Redefining CyberSecurity
Sean Martin, ITSPmagazine
Redefining CyberSecurity Podcast
Hosted by Sean Martin, CISSP
Have you ever thought that we are selling cybersecurity insincerely, buying it indiscriminately, and deploying it ineffectively?
For cybersecurity to be genuinely effective, we must make it consumable and usable. We must also bring transparency and honesty to the conversations surrounding the methods, services, and technologies upon which businesses rely. If we are going to protect what matters and bring value to our companies, our communities, and our society, in a secure and safe way, we must begin by operationalizing security.
Executives are recognizing the importance of their investments in information security and the value it can have on business growth, brand value, partner trust, and customer loyalty.
Together with executives, lines of business owners, and practitioners, we are Redefining CyberSecurity.
Episodes

Jan 14, 2021 • 36min
The Relationship Between Roles: Legal Counsel And Information Security | Redefining CyberSecurity With Cody Wamsley And Diego Fernández
Way too often, we think of cybersecurity professionals as if they come from another galaxy: aliens, with no understanding of the business and not much to contribute to it. Well, it's not true. In this series, we explain why.

There are exciting intersections between law, compliance, security, privacy, contracts, and business. It's time we talk about the value of building a strong relationship between information security and the legal team.

As if things were not already uneasy, to make things even more interesting, let's consider policy differences around the world. These can impact how organizations define and run their business, collect and store their data, protect their information and systems, and demonstrate that they are doing the "right thing." Toss in the 3rd-party vendor ecosystem, and now we're having fun. Unless, of course, the InfoSec and legal teams are working in silos, unknowingly causing the other team angst and pain—or worse—actively working against each other, bringing disruption to operational efficiencies and harm to the overall business.

Legal processes have been around for donkey's years. InfoSec practices, not so much. So, how do two lawyers familiar with security and privacy law (among other things)—who also have a hand in information security practices—view the relationship between the two roles?

We're glad you asked. Have a listen to find out.

Guests
Cody Wamsley, Associate at Dorsey & Whitney LLP (@codywamsley on Twitter)
Diego Fernández, Partner IP, IT & Privacy - RegTech - Marval, O'Farrell & Mairal (@DferDiego on Twitter)

This Episode’s Sponsors:
Nintex: https://itspm.ag/itspntweb
Imperva: https://itspm.ag/imperva277117988
RSA Security: https://itspm.ag/itsprsaweb

To see and hear more podcasts and webcasts about Redefining CyberSecurity for your business, tune in to ITSPmagazine at: https://www.itspmagazine.com/redefining-cybersecurity

Are you interested in advertising on ITSPmagazine? 👉 https://www.itspmagazine.com/sponsorship-introduction
Are you interested in sponsoring an ITSPmagazine podcast? 👉 https://www.itspmagazine.com/podcast-series-sponsorships

Dec 1, 2020 • 26min
PCI-DSS Version 4 Is In The Works—What Impact Might It Have On Security Operations And The Business' Bottom Line | Redefining CyberSecurity One-On-One With Mitch Parker
Many organizations leverage regulations and standards to help them define their security and privacy programs, and in doing so, spend time and money creating policies, implementing controls, and monitoring for exceptions. But what happens when the regulation or standard changes?

There's a seemingly constant barrage of change in the law and standards—and even in the supporting management/controls frameworks. Where the company is headquartered, where it does business, where its customers reside, where the customers' data resides, what type of customer data the company holds and interacts with, and what industry sector(s) the company operates in: all of this determines which of these regulations and standards it must adhere to. A change in any of these elements means a re-evaluation of the organization's risk profile and of the implementation of the mitigating controls.

This probably makes sense to many reading this. But what's missing from this equation? More than you may think.

To uncover the potential impact on business operations, the risk management program, security operations, and ultimately the business's bottom line, Sean Martin has a 1:1 chat with Indiana University Health CISO Mitch Parker. The two look at the v4 PCI-DSS update, currently in development and due to release sometime in the middle of 2021, as the driver for this conversation.

