round trip Lyft rides and childcare. Oh, they did something stupid on social media again Jason Hoenich, CEO of Habitu8 posted on LinkedIn that he didn't appreciate Fortinet writing about security training for CSO Online, something for which Jason's business does and for which he believes Fortinet does not have any expertise. It appears this was a sponsored article, but Jason didn't point to the article nor did he isolate specifically what he felt was wrong with Fortinet's advice. Here at the CISO Series, we like Jason and Habitu8. They've been strong contributors to the community. But complaining and not pointing to any concrete evidence is not the best way to convince an audience. Earlier this year we saw something similar with the CEO of Crowdstrike going after the CEO of Cybereason claiming an underhanded sales tactic that was not specified nor anyone at Cybereason knew what he was talking about. Is it OK to go after your competition in a public forum? If so, what's the most professional and respectful way to handle it? It's

All links and images for this post can be found on CISO Series (https://cisoseries.com/get-out-the-fud-is-coming-from-the-inside/) On this week's CISO/Security Vendor Relationship Podcast, we're pointing fingers at practitioners, not vendors, for promoting the FUD (fear, uncertainty, and doubt) scare-a-thon. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Eddie Contreras (@CISOEdwardC), CISO, Frost Bank. Thanks to this week's podcast sponsor Trend Micro. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. On this week's episode Why is everyone talking about this now? On LinkedIn, Ron C. of CoreSolutions Software said, "Cybersecurity is no longer just a technical problem. It's now more of a people problem! So why aren't businesses prioritizing security awareness training for their staff?" There was a massive response and mixed agreement. Regardless, are we falling short on security awareness training? Is it not effective? Is it too complicated to pull off? Is the cost not justified? More importantly, has security awareness training had any impact? Hey, you're a CISO, what's your take on this? accidentalciso on our reddit channel, r/cisoseries, asks, How does a security professional know if "CISO truly is the right career goal for them? I don't think the reality of the role is consistent with what one might think early on in their career." What was it about the CISO role that makes a security professional want to pursue it and how does that previous perception of what a CISO did counter or align with what was really experienced? It's time to play, "What's Worse?!" Is there a worst type of attack? Ask a CISO James Dobra, Bromium, asks, "Are security organizations guilty of using FUD internally, e.g. with the board and with users, while complaining that vendors use it too much?" Does FUD happen internally? Do security teams do it to get the money they want and/or shame users into submission? On August 30, 2019, white hat hacker Tavis Ormandy discovered a vulnerability in a LastPass browser extension. This was a vulnerability, not a breach and was very quickly remedied without damage. But it still causes chills when the last bastion of password security reveals its Achilles heel. It's like seeing your family doctor contract a terminal disease. But for CISOs, this might be a good thing. Password complacency and sloppy security hygiene are the scourge of security specialists everywhere. A SaaS-based password manager that uses hashes and salts to remove the existence of physical passwords in their own vaults, is still a highly proactive solution. More found on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. First 90 Days of a CISO Both Mike and our guest, Ed, are second time CISOs in their first 90 days at the role. We review what mistakes they made the first time as a CISO that they're actively avoiding this time. Are there any hurdles that are simply unavoidable and they're just going to have to face it like any new CISO would.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/say-it-loud-i-didnt-read-the-privacy-policy-and-im-proud/) If we don't understand the purpose of a privacy policy, why should we bother reading it? We're claiming the cyber ignorance defense on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Roger Hale (@haleroger), CISO in residence, YL Ventures. Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, Roger Hale, CISO in residence, YL Ventures, David Spark, producer, CISO Series. Thanks to this week's podcast sponsor Zix. Zix simplifies administration and reporting with a single management interface. Configuring, deploying, and monitoring email security and unified archiving services has never been easier – or faster. ZixSuite combines a cloud-based email threat protection, email encryption, and unified business communications archiving, all backed by Zix's gold standard 24/7/365 support. On this week's episode How CISOs are digesting the latest security news We're blowing it with general cybersecurity education. According to a study by the Pew Internet Research Center, most Americans don't understand or can't identify basic cybersecurity concepts such as two-factor authentication, private browsing, or the purpose of a privacy policy. We talk a lot about the important of education and it appears we're not doing a good job. What are some creative ways we can dramatically improve these numbers? Hey, you're a CISO, what's your take on this? Cai Thomas, Tessian, has an article on TechRadar on the dangers of sending corporate work via personal email accounts. He outlines the issues. As per the previous story, chances are very high people are completely unaware of the risk their placing the company in by forwarding corporate email to personal accounts. No amount of education is going to solve this problem. What are the systems that companies can and should setup to give people a better alternative than sending emails to personal accounts? What's Worse?! How damaging can not having a seat on the board be? Ask a CISO Nick Sorensen, Whistic, asks, "What do you see the most proactive vendors doing to prepare for vendor security reviews from their customers?" "Your bank account has been frozen." That's now an old chestnut in the scamming world, but it thrives through increasingly sophisticated spoofing activities that include a banks' real phone number and real-looking pop-up websites for password refresh requests. Even IT experts can get caught by these things occasionally, as some have even confessed on this very podcast series. This level of relentless innovation is worth keeping front of mind when considering the amounts of data that Internet of Things devices are creating but that organizations have no plan or space for. IBM, Forrester, and others have suggested that maybe 1 percent of data generated from IoT connectivity is being used, mostly for immediate learning or predictive activities. More available on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. First 90 days of a CISO Today is Roger's first official day as a CISO in residence at YL Ventures. What the heck does that mean, and how does that differ from being an operational CISO?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/ill-see-your-gated-whitepaper-and-raise-you-one-fake-email-address/) We're all in with not wanting "follow up email marketing" on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Ian Amit (@iiamit), CSO, Cimpress. Thanks to this week's podcast sponsor Trend Micro. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. On this week's episode Why is everyone talking about this now? To gate or not to gate. Mike posted on LinkedIn about how much he appreciated vendors who don't gate their content behind a registration wall. The post blew up on LinkedIn. The overwhelming response got some vendors willing to change their tune. Hey, you're a CISO, what's your take on this? Kevin Kieda of RSA Security asks, "For an initial meeting what are the things you want the sales person to know about your business that many of them don't." Kevin says he gets frustrated that he gets the sense a prospect wants them to know what tools they're using even though he knows he often can't find out that information. What is the must know, nice to know, and boy I'm impressed you know that? Mike Johnson recommends BuiltWith.com for basic OSINT on a company site. What's Worse?! Whose mistakes are worse? Your own or the vendor's? The great CISO challenge Factor Analysis of Information Risk (FAIR) is a risk framework (often laid ontop of others) that simplifies the understanding of risk by identifying the blocks that contribute to risk and their relationship to each other and then quantifying that in terms of money. Ian, can you give me an example of how you actually do this? Since its inception back in 2010, Zero Trust Architecture has been gaining traction. Much of the interest stems from the nature of work and data today – people working from anywhere on any device, and data racing around networks and to and from the cloud means there is no single fortress where everything can exist safely. Operating on a belief that everything inside the perimeter is safe because it's inside the perimeter is no match to today's hacking, penetration and inside sabotage. The establishment of new perimeter protections, including microtunnels and MFA is best applied to new cloud deployments but must still somehow be factored into a legacy architecture without becoming more inconvenient and vulnerable than what it is trying to replace. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Why is this a bad pitch? What's the polite way to hande the way too generic vendor request. We offer two examples of non-specific pitches that are obviously just begging for a CISO's time. Is there a polite way to refute the request and let them know without talking down to them and letting them know that this isn't a tactic they should pursue?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/rated-1-in-irresponsible-security-journalism/) No security alert is too small for us to completely misrepresent its severity. The sky is falling on the latest episode of CISO/Security Vendor Relationship Podcast. Thanks to this week's podcast sponsor, Zix. Zix simplifies administration and reporting with a single management interface. Configuring, deploying, and monitoring email security and unified archiving services has never been easier – or faster. ZixSuite combines a cloud-based email threat protection, email encryption, and unified business communications archiving, all backed by Zix's gold standard 24/7/365 support. On this week's episode Why is everybody talking about this now? Two recent stories showed some fallibility in multi-factor authentication or MFA. We repeatedly recommended MFA on this show. But, the FBI announced some technical and social engineering techniques that are being used to break multi-factor authentication. In addition, Twitter admitted that email addresses and phone numbers used to set up MFA might have been sent to third party advertisers. The FBI says its news shouldn't change our trust in MFA. William Gregorian, CISO, Addepar, posted on LinkedIn that the press is claiming that MFA is broken and that's irresponsible journalism. Let's dig a little deeper Security professionals thrive on hearing about and learning about the latest threats. It feeds the latest security headlines and conferences. While it's often fascinating and keeps everyone interested, to what level are security concerns based on well-known years old threats vs. the latest threats? "What's Worse?!" Whose mistakes are worse? Yours or the vendors'? Please, enough. No, more. We've talked a lot about machine learning on this show and the definition of it is broad. What's ML's value in threat protection. We discuss what we've heard enough about with regard to machine learning being used for threat protection And what would we like to hear a lot more. When companies in retail or enterprise remind their online visitors to change their passwords, are they doing them a favor or causing them grief? Password managers exist, of course, as do newer forms of passwordless authentication, multifactor authentication and behavioral and biometric data. But ultimately, whose responsibility is this? Should a merchant website place the onus of personal security back on the customer? And if so, how would this protect the merchant's own property? If this jeopardizes a sale or transaction, the cost of proactive security, at least for the short term appears too great. And it's obvious, from the avalanche of data breaches of recent years that stored data of any sort becomes a permanent liability. More available on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Ask a CISO Gina Yacone, a consultant with Agio, asks, "If you're performing a table top exercise. Who are the only three people you would want to have a seat at that table?"

