Redefining CyberSecurity

Sean Martin, ITSPmagazine
May 26, 2021 • 20min

Supply Chain Resilience In A Time Of Techtonic Geopolitical Shifts | Redefining CyberSecurity With Andrea Little Limbago

Geopolitical winds of change are upending global supply chains at an unprecedented pace and scope. There are challenges and opportunities.

Guest
Andrea Little Limbago
On Twitter 👉 https://twitter.com/limbagoa
On Linkedin 👉 https://www.linkedin.com/in/andrea-little-limbago/

This Episode’s Sponsors
Edgescan: https://itspm.ag/itspegweb
Key Resources Security: https://itspm.ag/keyresources-2876

____________________________

To see and hear more podcasts and webcasts about Redefining CyberSecurity for your business, tune in to ITSPmagazine at:
https://www.itspmagazine.com/redefining-cybersecurity

Are you interested in advertising on ITSPmagazine?
👉 https://www.itspmagazine.com/sponsorship-introduction

Are you interested in sponsoring an ITSPmagazine podcast?
👉 https://www.itspmagazine.com/podcast-series-sponsorships
May 24, 2021 • 17min

The State Of Worldwide Cybersecurity From The People Who Run It | Redefining CyberSecurity With Dr. Reem Faraj AlShammari

The CISO role has always been challenging. The last year brought the meaning of RESILIENCE to an all new level.

Guest
Dr Reem Faraj AlShammari
On Twitter 👉 https://twitter.com/Q8Thunders
On Linkedin 👉 https://www.linkedin.com/in/dr-reem-faraj-alshammari-b6324159/

This Episode’s Sponsors
Blue Lava: https://itspm.ag/blue-lava-w2qs
Key Resources Security: https://itspm.ag/keyresources-2876
May 17, 2021 • 33min

Don’t Be Afraid Of A Crisis And Don’t Let The Crisis Define You | Redefining CyberSecurity With Parham Eftekhari

Pushing the Panic or the Not Panic button may as well just be a difference in company culture. Planning, readiness, and experience are part of it, but not all of it. It all starts with how we define a crisis and how we react to it.

Successfully leading an organization through a crisis is one of the most challenging – and rewarding – experiences a leader will face in their career. Effective executives understand that the foundation for crisis management planning begins long before the problem arises and is grounded in developing cultures of trust and integrity.

This episode explores the role of communication, relationships, accountability, humility, kindness, and confidence in navigating a crisis, giving listeners insight into how to lead their teams and organizations through adversity.

If you are looking for ways to balance risk management with incident management... Have a listen.
If you want to find the best path forward to escape the chaos that often surrounds a crisis... Have a listen.
If you are wondering how to come out of a disaster, recovered as opposed to broken... Have a listen.

Guest
Parham Eftekhari, S.V.P. & Executive Director | The Cybersecurity Collaborative

This Episode’s Sponsors
Imperva: https://itspm.ag/imperva277117988
Archer: https://itspm.ag/rsaarchweb
Edgescan: https://itspm.ag/itspegweb
May 4, 2021 • 37min

It's #TableTopTuesday On Twitter | What Serious Silliness Did We Spot While Redefining CyberSecurity With Meg Hargrove?

Unless there's a plan that's been practiced, one's gut reaction is probably how things will roll when an incident occurs. #TableTopTuesday on Twitter from Meg Hargrove captures some of those "moments" — let's discuss.

Before we do, though, do any of these sound like your go-to first step during a cyber incident?
- “Brown alert”
- “Cry for a minute”
- “Update resume”

While these may get a chuckle from someone looking in on a fake situation presented on social media, incident response is no joking matter when real life is at stake. And that's why I wanted to have a conversation with @cybersecmeg — what she is doing with #TableTopTuesday on Twitter is nothing short of brilliant: present an incident use case and get feedback from the community for how they would respond.

There's no single right nor wrong answer, of course. And, the conversation doesn't just stop abruptly with an answer either — there's some good dialog from the community, presenting some solid options and some meaningful back-and-forth as the scenario unfolds.

