Redefining CyberSecurity


607 episodes — Page 13 of 13

Ep 12: The Relationship Between Roles: Human Resources And Information Security | HR Is The Organization's Communications Super Glue | Redefining CyberSecurity Culture With Dora Ross, Global Security Culture Specialist

The human resources department within any organization is well-positioned to feel the pulse and monitor a company's culture—teams, divisions, and the organization as a whole. Because of this, it could be the ideal ally to the InfoSec team. But is it? Let's find out.

Consider the lifecycle of an employee. The initial company awareness, gaining familiarity with its brand, exploring its job opportunities, moving on to the next role, all the way to retirement—or perhaps even getting fired. Of course, there's everything in-between as well, including annual performance reviews, salary and compensation discussions, workplace behavior and related training, ongoing education, promotions, and more.

At each stop along their journey and throughout each of the phases within the candidate/employee journey, HR has an opportunity to help shape the company's culture by reinforcing fundamental principles, operational ethics, and the related policies and actions. Just as we should be baking information security into the products—as early, and as often as possible—we should follow this same model for building our workforce and the company culture in which they exist.

There's an opportunity for InfoSec and HR to collaborate to present and discuss the value of good information security hygiene: using a password manager, connecting through a VPN, paying attention to potential leaks or loss of data, and thinking critically during a security awareness training event—these are just a few examples.

The importance of security shouldn't begin once the person becomes an employee; the organization can demonstrate their investment in InfoSec well before the jobs are posted and the interviews start.

On the other side of the equation, there's an opportunity to maintain security and safety for the organization by encouraging a now-former employee to continue to carry with them the lessons they've learned as they move on to another company or retire into the sunset.

Easy to say, but is it that simple? How are HR departments holding on with all the new responsibilities piling up on their desk lately? Can they take one more role without a fundamental redefinition of their role within a company?

There's so much to be gained here. This is definitely a conversation worth listening to, especially if you are in HR, InfoSec, or are an employee (I think that captures everyone, doesn't it?).

Enjoy!

NOTE: This episode is part of our "Building Better Security Relationships" series. Catch the last episode with Legal Counsel here: http://itsprad.io/redefining-security-411

Guests
Dora Ross, Global Security Culture Specialist

This Episode’s Sponsors
Imperva: https://itspm.ag/imperva277117988
HITRUST: https://itspm.ag/itsphitweb
Key Resources: https://itspm.ag/keyresources-2876

____________________________

To see and hear more podcasts and webcasts about Redefining CyberSecurity for your business, tune in to ITSPmagazine at: https://www.itspmagazine.com/redefining-cybersecurity

Are you interested in advertising on ITSPmagazine?
👉 https://www.itspmagazine.com/sponsorship-introduction

Are you interested in sponsoring an ITSPmagazine podcast?
👉 https://www.itspmagazine.com/podcast-series-sponsorships

Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

Mar 16, 2021 | 33 min

Ep 11: Taking The Insanity Out Of Incident Response | Take Control Of Your Security Operations Center | Redefining CyberSecurity With Melissa Duncan And Kristy Westphal

We know that SOC team members are burning out as they try to protect companies, yet many InfoSec programs repeat the same strategies expecting different results. Can we take insanity out of the incident response?

That's a good question. One that we're not going to answer, but one that we will discuss and hopefully encourage you all to think about with us as we try to get to the root of the problem: what needs to change.

In this podcast, we will shed some light on how SOC teams could modify their programs to embrace risk-based alerting and response enabled by information, and by doing so, filtering out as much noise as possible.

To do so, Sean Martin is joined by two seasoned security operations and incident response professionals: Melissa Duncan, who is responsible for developing security content, incident response procedures, and response automation, and Kristy Westphal, who uses her hands-on experience to design, implement and manage security and operational risk programs by bringing her passion for trying to — YES! — take the insanity out of incident response.

Join us for our journey as we explore how to pivot your SOC from the monotonous audit-based checking-of-boxes to a program that can manage real, high-priority, risk-based events to which your team can successfully respond.

Yes, you better believe that it is actually possible to run a SOC free from insanity. It's time to break from the same ol' routine to try something different. The real-life in-the-trenches SOC experiences recounted by Kristy and Melissa can help your program get a bit more creative and bring those needed changes to light—for the security team and for the business goals too.

Perhaps a reset on one or more parts of your program will reinvigorate you and bring a renewed passion for what you do. Or, maybe not. In that case, we'll see you later as you tick that next checkbox.

Let's see how you feel after listening to this one.

