- 405 - Should CISOs Be More Empathetic Towards Salespeople?
All links and images for this episode can be found on CISO Series.
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Emily Heath, general partner, Cyberstarts.
In this episode:
How do CISOs feel about sales pitches?
Do they have legitimate complaints?
When do these legitimate complaints cross the line to sounding entitled?
Do CISOs need to show a little more empathy to sales?
Thanks to our podcast sponsor, SquareX
SquareX helps organizations detect, mitigate and threat-hunt web attacks happening against their users in real-time, including but not limited to malicious sites, files, scripts, and networks. Find out more at sqrx.com.
Thu, 25 Apr 2024 - 34min - 404 - Managing Data Leaks Outside Your Perimeter
All links and images for this episode can be found on CISO Series.
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our sponsored guest, Mackenzie Jackson, developer advocate, GitGuardian.
In this episode:
How to manage data leaks outside your perimeter?
When data leaks increasingly come from third-parties, what can you do to protect your organization?
How do we even begin to address this problem?
Is there a one size fits all fix?
Thanks to our podcast sponsor, GitGuardian
GitGuardian is a Code Security Platform that caters to the needs of the DevOps generation. It provides a wide range of code security solutions, including Secrets Detection, Infra as Code Security, and Honeytoken, all in one place. A leader in the market of secrets detection and remediation, its solutions are already used by hundreds of thousands of developers in all industries. Try now gitguardian.com
Thu, 18 Apr 2024 - 29min - 403 - What Are the Risks of Being a CISO?
All links and images for this episode can be found on CISO Series.
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Phil Davis, attorney, healthcare cybersecurity and privacy, Hall Render.
In this episode:
In today's current climate, is the role of the CISO still worth it?
Does the position carry a lot of potential liability?
Do the upsides still outweigh the risks?
Do CISOs tend to have more responsibility than authority?
Thanks to our podcast sponsor, Sonrai Security
A one-click solution that removes excessive permissions and unused services, quarantines unused identities, and restricts specific regions within the cloud. Later, maintain this level of security by automatically enforcing policies as new accounts, roles, permissions, and services are added to your environment.
Start a free trial today! sonrai.co/ciso
Thu, 11 Apr 2024 - 35min - 402 - Onboarding Security Professionals
All links and images for this episode can be found on CISO Series.
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Paul Connelly, former CISO, HCA Healthcare.
In this episode:
How important is onboarding new cyber talent?
Does it set the tone for their tenure with your organization?
What should CISOs do to make sure onboarding is effective for both sides?
What are the mistakes CISOs should avoid, and what are the best ways to excel?
Thanks to our podcast sponsor, OffSec
OffSec helps companies like Cisco, Google, and Salesforce upskill cybersecurity talent through comprehensive training and resources. With programs including red team and blue team training and more, your team will be ready to face real-world threats. Request a free trial for your team to explore OffSec’s learning library and cyber range.
Thu, 04 Apr 2024 - 31min - 401 - How to Improve Your Relationship With Your Boss
All links and images for this episode can be found on CISO Series.
Check out this post by Monte Pedersen of The CDA Group for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our guest, Jerry Davis, division director for cyber defense at Truist Bank.
In this episode:
Why does advancing your career require more than just technical skills?
Does it require you to build relationships within your organizations, particularly with your boss?
How can you consciously build these relationships with an eye to leveling up your career?
How do you develop soft skills?
Thanks to our podcast sponsor, OffSec
OffSec helps companies like Cisco, Google, and Salesforce upskill cybersecurity talent through comprehensive training and resources. With programs including red team and blue team training and more, your team will be ready to face real-world threats. Request a free trial for your team to explore OffSec’s learning library and cyber range.
Thu, 28 Mar 2024 - 29min - 400 - Improving the Responsiveness of Your SOC
All links and images for this episode can be found on CISO Series.
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining me is our sponsored guest, Spencer Thompson, CEO, Prelude.
In this episode:
Why does it take so long to integrate new tools and get them up to speed?
Are we always in a state where we are always lacking readiness?
What should we be measuring?
Do we focus too much on singular events?
Thanks to our podcast sponsor, Prelude
Prelude Detect is the world's only production-scale detection and response testing platform. Automatically transform your threat intelligence into validated detections and preventions in less than five minutes. Integrate with CrowdStrike, Microsoft Defender, SentinelOne, and more to enable machine speed detection and response engineering 🏎️ Learn more at preludesecurity.com.
Thu, 21 Mar 2024 - 27min - 399 - The Demand for Affordable Blue Team Training
All links and images for this episode can be found on CISO Series.
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining me is our guest, Ron Gula, president and co-founder, Gula Tech Adventures.
In this episode:
Why is it so darn expensive to get any training on the defender side?
Why is there a mountain of free education for red teaming?
Shouldn’t blue team training be free or less expensive as well?
Is this the firewall that's preventing us from having all those cyber experts we so desperately need?
Thanks to our podcast sponsor, Query
Query Federated Search gets to your security relevant data wherever it is - in data lakes, security tools, cloud services, SIEMs, or wherever. Query searches and normalizes data for use in security investigations, threat hunting, incident response, and everything you do. And we plug into Splunk. Visit query.ai.
Thu, 14 Mar 2024 - 29min - 398 - Why are CISOs Excluded from Executive Leadership?
All links and images for this episode can be found on CISO Series.
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Ben Sapiro, head of global cyber security services, Manulife.
In this episode:
Why do we see a dearth of CISOs listed in executive leadership?
Is this just a factor of company reporting structure?
Or do CISOs really not have a seat at the table with the business?
How do we convince the C-suite?
Thanks to our podcast sponsor, Query
Query Federated Search gets to your security relevant data wherever it is - in data lakes, security tools, cloud services, SIEMs, or wherever. Query searches and normalizes data for use in security investigations, threat hunting, incident response, and everything you do. And we plug into Splunk. Visit query.ai.
Thu, 07 Mar 2024 - 33min - 397 - What Is Your SOC's Single Search of Truth?
All links and images for this episode can be found on CISO Series.
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Matt Eberhart, CEO, Query.
In this episode:
Isn't the whole point of a single pane of glass making sense of your data?
But when these dashboards are limited to a single platform, how useful are they?
Does it seem like all they've led to is more browser tabs or more monitors crowding your analysts?
We know we want to take action based on our data, so how do we get there?
Thanks to our podcast sponsor, Query
Query Federated Search gets to your security relevant data wherever it is - in data lakes, security tools, cloud services, SIEMs, or wherever. Query searches and normalizes data for use in security investigations, threat hunting, incident response, and everything you do. And we plug into Splunk. Visit query.ai.
Thu, 29 Feb 2024 - 30min - 396 - When Is Data an Asset and When Is It a Liability?
All links and images for this episode can be found on CISO Series.
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is my guest, Mario Trujillo, staff attorney, Electronic Frontier Foundation.
In this episode:
Data is the life blood of an organization but what happens when you collect too much?
Do you put both your organization and any individuals that data belongs to at risk?
Is it still wise to collect as much data as possible?
How can CISOs embrace data minimization that doesn't clash with the needs of the business?
Thanks to our podcast sponsor, Material Security
Material Security is purpose-built to stop attacks and reduce risk across Microsoft 365 and Google Workspace with unified cloud email security, data loss prevention, and posture management. Learn more at material.security.
Thu, 22 Feb 2024 - 34min - 395 - Tracking Anomalous Behaviors of Legitimate Identities
All links and images for this episode can be found on CISO Series.
The Verizon DBIR found that about half of all breaches involved legitimate credentials. It’s a huge attack surface that we’re only starting to get a handle on.
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining me is our guest, Adam Koblentz, field CTO, Reveal Security.
In this episode:
Where are we in terms of monitoring anomalous behavior of our users?
Why are we still struggling to understand what happens after threat actors are in our networks?
How are new AI-based tools helping us to scale efforts?
What's working and where do we need to improve?
Thanks to our podcast sponsor, Reveal Security
Reveal Security ITDR detects identity threats - post authentication - in and across SaaS applications and cloud services. Powered by unsupervised machine learning, it continuously monitors and validates the behavior of trusted human users, APIs and other entities, accurately detecting anomalies that signal an in-progress identity threat. Visit reveal.security
Thu, 15 Feb 2024 - 34min - 394 - Why Do Cybersecurity Startups Fail?
All links and images for this episode can be found on CISO Series.
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Mike Levin, deputy CISO, 3M.
In this episode:
Why do security startups fail?
All startups are an inherently risky proposition, but what are the specific challenges for startups in our industry?
What's unique about cybersecurity startups?
What's the most common reason you've seen a cyber startup not succeed?
Thanks to our podcast sponsor, RevealSecurity!
Reveal Security ITDR detects identity threats - post authentication - in and across SaaS applications and cloud services. Powered by unsupervised machine learning, it continuously monitors and validates the behavior of trusted human users, APIs and other entities, accurately detecting anomalies that signal an in-progress identity threat. Visit reveal.security
Thu, 08 Feb 2024 - 31min - 393 - Making Cybersecurity Faster and More Responsive
All links and images for this episode can be found on CISO Series
Knowing is only one-third the battle. Another third is responding. And the last third is responding quickly. It’s not enough to just have the first two thirds. We need to be faster, but how?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Jason Elrod (@jasonelrod), CISO, MultiCare Health System.
Thanks to our podcast sponsor, Eclypsium
Eclypsium is the enterprise firmware security company. Our comprehensive, cloud-based platform identifies, verifies, and fortifies firmware and hardware in laptops, servers, network gear and devices. The Eclypsium platform secures against persistent and stealthy firmware attacks, provides continuous device integrity, delivers firmware patching at scale, and prevents ransomware and malicious implants.
In this episode:
What can we do as a pragmatic first step to make our cybersecurity teams quicker and more responsive?
Would continuous authorization and real-time emergency messaging help?
Should we improve test automation?
What about people: better teaching and work conditions?
Thu, 13 Jan 2022 - 30min - 392 - Promises of Automation
All links and images for this episode can be found on CISO Series
Automation was supposed to make cybersecurity professionals’ lives simpler. And it was supposed to solve the talent shortage. Has any of that actually happened?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Brian Lozada (@brianl1775), CISO, HBOMax.
Thanks to our podcast sponsor, deepwatch
Increasing ransomware attacks and their evolving sophistication have been putting more pressure on security teams than ever before. Luckily, managed detection and response (or MDR) has emerged as a critical component for improving security operations, reducing ransomware risk, and minimizing the overall impact an attack can have. Visit deepwatch.com to see how we help to prevent breaches for our customers, by working together.
In this episode:
Should we be disappointed with what automation has actually delivered?
Is it a tools vs. people thing?
Should we be better at assessing the impact of automation?
Should we change the way we hire to help with automation?
Thu, 06 Jan 2022 - 26min - 391 - When Social Engineering Bypasses Our Cyber Tools
All links and images for this episode can be found on CISO Series
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is Josh Yavor (@schwascore), CISO, Tessian.
Thanks to our podcast sponsor, Tessian
95% of breaches are caused by human error. But you can prevent them. Learn how Tessian can stop “OH SH*T!” moments before they happen, why Tessian has been recognized by analysts like Gartner and Forrester, and which world-renowned companies trust the platform to protect their data.
In this episode:
What do you do for the attacks your rule sets can't catch?
Would it help if we eliminated email systems as the standard B2B toolset for communications?
Are there any better ways to handle spearphishing?
Are you ready to add BCC (business communications compromise) to your threat list?
Thu, 16 Dec 2021 - 28min - 391 - When Social Engineering Bypasses Our Cyber Tools
All links and images for this episode can be found on CISO Series
Why is cybersecurity becoming so complex? What is one thing we can do, even if it's small, to head us off in the right direction of simplicity?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Leda Muller, CISO at Stanford, Residential and Dining Enterprises.
Thanks to our podcast sponsor, Eclypsium
Eclypsium is the enterprise firmware security company. Our comprehensive, cloud-based platform identifies, verifies, and fortifies firmware and hardware in laptops, servers, network gear and devices. The Eclypsium platform secures against persistent and stealthy firmware attacks, provides continuous device integrity, delivers firmware patching at scale, and prevents ransomware and malicious implants.
In this episode:
Is cybersecurity becoming too complex?
Should we change the way we talk about security to management?
Maybe it's time to reframe the argument?
Thu, 09 Dec 2021 - 28min - 389 - Convergence of Physical and Digital Security
All links and images for this episode can be found on CISO Series
Security convergence is the melding of all security functions from physical to digital and personal to business. The concept has been around for 17 years yet organizations are still very slow to adopt. A company's overall digital convergence appears to be happening at a faster rate than security convergence.
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest is Anne Marie Zettlemoyer (@solvingcyber), business security officer, vp, security engineering, MasterCard.
Thanks to our podcast sponsor, Tessian
95% of breaches are caused by human error. But you can prevent them. Learn how Tessian can stop “OH SH*T!” moments before they happen, why Tessian has been recognized by analysts like Gartner and Forrester, and which world-renowned companies trust the platform to protect their data.
Why are we still holding back on security convergence?
Is it a matter of "if" or "when"?
What happens when physical and info security are run by different departments?
How can we measure the risks?
Thu, 02 Dec 2021 - 30min - 388 - How Do You Measure Cybersecurity Success?
All links and images for this episode can be found on CISO Series
In most jobs there’s often a clear indicator if you’re doing a good job. In security, specifically security leadership, it’s not so easy to tell. “Nothing happening” is not an effective measurement. So how should security performance be graded?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest is Deneen DeFiore (@deneendefiore), CISO, United Airlines.
Thanks to our podcast sponsor, Tessian
In this episode:
How should security performance be graded?
Is "keeping it simple" the best option?
What's the best measurement option?
Thu, 18 Nov 2021 - 29min - 387 - How Do We Turn Tables Against Adversaries?
All links and images for this episode can be found on CISO Series
If we’re going to turn the tables against our adversaries, everything from our attitude to our actions needs to change to a format where attacks and breaches are not normalized, and we know what to respond to and how to respond to it quickly.
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our sponsored guest Scott Scheferman (@transhackerism), principal strategist, Eclypsium.
Thanks to our podcast sponsor, Eclypsium
Eclypsium is the enterprise firmware security company. Our comprehensive, cloud-based platform identifies, verifies, and fortifies firmware and hardware in laptops, servers, network gear and devices. The Eclypsium platform secures against persistent and stealthy firmware attacks, provides continuous device integrity, delivers firmware patching at scale, and prevents ransomware and malicious implants.
Moving from a reactive to a proactive attitude
Accelerating teams' ability to respond before damage happens
Stopping marketing from informing your strategy
Patching "fast enough to matter"
Thu, 11 Nov 2021 - 26min - 386 - Ageism in Cybersecurity
All links and images for this episode can be found on CISO Series
Is it too much experience? Is it that they're difficult to work with? Do they want too much money? Will they not be motivated? Are cyber professionals over the age of 40 being discriminated against in hiring practices?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Ben Sapiro, head of technology risk and CISO at Canada Life.
Thanks to our podcast sponsor, Qualys
Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.
In this episode:
Are cyber professionals over the age of 40 being discriminated against in hiring practices?
Is "older experience" a threat to younger managers?
Do older professionals have too much attitude?
What other work options exist for the 40+ expert?
Thu, 04 Nov 2021 - 31min - 385 - Proactive Vulnerability Management
All links and images for this episode can be found on CISO Series
How do we turn the tide from reactive to proactive patch management? Does anyone feel good about where they are with their own patch management program? What would it take to get there?
Check out this post and this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Sumedh Thakar (@sumedhthakar), CEO, Qualys.
Thanks to our podcast sponsor, Qualys
Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.
In this episode:
How do we turn the tide from reactive to proactive patch management?
Do cultural differences make a difference?
Do we need a new framework or template?
Thu, 28 Oct 2021 - 32min - 384 - Why Is Security Recruiting So Broken?
All links and images for this episode can be found on CISO Series
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Tony Sager (@sagercyber), svp, and chief evangelist, Center for Internet Security.
Thanks to our podcast sponsor, Qualys
In this episode:
What role should HR play in the hiring process of cybersecurity candidates?
What happens when HR's algorithms don't see the right keywords?
What are some better ways to get noticed by a human decision maker?
Thu, 21 Oct 2021 - 32min - 383 - How to Be a Vendor that CISOs Love
All links and images for this episode can be found on CISO Series
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Andy Ellis (@csoandy), operating partner, YL Ventures.
Thanks to our podcast sponsor, Varonis
What is your ransomware blast radius? The average user can access 17 million files. Varonis reduces your blast radius in days, not years. Combined with advanced detection that monitors every file touch, ransomware doesn’t stand a chance. Get a free risk assessment.
In this episode:
What are some "positive vendor engagement" characteristics?
What tips can we share with vendors who want to build a lasting good impression?
How can a vendor go about building trust?
Thu, 14 Oct 2021 - 30min - 382 - The "Are We Secure?" Question
All links and images for this episode can be found on CISO Series
When a senior person at your company asks you, "Are we secure?" how should you respond?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our guest Paul Truitt, principal US cyber practice leader, Mazars.
Thanks to our podcast sponsor, Varonis
Still in the news is REvil’s ransomware attack on Kaseya VSA servers. Varonis is here to help mitigate the blast radius of such attacks. Want a step-by-step guide on what you should be looking for? Learn more about how to prevent ransomware.
In this episode:
When a senior, non-technical person asks, "Are we secure?" how do you respond?
What does this question say about an executive's engagement level?
Why are they asking this now?
How relevant/accurate is this question anyway?
Thu, 07 Oct 2021 - 28min - 381 - Ransomware Kill Chain
What are the telltale signs you've got ransomware before you receive the actual ransom demand?
Check out this post and this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our sponsored guest Brian Vecci (@BrianTheVecci), field CTO, Varonis.
Thanks to our podcast sponsor, Varonis
What is your ransomware blast radius? The average user can access 17 million files. Varonis reduces your blast radius in days, not years. Combined with advanced detection that monitors every file touch, ransomware doesn’t stand a chance. Get a free risk assessment.
In this episode:
How to catch the ransomware threat earlier
The individual capabilities needed in a full anti-ransomware stack
Honeypots and anomalous behavior
Back to basics: look at how ransomware works
Thu, 30 Sep 2021 - 31min - 380 - Can Technology Solve Phishing?
All links and images for this episode can be found on CISO Series
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Robert Wood (@holycyberbatman), CISO at Centers for Medicare & Medicaid Services.
Thanks to our podcast sponsor, Living Security
Traditional approaches to security communication are limited to one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely affect long-term behavioral change. This report lays out a four-step plan that CISOs should follow to manage the human risk. It provides design principles for creating transformational security awareness initiatives which will win the hearts and minds of senior executives, employees, the technology organization, and customers.
In this episode:
Will there be a day that phishing can be solved by technology?
Does more training lower risk?
Is it enough just to protect "inside" the environment?
What can we do to change the culture?
Thu, 23 Sep 2021 - 30min - 379 - Convergence of SIEM and SOAR
All links and images for this episode can be found on CISO Series
SIEM tools that ingest and analyze data are ubiquitous in security operations centers. But just knowing what's happening in your environment is not enough. For competitive reasons, must SIEM tools expand and offer more automation, intelligence, and the ability to act on that intelligence?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Chris Grundemann (@ChrisGrundemann), category lead, security, GigaOm.
Thanks to our podcast sponsor, Keyavi
Cyber criminals who attack healthcare systems know medical record information has tremendous value for stealing identities. If you infuse personally identifiable information with geographical awareness and intelligence, you dramatically reduce the risk of patient identity theft. Join a live demo session on www.keyavi.com/sessions to learn more.
In this episode:
Will products from these two categories just merge as one product?
Or will they NEED to merge?
Are there advantages for them to stay separate?
Where does “trust” fit into this merger?
Thu, 16 Sep 2021 - 27min - 378 - Cybersecurity Is Not Easy to Get Into
All links and images for this episode can be found on CISO Series
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our guest Adam Keown, director, information security, Eastman.
Thanks to our podcast sponsor, VMware
In this episode:
What's more valuable to get hired: degrees or experience?
What's better: narrow focus or broad skill range?
What's more attractive: knowledge or drive?
What's the deal: is there even such a thing as "entry level"?
Thu, 09 Sep 2021 - 31min - 377 - Preventing Ransomware
All links and images for this episode can be found on CISO Series
What is the most critical step to preventing ransomware? Security professionals may be quick to judge users and say it's a lack of cyberawareness. Could it be something else?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Rebecca Harness (@rebeccaharness), CISO, St. Louis University.
Thanks to our podcast sponsor, VMware
In this episode:
What is the one critical step to preventing ransomware?
The importance of leadership and employee buy-in
How to make training and education actually work
Should backups be included on this list?
What about the supply chain?
Thu, 02 Sep 2021 - 27min - 376 - Managing Lateral Movement
All links and images for this episode can be found on CISO Series
For four years in a row, Verizon's DBIR has touted compromised credentials as the top cause of data breaches. That means bad people are getting in yet appearing to be legitimate users. What are these malignant users doing inside our network? What are the techniques to both understand and allow for good lateral movement yet thwart bad lateral movement?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our sponsored guest Sandy Wenzel (@malwaremama), cybersecurity transformation engineer, VMware.
Thanks to our podcast sponsor, VMware
In this episode:
Why are bad people getting inside our networks?
Can machine learning help find them?
How can we separate lateral movement from credential stuffing?
Would using threat modeling and going passwordless help?
Thu, 26 Aug 2021 - 29min - 375 - First Steps as a CISO
All links and images for this episode can be found on CISO Series
You've just joined a company as CISO, what's the very first step you would take to improve the security posture of your new company?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our guest Olivia Rose, vp of IT and security, Amplitude.
Thanks to our podcast sponsor, Proofpoint
Sixty-six percent of CISOs feel their organization is unprepared to handle a cyberattack and 58% consider human error to be their biggest cyber vulnerability. Proofpoint's 2021 Voice of the CISO report explores key challenges facing CISOs after an unprecedented twelve months. Get the report.
In this episode:
How can new CISOs fast-track their learning process to make better decisions sooner?
How much does the CISO need to know about the environment before they start pentesting?
Using a "Power Interest Matrix" to help manage the people who influence your work
Why aligning with HR is a key move
Thu, 19 Aug 2021 - 30min - 374 - How Does Ransomware Enter the Network?
All links and images for this episode can be found on CISO Series
How is ransomware getting into your network? Is the path direct, like via email, or does it take a more circuitous route?
Check out this post and this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our sponsored guest Ryan Kalember (@rkalember), evp, cybersecurity strategy, Proofpoint.
Thanks to our podcast sponsor, Proofpoint
Sixty-six percent of CISOs feel their organization is unprepared to handle a cyberattack and 58% consider human error to be their biggest cyber vulnerability. Proofpoint's 2021 Voice of the CISO report explores key challenges facing CISOs after an unprecedented twelve months. Get the report.
In this episode:
What role do email and phishing actually play?
Has working from home really increased the threat?
How dwell time has changed things
Getting up to speed on sufficient backups
Thu, 12 Aug 2021 - 28min - 373 - What's the Value of Certifications?
All links and images for this episode can be found on CISO Series
Why should security professionals get certifications? Do they actually teach you what you need to know to solve cybersecurity challenges? OR do they act as gateways or approval checks to be admitted into the field of cybersecurity?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Will Gregorian (@willgregorian), head of IT and security, Rhino and our guest Shawn M. Bowen (@smbowen), CISO, World Fuel Services.
Thanks to our podcast sponsor, Palo Alto Networks
First, every company became a software company. Now, every company needs to be a cybersecurity company too. Prisma Cloud from Palo Alto Networks is a single security platform that delivers comprehensive protection from code through app, so your company can keep doing what it's supposed to do. Learn more at paloaltonetworks.com/prisma/cloud.
In this episode:
Are certifications like the CISSP necessary?
Even if they are necessary to get hired, are they relevant?
Let's say something good about certs.
Who benefits most from certs? The candidate or the hiring manager?
Thu, 05 Aug 2021 - 30min - 372 - Measuring the Success of Cloud Security
All links and images for this episode can be found on CISO Series
How are you measuring your progress and success with cloud security? How much visibility into this are you providing to your engineering teams?
Check out this post and this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn and our sponsored guest Matthew Chiodi (@mattchiodi), CSO, public cloud, Palo Alto Networks.
Thanks to our podcast sponsor, Palo Alto Networks
If you're doing cloud security right, no one knows if you've done anything. When you do it wrong, well, you end up on Cybersecurity Headlines. Prisma Cloud from Palo Alto Networks helps ensure your security stays in the quietly appreciated group. It's a single security platform that delivers comprehensive protection from code to cloud. Learn more at paloaltonetworks.com/prisma/cloud.
In this episode
What requirements need to be measured?
Measuring against compliance
Building a company-specific guardrails framework
Measuring team performance by number of opened and closed issues
Thu, 29 Jul 2021 - 27min - 371 - How do I get my first cybersecurity job?
All links and images for this episode can be found on CISO Series
What does a young person, eager to get into cybersecurity, have to show or prove to land their first help desk, tech support role?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn and our guest Bryan Zimmer (@bryanzimmer), head of security, Humu.
Thanks to our podcast sponsor, Palo Alto Networks
In 1666, Sir Isaac Newton famously used a prism to disperse white light into colors. Today, cloud security professionals use Prisma Cloud from Palo Alto Networks to disperse full lifecycle security and full stack protection across their multi- and hybrid-cloud environments. We think Sir Isaac would approve. Learn more about Prisma Cloud paloaltonetworks.com/Prisma/cloud.
In this episode
Balancing out certifications and experience
If we train you, will you stay, or will you leave?
What's your compelling story that shows what you can do?
Researching the competition: what are other candidates doing?
Thu, 22 Jul 2021 - 28min - 370 - Educating the Board About Cybersecurity
All links and images for this episode can be found on CISO Series
What do we want the Board and C-Suite to know about cybersecurity? If you could teach them one thing about cybersecurity that would stick, what would that be?
Check out this post and this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn and our guest Phil Huggins (@oracuk), CISO, NHS Test & Trace, Department of Health and Social Care.
Thanks to our podcast sponsor, Proofpoint
Sixty-six percent of CISOs feel their organization is unprepared to handle a cyberattack and 58% consider human error to be their biggest cyber vulnerability. Proofpoint's 2021 Voice of the CISO report explores key challenges facing CISOs after an unprecedented twelve months. Get the report.
In this episode
What the Board needs to know to make the CISO’s job more effective
It’s not about the Board understanding cyber, but it is about mitigating risk
Security is a shared responsibility: Board & CISOs
Using other companies’ breaches as Board learning opportunities
Thu, 15 Jul 2021 - 25min - 369 - CISO Recruiting Is Broken
All links and images for this episode can be found on CISO Series
The demand for CISOs is growing due to increased regulations and cyber threats. Yet, while the demand is there, the supply keeps rotating. Companies think the next CISO is going to fix the problems of the last one. Why is a CISO's tenure so short and why is the hiring process for CISOs so disjointed?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our guest Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers.
Thanks to our podcast sponsor, RevCult
On average, 18 percent of all your Salesforce data fields are highly sensitive and 89 percent of users have access to that data. RevCult is the only solution that helps you understand the data you have in Salesforce, and if you’re protecting it. Get a free Salesforce Security Self-Assessment to understand your Salesforce security weaknesses.
In this episode:
Why a CISO's tenure is so short and why they leave
The value of keeping risk management in the CISO’s sights
The need to clarify the CISO role in the mind of the executive
The need to clarify the CISO role in the mind of the CISO
Mon, 05 Jul 2021 - 28min - 368 - Retaining Cyber Talent
All links and images for this episode can be found on CISO Series
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Liam Connolly, CISO, Seek, and our guest Ben Sapiro (@ironfog), head of technology risk and CISO, Canada Life.
Thanks to our podcast sponsor, RevCult
On average, 18 percent of all your Salesforce data fields are highly sensitive and 89 percent of users have access to that data. RevCult is the only solution that helps you understand the data you have in Salesforce, and if you’re protecting it. Get a free Salesforce Security Self-Assessment to understand your Salesforce security weaknesses.
In this episode:
What actions can a manager take to retain staff?
What do team members/employees want?
How important is team chemistry?
Establishing a creative thinking culture
Thu, 01 Jul 2021 - 34min - 367 - Salesforce Security
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-salesforce-security/
Thanks to our podcast sponsor, RevCult
On average, 18 percent of all your Salesforce data fields are highly sensitive and 89 percent of users have access to that data. RevCult is the only solution that helps you understand the data you have in Salesforce, and if you’re protecting it. Get a free Salesforce Security Self-Assessment to understand your Salesforce security weaknesses.
In this episode:
Where is Salesforce delivering in security controls and where is it falling short?
Salesforce security is more than just a single topic
Working with 3rd party Salesforce apps
Thu, 24 Jun 2021 - 23min - 366 - Cloud Configuration Fails
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-cloud-configuration-fails/
Why do we hear so many stories about incidents related to poor or misconfigured cloud services?
Check out this post and this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn and our sponsored guest, Brendan O'Connor, CEO, AppOmni.
Thanks to our podcast sponsor, AppOmni
AppOmni is building the future of SaaS security. We empower our users to enforce security standards across their SaaS applications, and enable them to remediate in confidence knowing they’re fixing the most important SaaS security issues first. Contact us at www.appomni.com to find out who - and what - has access to your SaaS data.
In this episode:
Why configuration drift and 3rd party access are still significant issues
Are cloud providers to blame?
The dynamic nature of cloud over time: we can’t keep up!
Who is ultimately responsible?
Thu, 17 Jun 2021 - 24min - 365 - Starting Pay for Cyber Staff
All links and images for this episode can be found on CISO Series
https://cisoseries.com/starting-pay-for-cyber-staff/
What should an entry level cybersecurity person be paid? And what level of education and training should be expected of them?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Naomi Buckwalter (@ineedmorecyber), director of information security and IT at Beam Technologies, and our guest Dan Walsh (@danwalshciso), CISO, VillageMD.
Thanks to our podcast sponsor, AppOmni
AppOmni is building the future of SaaS security. We empower our users to enforce security standards across their SaaS applications, and enable them to remediate in confidence knowing they’re fixing the most important SaaS security issues first. Contact us at www.appomni.com to find out who - and what - has access to your SaaS data.
In this episode:
Discussing the $15/hour entry level position
Why are qualified people applying for low paying entry level jobs?
The classic: This entry level position needs prior experience
Assessing the value that interns can bring
Thu, 10 Jun 2021 - 30min - 364 - Fear of Automation
All links and images for this episode can be found on CISO Series.
https://cisoseries.com/fear-of-automation/
Why are security professionals so darn afraid of automation? We continue to hold on to the idea that people have to be integral in the real-time decision process to protect ourselves from the technology we deploy to protect us.
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, and Steve Zalewski, CISO, Levi Strauss, with our guest Edward Frye (@edwardfrye), CISO, Aryaka Networks and president of Silicon Valley chapter of ISSA.
Thanks to our podcast sponsor, AppOmni
AppOmni is building the future of SaaS security. We empower our users to enforce security standards across their SaaS applications, and enable them to remediate in confidence knowing they’re fixing the most important SaaS security issues first. Contact us at www.appomni.com to find out who - and what - has access to your SaaS data.
In this episode:
Is it a fear of heavy lifting or not knowing what to lift?
Is it a fear of change or a fear of cost?
Is it a fear of automating human judgment?
Thu, 03 Jun 2021 - 24min - 363 - Hiring Talent with No Security Experience
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-hiring-talent-with-no-security-experience/
Should you look for the ideal candidate who already has all the security talent you want, or should you find the right person and train them in the security skills you want? And if the latter, who is the right person to work in security without security experience?
Check out this post and this Twitter discussion for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host, Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Dev Akhawe (@frgx), CISO, Figma.
Thanks to our podcast sponsor, Sonatype
With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company’s Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code.
In this episode:
Is there a cyber talent shortage? If so, does the shortage come from the hiring side?
The dangers of leaving positions open too long
The dangers of focusing on checklists vs. candidate potential
Thu, 27 May 2021 - 27min - 362 - Security Hygiene for Software Development
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-security-hygiene-for-software-development/
How do we improve the quality of our software? In the rush to be competitive, security has often taken a back seat to be first to market. What's the formula for fast and secure applications?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host, Geoff Belknap (@geoffbelknap), CISO LinkedIn, and sponsored guest Wayne Jackson, CEO, Sonatype.
Thanks to our podcast sponsor, Sonatype
In this episode:
Are we working too fast and under too much pressure to be secure?
What types of scanning should we do, and how often?
What about open source/third party software in the pipeline?
What are the dangers inherent in purchasing "secure software"?
Thu, 20 May 2021 - 25min - 361 - How Much Do You Know About Your Data?
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-how-much-do-you-know-about-your-data/
Do cybersecurity professionals even know what they're protecting? How aware are they of the data, its content and its sensitivity? What happens to your security posture when you do understand the data you're protecting? What can you do that you weren't able to do before?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, and Steve Zalewski, CISO, Levi Strauss, with our sponsored guest, Aidan Simister (@aidansimister), CEO, Lepide.
Thanks to our podcast sponsor, Lepide
Ninety eight percent of all threats start with Active Directory and nearly always involve the compromise of data stored on enterprise data stores. Lepide’s unique combination of detailed auditing, anomaly detection, real time alerting, and real time data discovery and classification allows you to identify, prioritize and investigate threats – fast.
In this episode:
How much do you know about the data you are being asked to protect?
Equating the value of the data to be protected with the cost of protection
How to find out how data is being used
Moving beyond the bare minimum of protection
Thu, 13 May 2021 - 26min - 360 - Do Startups Need a CISO?
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-do-startups-need-a-ciso/
Startups are all about proving the value of their product and growth. At the beginning, all of their money is funneled into product and market development. When do they need a CISO, if at all?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, and guest co-host Jimmy Sanders (@jfireluv), head of cybersecurity for Netflix DVD and our guest is Bryan Zimmer (@bryanzimmer), head of security for Humu.
Thanks to our podcast sponsor, Lepide
Ninety eight percent of all threats start with Active Directory and nearly always involve the compromise of data stored on enterprise data stores. Lepide’s unique combination of detailed auditing, anomaly detection, real time alerting, and real time data discovery and classification allows you to identify, prioritize and investigate threats – fast.
In this episode:
Should a company get a CISO right away, or wait until the security program matures?
If they get a CISO, should they go for "on-prem" or on-demand?
Or should they just seek CISO-level advice from the security community?
Thu, 06 May 2021 - 28min - 359 - Insider Risk
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-insider-risk/
By just doing their jobs, your employees are introducing risk to the business. They don't mean to be causing issues, but their simple actions and sometimes mistakes can cause great harm. Is it their fault, or is it security's fault for not creating the right systems?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host, Steve Zalewski, CISO, Levis, and our sponsored guest Mark Wojtasiak (@markwojtasiak), vp, portfolio strategy & product marketing, Code42 and author of Inside Jobs: Why Insider Risk is the Biggest Cyber Threat You Can't Ignore.
Thanks to our podcast sponsor, Code42
Redefine data security standards for the hybrid workforce. Check out Code42.
In this episode:
Distractions and fatigue causing split-second mistakes
The need for tailored education and training
Making it easier for people to make the right choice
Identify ways damage could happen, in order to mitigate
Thu, 29 Apr 2021 - 29min - 358 - What’s the Obsession with Zero Trust?
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-whats-the-obsession-with-zero-trust/
Why is everyone obsessed with Zero Trust? Is it just a marketing ploy that vendors are using to sell their products? Or is it truly a methodology that provides better security, especially in today's environment?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host, Geoff Belknap (@geoffbelknap), CISO LinkedIn, Melody Hildebrandt (@mhil1), evp, product & engineering and CISO, Fox.
Thanks to our podcast sponsor, Code42
Redefine data security standards for the hybrid workforce. Check out Code42.
In this episode
Does Zero Trust obscure the core principles it's supposed to serve?
How does Zero Trust affect the assumptions around cybersecurity’s control and ownership of a network
What are the real Zero Trust best practices?
Thu, 22 Apr 2021 - 28min - 357 - Mentoring
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-mentoring/
Companies want security people with experience and they want to grow cybersecurity leaders. It's often hard to find that experience, and while there are certification courses aplenty, courses in cybersecurity leadership are hard to find. One possible solution is mentoring, but that has its own hurdles.
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host, Geoff Belknap (@geoffbelknap), CISO LinkedIn, and our guest Sean Catlett, CSO, Slack.
In this episode
The mutual value of being a mentor
What obligations does a mentee have?
Mentorship: large-scale concepts or day-to-day or both?
Thu, 15 Apr 2021 - 27min - 356 - Securing the Super Bowl and Other Huge Events
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-securing-the-super-bowl-and-other-huge-events/
How do cybersecurity professionals secure a huge event like the Olympics, the Super Bowl, or a city's New Year's Eve party? What are the unique considerations that come into play?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Tomás Maldonado (@tomas_mald), CISO, NFL.
Thanks to our podcast sponsor, Lepide
Ninety eight percent of all threats start with Active Directory and nearly always involve the compromise of data stored on enterprise data stores. Lepide’s unique combination of detailed auditing, anomaly detection, real time alerting, and real time data discovery and classification allows you to identify, prioritize and investigate threats - fast.
In this episode
Protecting large events starts long before, like years before
How threat actors targeting events differ from those targeting companies
It's not just the target - there's also public safety
When it goes live, it GOES LIVE
Thu, 08 Apr 2021 - 30min - 355 - Cybersecurity Isn’t That Difficult
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-cybersecurity-isnt-that-difficult/
What are you security people complaining about? Compared to 10, 15, 20 years ago, the technical aspects of cybersecurity are not that difficult. We've got the control frameworks, tools, and training that our predecessors didn't have.
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Naomi Buckwalter (@ineedmorecyber), director of information security and IT at Beam Technologies, and our guest, John Overbaugh (@johnoverbaugh), vp, security, CareCentrix.
Thanks to our podcast sponsor, Trend Micro
Threat actors want what you’re storing in the cloud. Trend Micro’s Cloud One platform provides cloud security from a single console, keeping you at your most resilient. Let what happens in the cloud, stay in the cloud.
In this episode
What infosec was like "back in the day"
What's out of alignment: the technology or the culture?
Can we really stand on the shoulders of giants amid so much change?
Where is individual cyberhygiene in all of this?
Thu, 01 Apr 2021 - 26min - 354 - Cloud Security Myths
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-cloud-security-myths/
The cloud is inherently insecure! The cloud will handle all your security needs. More data breaches happen in the cloud. These are just some of the many, many myths of cloud security. Listen as we debunk as many as we possibly can.
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Steve Zalewski, CISO, Levis, and our sponsored guest Mark Nunnikhoven (@markna), vp, cloud research, Trend Micro.
Thanks to our podcast sponsor, Trend Micro
Threat actors want what you’re storing in the cloud. Trend Micro’s Cloud One platform provides cloud security from a single console, keeping you at your most resilient. Let what happens in the cloud, stay in the cloud.
In this episode
How many cloud myths from years back still endure?
Is cloud less secure or more secure now?
Who has the responsibility for security?
Just because you're in the cloud, does that mean you're protected?
Thu, 25 Mar 2021 - 28min - 353 - What Is Security's Mission?
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-what-is-securitys-mission/
What's the mission of your security program? Is it to proactively secure the company against a compromise of confidentiality, integrity, and availability, or is it to protect the company brand by effectively preventing, detecting and responding to cyber-threats? These are the two options for security's mission that we discuss on this week's show.
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Steve Zalewski, Deputy CISO, Levis, and our guest, Johna Till Johnson (@JohnaTillJohnso), CEO, Nemertes Research.
Thanks to our podcast sponsor, Trend Micro
The conversation between you and your board of directors is not always a walk in the park. With more cloud projects coming your way, it’s time to change the conversation to speak their language and start paving the way for a secure future. For more, go to http://trendmicro.com/CISO
In this episode
Security mission option 1: protecting the company
Security mission option 2: protecting the brand & revenue stream
Does one lead to/support the other?
Does the degree of cloud presence make a difference?
How much of this is technical vs philosophical?
Thu, 18 Mar 2021 - 25min - 352 - Vendor CISOs
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-vendor-cisos/
It's hard to be a CISO. But, what's it like to be a CISO at a security vendor, doing the hard work while carrying the stigma of being a "vendor"?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our sponsored guest Allan Alford (@AllanAlfordinTX), CTO/CISO, TrustMAPP, and host of The Cyber Ranch Podcast.
Thanks to our podcast sponsor, TrustMAPP
Does your board want to see yet more heat maps? No, they do not. They want to see that security investments align with business goals, and that their costs are objectively justified. TrustMAPP’s data visualization helps you communicate with your board in a way they can understand – and approve.
In this episode
How to balance being an advocate, an evangelist and an operator
Are there really "stigmas" to being a security vendor?
What's unique to practicing security while being a security vendor?
Thu, 11 Mar 2021 - 27min - 351 - How Much Log Data Is Enough?
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-how-much-log-data-do-you-need
You're a CISO struggling with an influx of log data into your SIEM. What's the data you want to keep, and for how long? You want insights, but you also want to keep costs down. Holding onto everything is going to cost a fortune.
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, deputy CISO, Levis, and our guest Naomi Buckwalter (@ineedmorecyber), director of information security and IT at Beam Technologies.
Thanks to our podcast sponsor, TrustMAPP
Does your board want to see yet more heat maps? No, they do not. They want to see that security investments align with business goals, and that their costs are objectively justified. TrustMAPP’s data visualization helps you communicate with your board in a way they can understand – and approve.
In this episode
So, what is the sweet spot for retaining log files? 90 days? 1 year?
Should you categorize according to business criticality?
How do you separate the "junk" from the valuable data?
Thu, 04 Mar 2021 - 25min - 350 - Should Finance or Legal Mentor Cyber?
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-should-finance-or-legal-mentor-cyber
Cybersecurity leaders are constantly looking for ways to improve how they think about risk, and how they communicate risk. But they're not the only ones. Others have been managing risk long before CISOs existed. So, who could be the best mentor to help a CISO gain better insight into business risk and how to communicate about it: the chief financial officer, or the legal department's general counsel?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest, David Schellhase (@davidschellhase), general counsel, Slack.
Thanks to our podcast sponsor, TrustMAPP
TrustMAPP delivers Security Performance Management, giving CISOs a real-time view of the effectiveness of their security program. TrustMAPP tells you where you are, where you’re going, and what it will take to get there. TrustMAPP gives organizations the ability to manage security as a business, quantifying and prioritizing remediation actions and costs. To learn about the MAPP methodology, download the white paper at https://trustmapp.com/mapp-paper/
In this episode
From which executive could a CISO learn more about risk?
Determining the ROI of finance, legal and other execs as mentors
Analyzing why it's so important to establish the ideal mentorship relationship
Thu, 25 Feb 2021 - 25min - 349 - Data Destruction
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-data-destruction
How do you deal with data at end of life? Holding onto data too long can be very costly and increase risk. So how do you get rid of it... safely?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Shawn Bowen, CISO, Restaurant Brands International (RBI), and our sponsored guest, Frank Milia (@ITAssetRecvry), partner, IT Asset Management Group.
Thanks to our podcast sponsor, IT Asset Management Group
Poorly managed IT asset disposal, lack of due diligence, and a disposal program without clearly defined responsible parties have now resulted in millions of dollars in regulatory penalties. Is it clear who is responsible for the performance of your data disposition practice? IT Asset Management Group’s free program guide includes tips for establishing stakeholders at your organization and expectations for all practitioners. Download the program guide today at itamg.com/CISO
In this episode
Is the risk of holding onto data greater than the value of keeping it?
Should client data be considered a "toxic byproduct"?
When disposing of client data, how much destruction is enough?
What legal and regulatory requirements should be considered before destroying data?
Thu, 18 Feb 2021 - 27min - 348 - How to Make Cybersecurity More Efficient
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-how-to-make-cybersecurity-more-efficient/
You're a new CISO told to hold headcount even and find the resources to do 20% more work. We're already maxed out. So how do we do more? Coming up next we're getting smart and more efficient with security.
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Steve Zalewski, Deputy CISO, Levis, and our guest, Mike Morgan (@theywerecones), head of information security, infrastructure director, Foster Farms.
Thanks to our podcast sponsor, IT Asset Management Group
Poorly managed IT asset disposal, lack of due diligence, and a disposal program without clearly defined responsible parties have now resulted in millions of dollars in regulatory penalties. Is it clear who is responsible for the performance of your data disposition practice? IT Asset Management Group’s free program guide includes tips for establishing stakeholders at your organization and expectations for all practitioners. Download the program guide today at itamg.com/CISO
In this episode
Improving processes right from the beginning of the pipeline
Looking for waste, and knowing what "waste" is
Doing more with less means at some point, something important will break
Delegating and crossing over skills
Watching out for IT sprawl and "new fangled" solutions
Thu, 11 Feb 2021 - 25min - 347 - Does a CISO Need Tech Skills?
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-does-a-ciso-need-tech-skills
Does a CISO need technical skills to be an effective cybersecurity leader? Many CISOs don't have them. Are they still effective and does it affect their ability to lead?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, and guest co-host Ben Sapiro, (@ironfog), CISO, Great-West LifeCo, and our guest, Zach Powers, CISO, Benchling.
Thanks to our episode sponsor, IT Asset Management Group
Poorly managed IT asset disposal, lack of due diligence, and a disposal program without clearly defined responsible parties have now resulted in millions of dollars in regulatory penalties. Is it clear who is responsible for the performance of your data disposition practice? IT Asset Management Group’s free program guide includes tips for establishing stakeholders at your organization and expectations for all practitioners. Download the program guide today at itamg.com/CISO.
In this episode
Why having the skills helps with realistic expectations
Being able to see through the nonsense
The value of staying passionate about the profession
Thu, 04 Feb 2021 - 27min - 346 - How Do You Know if You're Good at Security?
All links and images for this episode can be found on CISO Series
https://cisoseries.com/defense-in-depth-how-do-you-know-if-youre-good-at-security/
What metrics or indicators signal to you that an organization is “good at security”?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Justin Berman (@justinmberman), former CISO, Dropbox.
Thanks to our podcast sponsor, Imperva
Face it, your data is everywhere! Imperva Data Security unifies compliance, security and privacy needs for any data store while saving you time and money. No matter where data lives, get confidence about what is happening with data, where it’s stored and who’s accessing it. Start a free trial now.
In this episode
How to go about measuring risk
Assessing the ratio of critical/high severity issues to issues closed
The difference between a reactive and a proactive threat management policy
Thu, 28 Jan 2021 - 25min - 345 - Building a Security Team
All links and images for this episode can be found on CISO Series
You're a new CISO at a new org given a headcount of ten to build a cybersecurity team. What's your strategy to build that team?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Steve Zalewski, Deputy CISO, Levis, and our guest JJ Agha (@jaysquaredx2), CISO, Compass.
Thanks to our podcast sponsor, Imperva
Face it, your data is everywhere! Imperva Data Security unifies compliance, security and privacy needs for any data store while saving you time and money. No matter where data lives, get confidence about what is happening with data, where it’s stored and who’s accessing it. Start a free trial now.
In this episode
The importance of assessments and gap analyses
Why you need to leverage your network
Educating and empowering teams
Introspection and self-awareness as a leader
Thu, 21 Jan 2021 - 31min - 344 - Are our Data Protection Strategies Evolving?
All links and images for this episode can be found on CISO Series
(https://cisoseries.com/defense-in-depth-are-our-data-protection-strategies-evolving/)
As we're evolving from putting data on premises to the cloud, are our data protection strategies evolving as well? There are issues of securing data, knowing where it travels, and privacy implications of data. How are we handling all of that?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest, Chris Brown, senior director, data security at Imperva.
Thanks to our podcast sponsor, Imperva.
Face it, your data is everywhere! Imperva Data Security unifies compliance, security and privacy needs for any data store while saving you time and money. No matter where data lives, get confidence about what is happening with data, where it’s stored and who’s accessing it. Start a free trial now.
In this episode
Cloud platforms and exposure make it easier to deploy with less oversight, making mistakes easier. There's a need for a change of mindset of product and marketing leaders to consider consequences of taking in different data types in the design phase. There's also a need for SIEM tools and access management.
Thu, 14 Jan 2021 - 25min - 343 - Should CISOs Be Licensed Professionals?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-should-cisos-be-licensed-professionals/)
Many professionals are required to obtain a license before they can do their job legally. The demands on cybersecurity professionals, especially CISOs, have become more critical, as evidenced by the increasing number of regulations demanding that a named person oversee security and privacy controls. Should CISOs be licensed to maintain a minimum standard?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Patrick Benoit (@patrickbenoit), vp, global head of GRC and BISO, CBRE.
Thanks to this week's podcast sponsor, F5
External threats to your organization’s security are constantly evolving. Your apps need broad and preventive protection from bot attacks that cause large-scale fraud, higher operational costs, and problems for your users. And they need to be optimized for secure operation internally. Silverline Shape Defense helps you stay ahead of cyber threats and fraud. Get a free trial.
Highlights from this episode of Defense in Depth:
Almost universally, nobody liked the idea of requiring a CISO to have a license in order to practice. But, with that said, the subject stirred up a hornet's nest of discussion. Main complaint is the job changes so drastically depending on what industry you're in. Many argued that a license won't translate into success. Hard to tell how to put a license around someone who is managing risk, but doesn't own the risk.
Thu, 07 Jan 2021 - 26min - 342 - Inherently Vulnerable By Design
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-inherently-vulnerable-by-design/)
Much of what we do as practitioners is to prevent inadvertent security problems - oversights, zero-days, etc. What about inherent and unavoidable problems? When the very design of the thing requires a lack of security? What do you do then?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest is Dan Woods, vp of the Shape Intelligence Center, F5.
Thanks to this week's podcast sponsor, F5.
External threats to your organization’s security are constantly evolving. Your apps need broad and preventive protection from bot attacks that cause large-scale fraud, higher operational costs, and problems for your users. And they need to be optimized for secure operation internally. Silverline Shape Defense helps you stay ahead of cyber threats and fraud. Get a free trial.
On this episode of Defense in Depth, you’ll learn:
The mere act of conducting business requires you to have certain procedures that make you vulnerable. Simple things like taking customer information to create user accounts and processing credit cards. That's inherent to doing business, and by opening that up, it makes you vulnerable. A lot of this inherent vulnerability comes down to having users or customers and needing to authenticate them. When you start a business you're also accepting the inherent vulnerability, and you have to ask yourself to what level the business can function with that vulnerability being abused. It's all about risk appetite. Two-factor authentication sure is nice, but there have to be multiple "behind the scenes" authentications going on to verify identity continuously. As you collect all these additional data points you can use that information to ask the user to verify. Provide discounts to customers and users for good security practices. Insurance companies do this with people who prove safe driving practices. It could be a win-win for everybody. For example, Mailchimp gives you a discount if you enable 2FA. Why not offer a discount for a really long and complicated password? One of the major issues is that the password reset process happens through email. Email wasn't designed for critical authentication. Many hacks happen through the reset process via email.
Thu, 17 Dec 2020 - 26min - 341 - Imposter Syndrome
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-imposter-syndrome/)
For CISOs and other security leaders, suffering from imposter syndrome seems inevitable. How can you ever be really confident when there's an endless stream of threats and a landscape that changes without your knowledge?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest David Peach (@realdavidp), CISO and head of privacy, The Economist Group.
Thanks to this week's podcast sponsor, F5.
CISOs are dealing with the increasing sophistication of cyber attackers that are taking advantage of their applications. Find out how F5 helps organizations expand their security and see the unseen by watching the F5 Security Summit webinar. View it here.
On this episode of Defense in Depth, you’ll learn:
Imposter syndrome is a feeling of not being as good as you purport to be or others perceive you to be. Almost all security professionals, especially CISOs, have moments of imposter syndrome. The root of the problem is underestimating your contributions. Imposter syndrome can debilitate a security professional. But the opposite is also dangerous. If you don't question your ability, think you alone can solve things, and others perceive that you can do that as well, that's a disaster waiting to happen. The relentless change of technology and threats can overwhelm a professional and leave them feeling that they can't keep up. There's a sense that you will always be behind. It's not a sprint, nor a marathon. Security is an infinite game. There's no winning and no moment of relief, but looking at it as a journey you can see success along the way. There is an outside pressure that CISOs know more than they actually do, and at the same time they don't want to disappoint management, the business, or the team. Imposter syndrome can be seen as a positive when it leads to self-awareness and improvement. Be smart enough to know how little you do know and accept it, but still stay on that journey to keep learning more. You can't teach the person who thinks they know it all. The flipside is you rarely get congratulated for your work as a security professional.
Thu, 10 Dec 2020 - 28min - 340 - Why Don't More Companies Take Cybersecurity Seriously?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-why-dont-more-companies-take-cybersecurity-seriously/)
With every cybersecurity breach, we still don't seem to be getting through. Many companies don't seem to be taking cybersecurity seriously. What does it take? Obviously not scare tactics.
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Ben Sapiro, global CISO, Great-West LifeCo.
Thanks to this week's podcast sponsor, Sonatype.
On this episode of Defense in Depth, you’ll learn:
Even with attacks and breaches on a constant march, far too many companies operate under the "it will never happen to me" ostrich strategy. The problem with the "I'm too small to attack" defense is that you probably also have minimal security protections, which makes you far easier to attack. It is far easier to penetrate 100 low-defense targets than one huge target with high defenses. Watching other companies survive a breach makes one feel as if they'll be just as resilient. Many companies not showing interest in cybersecurity may simply not be doing appropriate risk-based analysis. A company in a highly regulated industry has no choice but to take cybersecurity seriously. Businesses that are built on trust and have a low barrier to exit often understand the need to take cybersecurity seriously. They are always cognizant of reputational risk. Many feel that they are powerless against the onslaught of attacks, and that even if they do take cybersecurity seriously and spend money defending themselves it will all be a giant waste of effort. Many people simply don't feel attached to any type of cybersecurity effort. If you're not vested in it, why care about it? Those of us in cybersecurity forget what it feels like to not know anything about cybersecurity.
Thu, 03 Dec 2020 - 27min - 339 - Data Protection and Visibility
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-data-protection-and-visibility/)
Where is your data? Who's accessing it? You may know if you have an identity and access management solution, but what happens when that data leaves your control? What do you do then?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest is Elliot Lewis (@elliotdlewis), CEO, Keyavi Data.
Thanks to this week's podcast sponsor, Keyavi Data.
Our Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner’s control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com.
On this episode of Defense in Depth, you’ll learn:
In general, all of security is based on detecting threats and stopping threats. When those two fail, and they do, what's your recourse to protect your data? What if, when your data leaves your control either accidentally or through a malicious breach, you were still able to see your data wherever it went, and your data could communicate its status back to you, allowing you to control access to it? There are so many scenarios in which data leaves you that it's impossible to protect against all of them. Asset inventory is the first step in the CIS 20. Just trying to get an asset inventory of equipment is difficult. An inventory of data is near impossible, especially when you may be pumping out a terabyte of data a day. The ideal situation is to protect data proactively, as it's being created. The ultimate goal is to have visibility of your data in perpetuity, for the life of the data, so you can decide when to destroy it even when it's no longer within the confines of your greater network and ecosystem. Governing your network, your applications, the rules, and the data is half the battle. Data visibility also allows you to make informed decisions as a business and can provide the answers your legal team will need in case there's a breach. You want the data protection and visibility schema to be platform and ecosystem independent. If data is taken out of the ecosystem, then the protection and visibility is moot. A good precursor to this is digital rights management, or DRM. They have figured out how to keep data from being copied and manipulated, and they can place controls on it. The limiting factor, though, is that it's platform dependent.
Thu, 19 Nov 2020 - 33min - 338 - What's an Entry Level Cybersecurity Job?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-whats-an-entry-level-cybersecurity-job/)
Naomi Buckwalter, director of information security at Energage, analyzed one thousand random information security job posts on LinkedIn. The most notable trend she found was that 43% of the posts had CISSP and 5-year experience requirements for entry level positions. Are companies trying to lowball cybersecurity professionals, or do they simply not know what an entry level cybersecurity job is?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Joseph Carrigan (@JTCarrigan), senior security engineer at Johns Hopkins University Information Security Institute, and co-host of the Hacking Humans podcast.
Thanks to this week's podcast sponsor, Keyavi Data.
Our Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner’s control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com.
On this episode of Defense in Depth, you’ll learn:
There has been an ongoing trend for companies to post "entry level but experience required" job listings for cybersecurity professionals. This is self-defeating for companies because the positions don't get filled. And true entry level people get discouraged. They feel it's impossible to get into the industry. This can drive them away from cybersecurity, which hurts the entire industry. Others would argue that we shouldn't even have this conversation because there is no such thing as an entry level position. Like there are no entry-level doctors. You must have some type of training or experience to do this job. There's no doubt that CISOs fight more for headcount than they do for overall dollars. And if they get a limited headcount, they're going to want to get as much talent as they possibly can with that limited number of positions they can fill. Security is a layer on top of IT, engineering, or development. For that reason it can be seen as mid-level experience or above, simply because security is a specialization. Is this behavior of shooting so high for an entry-level cybersecurity role causing the cybersecurity skills gap? The best way to prove your value to a hiring cybersecurity professional is to set up your own home lab. The skill that is hard to put on a resume or to explain in a job listing is non-linear thinking. But that's essentially what you're looking for with an entry-level cybersecurity hire.
Thu, 12 Nov 2020 - 28min - 337 - Securing Digital Transformations
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-securing-digital-transformations/)
Digital transformation. Its definition is broad, meaning securing it is also broad. But there are some principles that can be followed as companies undergo each step in a deeper dive to make more and more of their processes essentially computerized.
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest is Paul Asadoorian (@securityweekly), founder & CTO, Security Weekly, and chief innovation officer, Cyber Risk Alliance.
Thanks to this week's podcast sponsor, Keyavi Data.
Our Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner’s control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com.
On this episode of Defense in Depth, you’ll learn:
Digital transformation is about relying on computing technology for more integral processes and aspects of our daily work lives. There is lots of debate on the definition of digital transformation, and as well on securing digital transformations. Definition: a targeted change to process and technology for the benefit of the people. Definition: increasing levels of interoperability of information. We heard the recurring argument of the need for security to have a seat at the table at the beginning of a digital transformation, and not at the end. But at the same time reality sunk in, and it was argued that security doesn't get to dictate that. And if security tried to, it would create a greater wedge with the business. When security is brought in at the end, though, security has no option but to disrupt the business. Then no one is happy. Digital transformation simply introduces new risks, often greater risk. If the point is to integrate more of your processes, then that integrates the risk as well. If you're undergoing a true transformation, you are looking at core processes and saying, "What new tech facilitates, streamlines, and/or actualizes these core processes?" You no longer have to settle for shopping for a solution and then smashing your processes up against it. Your security tools should also undergo a transformation. That includes a transformation in monitoring as well.
Thu, 29 Oct 2020 - 29min - 336 - Leaked Secrets in Code Repositories
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-leaked-secrets-in-code-repositories/)
Secrets, such as passwords and credentials, are out in the open just sitting there in code repositories. Why do these secrets even exist in public? What's their danger? And how can they be found and removed?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest is Jérémy Thomas, CEO, GitGuardian.
Thanks to this week's podcast sponsor GitGuardian.
GitGuardian empowers organizations to secure their secrets - such as API keys and other credentials - from being exposed in compromised places or leaked publicly. GitGuardian offers a threat intelligence solution focused on detecting secrets leaked on public GitHub and an automated secrets detection solution which tightly integrates with your DevOps pipeline.
On this episode of Defense in Depth, you’ll learn:
Putting passwords and other credential information inside of code simply happens. Developers do it for efficiency or out of laziness, or they simply forget to take it out. Given that exposing secrets is done by developers, these secrets appear in code everywhere, most notably in public code repositories like GitHub. Exposed credentials can also surface in SIEMs as they are exported from the developers' code. There is a shared responsibility model, and cloud providers do have some ability to scan code, but ultimately the code you put in your programs is your responsibility. Scanning public code repositories should be your first step. You don't want to be adding code that has known issues. The next step is to scan your own code and get alerts if your developers are adding secrets (wittingly or unwittingly) to their code. If you alert in real time, it fits naturally within the DevOps pipeline and developers will improve their secure coding skills. Another option to deal with exposed secrets is to sidestep the problem completely and put in additional layers of security, most notably multi-factor authentication (MFA). A great idea, and yes, you should definitely include this very secure step, but it doesn't eliminate the problem. There are far too many authentication layers (many automated) for you to put MFA on everything. There will always be many moments of exposure.
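As an added illustration of the "scan your own code" step described above, here is a small Python scanner written for this page; it is example code, not GitGuardian's product or rule set. The sample source lines, the three rule names, the placeholder list and the `# secret-scan: allow` suppression marker are all assumptions made for the example. It shows the three pieces a practitioner wants in such a check: fixed-format matching for well-known key shapes (here the AWS access key ID prefix and PEM private-key headers), a Shannon-entropy gate so a generic "password = ..." rule does not fire on placeholders like `changeme`, and redaction so the alert itself does not re-leak the secret into your ticketing system or SIEM.

```python
import math
import re
from dataclasses import dataclass

# Illustrative detectors for this example (not GitGuardian's rule set).
PATTERNS = {
    # AWS access key IDs are "AKIA" followed by 16 uppercase alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM header of an unencrypted or encrypted private key.
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
    # Generic: a secret-looking name assigned a quoted literal of 8+ chars.
    # The literal is captured in group 1 so it can be entropy-checked and redacted.
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Values that look like a credential assignment but are obviously not live secrets.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "redacted"}
ALLOW_MARKER = "# secret-scan: allow"  # assumed, auditable inline suppression


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep a short prefix for triage, mask the rest so the alert cannot re-leak it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 4)


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    excerpt: str  # always redacted


def scan_lines(lines, entropy_threshold: float = 3.5):
    """Run every rule over every line; return findings in file order."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        if ALLOW_MARKER in line:
            continue  # explicit suppression, visible in code review
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            secret = m.group(1) if m.lastindex else m.group(0)
            if rule == "hardcoded_credential":
                # Cut false positives: placeholders, template markers, low-entropy words.
                if (secret.lower() in PLACEHOLDERS
                        or secret.startswith(("<", "${", "{{"))
                        or shannon_entropy(secret) < entropy_threshold):
                    continue
            findings.append(Finding(line_no, rule, redact(secret)))
    return findings


# Constructed sample source for the example. The AWS key ID is the documented
# AWS example value; the token is a made-up random-looking string.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "changeme"
API_TOKEN = "xk9Q2mVb8TzL0pWq4RnY7sHd"
SECRET_KEY = os.environ["SECRET_KEY"]
EXAMPLE_PASSWORD = "<your-password-here>"  # secret-scan: allow
ssh_key = "-----BEGIN OPENSSH PRIVATE KEY-----"
"""


def scan_sample():
    """Scan the constructed sample; used by the stand-alone run below."""
    return scan_lines(SAMPLE_SOURCE.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: {f.rule}: {f.excerpt}")
```

On the sample, line 2 (AWS key ID), line 4 (high-entropy token) and line 7 (private-key header) are reported; the `changeme` placeholder, the value read from the environment and the explicitly allowed example line are not. In a real pipeline the same function would run as a pre-commit hook or CI step over the staged diff rather than over a string, and the regex set would be a maintained list rather than three hand-written rules.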
Thu, 22 Oct 2020 - 28min - 335 - Measuring the Success of Your Security Program
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-measuring-the-success-of-your-security-program/)
How does a CISO measure the performance of their security program? Sure, there are metrics, but what are you measuring against? Is it a framework or the quality of protection? How do you tell if your program is improving and growing?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest is Chad Boeckmann (@SDS_Advisor), CEO, TrustMAPP.
TrustMAPP delivers continuous, automated Security Performance Management, a real-time view of your cybersecurity maturity. TrustMAPP tells you where you are, where you’re going, and what it will take to get there. TrustMAPP lets you manage security as a business, quantifying and prioritizing remediation actions and costs.
On this episode of Defense in Depth, you’ll learn:
The process is very systematic. Start with knowing your risks, how you're going to track them, and the controls you're going to put in place to manage them. Simple to say, hard to do. Security risk is just one of a multitude of risks a business faces. Data's whereabouts is a moving target. Having confidence in its location and protections is key to managing overall risk. Constantly be asking who has access to the data and what communication processes you are using to share that information between humans and machines. Discuss with leadership how you will judge success and what metrics you will use. The C-suite will need to lead the discussion, with security providing guidance as to what they can and can't measure. If you're measuring security's performance, this is a great opportunity for security to tell its story and prove its value, ultimately setting it up for increased budget and participation from others. An informal metric for success could be how often security is getting invited to informal meetings. Overall positive sentiment about security among non-security employees. How well are you able to build (are people eager to work with you?) and maintain your staff? Another "out of the box" metric to consider is opportunity cost. How many contracts are you losing because you were incapable of meeting a potential customer's security standards? Strong debate as to what the goal of a security program is: risk reduction or risk management? It's very possible that you are currently managing risk well and the additional cost to reduce risk is not necessary.
Thu, 15 Oct 2020 - 27min - 334 - Privacy Is An Uphill Battle
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-privacy-is-an-uphill-battle/)
Privacy is an uphill battle. The problem is those gathering the data aren't the ones tasked with protecting the privacy of those users for whom that data represents.
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest is Dave Bittner (@bittner), host, The CyberWire Podcast.
Thanks to our episode sponsor, TrustMAPP.
TrustMAPP delivers continuous, automated Security Performance Management, a real-time view of your cybersecurity maturity. TrustMAPP tells you where you are, where you’re going, and what it will take to get there. TrustMAPP lets you manage security as a business, quantifying and prioritizing remediation actions and costs.
On this episode of Defense in Depth, you’ll learn:
Marketers, the ones often collecting the data, have no incentive not to gather more. The only thing holding them back, barely, is newly growing privacy regulation. Security professionals are tasked with protecting privacy, but they're not usually on the front lines of data collection and are often brought in after the data has been collected. The public has become numb to the abuse of their privacy. A little is chipped away at a time, so that they either don't know they're being abused or it appears so slight that they don't even care. They see the benefits of sharing far outweighing the negatives. GDPR is large and very difficult to comply with. And although it only covers site visitors from the EU, most site owners are deploying GDPR controls system-wide for all visitors, for fear of making a mistake, while at the same time realizing that similar regulations will launch in other parts of the world.
Thu, 08 Oct 2020 - 28min - 333 - Legal Protection for CISOs
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-legal-protection-for-cisos/)
What's the legal responsibility of a CISO? New cases are placing the liability for certain aspects of security incidents squarely on the CISO. And attorney-client privilege has been overruled lately too. What does this mean for corporate and for CISO risk?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest is Evan Wolff, partner at Crowell & Moring.
Thanks to our episode sponsor, TrustMAPP.
TrustMAPP delivers continuous, automated Security Performance Management, a real-time view of your cybersecurity maturity. TrustMAPP tells you where you are, where you’re going, and what it will take to get there. TrustMAPP lets you manage security as a business, quantifying and prioritizing remediation actions and costs.
On this episode of Defense in Depth, you’ll learn:
We repeatedly joke about Davi Ottenheimer's comment that the CISO has held the moniker of "designated felon" in American risk mitigation. The big piece of advice repeated throughout the episode is to have an employment contract. In the employment contract you want an exit strategy that allows you to leave if you think a situation is not tenable or the company is asking you to do something you believe to be unethical. It gives you an opportunity to leave without any blame assigned. The cc field is your friend. If you don't want to be seen as the only one "in the know," make sure key people are also in the loop. We heard one unbelievable story of an employment contract where it was clear that the CISO would be the "designated felon" should there be any breach. This was put in place to protect the executive team. The contract offered financial security for two years post breach. We all agreed this was insane and had never heard of anything like it before. Be wary of being forced to take on personal ownership of security issues. A CISO is responsible, not accountable.
Thu, 01 Oct 2020 - 29min - 332 - XDR: Extended Detection and Response
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-xdr-extended-detection-and-response/)
Is XDR changing the investigative landscape for security professionals? The "X" in XDR extends traditional endpoint detection and response or EDR to also include network and cloud sensors. Having this full breadth, XDR can contextualize alerts to tell a more cogent story as to what's going on in your environment.
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest is Dave Bittner (@bittner), host, The CyberWire.
Thanks to our sponsor, Hunters.
Attackers always find new ways to bypass organizational defenses. While their traces hide in the data, they’re also extremely difficult to detect. Hunters.AI is a context-fueled XDR solution that harnesses top-tier threat hunting expertise and ML to autonomously detect, investigate and correlate attack findings across cloud, network, and endpoint.
On this episode of Defense in Depth, you’ll learn:
XDR extends traditional endpoint detection and response, or EDR, to also include network and cloud sensors. XDR is viewed as a comprehensive solution that rolls up all your critical feeds, sensors, and analytics. Having this full breadth, XDR can contextualize alerts to tell a more cogent story as to what's going on in your environment. If you've got a greenfield security program (essentially it's non-existent), XDR is a no-brainer. But for everyone else, which is most of us, rolling out XDR is not as clear-cut a decision. How does it integrate with your existing tech stack? There were lots of questions as to why you need a SIEM if you have XDR, but most responded that the two technologies are complementary. Where XDR becomes redundant is if you have SIEM + SOAR + XDR + NDR. XDR's real power is the ability to give you some of the investigative details rather than just telling you that somebody breached a certain endpoint: it can connect the dots and explain that a certain breach also resulted in a certain action. This greatly reduces the time your SOC needs to spend investigating cases. Don't be fooled, though, by solutions that sell purely on reducing time and effort. You're only going to get that if you have useful integrations.
Thu, 24 Sep 2020 - 25min - 331 - Calling Users Stupid
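The "connect the dots" behaviour described above, as an added illustration (not code from the episode or from any XDR product): events from three sensor types are correlated by shared user or host inside a time window, and only chains that span more than one sensor are promoted to an incident narrative. The event records, field names and the 10-minute window are constructed assumptions.

```python
"""Correlate endpoint, network and cloud sensor events into one incident story.

Added illustration, not code from the episode or any XDR product. The event
records, field names and the 10-minute window are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample events from three sensor types (not real telemetry).
EVENTS = [
    {"ts": "2020-09-24T10:00:05", "source": "endpoint", "host": "ws-17", "user": "jdoe",
     "detail": "powershell.exe -enc ... spawned by winword.exe"},
    {"ts": "2020-09-24T10:00:40", "source": "network", "host": "ws-17", "user": "jdoe",
     "detail": "outbound 203.0.113.9:443, new destination for host"},
    {"ts": "2020-09-24T10:06:10", "source": "cloud", "host": None, "user": "jdoe",
     "detail": "IAM CreateAccessKey from 203.0.113.9"},
    {"ts": "2020-09-24T14:30:00", "source": "endpoint", "host": "ws-03", "user": "asmith",
     "detail": "chrome.exe update"},
]

WINDOW = timedelta(minutes=10)  # assumed correlation window


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window=WINDOW):
    """Group time-ordered events that share a user (or host) within `window`.

    Each returned chain is a list of events; a new event joins the first chain
    whose last event shares an entity with it and is close enough in time.
    """
    chains = []
    for event in sorted(events, key=_ts):
        for chain in chains:
            last = chain[-1]
            same_entity = (event["user"] == last["user"]) or (
                event["host"] is not None and event["host"] == last["host"]
            )
            if same_entity and _ts(event) - _ts(last) <= window:
                chain.append(event)
                break
        else:
            chains.append([event])
    return chains


def narrate(chain):
    """Turn a multi-sensor chain into a one-line story; single-sensor chains
    are returned as None and left to ordinary triage."""
    sources = {e["source"] for e in chain}
    if len(sources) < 2:
        return None
    steps = " -> ".join(f"[{e['source']}] {e['detail']}" for e in chain)
    return f"user {chain[0]['user']}: {steps}"


def incidents(events):
    """Incident narratives for every chain that spans at least two sensors."""
    return [story for story in (narrate(c) for c in correlate(events)) if story]


if __name__ == "__main__":
    for story in incidents(EVENTS):
        print(story)
```

The useful property to notice is the second half of `narrate`: the same three events, seen by three separate consoles, are three low-severity alerts; stitched together they read as a macro dropping PowerShell, a first-seen outbound connection, and a cloud credential being minted from the same address minutes later.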
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-calling-users-stupid/)
Many cybersecurity professionals use derogatory terms towards their users, like calling them "dumb" because they fell for a phish or some type of online scam. It can be detrimental, even behind their back, and it doesn't foster a stronger security culture.
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Dustin Wilcox, CISO, Anthem.
Thanks to our sponsor, Hunters.
Attackers always find new ways to bypass organizational defenses. While their traces hide in the data, they’re also extremely difficult to detect. Hunters.AI is a context-fueled XDR solution that harnesses top-tier threat hunting expertise and ML to autonomously detect, investigate and correlate attack findings across cloud, network, and endpoint.
On this episode of Defense in Depth, you’ll learn:
Security people have notoriously had a "better than them" attitude towards their users, whom they view as the ones causing all the problems and making their lives more difficult. Calling users stupid for making a "mistake of effort," even if it's behind their back, does not foster a bond with the security team. It fosters the us-vs.-them attitude. Security professionals will have a lot more success if they understand why users do the things they do. Once there is that understanding, cybersecurity will be better able to design systems that accommodate users. About a third of your users confidently believe they're following the right cybersecurity procedures when they are not. That discrepancy is not the fault of the users; it's the fault of cybersecurity's education of users. Security can always be more effective in offering up the right tools and the correct education. Security awareness must begin with good service and process design. Phishing tests are pointless for determining security effectiveness, because no matter how low your click rates go, someone can always create a more creative test that will send them soaring back up again. If your defense in depth strategy is so poorly designed that your company can be compromised by the simple click of a phish, then you've got a poorly configured security stack. Security professionals' jobs exist because of their users. If there were no organization and no users, there would be no need for security professionals. Quoting a line commonly attributed to Albert Einstein: "If you judge a fish by his ability to climb a tree, he will live his whole life thinking he is stupid.” Look at user mistakes as an education moment, not an opportunity to put them down. If you educate them, they'll go on to educate others as well. Mistakes can actually be very beneficial.
Thu, 17 Sep 2020 - 27min - 330 - Is College Necessary for a Job in Cybersecurity?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-is-college-necessary-for-a-job-in-cybersecurity/)
Where is the best education for our cyber staff of the future? Where does college fit in or not fit in?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Dan Walsh, CISO, Rally Health.
Thanks to our sponsor, Hunters.
Attackers always find new ways to bypass organizational defenses. While their traces hide in the data, they’re also extremely difficult to detect. Hunters.AI is a context-fueled XDR solution that harnesses top-tier threat hunting expertise and ML to autonomously detect, investigate and correlate attack findings across cloud, network, and endpoint.
On this episode of Defense in Depth, you’ll learn:
Years ago most would say a college degree is necessary, but it appears the ROI of an exorbitant college education simply doesn't deliver like it used to. Tons of valuable online courseware can deliver a targeted education for individuals wanting to start a career in cybersecurity. If organizations believe these first two statements to be true, then why are they putting down a college degree as a requirement for jobs in cybersecurity? Is requiring a college degree a false and elitist narrative that doesn't drive better cybersecurity talent? Such a stringent requirement deters many people, including women and minorities, who may not have college degrees from pursuing cybersecurity roles. Most college courseware in computer science is quickly outdated, but that doesn't apply to all colleges. Some that specialize in cybersecurity are doing their best to stay current. Those arguing the need for college explain that it teaches critical thinking and the desire to always keep learning. Does the lack of a college degree prevent an individual from moving up the ranks in cybersecurity leadership? The college degree requirement may be arbitrary, or it may be there because of management's jealousy: they had to have a college degree when they joined, so everyone else should as well. A college degree doesn't necessarily mean you'll be a great technician.
Thu, 10 Sep 2020 - 28min - 329 - When Red Teams Break Down
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-when-red-teams-break-down/)
What happens when red team engagements go sideways? The idea of real world testing of your defenses sounds great, but how do you close the loop and what happens if it's not closed?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest, Dan DeCloss, founder and CEO, PlexTrac.
Thanks to this week’s podcast sponsor, PlexTrac.
PlexTrac is a revolutionary, yet simple, cybersecurity platform that centralizes all security assessments, penetration test reports, audit findings, and vulnerabilities into a single location. PlexTrac vastly improves the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize important analytics, and collaborate on remediation in real-time.
On this episode of Defense in Depth, you’ll learn:
Don't make the mistake of red teaming too early. If you don't have your fundamental security program in place, you'll be testing nonexistent defenses. If you're just starting to build up your security program, conduct a vulnerability scan and do some basic patch management. A red team exercise exists to discover risks you didn't even know about and couldn't have predicted in your threat modeling exercises. Have a plan for what you're going to do after the red team exercise. Just discovering you've got problems, with no plan to remediate them, will not only be a waste of money but will also breed discontent. Don't red team just to fill out an audit report; you can do a vulnerability scan for that. Consider moving the red team to purple to actually help the blue team remediate the findings. If you don't have a plan for remediation you'll find yourself running the same red team and filling out the same report. Prioritize! The red (now purple) team can greatly help, along with those who've assessed business risks. First to remediate are the findings that are high impact and easy for an attacker to execute. The rest is determined by an analysis of likelihood and impact.
Thu, 03 Sep 2020 - 25min - 328 - What Cyber Pro Are You Trying to Hire?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-what-cyber-pro-are-you-trying-to-hire/)
Do companies hiring cybersecurity talent even know what they want? More and more we see management jobs asking for engineering skills, and even CISO jobs with coding requirements. What's breaking down?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Liam Connolly, CISO, Seek.
Thanks to this week's podcast sponsor, Salt Security.
Salt Security protects the APIs at the core of SaaS, web, and mobile applications. By using patented behavioral protection Salt Security automatically and continuously discovers and learns the granular behavior of each unique API and stops attacks. In 2020 Salt Security was named a Gartner Cool Vendor in API Strategy.
On this episode of Defense in Depth, you’ll learn:
The poor focus of cybersecurity job listings often exposes either a poor understanding or a lack of maturity of a company's information security program. We often see management cyber jobs asking for engineering skills and vice versa. Job listings can also display the "last guy" syndrome: those are the listings that tack on the desired skills the last person did not have. When you see too many requirements it comes off as a wish list. It's not what is required; it's more a question of how many boxes a candidate can check off. There can be serious harm to a company's ability to hire if it throws down too many requirements, or even optional items. The people who are truly right for the position may never apply because they'll be scared off by the other skills required or desired. CISOs are often hired by non-security people, who as a result don't have a full understanding of what type of CISO they want. That's why it's often hard to find two similar CISO job listings. While CISO technical competencies are desired, it's clear that once hired a CISO will not be showing off their technical expertise. As a result, there's a lot of debate as to how much technical skill a CISO really needs. The job requires management, influencing, and communication. Many hiring teams have a hard time parsing out the types of security people they need to build out a security team. That's why you get a single job listing that appears to want to hire five different types of security people. If a CISO isn't given the budget and authority to hire a staff to fill all the necessary gaps in the company's security program, they will become fed up and leave. That starts the whole process again. Many argue that job titles in job listings are just there to massage the ego. But if compensation doesn't match the title, candidates realize the title is just for show.
Thu, 27 Aug 2020 - 28min - 327 - Junior Cyber People
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-junior-cyber-people/)
There are so few jobs available for junior cybersecurity professionals. Are these cyber beginners not valued? Or are we as managers not creating the right roles for them to improve our own security?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Naomi Buckwalter (@ineedmorecyber), director of information security & privacy at Energage.
Thanks to this week's podcast sponsor, Salt Security.
Salt Security protects the APIs at the core of SaaS, web, and mobile applications. By using patented behavioral protection Salt Security automatically and continuously discovers and learns the granular behavior of each unique API and stops attacks. In 2020 Salt Security was named a Gartner Cool Vendor in API Strategy.
On this episode of Defense in Depth, you’ll learn:
There are tons of newbies eager to work in cybersecurity. The shortcoming is not the available pipeline, but a lack of headcount and managers' willingness to train and find appropriate assignments. Because headcount is often the limitation to hiring, leaders will opt to hire the most senior person they can get. The common feeling is to hire one experienced person and stress them out rather than hire three junior people and train them. The problem with the former is that if you stress that experienced person they will leave and tell others not to work there. There is plenty of good junior-level cybersecurity work, such as asset management cleanup, PII discovery, procedure documentation, filling out security questionnaires, scrubbing and tuning out false positives from alerting systems, reviewing vendor contracts, patch verification, following up on vulnerability management with other teams, launching and managing vulnerability scans, interviewing for shadow IT installations, working with the help desk on user account remediation, and scanning logs for anomalies.
Thu, 20 Aug 2020 - 29min - 326 - Trusting Security Vendor Claims
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-trusting-security-vendor-claims/)
Do security vendors deliver on their claims and heck, are they even explaining what they do clearly so CISOs actually know what they're buying?
Check out this post and the Valimail survey for the basis of our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Lee Parrish (@LeeParrish), CISO, Hertz.
Thanks to this week's podcast sponsor, AttackIQ.
AttackIQ, the leading independent vendor of breach and attack simulation solutions, built the industry’s first Security Optimization Platform for continuous security control validation and improving security program effectiveness and efficiency. AttackIQ is trusted by leading organizations worldwide to plan security improvements and verify that cyberdefenses work as expected, aligned with the MITRE ATT&CK framework.
On this episode of Defense in Depth, you’ll learn:
Of those surveyed by Valimail, a third to a half didn't believe that vendors did a good job explaining what their product does, that the product actually performed, or that there was any way to actually measure that performance. Many questioned those numbers because they feel many security buyers still fall for security vendors' boastful claims. Both can actually be true. Stunned behavior at a trade show is not an indicator of knowledge and susceptibility to vendor pitches. When you're under the gun as a security professional to produce results, you often become a victim of security vendor claims because you want to deliver on demands from the business. By nature, CISOs should be skeptical about vendor claims and about information within their own environment. There's a battle between those vendors truly trying to deliver value and those who are using their marketing savvy to sway industry thinking. Don't place all the blame on the vendors. CISOs still have trouble understanding their requirements, risk, and priorities. Many are guilty of engaging in "random acts of security." Claims can often be more trustworthy if the vendor is willing to explain what they can't do.
Thu, 13 Aug 2020 - 27min - 325 - How Vendors Should Approach CISOs
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-how-vendors-should-approach-cisos/)
"How do I approach a CISO?" It's the most common question I get from security vendors. In fact, I have another podcast dedicated to this very question. But now we're going to tackle it on this show.
Check out this post for the basis of our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Ian Amit (@iiamit), CSO, Cimpress.
Here also is my original article with Allan Alford from when he first launched this engage-with-vendors campaign.
Thanks to this week's podcast sponsor, Sonrai Security.
Identity and data access complexity are exploding in your public cloud. 10,000+ pieces of compute, 1000s of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data that exists inside your public cloud.
On this episode of Defense in Depth, you’ll learn:
All CISOs are different, so any advice we provide will vary from CISO to CISO. Plus, we have an entire other show, CISO/Security Vendor Relationship Podcast, dedicated to this very topic. We acknowledge that this is tough, because to be really on target you need to know what the CISO has, what their mix of products is, and how your product could work in their current security maturity and mix of security products and processes. It's all a very tall order for a security vendor. Vendors must stop thinking of themselves as point solutions and think instead about how they fit into the overall makeup of a security program. You're not coming in with a blank slate. How do you interoperate with what's existing? There's unfortunately the trend of people who make the contact, initiate a meeting, and then hand off to someone else. CISOs do not welcome that kind of engagement, although it may be very cost effective for security vendors to hire junior people to make those contacts and hand-offs. There's lots of argument about the efficacy and the acceptance of cold calling. Those who claim they don't like it are often working at organizations that do it repeatedly to great success. The pushy salesperson who eventually gets through after repeated attempts, even when they're told no, may show success, but they don't calculate all the people they've angered and the word-of-mouth negativity that has resulted from that behavior. If you push beyond a request to stop, the worst that can happen is that your reputation will be destroyed. CISOs are more receptive to market pull into your organization. That can happen through traditional marketing, content marketing, podcasts, analyst reviews, and word of mouth. The problem is that these techniques don't leave any room for salespeople to operate.
Thu, 06 Aug 2020 - 30min - 324 - Secure Access
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-secure-access/)
What is the Holy Grail of secure access? There are many options, all of which are being strained by our new work from home model. Are we currently at the max?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Rohini Kasturi, chief product officer, Pulse Secure.
Thanks to this week’s podcast sponsor, Pulse Secure.
Pulse Secure offers easy, comprehensive solutions that provide visibility and seamless, protected connectivity for hybrid IT in a Zero Trust world. Over 24,000 enterprises entrust Pulse Secure to empower their mobile workforce to securely access applications and information in the data center and cloud while ensuring business compliance.
On this episode of Defense in Depth, you’ll learn:
Multiple technologies, such as VPN, split-tunnel VPN, VDI, SASE, EDR, and secure management, are used in attempts to ensure secure access. But given that secure access isn't just about managing endpoints but also users, you also have to look at IAM. We look to conditional access to provide more than just full VPN access. The argument is that we are moving away from endpoints to identity, as identity is the new perimeter. A SASE solution denies by default instead of allowing by default, and requires permission for access. The user is secured dynamically based on a combination of identity and device. It would be great if secure access solutions were universal, but they vary country by country based on costs, availability, and regulations. Secure access models must be user-experience first. One possible play that works in this way is IAM + SASE + EDR + secure management. Another factor that prevents the one-size-fits-all model for secure access is the complexity of stacks.
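The "deny by default, decide from identity plus device" model above, as an added example (not code from the episode or from Pulse Secure): each request carries identity and device signals, every application class has a minimum bar, and anything the policy does not explicitly allow is refused. The signal names, the three sensitivity tiers, the geo allow-list and the step-up rule are assumptions chosen for illustration.

```python
"""Default-deny conditional access decisions from identity and device signals.

Added example; not code from the episode or Pulse Secure. Signal names,
sensitivity tiers, the country allow-list and the rules are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool
    device_managed: bool
    device_compliant: bool   # assumed meaning: encrypted, EDR running, patched
    app_sensitivity: str     # "low", "medium" or "high"
    country: str


# Assumed policy: the minimum posture a request must present per app tier.
TIERS = ["low", "medium", "high"]
REQUIREMENTS = {
    "low":    {"mfa": True,  "managed": False, "compliant": False},
    "medium": {"mfa": True,  "managed": True,  "compliant": False},
    "high":   {"mfa": True,  "managed": True,  "compliant": True},
}
ALLOWED_COUNTRIES = {"US", "GB", "DE"}   # assumed per-organization restriction


def _failures(req: AccessRequest, rule: dict) -> list[str]:
    """Every reason the request misses the bar; an empty list means it passes."""
    reasons = []
    if rule["mfa"] and not req.mfa_verified:
        reasons.append("MFA required")
    if rule["managed"] and not req.device_managed:
        reasons.append("managed device required")
    if rule["compliant"] and not req.device_compliant:
        reasons.append("device not compliant")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append(f"country {req.country} not permitted")
    return reasons


def decide(req: AccessRequest) -> tuple[bool, list[str]]:
    """(allowed, reasons). Unknown tiers deny; nothing is allowed implicitly."""
    rule = REQUIREMENTS.get(req.app_sensitivity)
    if rule is None:
        return False, ["unknown app sensitivity tier"]
    reasons = _failures(req, rule)
    return (not reasons), reasons


def highest_tier(req: AccessRequest):
    """Most sensitive app class this session may reach with its current posture,
    or None. Lets a portal show a user what step-up (MFA, managed device)
    would unlock rather than simply refusing."""
    reachable = None
    for tier in TIERS:
        probe = AccessRequest(req.user, req.mfa_verified, req.device_managed,
                              req.device_compliant, tier, req.country)
        if decide(probe)[0]:
            reachable = tier
    return reachable


if __name__ == "__main__":
    byod = AccessRequest("jdoe", True, False, False, "high", "US")
    print(decide(byod))          # (False, ['managed device required', 'device not compliant'])
    print(highest_tier(byod))    # low
```

Two design points are worth keeping even if the rules change: the decision function returns every failed condition, not just the first, so a user can see everything they must fix; and `highest_tier` turns a refusal into a step-up prompt, which is what keeps a default-deny model user-experience first.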
Thu, 30 Jul 2020 - 22min - 323 - InfoSec Fatigue
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-infosec-fatigue/)
Have we reached peak InfoSec fatigue? Revolving CISOs and endless cyber recruitment OR the fact that we're spending more money to reduce even greater risk. Is it all leaving our grasp?
Check out this post for the basis of our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Helen Patton (@OSUCISOHelen) CISO, The Ohio State University.
Thanks to this week's podcast sponsor, Sonrai Security.
Identity and data access complexity are exploding in your public cloud. 10,000+ pieces of compute, 1000s of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data that exists inside your public cloud.
On this episode of Defense in Depth, you’ll learn:
Are we sliding in our effort to get ahead of security issues? There's a sense that the tools and our ability aren't keeping up with the onslaught. Are we able to prove risk reduction to show that our efforts are successful? The people who don't burn out are the ones who thrive on the technical and political challenges of cybersecurity. There was disagreement on how you lead a discussion: should it be story-based or data-based? The classic complaint about cybersecurity is that success is measured by the absence of activity. Preventative security is not as easily quantifiable as reactive security. CISOs have to step up and show evidence of security's success in the most understandable and digestible format. Suggested measures and metrics: likelihood and impact, business impact analysis, security program maturity curve, framework compliance, pen test results, and threat modeling. FUD (fear, uncertainty, and doubt) may be effective in the short run, but it's exhausting and never works in the long term. Approach cybersecurity altruistically: if it benefits you and those around you, then it's worth doing. Lean on security vendors to help you show the value of their product. The business impact will be on the CISO's shoulders, but the vendor should help build the case.
Thu, 23 Jul 2020 - 28min - 322 - Securing a Cloud Migration
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-securing-a-cloud-migration/)
You're migrating to the cloud. When did you develop your security plan? Before, during, or after? How aware are you and the board of the cloud's new security implications? Does your team even know how to apply security controls to the cloud?
Check out this post for the basis of our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Sandy Bird, CTO and co-founder, Sonrai Security.
Sandy was the co-founder and CTO of Q1 Labs, which was acquired by IBM in 2011. At IBM, Sandy became the CTO for the global security business and worked closely with research, development, marketing, and sales to develop new and innovative solutions to help the IBM Security business grow to ~$2B in annual revenue.
Thanks to this week's podcast sponsor, Sonrai Security.
Identity and data access complexity are exploding in your public cloud. 10,000+ pieces of compute, 1000s of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data that exists inside your public cloud.
On this episode of Defense in Depth, you’ll learn:
You can't just migrate to public cloud and secure things the way you secure your on-premises servers and applications. You have to think cloud-native in all security decisions. Cloud migrations intensify the focus on data and identity. "Security as an afterthought" is never a good plan. Those who succeed build security into the migration. Don't let IT broker a deal to migrate to cloud and then bring in cyber after the fact. In the cloud, knowing where your data is is one step; securing the data is another. There's a multitude of variables with data: the API controls on data, who has access through those APIs, whether the data is cloned or cached, and how permissions to that data are being adjusted. Start by knowing who and what should access your data and build your controls from there. The people side of securing a cloud migration is critical. If your staff is not properly trained, a single mistake can be extremely expensive. Speed in the cloud, especially if you've got a DevOps and CI/CD approach, can make problems move at lightning speed. There's a need for automation and for continuously monitoring your controls and coverage. Get ahead of problems. DevOps learned the fail-fast technique, but also the ability to recover quickly. If security wants to play as well, it has to develop the same strategy and tools.
Thu, 16 Jul 2020 - 25min - 321 - API Security
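"Start by knowing who and what should access your data" is a question you can put to the policies themselves. As an added example (not code from the episode or from Sonrai Security), the block below evaluates constructed IAM-style policy statements the way cloud IAM does (explicit Deny beats Allow, wildcards in actions and resources, default deny) and answers who can read a given data object, plus which identities hold the over-broad grants a migration review should look at first. The identities, policies and bucket name are made up.

```python
"""Answer "who can read this data?" from constructed IAM-style policies.

Added example; not code from the episode or Sonrai Security. The statement
format mimics cloud IAM (Effect / Action / Resource with '*' wildcards, an
explicit Deny overriding any Allow, default deny) but every identity, policy
and resource here is invented.
"""
from fnmatch import fnmatchcase

# Constructed: identity -> policy statements attached to it.
IDENTITIES = {
    "role/app-backend": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::customer-pii/*"]},
    ],
    "user/contractor": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
        {"Effect": "Deny", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::customer-pii/*"]},
    ],
    "role/ci-runner": [
        {"Effect": "Allow", "Action": ["s3:Get*"], "Resource": ["*"]},
    ],
    "user/analyst": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::customer-pii"]},
    ],
}


def _matches(statement, action, resource):
    return any(fnmatchcase(action, a) for a in statement["Action"]) and \
           any(fnmatchcase(resource, r) for r in statement["Resource"])


def is_allowed(statements, action, resource):
    """Explicit Deny wins outright; otherwise any matching Allow grants;
    no matching statement means denied."""
    allowed = False
    for statement in statements:
        if not _matches(statement, action, resource):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def who_can(identities, action, resource):
    """Identities whose effective permissions permit `action` on `resource`."""
    return sorted(name for name, statements in identities.items()
                  if is_allowed(statements, action, resource))


def overbroad(identities):
    """Identities holding a service-wide (or global) wildcard action on every
    resource; these grants deserve review before any data lands."""
    def wild(statement):
        return (statement["Effect"] == "Allow"
                and any(a == "*" or a.endswith(":*") for a in statement["Action"])
                and "*" in statement["Resource"])
    return sorted(name for name, statements in identities.items()
                  if any(wild(s) for s in statements))


if __name__ == "__main__":
    obj = "arn:aws:s3:::customer-pii/export.csv"
    print(who_can(IDENTITIES, "s3:GetObject", obj))   # app-backend and ci-runner
    print(overbroad(IDENTITIES))                       # the contractor
```

The point the output makes is that the identity you would name first as a reader (the application role) is not the only one: a CI role with `s3:Get*` on `*` reaches the same data, while the identity with the widest grant is actually blocked by its explicit Deny. Those are the relationships a migration plan has to enumerate before deciding what "secure the data" means.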
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-api-security/)
APIs are gateways in and out of our kingdom and thus they're also great access points for malicious hackers. How the heck do we secure them without overwhelming ourselves?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest, Roey Eliyahu, CEO, Salt Security.
Salt Security protects the APIs at the core of SaaS, web, and mobile applications. By using patented behavioral protection Salt Security automatically and continuously discovers and learns the granular behavior of each unique API and stops attacks. In 2020 Salt Security was named a Gartner Cool Vendor in API Strategy.
On this episode of Defense in Depth, you’ll learn:
The skill set needed to secure APIs is different from web security. The move towards the cloud, DevOps, and the need to have security tools talk to each other have brought a lot more attention to the need for API security. As in all areas of security, just knowing what you've got is a struggle. The same is true with APIs, and just knowing what APIs you have is not enough. You must know their functionality. Map your APIs to the systems and the data they're transmitting. How aware are your developers of the pitfalls of API misuse? There's a myriad of security options, but start with strong authentication, for example request signing with a hash-based message authentication code (HMAC). Much of the advice we got was simply to shrink the API attack surface. This can be done by either limiting the functionality of the API or removing unused APIs. The "review the code" advice that we heard often is sadly not realistic: APIs are resistant to both automatic and manual code review. API security seems like a 300- or 400-level security effort. Smaller companies that don't have a security operations center (SOC) may simply not be able to handle it and will need to outsource their API security and SOC needs to a third party or managed security service.
Thu, 09 Jul 2020 - 23min - 320 - Shared Threat Intelligence
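What "strong authentication with a hash-based message authentication code" looks like in practice, as an added example (not code from the episode or from Salt Security): the client signs a canonical form of the request (method, path, timestamp, nonce, body hash) with a shared key, and the server recomputes the MAC, compares it in constant time, rejects stale timestamps and refuses a nonce it has already seen. The header names, canonical layout, five-minute freshness window and the demo key are assumptions; a real deployment issues a key per client and rotates them.

```python
"""HMAC request signing (client) and verification (server) for an API.

Added example; not code from the episode or Salt Security. Header names,
the canonical string layout, the 300-second window and the demo key are
assumptions; use a per-client key and rotate it in a real deployment.
"""
import hashlib
import hmac
import secrets
import time

SKEW = 300  # seconds of clock skew / request age tolerated (assumption)


def canonical(method: str, path: str, ts: int, nonce: str, body: bytes) -> bytes:
    """Fixed-layout string the MAC covers; binding method, path and body hash
    means a captured signature cannot be reused for a different request."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(ts), nonce, body_hash]).encode()


def sign(key: bytes, method: str, path: str, body: bytes, ts=None, nonce=None) -> dict:
    """Client side: headers to send alongside the request."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(key, canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac}


class Verifier:
    """Server side: recompute the MAC, check freshness, refuse nonce reuse.

    `now` is injectable so the freshness check can be tested deterministically.
    """

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now
        self.seen = {}  # nonce -> expiry; entries live only as long as SKEW

    def verify(self, method: str, path: str, body: bytes, headers: dict) -> bool:
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False
        now = int(self.now())
        if abs(now - ts) > SKEW:
            return False                     # stale or future-dated request
        self._expire(now)
        if nonce in self.seen:
            return False                     # replay of a request already accepted
        expected = hmac.new(self.key, canonical(method, path, ts, nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False                     # constant-time comparison, no early exit
        self.seen[nonce] = ts + SKEW
        return True

    def _expire(self, now: int) -> None:
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}


if __name__ == "__main__":
    key = b"demo-shared-secret"               # assumption: per-client key in practice
    headers = sign(key, "POST", "/v1/orders", b'{"id": 1}')
    v = Verifier(key)
    print(v.verify("POST", "/v1/orders", b'{"id": 1}', headers))   # True
    print(v.verify("POST", "/v1/orders", b'{"id": 1}', headers))   # False: replayed
```

Three details carry the security: the body hash inside the canonical string, so the signature is bound to the exact payload; `hmac.compare_digest` instead of `==`, so a wrong signature does not leak how many leading bytes matched; and the nonce window, so a signature captured on the wire is only ever accepted once. The nonce cache is bounded by the freshness window, so it does not grow without limit.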
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-shared-threat-intelligence/)
We all know that shared intelligence has value, yet we're reticent to share our threat intelligence. What prevents us from doing it and what more could we know if shared threat intelligence was mandated?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest, Joel Bork (@cincision), senior threat hunter, IronNet Cybersecurity.
Thanks to this week's podcast sponsor, IronNet Cybersecurity.
To combat sophisticated cyber threats, companies are increasingly adopting collective defense strategies to actively share intelligence with peer organizations to improve the detection capabilities of the collective. Through faster sharing of behavioral analytics, signature-based, and human threat insights, organizations can more effectively spot malicious activity and reduce attacker dwell time. More on IronNet Cybersecurity.
On this episode of Defense in Depth, you’ll learn:
We all benefit from sharing threat intelligence, so why don't we do it? If threat data is public, is it useful? The argument is that if the good guys know about the threat intelligence, then all the bad guys know as well. But that's only if it's in a public forum. If threat intelligence were shared in a more rapid, comprehensive, and secure manner it would have more utility. Sometimes the "intelligence" a company first gets is just a data feed. There has to be a greater discussion of the risks of sharing as compared to the upside. Often, it's so easy to shut the doors and not share, with the benefit never calculated into the equation. When an organization is in the middle of its security maturity curve, it holds all its data as close to its chest as possible. As it continues on its journey and learns lessons along the way, it begins to understand that collaboration will help the community as a whole - including itself. Threat data is really not what professionals need. What they need is intelligence. And this requires a way to onboard and make sense of the data on its own, in aggregate, and over time. Each of us is collecting different pieces of the threat landscape puzzle. If someone doesn't provide their piece, then we have an incomplete puzzle and there are now holes in our knowledge and ability to protect ourselves. Threat intelligence does not hold the same weight for every user. What's valuable to someone may not be of value to another. And you may be holding onto data that you don't necessarily think is valuable. You want threat intel to be actionable, not necessarily responding automatically. We spoke of threat intel with the analogy of animals traveling in herds for protection. The attackers often pick off the weak ones, but when everyone is working together, the stronger animals can actually protect the weak.
Even with everything we know and value with shared threat intel, there is still a ton of paranoia around sharing. While there is lots of discussion about data not being identifiable, most choose to opt out of sharing threat intel.
Thu, 02 Jul 2020 - 27min - 319 - Drudgery of Cybercrime
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-drudgery-of-cybercrime/)
Why does the press persist in referring to all cyber breaches as sophisticated attacks? Is it to make the victim look less weak, or do they simply not know the tedium that's involved in cybercrime?
Check out this post by Brian Krebs for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Steve Zalewski, deputy CISO, Levi Strauss.
Thanks to this week's podcast sponsor, IronNet Cybersecurity.
To combat sophisticated cyber threats, companies are increasingly adopting collective defense strategies to actively share intelligence with peer organizations to improve the detection capabilities of the collective. Through faster sharing of behavioral analytics, signature-based, and human threat insights, organizations can more effectively spot malicious activity and reduce attacker dwell time. More on IronNet Cybersecurity.
On this episode of Defense in Depth, you’ll learn:
There's a dichotomy between how the press glorifies cybercrime as being "sophisticated" when the reality is that much of cybercrime is drudgery. Most cybercrime is under a pay-for-hire or a web-based service model. Cybercriminals have to deal with many of the same business-related issues we all do, such as support, infrastructure, customer relations, and sales. Given that the cybercriminals are usually doing work for someone else, they have customers, and those customers will often complain if they are not getting the expected service. There was a question of whether cybercrime even pays. It seemed that if you had some basic technical talents, then legitimate InfoSec was a far more lucrative field that would probably offer benefits that cybercrime couldn't. The paper states that low-skilled administrators often don't know much about the systems they maintain. This would lead one to believe they're also far removed from the criminal activity. Many of these claims of the boredom of cybercrime can be made of the InfoSec community as well. Once you understand that cybercrime is a business with a need for ROI like any other business, the goal in protecting oneself is simply to make it too costly and not financially attractive to be hacked.
Thu, 25 Jun 2020 - 26min - 318 - Security Budgets
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-security-budgets/)
How do you calculate a security budget? Is it a percentage of the IT budget? Something else? And why does it grow so drastically after a breach?
Thanks to this week's podcast sponsor, IronNet Cybersecurity.
To combat sophisticated cyber threats, companies are increasingly adopting collective defense strategies to actively share intelligence with peer organizations to improve the detection capabilities of the collective. Through faster sharing of behavioral analytics, signature-based, and human threat insights, organizations can more effectively spot malicious activity and reduce attacker dwell time. More on IronNet Cybersecurity.
On this episode of Defense in Depth, you’ll learn:
The general consensus among the community is that cybersecurity is a spend-it-now or spend-more-later decision. While everyone wants to find a metric to determine how much to spend on cybersecurity, there doesn't seem to be any that are useful. The CISO's job is to provide data about risks so the business can make the decision about cybersecurity spending. Most assume that after a breach there's more cybersecurity budget, but what you get first is cooperation. Look at security as a market differentiator. What if you could withstand a cyber attack but your competition couldn't? Or possibly you could deliver a higher level of reliability to your customers. How would your business be perceived by the market? A business impact analysis calculator can help you understand your risk levels. Allan Alford has one on his site. Many felt the biggest cost to a company suffering a breach isn't loss of data or the regulatory fines, but the damage to the company brand. The cost of proactive protection always beats the cost of suffering a data breach. One listener recommended that MBA programs should have a breach case study as part of their curriculum.
Thu, 18 Jun 2020 - 25min - 317 - Role of the BISO
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-role-of-the-biso/)
What is a business information security officer or BISO? Do you need one? Is it just an extension of the CISO or is it simply taking on the business aspect of the CISO role?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Nicole Dove (@IssaUrbanGirl), BISO, ADP, and host of Urban Girl Corporate World podcast.
Thanks to this week's podcast sponsor, Deep Instinct.
Deep Instinct is changing cybersecurity by harnessing the power of Deep Learning to prevent threats in zero time. Deep Instinct’s on-device solution protects against zero-day, APT, and ransomware attacks, and against both known and unknown malware with unmatched accuracy and speed. Find out more about the solution’s wide-covering platform play.
On this episode of Defense in Depth, you’ll learn:
A BISO becomes very valuable where they can be mapped to a specific business unit (by locale or business line). The BISO role has become important because practically all companies are reliant on data and technology. The BISO must have the power to do their job. That requires autonomy and decision-making ability. Another way to describe a BISO is as a senior business analyst with a security focus. From CISO to project manager, roles change often for a BISO. Geo-aligned positions for BISOs have become extremely valuable in light of different and growing territorial regulations. BISO is a good role for a wannabe CISO. Only large companies have room for a BISO. A BISO who can cozy up to a particular business unit's sales strategy is of enormous value. Make sure the BISO is actually bringing value and not just acting as a gatekeeper between security and the business.
Thu, 11 Jun 2020 - 28min - 316 - Shared Accounts
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-shared-accounts/)
As bad as all security professionals know they are, shared accounts are a fact in the business world. They still linger, and from an operational standpoint they're hard to secure and to get accountability for. Why are they still around and what can be done about them?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Jake King (@jakeking), CEO, Cmd.
Thanks to this week's podcast sponsor, Cmd.
Cmd provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems.
On this episode of Defense in Depth, you’ll learn:
As much as it makes security professionals cringe, shared accounts are a business reality that can't be avoided. Certain business processes force shared accounts to exist, but that doesn't mean that as a security professional you shouldn't grill people to find out why the shared account exists and whether there's a way you can remove that shared privilege. Get an inventory of your shared accounts. You can also do this by mapping credentials to location information. Time pressures in a physical environment often force shared accounts. You need to shine a light on shared accounts even if they're not going to go away. It's part of your GRC (governance, risk, and compliance) program. There are compensating controls one can put around shared accounts such as password rotation, monitoring usage, and alerts. Privileged access management (PAM) is the favorite solution for dealing with shared accounts. Often you don't need compensating controls if you have a dynamic PAM solution in place. The need for accountability is key here. If you don't have a shared understanding of its importance, then those eventual issues are simply going to magnify.
Thu, 04 Jun 2020 - 26min - 315 - Bug Bounties
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-bug-bounties/)
What is the successful formula for a bug bounty program? Should it be run internally, by a third party, or should you open it up to the public? Or, maybe a mixture of everything?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Justin Berman (@justinmberman), head of security, Dropbox.
Thanks to this week's podcast sponsor, Cmd.
Cmd provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems.
On this episode of Defense in Depth, you’ll learn:
Like red teaming, you need outside eyes looking at your environment and vulnerabilities. There was much debate between internal, private, and public bug bounty programs. But it was agreed that if you do them, you do them in that order. There was another concern regarding the cost of a bug bounty program. Whether you do them or not, you're still going to pay for coding errors and vulnerabilities one way or another. It's either upfront or later. Those new to bug bounty programs are not aware of the additional costs of management and of engaging with the researchers and white hat hackers. That is a critical part of the bug bounty program. Before you begin, set up a system to manage the flow of problems reported. If not, you and your staff could very quickly be overwhelmed. Having a consistent and clear way to handle the findings is often more important than the findings themselves. Have you allocated budget to remediate the findings? Are you going to need to make a case as each weakness is found? Keep in mind that companies don't go into bug bounty programs for the same reason. Some go into it for reasons of publicity or forming relationships with researchers. Communication between your engineers and the bug bounty researchers is critical. If your team is non-responsive, the bug bounty program could backfire. Most people are wary of public bug bounty programs because of the low signal-to-noise ratio. As there is a rush for attention and money, the whole effort may implode.
Thu, 28 May 2020 - 29min - 314 - Data Classification
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-data-classification/)
The more data we hoard, the less useful any of it becomes, and the more risk we carry. If we got rid of data, we could reduce risk.
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Nina Wyatt, CISO, Sunflower Bank.
Thanks to this week's podcast sponsor, Cmd.
Cmd provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems.
On this episode of Defense in Depth, you’ll learn:
Usable, user-friendly, viable-in-every-scenario data protection that is invisible, seamless, and always on does not exist, but could exist, and should exist. Classification tools that tout automation really aren't automated. There is still a good amount of manual intervention. Another way to solve the data protection issue is to get rid of data. Our data protection problem amplifies as we find ourselves protecting more data. But a lot of data simply doesn't need to be protected. It could be classified for non-protection or just destroyed. Data is mostly unstructured, and it needs to be structured to the extent that you know how data is flowing, and that is extremely difficult to do. We spend more time on hardware and networking diagrams, but what we should be doing is diagramming data flow. Mandate retention limits on data. People don't like it, but it's going to make you a lot safer. Just mandate the lifespan of data. If it's not needed or accessed in a certain period of time, archive it or possibly kill it. People think holding onto data is costless, but the reality is that the longer you hold onto it, the more costly it becomes from a security perspective. Utility to you vs. utility to the bad guys is relative. For example, a bank statement from five years ago has little utility to you now, but if a bad guy is looking for information, it has the same value as a bank statement from today. The questions you need to be asking: Is your data sensitive? Does it have open permissions? How long has it been since the data was accessed? Data with PII is both an asset and a liability. Classifying data also has a major problem with consistency. Often data can be put into multiple categories or classes. Security of the data itself is usually not the factor many consider. We are often thinking about the security around data.
Thu, 21 May 2020 - 24min - 313 - Prevention vs. Detection and Containment
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-prevention-vs-detection-and-containment/)
We agree that preventing a cyber attack is better than detection and containment. Then why are the overwhelming majority of us doing detection and containment?
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Steve Salinas (@so_cal_aggie), head of product marketing, Deep Instinct.
Thanks to this week's podcast sponsor, Deep Instinct.
Deep Instinct is changing cybersecurity by harnessing the power of Deep Learning to prevent threats in zero time. Deep Instinct’s on-device solution protects against zero-day, APT, and ransomware attacks, and against both known and unknown malware with unmatched accuracy and speed. Find out more about the solution’s wide-covering platform play.
On this episode of Defense in Depth, you’ll learn:
A recent Ponemon study notes that most security professionals agree that prevention is a better security strategy than detection and containment. Even with the acceptance that prevention is a better security posture, most security spending goes into detection and containment. By implementing firewalls, patching, and security training, many of us are already doing prevention, but may not classify it as such. Prevention is not nearly as expensive as creating a detect-and-respond security program. The two halves work in concert. No prevention program can be perfect, and that's why you always need a detect-and-contain program as well. The reason you don't go with detect and respond alone, without prevention, is that the flood of alerts will be too much for a security program to handle. There was a strong argument for detect and respond because it shows that the products you spent money on are actually working. This is not just to humor the security professional, but also to give some "evidence" to the senior executives. A lot of prevention comes down to the individual. But since it's so tough to get people to change behavior, there's less friction in just purchasing another prevention tool to protect people from their own behavior. Prevention tools won't stop the attackers who sit dormant on a network waiting to attack. Their behavior has to be spotted with the use of detection and containment.
Thu, 14 May 2020 - 26min - 312 - Asset Valuation
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-asset-valuation/)
What's the value of your assets? Do you even understand what they are to you or to a criminal looking to steal them? Do those assets become more valuable once you understand the damage they can cause?
Check out this post for the basis for our conversation on this week’s episode which features me and Allan Alford. Our guest is Bobby Ford, global CISO, Unilever.
Thanks to this week's podcast sponsor, CyberArk.
At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.
On this episode of Defense in Depth, you’ll learn:
Allan revised the well-known formula for risk (Risk = Likelihood x Impact) to reflect an asset's importance. So instead, Risk = Threat plus Vulnerability as aimed at an Asset. It's hard to get a stakeholder to tell you the value of their assets. Instead, ask them the reverse. Describe the absolute worst breach scenario. What's the second worst? And then on down until you have an understanding of the hierarchy of the assets. A business impact analysis (BIA) will also help uncover asset valuation. Allan Alford has a BIA calculator on his site. The simple question of "What are you defending?" is one that most business leaders struggle to answer. They need to be able to answer that question often. Once you know what to defend, the question is how much to defend, and after that, whether there is anything that doesn't need to be defended. You may not be able to start this process at all if you don't know what your asset inventory is. This should be managed with a discovery tool and multiple iterations of discovery. While you're valuing your own assets, try to make sense of what these assets mean to an attacker. That will help you answer the question of "how much to defend".
Thu, 07 May 2020 - 28min - 311 - DevSecOps
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-devsecops/)
We know that security plays a role in DevOps, but we've been having a hard time inserting ourselves in the conversation and in the process. How can we get the two sides of developers and security to better understand and appreciate each other?
Check out this post and this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Sumedh Thakar (@sumedhthakar), president and chief product officer, Qualys.
Thanks to this week’s podcast sponsor, Qualys.
Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.
On this episode of Defense in Depth, you’ll learn:
It's debatable whether the term "DevSecOps" should even exist as a term. The argument for the term is to just make sure that security is part of the discussion, but security people feel that's redundant. Security is not an additional process. It should be baked in. It's an essential ingredient. But should it really be seen as "embedding" or rather as a partnership? Developers and operations operate as partners. Instead of dumping security tools on developers and just demanding "implement this," security needs to go through the same transition development had to go through to be part of "Ops". As DevOps looks forward to what's next, how can security do the same? Security is unfortunately seen as an afterthought, and that's antithetical to the DevOps philosophy. Security is an innate property that imbues quality in the entire DevOps effort. Security will slow down DevOps. It's unavoidable. Not everything can be automated. But, if you deliver the security in bite-sized chunks, you can get to an acceptable level of speed. The business needs to specify the security requirements, since they were the ones who specified the speed requirements. That's how we got to DevOps in the first place.
Thu, 30 Apr 2020 - 26min - 310 - Fix Security Problems with What You've Got
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-fix-security-problems-with-what-youve-got/)
Stop buying security products. You probably have enough. You're just not using them to their full potential. Dig into what you've got and build your security program.
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Brent Williams (@brentawilliams), CISO, SurveyMonkey.
Thanks to this week's podcast sponsor, Deep Instinct.
Deep Instinct is changing cybersecurity by harnessing the power of Deep Learning to prevent threats in zero time. Deep Instinct’s on-device solution protects against zero-day, APT, and ransomware attacks, and against both known and unknown malware with unmatched accuracy and speed. Find out more about the solution’s wide-covering platform play.
On this episode of Defense in Depth, you’ll learn:
It's very possible you're not using the tools you've purchased to their full potential. What would happen if you completely stopped buying security products and tried to fix your problems with the tools you've already purchased? The reason this is such a popular discussion is that as an industry we're still struggling with managing the fundamentals of security. Shelfware happens because we buy before we're ready. Purchase decisions should be made in conjunction with knowing whether you have the staff and understand the integration points to implement the solution. Tooling for the lower layers must be dealt with first. You don't need a solution selling a higher layer of security if you don't have the foundation built. Much of this argument is based on the messaging we hear from vendors. They're understandably in the business of selling product. Be cognizant of how you're absorbing information. We need to also focus on the people, who unfortunately are fallible and can make non-malicious but poor decisions. If there was going to be any additional spending, the argument was to invest in your people - from the entire staff to specific training for your security staff.
Thu, 23 Apr 2020 - 28min - 309 - Should Risk Lead GRC?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-should-risk-lead-grc/)
Defining risk for the business. Is that where a governance, risk, and compliance effort should begin? How does risk inform the other two, or does calculating risk take so long that you can't start with it?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Marnie Wilking (@mhwilking), global head of security & technology risk management, Wayfair.
Thanks to this week’s podcast sponsor, Qualys.
Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.
On this episode of Defense in Depth, you’ll learn:
The model of risk = likelihood x impact doesn't take into account the value of assets. Assets have to be valued first before you calculate risk. Is the reason risk isn't used to lead governance, risk, and compliance (GRC) because it's so darn hard to calculate? Many CISOs say their toughest job starting out is trying to understand what the crown jewels are and what the board's risk tolerance is. Risk management allows the board to know when you have enough security. Some assets may require eight layers where others may only require one or two. Determining the likelihood of an attack involves a good amount of guesswork. We've discussed on a previous episode of CISO/Security Vendor Relationship Podcast that we don't go back to see how good our risk predictions were. If you want to get better at it, you should. Otherwise, it will always be guesswork. Even if you can get someone to agree on what their risk tolerance is, or what asset is of importance, trying to get agreement among a group can be a blocker. Keep in mind that each person is going to have a different viewpoint and concerns. Knowing risk appetite is critical. You can apply security controls without knowing it, but that means providing a uniform security layer across all data, people, and applications when they are not all equal when it comes to asset valuation.
Thu, 16 Apr 2020 - 24min - 308 - Responsible Disclosure
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-responsible-disclosure/)
Security researchers and hackers find vulnerabilities. What's their responsibility in disclosure? What about the vendors when they hear the vulnerabilities? And do journalists have to adhere to the same timelines?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Tom Merritt (@acedtect), host, Daily Tech News Show.
Thanks to this week’s podcast sponsor, Qualys.
Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.
On this episode of Defense in Depth, you’ll learn:
Manufacturers, software companies, researchers, hackers, and journalists all play a role in responsible disclosure. Vulnerabilities will exist, they will be found, and how companies want to be alerted about those issues and inform their public are key elements in the process of responsible disclosure. While there are CERT guidelines for responsible disclosure, there are no real hard and fast rules. There will always be judgement calls involved. But like the doctor's Hippocratic Oath, the goal is to minimize harm. You can't announce a vulnerability without offering a fix. It's opening the door for the bad guys to come in and cause havoc. There is a long history of how vulnerabilities have been disclosed. It often was a surprise and malicious. The trend of responsible disclosure and bug bounties has given rise to the legitimacy of white hat hackers and the process of exposing vulnerabilities. One listener argued that the term "responsible disclosure" implies a moral judgement. He argued that it should be referred to as "coordinated disclosure." There is still frustration on multiple sides with how responsible disclosure should be handled. Researchers sometimes argue they're not getting recognized or paid. Companies often feel extorted by researchers who want answers on their timelines. And journalists have to weigh the importance and criticality of a vulnerability. Should they let people know about it even if there really isn't a good fix yet?
Thu, 09 Apr 2020 - 25min - 307 - Internet of Things
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth:-internet-of-things/)
When Internet of Things or IoT devices first came onto the market, security wasn't even a thought, let alone an afterthought. Now we're flooded with devices with no security, and their openness and connectivity are being used to launch malicious attacks. What are the methods to secure environments today, and how should these IoT devices be secured in the future?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Josh Corman (@joshcorman), founder of I Am The Cavalry.
Thanks to this week’s podcast sponsor, Pulse Secure.
Pulse Secure offers easy, comprehensive solutions that provide visibility and seamless, protected connectivity for hybrid IT in a Zero Trust world. Over 20,000 enterprises entrust Pulse Secure to empower their mobile workforce to securely access applications and information in the data center and cloud while ensuring business compliance.
On this episode of Defense in Depth, you’ll learn:
For years, manufacturers didn't consider device security. As a result, attackers have used insecure devices like connected webcams to gain entry into a corporate network. If you're manufacturing devices, then make security and patches a top concern even after end-of-life support. There's a big gap between public trust and the reality. Almost all people trust manufacturers to secure their devices. The reality is most manufacturers aren't securing their devices. While we've seen webcams used to launch distributed denial of service (DDoS) attacks, the greatest concern is a similar style of attack being launched against industrial IoT. The discussion of IoT security goes beyond the security of devices. We know there are devices with zero security connected to our network. This is where a larger discussion of zero trust and defense-in-depth style security programming comes into play. We have a growing number of unmanaged devices: devices that are just always on and connected to the Internet, providing simple functions like reading their environment. How much responsibility do manufacturers have for the security of their devices after they've been purchased and shipped? They can create updates and patches, but they can't enforce them.
Thu, 02 Apr 2020 - 29min - 306 - Is Governance the Most Important Part of GRC?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-is-governance-the-most-important-part-of-grc)
Your policy should rarely change. But your ability to achieve that policy is found in the procedures, or governance, that inform, steer, and guide your team. Those procedures should change often, and others should follow them. Are they?
Check out this post for the basis for our conversation on this week’s episode which features me and Allan Alford. Our guest is Mustapha Kebbeh (@mustaphake), CISO, Brinks.
Thanks to this week's podcast sponsor, CyberArk.
At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.
On this episode of Defense in Depth, you’ll learn:
By leading with governance, how do you make a governance, risk, and compliance (GRC) program meaningful? Without the right governance it will be hard to accomplish the bigger picture.
GRC requirements have to adhere to the three A's: actionable, accountable, and achievable.
GRC programs require strong leaders. Without them, nobody will follow a governance effort.
There was debate on whether risk or governance should lead the GRC effort, but everyone appeared to agree that leading with compliance is very dangerous.
A list of rules, or governance, is completely pointless if it's not enforced. Add risk, compliance, and a good leader, and you've got the opportunity for enforcement.
Governance that's not tied to risk will probably be ignored and therefore useless.
The argument to lead with risk is that it has clear applicability to the business, where that applicability is questionable for governance and compliance. But for the purpose of this episode's argument, we were making the case for governance leading the conversation.
The main argument for governance over risk is that you can't truly understand the risk if there isn't some type of structure for understanding what you're dealing with.
Thu, 26 Mar 2020 - 27min
Podcasts similar to Defense in Depth
- Global News Podcast BBC World Service
- El Partidazo de COPE COPE
- Herrera en COPE COPE
- The Dan Bongino Show Cumulus Podcast Network | Dan Bongino
- Es la Mañana de Federico esRadio
- La Noche de Dieter esRadio
- Hondelatte Raconte - Christophe Hondelatte Europe 1
- Curiosidades de la Historia National Geographic National Geographic España
- Dateline NBC NBC News
- 財經一路發 News98
- La rosa de los vientos OndaCero
- Más de uno OndaCero
- La Zanzara Radio 24
- L'Heure Du Crime RTL
- El Larguero SER Podcast
- Nadie Sabe Nada SER Podcast
- SER Historia SER Podcast
- Todo Concostrina SER Podcast
- 安住紳一郎の日曜天国 TBS RADIO
- アンガールズのジャンピン[オールナイトニッポンPODCAST] ニッポン放送
- 辛坊治郎 ズーム そこまで言うか! ニッポン放送
- 飯田浩司のOK! Cozy up! Podcast ニッポン放送
- 吳淡如人生實用商學院 吳淡如
- 武田鉄矢・今朝の三枚おろし 文化放送PodcastQR