Take this scenario, for example:

Credentials for your AWS cloud environment have been accidentally left hard coded into a PUBLIC GitHub repository. You check your cloud portal and find $75K worth of spend not created by your org. What do you do?

Well, time is up. The incident is happening. What do you do? What should you do?

First, listen to this chat with Meg and then check out the #TableTopTuesday threads to start planning and practicing.

Guest
Meg Hargrove, Cybersecurity Incident Response Manager (@cybersecmeg on Twitter)

This Episode’s Sponsors
Imperva: https://itspm.ag/imperva277117988
Archer: https://itspm.ag/rsaarchweb
Edgescan: https://itspm.ag/itspegweb

____________________________

Resources
Inspiration for this conversation:
https://twitter.com/cybersecmeg/status/1384603498323582976
https://twitter.com/cybersecmeg/status/1379523065999155201
https://twitter.com/cybersecmeg/status/1376981399719321604
Apr 19, 2021 • 38min

The Relationship Between Roles — PR/Media Relations And Information Security | Redefining CyberSecurity With Melanie Ensign And Ed Amoroso

A lot can be done by CSOs/CISOs to maximize value and reduce risks when working with PR/media. However, the path forward is not always straightforward. What are the common hiccups, screw-ups, and give-ups?

As part of our ongoing "CISO functional relationships" series, in today's episode, we look at the role of PR and the media as a function of establishing and maintaining trust internally with the executives, the board, the partners, and externally with the customers and the public.

There's an old saying, "There is no such thing as bad press. All press is good press," but that is precisely an "old" saying. Nowadays, branding and reputation matter, which is even more true in information security. The impact of a breach on the company's reputation and bottom line can cause some severe damage, but the story is more complex than that. Nowadays, there is an entire system that needs to change to manage reputation in the right way. The conversation with the media and the public can be more positive, constructive, and transparent.

In this podcast, we talk about this and much more.

Guests
Melanie Ensign, Founder & CEO, Discernible (@iMeluny on Twitter)
Ed Amoroso, Founder and CEO of TAG Cyber (@hashtag_cyber on Twitter)

This Episode’s Sponsors
HITRUST: https://itspm.ag/itsphitweb
Semperis: https://itspm.ag/semperis-1roo

____________________________

Resources
Medium Post by Melanie: https://medium.com/discernible/security-privacy-incident-hiccups-f-ck-ups-and-give-ups-e972ef46c3d
Apr 9, 2021 • 47min

The Connection Between Product Quality Assurance And Application Security In Business | Redefining CyberSecurity With Tom Morrissey And Cassio Goldschmidt

Nowadays, every company is pretty much a technology company, and as such, they all should have some understanding of quality assurance (QA). Also, an understanding of information security would be nice. The question is, how and where do these two worlds collide?

And, is that security world AppSec or DevSecOps? Or is it something completely different?

The QA role often approaches testing an application through user stories and use cases, working toward verifying that it does everything it is supposed to do. On the other hand, an application security team often comes to the situation from a different perspective; they try to get the system to do something it is not supposed to do, going beyond the user interface and breaking free from documented user scenarios.

While these two perspectives may differ significantly, there is still a ton of shared vision for reaching the end goal: rooting out as many bugs as they can to deliver the best possible product. They also share some common challenges as they try to connect and work with the line-of-business owners, architects, IT, operations, and engineering teams. With this in mind, what, specifically, are the synergies, and how can these two teams help each other succeed? Should they be working together, or does it make sense for them to remain separate?

Tune in to this episode, in which guests Tom Morrissey (a long-time QA and engineering director) and Cassio Goldschmidt (a very active application security expert and OWASP leader) reach back to the past to help us understand how QA has evolved and what lessons application security professionals can learn from that history.