All links and images for this episode can be found on CISO Series (https://cisoseries.com/cybercrimes-solved-in-an-hour-or-your-next-ones-free/) In the real world, cybercrimes just don't get solved as fast as they do on CSI. So we're offering a guarantee. If we don't catch the cyber-perpetrator in an hour (including commercial breaks) we'll make sure you're attacked again. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Jason Hill (@chillisec), lead researcher at CyberInt Research Lab. Thanks to this week's podcast sponsor, Cyberint. The high ROI is what makes spear phishing campaigns so attractive to threat actors. Read our breakdown of TA505's latest series of attacks. CyberInt has been tracking various activities surrounding this and other similar attacks where legit means were used to hack international companies in the retail & financial industries. On this week's episode What annoys a security professional Question on Quora asks, "What does everybody get wrong about working in the field of forensics?" There were a handful of answers from looking to TV and film dramas to that it's only a post mortem analysis. What are the biggest misconception of digital forensics? Why is everybody talking about this now? Tip of the hat to Stu Hirst of Just Eat who posted this Dilbert cartoon that got a flurry of response. Read for yourself, but in essence, it's a boss that thought technology would solve all his problems. Not realizing that people and process are also part of the equation. All too familiar. The "I've been hearing a lot about __________" phenomenon. What causes this behavior and how do you manage it? "What's Worse?!" How much flexibility to you require in your security team and the business? Please, Enough. No, More. How far can AI go? Where does the human element need to exist? What are the claims of the far reaching capabilities of AI? We discuss what we'd like to hear regarding the realistic capabilities and limitations of AI. Every year, the Fall season sees billions of dollars being spent on home-based IoT devices. The back-to-school sales are the starting point, Cyber Monday is the clubhouse turn and the year-end holiday season is the finish line. As usual, these devices – printers, DVRs, IP cameras, smart home assistants, are relatively inexpensive and provide plug and play convenience, to satisfy an impatient customer base. For the rest of the cloud tip, head to CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. We don't have much time. What's your decision? What are the best models for crowdsourcing security? There are entire businesses, such as bug bounty firms, that are dedicated to creating crowdsourced security environments. Our guest this week is passionate about investigative work. We asked him and Mike what elements they've found that inspire and simplify the community to participate in a crowdsourced security effort.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/mapping-unsolvable-problems-to-unattainable-solutions/) We're busting out the Cyber Defense Matrix to see what our security program we'll never be able to achieve. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week Sounil Yu (@sounilyu), former chief security scientist for Bank of America and creator of the Cyber Defense Matrix. David Spark, producer, CISO Series, Sounil Yu, creator, Cyber Defense Matrix, Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast Thanks to this week's podcast sponsor, Zix. Zix simplifies administration and reporting with a single management interface. Configuring, deploying, and monitoring email security and unified archiving services has never been easier – or faster. ZixSuite combines a cloud-based email threat protection, email encryption, and unified business communications archiving, all backed by Zix's gold standard 24/7/365 support. On this week's episode Why is everybody talking about this now? Mike asked the LinkedIn community, "What's bad security advice that needs to die?" We had an entire episode of Defense in Depth on this very topic called "Bad Best Practices." The post got nearly 300 responses, so it's obviously something many people are passionate about. Is there a general theme to bad security advice? The great CISO challenge Sounil Yu is the creator of a very simple problem-to-solution chart for security professionals called the Cyber Defense Matrix. This simple chart allows a cyber professional to see how their tools, processes, and people are mapped to all different levels of security protection. We discuss the purpose of the matrix and all the real world applications. "What's Worse?!" We have a real world "What's Worse?!" scenario and Mike and Sounil compete to see if they answered the way the real world scenario actually played out. Hey, you're a CISO, what's your take on this? Last week on Defense in Depth we talked about a discussion initiated by Christophe Foulon of ConQuest Federal on cyber resiliency. Some people argued that it should be a security professional's primary focus because its action is in line with the interests of the business. Should a cyber professional shift their focus to resiliency over security? Would that facilitate better alignment with the business? Exploitable weaknesses measured in decades. Not a comforting thought. But this is a reality that exists in at least two major IT ecosystems. The first is Microsoft and the second is firmware. Teams belonging to Google's Project Zero have found exploitable security flaws affecting all versions of Windows going back to Windows XP – which presents a logistical nightmare for admins the world over. Sarah Zatko, Chief Scientist at the Cyber Independent Testing Lab spoke recently at Red Hat and DEF CON in Las Vegas about deficiencies in the security of firmware, including those from companies that manufacture the world's best-known routers. More available at CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Ask a CISO Thanks to Chris Castaldo, CISO at Dataminr, for this post on new research from the firm Marsh and Microsoft. According to the study, half of the respondents didn't consider cyber risk when adopting new tech. A full 11 percent did no due diligence to actually evaluate the risk a new technology may introduce. Does it take that much effort to understand the basic risks of introducing a new technology? What are some first level research efforts that should be done with any new tech consideration or adoption?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/wait-what-good-news-in-cybersecurity/) On this episode of CISO/Security Vendor Relationship Podcast, cybercrime fails and we brag about it. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, Geoff Belknap, CISO, LinkedIn, and David Spark, producer, CISO Series. Thanks to this week's podcast sponsor Trend Micro. On this week's episode How CISOs are digesting the latest security news We simply don't hear enough good news cybersecurity stories that make those involved proud. What are the cybersecurity stories that aren't being told publicly that should be? First 90 Days of a CISO Michael Farnum, Set Solutions, said, "If you come into the job and aren't willing to critically review existing projects AND put a stop to the ones that are questionable, then you are going to cause yourself problems later. It might seem like an unwise political move when new to the company, but you have to be willing to swing the axe (or at least push the pause button) on anything that doesn't make sense." Not so easy, but where's the line where you can actually push and say, "We're changing course"? It's time to play, "What's Worse?!" We've got a split decision! Hey, you're a CISO, what's your take on this? On a previous episode of Defense in Depth, we talked about employee hacking or getting the staff on the same page as the CISO and the security program. I quoted instructor Sarah Mancinho who said, "I am a firm believer that CISOs/CIOs should have their own dedicated IT strategic communications person(s) that report to them, and not any other office. Most comms roles I've seen...had to report to HR/PR/General Comms....none of whom really knew anything about technology/technical comms/infosec....and had little to no interaction with the IT/security team." My co-host, Allan Alford, loved this idea, never had it, but would love to have it. What value could a dedicated PR person bring to the security team? The devious new Android malware called Cerberus steals credentials by using a downloaded fake Adobe Flash player. That is not really innovative in itself, but what's interesting is the way it seeks to avoid detection by using the phone's accelerometer to confirm that the infected target is a real device and not on the screen of a security analyst. According to ESET researcher Lukas Stefanko, quoted in Forbes, the app actually counts a number of physical footsteps taken by the phone's owner, and deploys once the required number has been reached. For more, check out the full tip on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Why is everybody talking about this now? What's behind the cybersecurity skills shortage? In an article on the Forbes Council, Mark Aiello, president of cybersecurity recruiting firm CyberSN, pointed out some ugly truths as to why it's so difficult to hire cybersecurity talent. He pointed to low pay, the desire to find unicorns, poor job descriptions, training and growth. Is the core issue that the cybersecurity industry just does a very poor job welcoming new entrants? Today, what does a cybersecurity professional need walking in the door? And what are CISOs willing to accept no knowledge of, yet willing to train?