There's a lot to consider—and plan for—when changes occur. Don't get caught by surprise if you can avoid it. Prepare yourself, your staff, and your peers at the executive level for what's to come.

Guest
Mitch Parker, CISO, Indiana University Health (@mitchparkerciso on Twitter)

Resources
3 blogs related to the pending v4 PCI-DSS standard:
https://blog.pcisecuritystandards.org/pci-dss-looking-ahead-to-version-4.0
https://blog.pcisecuritystandards.org/pci-dss-v4-0-anticipated-timelines-and-latest-updates
https://blog.pcisecuritystandards.org/3-things-to-know-about-pci-dss-v4-0-development

This Episode’s Sponsors:
Nintex: https://itspm.ag/itspntweb
Imperva: https://itspm.ag/imperva277117988

Nov 16, 2020 • 40min
No Hollywood Ending Here: Prepare For A Doomsday Cybersecurity Conversation | Redefining CyberSecurity With Marcus J. Ranum
We've had enough conversations about the relationship between cybersecurity and technology to know that people have different expectations, hopes, and visions. Some utopian, some dystopian, and some are Marcus J. Ranum.

We met Marcus J. Ranum a few years ago during an ISSA Los Angeles Summit, where we had an inspiring and thought-provoking conversation about the idea of needing the equivalent of a Geneva Convention for cybersecurity. Given the many twists and turns the conversation took, it was at that point that we knew Marcus had a different perspective on cyber life, as many other professionals do.

Jump ahead a few years to our partnership with ISSA International, and we find ourselves with the opportunity to have an extended Luminaries Series chat with Marcus—this time looking at things through the lens of our Redefining Security channel. We take a look at the past, where Marcus was instrumental in bringing to life the first information security firewalls, and from there, we leap into the present and the future. Buckle up, because it is not a pleasant stroll in the park, and it gets pretty dark, very quickly.

In 1976, when Marcus "got into computing," the deployment of systems involved running a wire to a terminal, plugging it in, and enabling the operating system. And, when we say "enabling the operating system," we mean actually building a kernel for the system you were going to run it on, configuring the hardware, and configuring the device drivers that you needed in the operating system for the hardware that you were going to run everything on.

"We didn't have all these gigantic driver frameworks as we do nowadays. Everything was kind of low and slow, and lean and mean… it had to be because there wasn't infinite amounts of memory nor infinite amounts of processing power. And that had a direct effect on the way security evolved." —Marcus J. Ranum

Fast forward 40+ years—where have we landed, and where are we headed?

As you will hear, Marcus has a very dark view of the future of security: a future that involves software engineers, hardware engineers, increased complexity, ongoing abstraction, and an overall lack of comprehension of how things work. This story may be ripe for the picking for a Hollywood flick to hit your favorite streaming service. However, it may not be the traditional Hollywood ending that you might expect.

Come on, join us for this journey. It's one you won't want to miss being part of. Is there hope for the future of technology and humanity? Maybe. Maybe not.

Guest(s)
Marcus J. Ranum

Resources
Book: The Myth of Homeland Security by Marcus Ranum: https://www.amazon.com/Myth-Homeland-Security-Marcus-Ranum/dp/0471458791
Book: Huawei and Snowden Questions: https://openlibra.com/en/book/the-huawei-and-snowden-questions

This Episode’s Sponsors:
Nintex: https://itspm.ag/itspntweb
Imperva: https://itspm.ag/imperva277117988

Oct 12, 2020 • 35min
Simplifying Information Security And Making It A Business Driver | Redefining CyberSecurity With Joshua Scott
Cybersecurity and business haven't played the same game — mostly because they did not understand each other. Thankfully, these days, security can be not only the business protector but also a driving force for growth.