Guests
Melissa Duncan, VP of Security Content and Response Automation at Union Bank
Kristy Westphal, VP of CyberSecurity Incident Response Team at Union Bank

This Episode’s Sponsors
Imperva: https://itspm.ag/imperva277117988
Key Resources: https://itspm.ag/keyresources-2876

Feb 11, 2021 | 42 min

Ep 10: Patents Versus Progress: The State Of Technology And Innovation Protection | Redefining CyberSecurity With Joanna Chen And Puya Partow

Are technology patents helping us with innovation and collaborative creativity, or do they generate hyper complexity that is slowing our societies' advancement? Listen up, and maybe you will decide on your own.

By awarding and defending technological patents, we promote innovation by offering intellectual property protection to the invention and the inventors for what they've created. However, while patents may help achieve this specific goal, we must also wonder if we may be reaching the opposite results in particular situations.

Suppose companies can do research that can be used for good but is locked away in a patent (or any other intellectual property protection vehicle, for that matter). Are we really achieving what we want and what is ultimately good for humanity?

Since most systems are comprised of multiple parts, how can things get built while components of the bigger system remain protected under IP law? How do we balance promoting innovation, protecting innovation, and protecting society from ourselves?

What if Superman goes bad?

Do great responsibilities really come with great power?

If artificial intelligence invents something, does it also own the patent for it?

Of this, and many other exceptional things, we ponder—all in today's podcast.

Guests
Joanna Chen, Patent Attorney at Polsinelli (@chenjoanna on Twitter)
Puya Partow, Partner at Seyfarth Shaw LLP (@PuyaPatent on Twitter)

This Episode’s Sponsors:
Nintex: https://itspm.ag/itspntweb
Imperva: https://itspm.ag/imperva277117988
RSA Security: https://itspm.ag/itsprsaweb

Feb 1, 2021 | 34 min

Ep 9: Information Security Automation: Can You Automate Security Culture? | Redefining CyberSecurity With Tomasz Bania

The amount of work security teams have to handle is increasing exponentially and takes a severe toll on their ability to keep up with the threats. Thankfully, there is technology. Bring on security automation!

Automation sounds simple enough, right? But is it? And do security teams automate the right things?

When considering security automation, it's natural to look at the opportunity purely from a security operations perspective: responding to an incident, taking care of alerts, and looking into threat intelligence. But there's much more to it than that.

What are some of the basics of automation that teams get right?

What impact does that automation have on protection, detection, monitoring, and response?

How can security automation drive value not only for the InfoSec team but for the business overall?

When you dive deeper into this, you'll hopefully realize there are many IT- and business-related processes that you can—and should—be automating and integrating into your InfoSec program regularly. That's what we do in this episode with Dolby Labs' Tomasz Bania.

Tomasz presents some examples of how organizations can take a set of single actions and bring them all together to potentially get to a point where they are doing the entire end-to-end process, leveraging a fully-automated—or, at least, a mostly-automated—implementation.

In this episode, we get into some real-world cases that InfoSec teams can take and operationalize. We also take the opportunity to talk about the relationship amongst business types, their level of maturity, and whether or not there is such a thing as "automation culture." If there is, can we actually automate that too?

If you want even more, be sure to catch Tomasz's RSAC 365 session (link below).

Guest
Tomasz Bania, Cyber Defense Manager at Dolby Laboratories

This Episode’s Sponsors:
Nintex: https://itspm.ag/itspntweb
Imperva: https://itspm.ag/imperva277117988
RSA Security: https://itspm.ag/itsprsaweb

Resources
RSAC 365 Session: Scaling Your Defenses: Next Level Security Automation for Enterprise

Jan 19, 2021 | 26 min

Ep 8: The Relationship Between Roles: Legal Counsel And Information Security | Redefining CyberSecurity With Cody Wamsley And Diego Fernández

Way too often, we think of cybersecurity professionals as if they come from another galaxy: aliens with no understanding of the business and not much to contribute to it. Well, it's not true. In this series, we explain why.

There are exciting intersections between law, compliance, security, privacy, contracts, and business. It's time we talk about the value of building a strong relationship between information security and the legal team.

As if things were not already uneasy, to make things even more interesting, let's consider policy differences around the world. These can impact how organizations define and run their business, collect and store their data, protect their information and systems, and demonstrate that they are doing the "right thing." Toss in the 3rd-party vendor ecosystem, and now we're having fun. Unless, of course, the InfoSec and legal teams are working in silos, unknowingly causing the other team angst and pain—or worse—actively working against each other, bringing disruption to operational efficiencies and harm to the overall business.

Legal processes have been around for donkey's years. InfoSec practices, not so much. So, how do two lawyers familiar with security and privacy law (among other things)—and who also have a hand in information security practices—view the relationship between the two roles?

We're glad you asked. Have a listen to find out.