All images and links for this episode can be found on CISO Series (https://cisoseries.com/serious-hackers-wear-two-black-hoodies/) We're doubling down and embracing the absolute worst of hacker tropes. Put on your black hoodie and then a second one. Boot up your Matrix screensaver and listen to the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Bruce Potter (@gdead), CISO, Expel. Here are the links to the items Bruce mentioned on the show: Expel's third-party assessment framework NIST CSF (and soon to be PF) self assessment tool Oh Noes! The incident response role playing game Thanks to this week's podcast sponsor Expel Expel is flipping today's managed security model on its head (Ouch!) for on-prem and cloud, taking a technology-driven approach that lets analysts focus on what humans do best: exercise judgment and manage relationships. The company offers 24x7 monitoring through its security operations center-as-a-service, using the security tools customers already have. On this week's episode We've got listeners, and they've got questions A listener, who wishes to remain anonymous asks, "I am a one person security organization, and I get frustrated reading industry news and even listening to the CISO Series (love the show). My frustration is that so very often articles, blogs and podcasts assume that you/your organization has a security TEAM... How do you thrive and not just survive as a security shop of one?" What can a one-person shop expect to do, and not do? Let's dig a little deeper Bruce is also the founder of the Shmoo Group and his wife is the organizer for the annual ShmooCon which is a hacker conference held in DC every year. I'm stunned that his 2200-person event sells out in less than 20 seconds. There is obviously huge demand to attend and speak at your event. This year's event he had 168 submitted talks and 41 were accepted. Bruce tells us what makes a great ShmooCon submission and what were the most memorable talks from ShmooCon. "What's Worse?!" Today's game probably speaks to the number one problem with every company's security program. Hey, you're a CISO, what's your take on this? An issue that comes up in security all the time is "how do you do more with less." Are there ways to advance your security program when you don't have more budget or more people to do so? Study after study shows a top priority for cloud users is having visibility into application and data traffic. But most are not getting it. Nine out of ten respondents believe that access to packet data is needed for effective monitoring. So even though the cloud providers maintain the fortress, the enterprise still needs to see what's going on. They're ultimately responsible, after all. Cloud needs its own approach to monitoring, more closely based on how cloud customers interact with their data. It needs its own tools and greater level of communication between them and their providers. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Why is everybody talking about this now? We have talked in the past about the tired and negative image of the hacker in the black hoodie. It's pretty much all you see in stock photos. And since that's all any media outlet uses, that image just keeps getting reinforced. Poking fun and I think truly trying to find a better hacker image meme, Casey Ellis, founder of Bugcrowd, challenged others on LinkedIn to find a better "hacker stock photo" than the one he posted of hands coming out of a screen and typing on your keyboard with a cat looking on. We debate the truly worst hacker images we've seen and we propose a possible new stock image of the hacker.

Links and images for this episode can be found on CISO Series (https://cisoseries.com/ciso-confessions-its-not-you-its-me-/) Vendors are trying to understand why CISOs are ghosting them and sometimes, it really isn't their fault. CISOs accept the blame on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and joining me is special guest co-host Betsy Bevilacqua (@HEALTHeSECURITY), CISO, Butterfly Network. Our guest will be Matt Southworth (@bronx), CISO of Priceline. This episode was recorded live in WeWork's Times Square location on September 5th, 2019. Here are all the photos. Enormous thanks to WeWork for hosting this event. They're hiring! Contact JJ Agha, vp of information security at WeWork. Also, huge thanks to David Raviv and the NY Information Security Meetup group for partnering with us on this event. Thanks to this week's podcast sponsor Tehama, Tenable, and Devo. Tehama provides secure and compliant virtual desktops on the cloud, and all the IT infrastructure needed for enterprises to connect and grow global and remote teams. Tehama's built-in SOC 2 Type II controls reduce the risk of malware intrusion from endpoint devices, data breaches, and other vulnerabilities. Learn more at tehama.io. Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization. SOC teams have been struggling with many of the same issues for years – lack of visibility, too much noise – all while the threat landscape grows more complex. Devo Security Operations is a next-gen cloud SIEM that enables you to gain complete visibility, reduce noise, and focus on the threats that matter most to the business. On this week's episode How are CISOs digesting the latest security news? An article on Bloomberg and an ensuing discussion on LinkedIn pointed out that costs after a breach go beyond fines and lost reputation. It also includes the cost to keep top cybersecurity talent. Salaries for a CISO post-breach can range from $2.5-$6.5 million, that includes stock. What could a security professional show and demonstrate in this time of crisis that they are the one to hire to garner such a salary? Hey, you're a CISO, what's your take on this? Michael Mortensen of Risk Based Security asks a question about when there's considerable dialogue with a prospect, and they go cold. Michael wants to know what causes this? He has theories on sales people being impatient or wrong set of expectations, but he's interested in the CISO's viewpoint. Assuming you have had conversations with a vendor, have you gone cold on their outreach? If so, what was the reason? It's time to play, "What's Worse?!" Two rounds lots of agreement, but plenty of struggle. Why is everybody talking about this now? Cryptography firm Crown Sterling has sued Black Hat for breaching its sponsorship agreement and also suing 10 individuals for orchestrating a disruption of the company's sponsored talk at the conference in which the CEO presented a finding on discovering prime numbers which are key to public-key encryption. The crowd didn't like it and they booed him. You can see a video of one individual yelling, "Get off the stage, you shouldn't be here." Crown Sterling argued that Black Hat was in violation of their sponsorship agreement because they didn't do enough to stop it. At Black Hat and related parties I saw many printed signs about codes of conduct. It doesn't appear anyone had a plan to enforce those rules. What has happened in the security community that some security professionals feel they have the right to shout down a speaker like this? If one of these 10 disruptors was your employee, how would you respond? What's a CISO to do? So much of a job of a CISO is to change behavior. How do CISOs change behavior to a more secure posture? Where should a CISO start? What's the low hanging fruit? It's time for the audience question speed round Our audience has questions, and our CISOs tried to come up with as many answers as possible. Our closing question put my guest co-host in the hot seat.