We often hear stories about digital transformation and moving on-premises data centers to the cloud, but seldom get to listen to the specifics of these business-defining projects. Who is involved, and how these critical relationships are established and maintained, are essential factors in understanding the real value an InfoSec team can bring to the business.

CISOs and their business peers who fail to connect the dots between cyber risk management and the business objectives can actually be doing the business a disservice, namely through the language, the jargon, and the mysteriousness about what both sides are trying to accomplish. Let's face it: many organizations don't realize it, but they are making things too complicated.

Listen to today's story to hear how our guest, Joshua Scott (former CISO of Realtor.com), supported the business, making things really simple to understand while providing quick feedback that allowed the organization to move things along and grow.

Ultimately, it was about establishing relationships and open communication across the organization, which reduced operational burden while also reducing the potential impact of a threat.

"Really getting the organization to care about security was hard; it was really hard. That's why I started focusing on understanding what was important to them." —Joshua Scott

Guest
Joshua Scott, former CISO, Realtor.com

This Episode’s Sponsors:
RSA Security: https://itspm.ag/itsprsaweb

Sep 22, 2020 • 49min
Zero To Trust In 60 Seconds | The Race To Overcoming Our Cybersecurity Challenges | Redefining CyberSecurity With Siân John, Zulfikar Ramzan, Chris Roberts, And Francesco Cipollone
Zero Trust sounds impressive and futuristic, but it isn't really a new concept — and what does it actually mean? It is not that different from past trust models such as Trust But Verify and Least Privilege.

So, here we are once again, stating the obvious: if we don't think differently about the problems we face, we're not going to be able to solve them.

Security practitioners and managers are bombarded by marketing messages that require decoding and interpretation, and how to make a decision is, quite literally, more than a matter of trust. Do they listen to analysts, vendors, auditors, their peers, or their gut?

Security professionals and their teams are expected to keep up with the changes as new industry reports come out and new technologies are brought to market. Still, they are often forced to continuously think differently about the problems they face in a confusing, distracting, and counterproductive way. This is simply not good for our industry nor for our businesses' security.

In today's episode, we muse on and question the status quo that has characterized our industry for the past 20 years. We go beyond this debate and beyond the Zero Trust concept to look at how organizations should evaluate not just their tech stack but also their teams, operations, and processes. We reflect on where trust fits in, how it plays a crucial role in a security program, and why it isn't binary in nature.

Yes, you must think differently, but it's not a good idea to rely on others to think differently for you. Think for yourself and your organization — as you are the one who knows what matters the most for your business.

Then, put your thinking cap on and enjoy this episode of Redefining Security.

"You have this perfect plan, but then you hit the real world and no plan survives contact with the enemy." —Dr. Zulfikar Ramzan

"Why do we keep doing this? We continue to chase technology. Why do we not think about the human? Why do we think about the process and procedures? Zero Trust would be great if we could actually know where the hell all the data was inside an environment." —Chris Roberts

"We are our own worst enemy. We produce something that is beautiful in our head, but it doesn't work in practice." —Francesco Cipollone

"We're always looking for the easy button as an industry and then blame vendors when they buy the easy button and it doesn't work." —Siân John

Guest(s)
Siân John | Zulfikar Ramzan | Chris Roberts | Francesco Cipollone

This Episode’s Sponsors:
Nintex: https://itspm.ag/itspntweb

Sep 15, 2020 • 42min
From Reactive To Proactive — The Evolution Of Security And Of The CISO Role | Redefining CyberSecurity With Matthew Rosenquist
Once upon a time—not that long ago—the Information Security field had no rules, definitions, tools, or frameworks, and it was a new frontier to be discovered and conquered. Now, looking back, we sure have come a long way.

In this episode of the Business of Security channel, we travel in time with Matthew Rosenquist. Together we take a look back to understand how we got to today and what the future of Security and the CISO role is going to be.