Guests
Tom Morrissey, Director of Software Engineering
Cassio Goldschmidt, Sr. Director & CISO at ServiceTitan | OWASP Chapter Leader (@CassioGold on Twitter)

This Episode’s Sponsors
Imperva: https://itspm.ag/imperva277117988
Archer: https://itspm.ag/rsaarchweb
Edgescan: https://itspm.ag/itspegweb

____________________________

Resources
Learn more about OWASP: https://owasp.org/ (@owasp on Twitter)
Mar 16, 2021 • 34min

The Relationship Between Roles: Human Resources And Information Security | HR Is The Organization's Communications Super Glue | Redefining CyberSecurity Culture With Dora Ross, Global Security Culture Specialist

The human resources department within any organization is well-positioned to feel the pulse and monitor a company's culture—teams, divisions, and the organization as a whole. Because of this, it could be the ideal ally to the InfoSec team. But is it? Let's find out.

Consider the lifecycle of an employee. The initial company awareness, gaining familiarity with its brand, exploring its job opportunities, moving on to the next role, all the way to retirement—or perhaps even getting fired. Of course, there's everything in-between as well, including annual performance reviews, salary and compensation discussions, workplace behavior and related training, ongoing education, promotions, and more.

At each stop along their journey and throughout each of the phases within the candidate/employee journey, HR has an opportunity to help shape the company's culture by reinforcing fundamental principles, operational ethics, and the related policies and actions. Just as we should be baking information security into the products—as early, and as often as possible—we should follow this same model for building our workforce and the company culture in which they exist.

There's an opportunity for InfoSec and HR to collaborate to present and discuss the value of good information security hygiene: using a password manager, connecting through a VPN, paying attention to potential leaks or loss of data, and thinking critically during a security awareness training event—these are just a few examples.

The importance of security shouldn't begin once the person becomes an employee; the organization can demonstrate their investment in InfoSec well before the jobs are posted and the interviews start.

On the other side of the equation, there's an opportunity to maintain security and safety for the organization by encouraging a now-former employee to continue to carry with them the lessons they've learned as they move on to another company or retire into the sunset.

Easy to say, but is it that simple? How are HR departments holding on with all the new responsibilities piling up on their desk lately? Can they take one more role without a fundamental redefinition of their role within a company?

There's so much to be gained here. This is definitely a conversation worth listening to, especially if you are in HR, InfoSec, or are an employee (I think that captures everyone, doesn't it?).

Enjoy!

NOTE: This episode is part of our "Building Better Security Relationships" series. Catch the last episode with Legal Counsel here: http://itsprad.io/redefining-security-411

Guests
Dora Ross, Global Security Culture Specialist

This Episode’s Sponsors
Imperva: https://itspm.ag/imperva277117988
HITRUST: https://itspm.ag/itsphitweb
Key Resources: https://itspm.ag/keyresources-2876
Feb 11, 2021 • 43min

Taking The Insanity Out Of Incident Response | Take Control Of Your Security Operations Center | Redefining CyberSecurity With Melissa Duncan And Kristy Westphal

We know that SOC team members are burning out as they try to protect companies, yet many InfoSec programs repeat the same strategies expecting different results. Can we take insanity out of the incident response?

That's a good question. One that we're not going to answer, but one that we will discuss and hopefully encourage you all to think about with us as we try to get to the root of the problem: what needs to change.

In this podcast, we will shed some light on how SOC teams could modify their programs to embrace risk-based alerting and response enabled by information, and by doing so, filtering out as much noise as possible.

To do so, Sean Martin is joined by two seasoned security operations and incident response professionals: Melissa Duncan, who is responsible for developing security content, incident response procedures, and response automation, and Kristy Westphal, who uses her hands-on experience to design, implement and manage security and operational risk programs by bringing her passion for trying to — YES! — take the insanity out of incident response.

Join us for our journey as we explore how to pivot your SOC from the monotonous audit-based checking-of-boxes to a program that can manage real, high-priority, risk-based events to which your team can successfully respond.