Links and images for this episode can be found on CISO Series (https://cisoseries.com/getting-over-our-security-%e2%89%a0-compliance-obsession/) We repeat "Security ≠ Compliance" so often it's become our mantra. Does anyone pay attention to it anymore? We're unpacking our compulsion to keep saying it on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Chris Hymes (@secwrks), head of information security, enterprise IT, and data protection officer, Riot Games, makers of League of Legends. Thanks to this week's podcast sponsor Expel Expel is flipping today's managed security model on its head (Ouch!) for on-prem and cloud, taking a technology-driven approach that lets analysts focus on what humans do best: exercise judgment and manage relationships. The company offers 24x7 monitoring through its security operations center-as-a-service, using the security tools customers already have. On this week's episode Why is everyone talking about this now? On LinkedIn, Omar Khawaja, CISO, Highmark Health, argued that every time a security person repeats the "Security does not equal compliance" trope, it translates to a belief that compliance is useless. This caused a flurry of discussion. Is compliance useless? If not, Omar asks what should "Security does not equal compliance" be replaced with? Essentially, how should compliance be viewed in an overall security program? Ask a CISO Scott Holt, sales engineer, cmd, asked our CISOs how they're balancing keeping their information and infrastructure private while at the same time working with vendors to fill security needs? "What's Worse?!" We've got a question based on the build vs. buy debate. Hey, You're a CISO, what's your take on this? Paul Makowski, Polyswarm, asks a question that's very relevant to their business. He said, "Enterprises often subscribe to multiple feeds [of threat intelligence]. They learn their strengths and weaknesses and develop weighting algorithms to divine highest quality intelligence in the context of what's being analyzed. How can the industry close the feedback loop with threat intelligence providers, providing them with an opportunity to improve coverage and efficacy (false positive / false negative rates)?" The Shared Responsibility Model for cloud is, as Amazon and others describe it, the difference between the "security OF the cloud" and "security IN the cloud," with cloud service providers taking care of the OF, and clients taking care of the IN. "In the cloud" means the data, the access – especially guest access, and the usage. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Close your eyes. Breathe in. It's time for a little security philosophy. Steven Trippier, Group CISO, Anglian Water Services, asked, "What are the right metrics to use to illustrate the success / performance of the security team?" We've asked this question before and one of the most popular answers was "mean time to identify and remediate." But here's the philosophical question that Steven asks, "How does this change in an environment where breaches/malware outbreaks are uncommon and stats such as mean time to identify and mean time to contain are not relevant?"