Guests
Cody Wamsley, Associate at Dorsey & Whitney LLP (@codywamsley on Twitter)
Diego Fernández, Partner IP, IT & Privacy - RegTech- Marval, O'Farrell & Mairal (@DferDiego on Twitter)

This Episode’s Sponsors:
Nintex: https://itspm.ag/itspntweb
Imperva: https://itspm.ag/imperva277117988
RSA Security: https://itspm.ag/itsprsaweb

Jan 14, 2021 | 35 min

Ep 7: PCI-DSS Version 4 Is In The Works—What Impact Might It Have On Security Operations And The Business' Bottom Line | Redefining CyberSecurity One-On-One With Mitch Parker

Many organizations leverage regulations and standards to help them define their security and privacy programs, and in doing so, spend time and money creating policies, implementing controls, and monitoring for exceptions. But what happens when the regulation or standard changes?

There's a seemingly constant barrage of change in the law and standards—and even in the supporting management/controls frameworks. Which of these regulations and standards a company must adhere to depends on where it is headquartered, where it does business, where its customers reside, where the customers' data resides, what type of customer data the company holds and interacts with, and what industry sector(s) it operates in. A change in any of these elements means a re-evaluation of the organization's risk profile and implementation of the mitigating controls.

This probably makes sense to many reading this. But what's missing from this equation? More than you may think.

To uncover the potential impact on the business operations, risk management program, security operations, and ultimately the business's bottom line, Sean Martin has a 1:1 chat with Indiana University Health CISO, Mitch Parker. The two look at the v4 PCI-DSS update, currently in development and due to release sometime in the middle of 2021, as the driver for this conversation.

There's a lot to consider—and plan for—when changes occur. Don't get caught with a surprise if you can avoid it. Prepare yourself, your staff, and your peers at the executive level for what's to come.

Guest
Mitch Parker, CISO, Indiana University Health (@mitchparkerciso on Twitter)

Resources
3 blogs related to the pending v4 PCI-DSS standard:
https://blog.pcisecuritystandards.org/pci-dss-looking-ahead-to-version-4.0
https://blog.pcisecuritystandards.org/pci-dss-v4-0-anticipated-timelines-and-latest-updates
https://blog.pcisecuritystandards.org/3-things-to-know-about-pci-dss-v4-0-development

This Episode’s Sponsors:
Nintex: https://itspm.ag/itspntweb
Imperva: https://itspm.ag/imperva277117988

Dec 1, 2020 | 26 min

Ep 6: No Hollywood Ending Here: Prepare For A Doomsday Cybersecurity Conversation | Redefining CyberSecurity With Marcus J. Ranum

We've had enough conversations about the relationship between technology, cybersecurity, and technology to know that people have different expectations, hopes, and visions. Some utopian, some dystopian, and some are Marcus J. Ranum.

We met Marcus J. Ranum a few years ago during an ISSA Los Angeles Summit, where we had an inspiring and thought-provoking conversation about the idea of needing the equivalent of a Geneva Convention for cybersecurity. Given the many twists and turns the conversation had, it was at that point that we knew Marcus had a different perspective on cyber life, as many other professionals do.

Jump ahead a few years to our partnership with ISSA International and we find ourselves with the opportunity to have an extended Luminaries Series chat with Marcus—this time looking at things through the lens of our Redefining Security channel. We take a look at the past, where Marcus was instrumental in bringing to life the first information security firewalls, and from there, we leaped into the present and the future. Buckle up, because it is not a pleasant stroll in the park, and it got pretty dark, very quickly.

In 1976, when Marcus "got into computing," the deployment of systems involved running a wire to a terminal, plugging it in, and enabling the operating system. And, when we say "enabling the operating system" we mean actually building a kernel for your system that you were going to run it on, configuring the hardware, and configuring the device drivers that you needed in the operating system for the hardware that you were going to run everything on.

"We didn't have all these gigantic driver frameworks as we do nowadays. Everything was kind of low and slow, and lean and mean… it had to be because there wasn't infinite amounts of memory nor infinite amounts of processing power. And that had a direct effect on the way security evolved." —Marcus J. Ranum

Fast forward 40+ years—where have we landed—where are we headed?

As you will hear, Marcus has a very dark view of the future of security; a future that involves software engineers, hardware engineers, increased complexity, ongoing abstraction, and an overall lack of comprehension of how things work. This story may be ripe for the picking for a Hollywood flick to hit your favorite streaming service. However, it may not be the traditional Hollywood ending that you might expect.

Come on, join us for this journey. It's one you won't want to miss being part of. Is there hope for the future of technology and humanity?

Maybe. Maybe not.

Guest(s)
Marcus J. Ranum

Resources
Book: The Myth of Homeland Security by Marcus Ranum: https://www.amazon.com/Myth-Homeland-Security-Marcus-Ranum/dp/0471458791
Book: Huawei and Snowden Questions: https://openlibra.com/en/book/the-huawei-and-snowden-questions

This Episode’s Sponsors:
Nintex: https://itspm.ag/itspntweb
Imperva: https://itspm.ag/imperva277117988

Nov 16, 2020 | 40 min