Back then, individuals and teams were undoubtedly working on risk mitigation, controls implementation, and fraud management, but it was a reactive and binary approach to problem-solving. As we compare and contrast the past to the present, it's hard to find similarities from a security program definition and execution perspective; many today complain that their teams are overwhelmed with data, events, and incidents, creating burnout. Looking back, being overwhelmed by data wasn't really possible, as the sources of data, types of data, and quantity of data can't even compare to what teams are dealing with today.

As complexity, experience, business models, and technology solutions grew, philosophy and methodology had to change and mature along with the technology and the business drivers that have transformed the security field into today's reality.

Today's Security Management must be driven by business values and a proactive mentality. We are starting to see that in many industry verticals, advanced technologies, privacy, policies, etc. We will never win, or even catch up, when we're reactive.

"That's the first challenge, I think, in anyone's career. Where are you passionate? What are you good at? How are you going to contribute? You're not going to solve the world. Right? But you play a role. You're a piece in a bigger puzzle; find out where you fit and go with it." —Matthew Rosenquist

"We never catch up when we're reactive. And, unfortunately, there's an axiom in our industry: security's never relevant until it fails. We need to break that axiom. We need to start thinking about the risks. And we're starting to do that." —Matthew Rosenquist

Guest
Matthew Rosenquist, CISO at Eclipz.io

This Episode’s Sponsors:
RSA Security: https://itspm.ag/itsprsaweb

Jul 8, 2020 • 43min
The Value Of Investing In CyberSecurity — A Story About Stories In Film And Television Production | Redefining CyberSecurity With Ramy Katrib And Nancy Jundi
In today's episode, we get to connect with Ramy Katrib, Founder & CEO, and Nancy Jundi, COO, both of DigitalFilm Tree in Los Angeles.

How do CEOs and their executive-level peers make decisions about their cybersecurity investments, and how do they project and measure the outcome of that investment?

Ramy and Nancy recognized the value of information security early on in the company’s development and found that investments in a combination of traditional infosec technologies and customized, in-house-developed cybersecurity capabilities proved to be a competitive differentiator, viewed as a luxury service by their clients.

Join us for a great story about telling — and protecting — the stories we see on TV, the big screen, and connected devices.

Guest(s)
Ramy Katrib, CEO | Nancy Jundi, COO

This Episode’s Sponsors:
RSA Security: https://itspm.ag/itsprsaweb

Mar 13, 2020 • 52min
5G: Impact Of Speed & Scale On Security & Privacy | Redefining CyberSecurity With Patrick English (British Telecom), Jason Hoffman (Deutsche Telekom), Chris Novak (Verizon)
Are you ready to "geek out" on 5G with my guests and me? Good!

Put your thinking caps on and get ready to explore the world of 5G connectivity and all of the benefits it brings to society. Don't worry, though; we also take a good, hard look at how it changes the way we look at connectivity, data transport, data storage, data sovereignty, integrity, and more—all through the double lens of security and privacy.

We don't hold back during this conversation as we cover the following topics, and more:

A brief history of 1G to 5G: what's changed, and what have we learned since?
What makes 5G so unique, and why are "odd G's" something to take notice of?
What are some use cases and case studies in play today, and what can we expect to see in the near future?
Have we baked enough security and privacy into 5G to make a difference as we enter the world of "everything connected" in IT, OT, IoT, and beyond?

If you can’t tell from this list, I’m very serious; we do get into some of the technical aspects of this, which makes it a fascinating conversation while also setting the stage to understand the full impact 5G will have on the security CIA triad: Confidentiality, Integrity, and Availability.

Now, it's time to use your (likely 5G-connected) device and have a listen. Ready? Go! Press play!

Guests
Patrick English, British Telecom
Jason Hoffman, MobiledgeX, Deutsche Telekom
Chris Novak, Verizon Enterprise Solutions

This Episode’s Sponsors:
Nintex: https://itspm.ag/itspntweb