All images and links for this episode can be found on CISO Series (https://cisoseries.com/open-this-email-for-an-exclusive-look-at-our-clickable-web-links/) You'll be dazzled by the clickability of our web links on this week's episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week Aanchal Gupta (@nchlgpt), head of security for Calibra, Facebook. Aanchal Gupta, Head of Security for Calibra, Facebook, Mike Johnson, Co-Host, CISO/Security Vendor Relationship Podcast, David Spark, Producer, CISO Series Thanks to this week's podcast sponsor Expel. Expel is flipping today's managed security model on its head (Ouch!) for on-prem and cloud, taking a technology-driven approach that lets analysts focus on what humans do best: exercise judgment and manage relationships. The company offers 24x7 monitoring through its security operations center-as-a-service, using the security tools customers already have. On this week's episode Hey, You're a CISO, what's your take on this? Last month, Brian Krebs reported a breach from the 6th-largest cloud solutions provider PCM Inc. which let intruders rifle through Office365 email/documents for a number of customers. In response, listener Alexander Rabke, Unbound Tech, asked, "Would CISOs continue to do business with 'security' companies that are breached?" What's your recommendation for sales people who are at such an organization? How should they manage news like this? Ask a CISO We know there are plenty of pros and cons of telecommuting. I'm eager to hear from both of you how security leaders value telecommuting. What are the challenges to a CISO of managing a virtual staff? What's Worse?! We've got two extreme scenarios you'd never see in the real world. Why is everybody talking about this now? Mike, on LinkedIn you ranted about the term DevSecOps that it was a distraction and that "It's really no different (at a high level) than building security into an Agile development process, or a Waterfall process." I agree but I would argue that when DevOps was introduced it was about getting two groups working in tandem. At the time it was a mistake to omit security. Last year at Black Hat I produced a video where I asked attendees, "Should security and DevOps be in couples counseling together?" Everyone universally said, "Yes", but I was taken aback that many of the security people responded, "that they should just listen to me." Which, if you've ever been in couples counseling knows that the technique doesn't work. I argue that the term DevSecOps was brought about to say, "Hey everybody, you have to include us as well." Mike recommends Kelly Shortridge and Nicole Forsgren presentation at Black Hat 2019, "The Inevitable Marriage of DevOps and Security". Companies continue to take advantage of the economies of scale offered by multi-tenant cloud services, but complacency is dangerous. Multi-tenant cloud is often described as being like a big apartment building, but the big difference is that the walls that separate tenants from each other are not solid, but software. Software is built by humans which closes the circle: unpredictable humans in an unpredictable world. I'm not just talking about hacking here. What about compliance? GDPR's austere and perhaps old-world view that data on a German citizen must stay in Germany, is nonetheless the law, and carries substantial fines for transgression. This requires data centers to be run from multiple countries, but so long as they're connected by a cable no data is ever truly isolated. Future regulations affecting health records or patents or blockchain transactions might find themselves in limbo when it comes to coming to rest in a certain section of a certain cloud. For the moment, companies are focusing mostly on the cost-efficiencies of shacking up with other tenants in the same building, but very soon, this too might not be enough. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. The great CISO challenge Lauren Zink of Amtrust posted an article from Infosec Institute asking, "What are you to do with repeat offenders in social engineering exercises?" The article offers some helpful suggestions. In the discussion, there was some pointing fingers at security training designed to purposefully trick employees. Have either of you had to deal with repeat offenders? What did you do? What's your advice for other security leaders... and HR?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/like-fine-wine-our-vendor-bs-meter-gets-better-with-age/) The bouquet of this particular vendor BS is a mixture of FUD, unnecessary urgency, and a hint of pecan. Look to your left and grab the spittoon because we don't expect everyone to swallow what you're about to hear on this week's episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Olivia Rose, CISO for MailChimp. Thanks to this week's podcast sponsor Remediant Eighty one percent of cyberattacks utilize stolen administrative credentials. Yet, legacy enterprise password vaults solve only a fraction of the problem and are difficult to rollout. Remediant's SecureONE takes a new approach to privileged access management: offering agent-less, vault-less, continuous detection and just-in-time-administration. Learn what Remediant can do in a half-day POC deployment. On this week's episode Why is everyone talking about this now? One of the reasons we hate hearing security buzzwords is because it doesn't help us understand what it is a vendor is trying to sell. When a vendor says we have a "zero trust" product, what does that mean? We delve into some of the tell-tale signs that a vendor or consultant is trying to BS you. According to Olivia Rose, if you're going to pitch a CISO, make sure you can answer the following simply and succinctly: What does our product/service do? What specific security problem does it solve? How will it affect the typical strategic/business drivers for a company? It's time for "Ask a CISO" Fernando Montenegro, analyst for 451 Research, asked, "How can the CISO be a change agent for the security team so it can better align with the business?" What's Worse?! For this week's game I picked a question very apropos for our guest's current situation. Um… maybe you shouldn't have done that Unconscious bias towards women in professional settings is not always overt nor intentional, but it happens. We discuss some examples of unconscious bias for both women and men. And we discuss how too much of it can really push women out of the security industry. A distributed denial of service attack is the scourge of IT security. According to Verisign, one-third of all downtime incidents are attributed to DDoS attacks, and thousands happen every day. Are they created by sophisticated black hatted evil doers from an underground lair? Of course not. Welcome to the world of cybercrime-as-a-service. You too can silence a competitor or cause havoc for pretty much anyone for as low as $23.99 a month. Just have your credit card or Bitcoin ready. For more, go to CISOSeries.com. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. First 90 days of a CISO Being just six weeks in, our guest, Olivia Rose is living the first 90 days of a CISO. We asked her and Mike what it's like those first few weeks. And to no one's surprise, it's beyond overwhelming.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/if-capital-one-listened-to-our-podcast-they-still-would-have-been-breached/) We guarantee listening to our show would have done absolutely nothing to prevent the Capital One breach. We've consulted our lawyers and we feel confident about making that claim. It's all coming up on this week's episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in the ExtraHop booth during Black Hat 2019. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Tom Stitt (@BlinkerBilly), sr. director, product marketing - security, ExtraHop. Thanks to this week's podcast sponsor ExtraHop Unlike security solutions that focus on signature- and rule-based detection, ExtraHop Reveal(x) helps you rise above the noise of alerts with complete east-west visibility and machine learning for real-time detection of known and unknown threats, plus guided investigations for rapid response. Find and address real threats faster with ExtraHop. On this week's episode Why is everyone talking about this now? I have noticed an either disturbing or coincidental trend. Every year, just before either RSA or Black Hat conferences, there is some massive breach. This year it was Capital One. In the past we've had Ashley Madison, Target, Marriott - all within a few months of the shows. I know I know I know that CISOs absolutely hate being sold on FUD (fear, uncertainty, and doubt), but all conferences are affected by industry relevant news. You simply can't avoid it. Capital One was brought up multiple times during the Black Hat conference. We discuss the do's and don'ts of bringing up the most recent breach at a huge trade show. We don't have much time. What's your decision? On LinkedIn, you asked "When your risk and threat models all agree that this feature/product/decision is of low concern but your gut tells you otherwise, what do you do?" It appears most people said go with your gut to which Richard Seiersen of Soluble pointed out that guts are models too. What happens when you're faced with such a scenario and what causes the tools and threat models to be so off your gut? "What's Worse?!" We've got a split decision and a really fun scenario. Please, Enough. No, More. Today's topic is "network behavior analysis." In the world of anomaly detection, what have Mike and Tom heard enough about and what would you like to hear a lot more? It's been two weeks. Time to change your password again. How many times have we all bumped up against this wall – intended to help keep us secure, but extremely annoying when you have things do do? The battle for password security has been a long and arduous one, moving and evolving, sometimes ahead of, but more often lagging behind the activities of the hackers and bad guys, whose limitless resources seek out every possible weakness. Challenge questions and strings of letters, numbers and characters might soon be coming to the end of their functional life, as security companies start to roll out biometric and behavioral security protocols in their place. Paired with increased access to data and artificial intelligence, it will become easier for organizations to contemplate a switch from basic strings of words to something more esoteric – a retinal scan paired with an extensive ergonomic behavior database for every individual. These things are not new to the consumer marketplace of course. Apple iPhones are one of many devices that can be unlocked by a fingerprint, and credit card companies and web applications routinely call out unusual login behaviors. But the new secret sauce in all of this is the availability of huge amounts of data in real time, which can be used to analyze a much larger set of behavioral activity, not simply an unusually timed login. This can then be managed by an Identity-as-a-service (IDaaS) company that would take over the administration, upkeep and security of its clients using the as-a-service model. A retinal scan paired with a secure knowledge of which hand you carry your coffee in and where you bought it might very soon replace the old chestnut challenge of your mother's maiden name. That one should stay safe with Mom. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. And now, a listener drops some serious knowledge On LinkedIn, Ian Murphy of LMNTRIX put together an incredibly funny presentation with great graphics entitled the BS Cybersecurity Awards which included such impressive glass statuettes like the "It'll Never Happen to Us" Award and the "Cash Burner" Award. In general, they were awards for all the bad repeated behavior we see from vendors and users in cyb