Yes, you better believe that it is actually possible to run a SOC free from insanity. It's time to break from the same 'ole routine to try something different. The real-life in-the-trenches SOC experiences recounted by Kristy and Melissa can help your program get a bit more creative and bring those needed changes to light—for the security team and for the business goals too.

Perhaps a reset on one or more parts of your program will reinvigorate you and bring a renewed passion for what you do. Or, maybe not. In that case, we'll see you later as you tick that next checkbox.

Let's see how you feel after listening to this one.

Guests
Melissa Duncan, VP of Security Content and Response Automation at Union Bank
Kristy Westphal, VP of CyberSecurity Incident Response Team at Union Bank

This Episode’s Sponsors
Imperva: https://itspm.ag/imperva277117988
Key Resources: https://itspm.ag/keyresources-2876
Feb 1, 2021 • 35min

Patents Versus Progress: The State Of Technology And Innovation Protection | Redefining CyberSecurity With Joanna Chen And Puya Partow

Are technology patents helping us with innovation and collaborative creativity, or do they generate hyper complexity that is slowing our societies' advancement? Listen up, and maybe you will decide on your own.

By awarding and defending technological patents, we promote innovation by offering intellectual property protection to the invention and the inventors for what they've created. However, while patents may help achieve this specific goal, we must also wonder if we may be reaching the opposite results in particular situations.

Suppose companies can do research that can be used for good but is locked away in a patent (or any other intellectual property protection vehicle, for that matter). Are we really achieving what we want and what is ultimately good for humanity?

Since most systems are comprised of multiple parts, how can things get built while components of the bigger system remain protected under IP law? How do we balance promoting innovation, protecting innovation, and protecting society from ourselves?

What if Superman goes bad?
Do great responsibilities really come with great power?
If artificial intelligence invents something, does it also own the patent for it?

Of this, and many other exceptional things, we ponder—all in today's podcast.

Guests
Joanna Chen, Patent Attorney at Polsinelli (@chenjoanna on Twitter)
Puya Partow, Partner at Seyfarth Shaw LLP (@PuyaPatent on Twitter)

This Episode’s Sponsors
Nintex: https://itspm.ag/itspntweb
Imperva: https://itspm.ag/imperva277117988
RSA Security: https://itspm.ag/itsprsaweb
Jan 19, 2021 • 27min

Information Security Automation: Can You Automate Security Culture? | Redefining CyberSecurity With Tomasz Bania

The amount of work security teams have to handle is increasing exponentially and takes a severe toll on their ability to keep up with the threats. Thankfully, there is technology. Bring on security automation!

Automation sounds simple enough, right? But is it? And do security teams automate the right things?

When considering security automation, it's natural to look at the opportunity purely from a security operations perspective: responding to an incident, taking care of alerts, and looking into threat intelligence. But there's much more to it than that.

What are some of the basics of automation that teams get right?
What impact does that automation have on protection, detection, monitoring, and response?
How can security automation drive value not only for the InfoSec team but for the business overall?

When you dive deeper into this, you'll hopefully realize there are many IT- and business-related processes that you can—and should—be automating and integrating into your InfoSec program regularly. That's what we do in this episode with Dolby Labs' Tomasz Bania.

Tomasz presents some examples for how organizations can take a set of single actions, bringing them all together to potentially get to a point where you are doing the entire end-to-end process, leveraging a fully-automated—or, at least, a mostly-automated—implementation.

In this episode, we get into some real-world cases that InfoSec teams can take and operationalize. We also take the opportunity to talk about the relationship amongst business types, their level of maturity, and whether or not there is such a thing as "automation culture." If there is, can we actually automate that too?

If you want even more, be sure to catch Tomasz's RSAC 365 session (link below).

Guest
Tomasz Bania, Cyber Defense Manager at Dolby Laboratories

This Episode’s Sponsors
Nintex: https://itspm.ag/itspntweb
Imperva: https://itspm.ag/imperva277117988
RSA Security: https://itspm.ag/itsprsaweb

____________________________

Resources
RSAC 365 Session: Scaling Your Defenses: Next Level Security Automation for Enterprise