All links and images for this episode can be found on CISO Series (https://cisoseries.com/improve-security-by-hiring-people-who-know-everything/) If you're having a hard time securing your infrastructure, then maybe you need to step up the requirements for expertise. Why not ask for everything? We're offering unreasonable advice on this week's episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in front of a live audience at ADAPT's CISO Edge conference in Sydney, Australia. This special episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Liam Connolly, CISO of Seek. Our guest is Matt Boon (@mattjboon), director of strategic research for ADAPT. Plus, we have a special sponsored guest appearance from John Karabin, vp, cybersecurity, Dimension Data. Thanks to this episode's sponsors Dimension Data/NTT and ADAPT By 1 October 2019, all 28 NTT companies, including Dimension Data, will be branded as NTT. Together we enable the connected future. Visit NTT at hello.global.ntt. ADAPT's mission is to equip IT executives with the knowledge, relationships, inspiration and tools needed to gain competitive advantage. ADAPT's membership platform provides business leaders with fact-based insights, actionable patterns of success and the collective experience of 3,000 peers to improve strategic IT, security, and business decisions. Visit ADAPT for more. On this week's episode Why is everyone talking about this now? Independent security consultant Simon Goldsmith sent this post from Stu Hirst, a security engineer at JUST EAT who posted a job listing that requested subject matter expertise on 12 different aspects of security. This highly demanding request resulted in well over 200 responses from the community. Is it laziness on the part of the company posting? Is it an attempt to just capture job seekers' search queries? Or is it simply an editorial mistake that they shouldn't have requested subject matter expertise but rather basic knowledge across 12 different aspects of security? Ask a CISO Mitch Renshaw, Fortinet, describes a problem that many vendors are having. He says: "Fortinet's broad portfolio makes it hard to give a concise yet effective overview of our value. As a result I'm worried my emails are going long. Customers know us for our firewalls – and a full firewall refresh is hard to come by as a sales rep. So if I get more targeted in my demand generation techniques, I'm met with an 'I'm all set, I've got Palo/checkpoint/juniper/etc.'" Mitch has got a conundrum. He's looking for the happy medium on how to sell a company with a wide variety of products, some of which are highly commoditized in the industry. How should he reach out to security professionals? "What's Worse?!" We play two rounds and the audience gets to play along as well. Hey, you're a CISO, what's your take on this?' My American co-host, Mike Johnson, asked this question of the LinkedIn community, and I ask you this as well. "Why do sites still **** out the password field on a login page?" It's designed to stop shoulder surfing. Is this really the main problem? What else is it helping or hurting, like password reuse? Passwords are a broken system that are easily hacked. We have solutions that add layers on top of it, like multi-factor authentication. What solutions do we have for the password process itself? OK, what's the risk? Ross Young of Capital One, asks this question about what risk should you be willing to take on? "What should cyber professionals do when they can't contract or outsource services like pen testing however they struggle to acquire the talent they need. If they train folks they find them poached sooner and if they don't they are stuck without the talent they need to survive." Why is this a bad pitch? We've got a pitch sent in to us from Eduardo Ortiz. It's not his pitch, but one he received. You may need to strap in when you hear this. It's time for the audience question speed round Yep, it's just like it sounds. I ask the panel to ask some questions submitted from our audience.

Find all images and links for this episode on CISO Series (https://cisoseries.com/just-click-accept-as-we-explain-informed-consent/) Even if you do give "informed" consent, do you really understand what we're doing with your data? Heck, we don't know what we're going to do with it yet, but we sure know we want a lot of it. It's all coming up on this week's episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Francesco Cipollone (@FrankSEC42), head of security architecture and strategy, HSBC Global Banking and Markets. Thanks to this week's podcast sponsor ExtraHop Unlike security solutions that focus on signature- and rule-based detection, ExtraHop Reveal(x) helps you rise above the noise of alerts with complete east-west visibility and machine learning for real-time detection of known and unknown threats, plus guided investigations for rapid response. Find and address real threats faster with ExtraHop. On this week's episode Should you ignore this security advice? This is advice you should not ignore. It comes from an article by Jonathan Jaffe, director of information security at People.ai where he offered up a great recipe for startup security. We discussed standout tips and were there any disagreements or omissions? Close your eyes. Breathe in. It's time for a little security philosophy. Phil Huggins, GoCardless, said, "If we don't know what value is in our data until it has been enriched and analysed can we give informed consent as to its use?" What's Worse?! We're concerned with the state of data in this game. Ask a CISO Mike Baier, Takeda Pharmaceuticals, asks, "When faced with the scenario of the vendor providing a recent SOC 2 Type 2 report, and then tells you that their internal policies/procedures are considered 'highly confidential' and cannot be shared, what tips would you provide for language that could help cause the vendor to provide the required documentation?" The 1979 movie When a Stranger Calls gave us that unforgettable horror moment when the police informed Jill that the calls from the stalker were coming from inside the house. Nineteen years earlier, Hitchcock's Psycho did a similar type of thing with the shower scene. We humans have a real problem when danger pops up in the place we feel safest – our homes. A similar problem happens in corporate IT security. We place a great deal of attention on watching for external hackers, as well as those that seek to dupe our overstressed employees into clicking that spearfishing link. What was it that Edward Hermann's character, the vampire, said in the Lost Boys? "You have to invite us in." But what about internal bad actors? There are those who see great opportunity in accessing, stealing and selling company resources – data – like social security numbers, credit card numbers and medical files. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. OK, what's the risk? A question from Robert Samuel, CISO, Government of Nova Scotia that I edited somewhat. It's commonly said that the business has the authority for risk-trade off decisions and that security is there just to provide information about the risk and measurement of the risk. I'm going to push this a little. Is this always the case? Do you sometimes disagree with the business or is it your attitude of "I communicated the risk, it's time for me to tap out."

All images and links for this episode can be found on CISO Series (https://cisoseries.com/who-are-the-perfect-targets-for-ransomware/) If you've got lots of critical data, a massive insurance policy, and poor security infrastructure, you might be a perfect candidate to be hit with ransomware. This week and this week only, it's an extortion-free episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Sean Walls (@sean_walls2000), vp, cybersecurity, Eurofins. Thanks to this week's podcast sponsor Core Security Assigning and managing entitlements rapidly to get employees the access they need is critical, but it can come at the cost of accuracy and security. Core Security's identity governance and administration (IGA) solutions provide the intelligent, visual context needed to efficiently manage identity related security risks across any enterprise. On this week's episode How CISOs are digesting the latest security news An article in the NYTimes points to a new trend in ransomware that is specifically attacking small governments with weak computer protections and strong insurance policies. Payments from $400-$600K. Lake City, Florida, population 12K paid $460K to extortionists. They got some of their information back but they have been set back years of what will require rescanning of paper documents. Mike, I know your standard philosophy is to not pay the ransom, but after a ransomware attack against the city of Atlanta, the mayor refused to pay $51,000 in extortion demands, and so far it's cost the city $7.2 million. Probably more. These payments by the small cities must be incentivizing more attacks. Does this information change the way you're willing to approach ransomware. What can a small city with zero cybersecurity staff do to create a program to reduce their risk to such a ransomware attack? Ask a CISO Bindu Sundaresan, AT&T Consulting Solutions, asks a very simple question, "How is each security initiative supporting the right business outcome?" Do you find yourself selling security into the business this way? If not, would you be more successful selling security to the business if you did do this? What's Worse?! We've got a split decision on what information we prefer after a breach. Listen up, it's security awareness training time Jon Sanders, Elevate Security, said, "Security awareness involves A LOT of selling… there's no cookie cutter approach in security awareness or sales!" Is the reason security training is so tough because so many security people are not born salespeople? I've interviewed many and there's a lot of "just listen to me attitude," which really doesn't work in sales. Cloud Security Tip, sponsored by OpenVPN We talk a lot about penetration testing here, given that it remains a staple of proactive IT security. But not everyone feels it's all it's cracked up to be. Or should that be, all it's hacked up to be?" More than one cybersecurity organization points out there are a few flaws in the pen testing concept that make it worth a second look. Pen testing often consists of a small collection of attacks performed within a set time period against a small sample of situations. Some experts doubt the efficacy of testing against a limited field of known vulnerabilities, without knowing what other weaknesses exist in plain sight, or merely invisible to jaded eyes. More on CISO Series... What do you think of this pitch? We have a pitch from Technium in which our CISOs question what exactly are they selling?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/passwords-so-good-you-cant-help-but-reuse-them/) We've just fallen in love with our passwords we just want to use them again and again and again. Unfortunately, some companies more interested in security aren't letting us do that. We discuss on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is William Gregorian (@WillGregorian), CISO, Addepar. Thanks to this week's podcast sponsor Cyberint The high ROI is what makes spear phishing campaigns so attractive to threat actors. Read our breakdown of TA505's latest series of attacks. CyberInt has been tracking various activities surrounding this and other similar attacks where legit means were used to hack international companies in the retail & financial industries. How CISOs are digesting the latest security news Chris Castaldo of 2U and a former guest on the show posted this great story of TripAdvisor invalidating user credentials if a member's email and password were found in publicly leaked data breach databases. Is this a great or bad move by TripAdvisor? Ask a CISO On LinkedIn, Chad Loder, CEO, Habitu8 posted an issue about the easy deployment and ubiquity of cloud applications. He argues it's no longer Shadow IT. It's just IT. And securing these cloud tools you don't manage nor know about requires a lot of education. Is Shadow IT inevitable. Should we lose the name? And is education the primary means of securing these services? It's time to play, "What's Worse?!" One of the toughest rounds of "What's Worse?!" we've ever had. Close your eyes. Breathe in. It's time for a little security philosophy. Mike posed a "What's Worse?!" scenario to the LinkedIn community and got a flurry of response. The question was "Would you rather have amazing, quality cybersecurity incident response in 24 hours or spotty, unreliable response in one hour?" I wanted to know what was Mike's initial response and did anyone say anything in the comments to make him change his mind? For quite a while, IT security experts have been touting the value of two factor authentication (2FA) as a better way to keep data safe than simply using passwords alone. We have even spoken about it here. In its most popular form, 2FA sends a confirmation code to your phone, which you must then enter into the appropriate log-in confirmation window within a short amount of time. This is like having a second key to the safe, like many bank vaults used to have. (more on the site) It's time to measure the risk Chelsea Musante of Akamai asks, "What would you say to someone who thinks their risk for credential abuse / account takeover has decreased because they've implemented MFA (multi-factor authentication)?"

All links and images for this episode can be found at CISO Series (https://cisoseries.com/please-dont-investigate-our-impeccable-risk-predictions/) It's easy to calculate risk if no one ever checks the accuracy of those predictions after the fact. It's all coming up on CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Bob Huber (@bonesrh), CSO, Tenable. Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization. On this week's episode What's the ROI? Do we analyze how good we are at predicting risk? Phil Huggins, GoCardless said, "We conduct detailed rigorous risk assessments to support security transformation business cases and identify a series of mitigation actions and then declare success if those actions are completed on time and on budget... We never revisit our risk assessments a year later and see how good we were at predicting risk occurrence. I worry that the avoidance of feedback contributes to the underperformance of security." Are we looking back and seeing how good we are at analyzing risk? Close your eyes. Breathe in. It's time for a little security philosophy. We have evolved from an unchecked "Cloud first" model to a more thoughtful "cloud smart" strategy. Are these just PR slogans apparently implemented by the last two administrations, or is there something to them? Looking ten years ago vs. today, have we really become smarter about implementing cloud technologies? In what way have we made the greatest strides? How are we falling short and where would you like us to be smarter? What's Worse?! What would you sacrifice to get all the training you could get? Please, Enough. No, More. Our topic is DevSecOps. It's a big one. Mike, what have you heard enough of on the topic of DevSecOps, what would you like to hear a lot more? What do you think of this pitch? Shazeb Jiwani of Dialpad forwarded me this pitch from Spanning Cloud Apps. He asks, "how they feel about vendors using an availability issue from a partner (not even a competitor) as a sales pitch." Parkinson's Law states that "work expands to fill the time available," and any IT specialist knows this applies equally to data and can be stated as "Data expands to fill the storage available." As cloud service providers – and the cloud itself both continue to expand, the opportunity to transport and store all of your data seems to be a great convenience. But data management requires oversight, control and governance. The more data – and daily data flow –one has, the greater the potential for misuse, redundancy, errors, and costly maintenance. More at https://openvpn.net/latest/security-tips/

Links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ciso-series-one-year-review/) The CISO/Security Vendor Relationship Podcast is now more than a year old. On this episode, the hosts of both podcasts, reflect on the series and we respond to listeners critiques, raves, and opinions. Check out this post and this post for the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is the co-host of the CISO/Security Vendor Relationship Podcast, Mike Johnson. Thanks to this week's podcast sponsor, Trend Micro On this episode of Defense in Depth, you'll learn: We provide the definitive story of how the CISO/Security Vendor Relationship Podcast started and how David, Allan, and Mike all connected. We've been challenging many of the sales techniques that have essentially irked CISOs. The podcast has become a validation tool for sales people to show to their management and say, "We need to change direction." One of the critiques we've heard is the desire to understand more of the sales process. We are actually very much in the dark as to the different levels of incentives are for sales staff. A security sale is often a long and involved process and we know the incentives are more involved than just a sales commission. We've actually done webinars that take a look behind the scenes of sales and we plan to do more. Those who feel isolated with their company enjoy hearing the different viewpoints. There is actually a real return on investment to listening to our show. Sales people say that they've changed their strategy based on advice on the show and it has proved to be fruitful.

Images and links for this episode can be found at CISO Series (https://cisoseries.com/worst-question-award-goes-to-how-secure-are-we/) We've got better ways to determine the overall quality of your security posture than asking this unanswerable question. It's all coming up on CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Helen Patton (@osucisohelen), CISO, Ohio State University. Thanks to this week's podcast sponsor Trend Micro. On this week's episode Why is everyone talking about this now? Jamil Fashchi, CISO, Equifax, "In speaking with a CEO the other day, I was asked, 'As someone who isn't technical, what questions should I ask to determine if my security team is effective?'" This caused a flurry of discussion. What's your advice, and do you agree it's a lot better question than "How secure are we?" Hey, you're a CISO, what's your take on this? One issue that comes up a lot in cybersecurity is the lack of diversity. We have discussed the value of diversity, in that it avoids "one think" and brings in the critical need of different viewpoints. The problem is we're often attracted to people like us, and we ask for referrals which if you hired people like you is probably going to deliver more people like you. We focus this discussion on actionable tips that CISOs can take to bring in a diverse workforce. What's Worse?! What's it like to work with the business and their acceptance or lack of acceptance of risk? First 90 days of a CISO Steve Luczynski, just became CISO of T-Rex Corporation. In the past the CIO has handled both IT and security at the company. "Now with a CISO onboard, the struggle is figuring out who does what with the expected reluctance by the CIO to let go of certain things and trust me, the new CISO to maintain the same standards. For example, I wanted to change our password policy when I first showed up to match the new NIST guidance of not changing based on a set time period. There was disagreement and it did not change even when I showed the NIST verbiage," said Luczynski. How should Steve deal with such disagreements? Ask a CISO For a while, FUD (fear, uncertainty, and doubt) worked on the average person, to get them to install basic security measures, like an anti-virus. But it appears that's all changed. The cause could be apathy. When there's so many breaches happening the average person feels powerless. Are we marketing cyber-awareness wrong to non-security people? What would get them to be true advocates? The Pre-nup. It's a difficult thing for most people to talk about in their personal lives, but it's something that should always be considered when setting up a relationship with a cloud service provider. Not all business relationships last, and if your organization needs to move its data to another provider, it's not like packing up your furniture and saying goodbye to your half of the dog.

The images and links for this episode can be found at CISO Series (https://cisoseries.com/youre-not-going-anywhere-until-you-clean-up-that-cyber-mess/) Our CISOs and Miss Manners have some rules you should follow when leaving your security program to someone else. It's all coming up on CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is newly free agent CISO, Gary Hayslip (@ghayslip). Thanks to this week's podcast sponsor Trend Micro On this week's episode Why is everyone talking about this now? Mike, you asked a question to the LinkedIn community about what department owns data privacy. You asserted it was a function of the security team, minus the legal aspects. The community exploded with opinions. What responses most opened your eyes to the data privacy management and responsibility issue you didn't really consider? Hey, you're a CISO, what's your take on this?' Someone who is writing a scene for a novel, asks this question on Quora, "How does a hacker know he or she has been caught?" Lots of good suggestions. What's your favorite scenario? And, do you want to let a hacker know he or she has been caught, or do you want to hide it? What circumstances would be appropriate for either? What's Worse?! Mike decides What's Worse?! and also what's good for business. First 90 days of a CISO Paul Hugenberg of InfoGPS Networks asks, "What fundamentals should the CISO leave for the next, as transitions are fast and frequent and many CISOs approach their role differently. Conversely, what fundamentals should the new CISO (or offered CISO) request evidence of existence before saying YES?" Mike, this is a perfect question for you. You exited and you will eventually re-enter I assume as a CISO. What did you leave and what do you expect? Ask a CISO Fernando Montenegro of 451 Research asks, "How do you better align security outcomes with incentives?" Should you incentivize security? Have you done it before? What works, what doesn't? Imagine how hard it would be to live in a house that is constantly under attack from burglars, vandals, fire ants, drones, wall-piercing radar and virulent bacteria. Most of us are used to putting a lock on the door, cleaning the various surfaces and keeping a can of Raid on hand for anything that moves in the corner. But could you imagine keeping a staff of specialists around 24/7 to do nothing but attack your house in order to find and exploit every weakness?

All pictures and links for this episode can be found on CISO Series (https://cisoseries.com/we-take-privacy-not-our-ciso-seriously/) We're looking for the one company brave enough to say they don't care about privacy on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded live on June 6th at The B.O.B. in Grand Rapids, Michigan at the 2019 West Michigan IT Summit, hosted by C3 Technology Advisors. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Allan Alford (@allanalfordinTX), principal consultant at Side Channel Security. Our guest for this special live recording is the former CISO/CSO/CTO of the state of Michigan, Dan Lohrmann (@govcso). David Spark and Allan Alford, co-hosts of Defense in Depth on the CISO Series network, and Dan Lohrmann, former CISO/CSO/CTO for the State of Michigan. Thanks to this week's podcast sponsors C3 Technology Advisors, Fuze, and Assured Data Protection. C3 Technology Advisors is a technology consulting firm that helps midsize to enterprise organizations make better technology buying decisions. With technology quickly changing, let C3 help you shift through all the disruption, noise, and sales pitches to allow you to make better technology buying decisions for your organization. Fuze is the #1 cloud communications and collaboration platform for the enterprise, combining calling, meeting, chatting, and sharing into a single, easy-to-use application. Designed for the way people work, Fuze allows the modern, mobile workforce to seamlessly communicate anytime, anywhere, across any device. Assured Data Protection provides backup and disaster recovery solutions utilizing Rubrik 'as a Service'. They offer 24/7 global support, with expertise that truly sets them apart from other back up and DR service providers. On this week's episode Should you ignore this security advice? Yaron Levi, CISO of Blue Cross Blue Shield of Kansas City posed an interesting question, "Many people in security follow best practice without questioning them but in fact there are many BAD security best practices." Levi asks the LinkedIn community and I also ask our guests, "What do you consider a 'Bad Best Practice?'" How to become a CISO Aaron Weinberg, Kirlin Group, asks, "What would a CIO need to do to switch career tracks to being a CISO?" I'll add why would you want to do that? What's Worse?! We've got two rounds of questions and conflict on at least one of them. I tell ya, CISOs get no respect Brian Krebs of Krebs Security asked, "Why aren't CISOs often not listed on the executive page of a company website?" Krebs looked at the top 100 global companies and only found 5 that had a CISO listed. Of the NASDAQ 50, there were only three listed with a security title. But plenty had chief of human resources or chief marketing officers listed. One argument for the lack of front page visibility for CISOs is that companies value revenue centers over cost centers. Another argument is the reporting structure. That CISOs often report to CIOs. Is that why it's happening, or is it something else? Close your eyes. Breathe in. It's time for a little security philosophy. A question on Quora asks you to participate in this little thought exercise, "If you knew all computers would be erased tomorrow by a worldwide virus, what steps would you take to protect yourself?" It's a little more involved than just unpluging your computer from the Internet. Why is this a bad pitch? I read a cringeworthy bad pitch and our CISOs respond. Listen to the end as I reveal something surprising about this very bad pitch. And now this… I burn through a stack of questions from the audience as we go into a cybersecurity speed round.

Full episode with images and links available at CISO Series (https://cisoseries.com/do-these-jeans-make-my-vulnerabilities-look-too-big/) We're starting to get a little self-conscious that our vulnerabilities are starting to show. People we don't even know are telling us we have them on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Fredrick Lee (AKA "Flee") (@fredrickl), CSO of Gusto. Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization. What's a CISO to do? Chris Romeo, CEO of Security Journey, wrote a post where he asked, "What if I had to develop an application security program with a budget of zero dollars?" What he presented was a means to lean on the OWASP open source community and tools to build an application security program. You're a CISO, what's your take on this? I was chatting with a pentester, Benjamin McEwan, from Scotland, who reaches out to CISOs trying to responsibly disclose, not expose, a credible security vulnerability. It's his effort to get recognized. He's frustrated though in his ability to find permanent work because those hiring only see him as an independent researcher. Is his exercise the right approach? What can a talented security person in his position do to make himself more attractive to CISOs? What's Worse?! We've got a couple of scenarios that shocked our guest at the sheer InfoSec horror. Breathe In, It's Time for a Little Security Philosophy On Quora, a question right out of the Matthew Broderick movie WarGames asks, "If a student hacked into university computers and changed his grade in cyber security to an A, does he actually deserve the A?" Except for one person, everyone said, "No," but for different reasons. Mike, are you saying no, and if so, what reason? What do you think of this pitch? We've got two pitches from vendors this week. One came directly to me. Cloud Security Tip, by Steve Prentice - Sponsored by OpenVPN. The idea behind an Advanced Persistent Threat is both intriguing and a little distracting. It sounds like the title of a Tom Clancy novel – maybe a sequel to Clear and Present Danger. Designed to penetrate a network, operate while hidden for a long time, all the while receiving commands from an outside agent, an APT is more sophisticated than everyday malware and tends to be deployed against large targets.