
CISO Series Podcast

Latest episodes

May 7, 2021 • 34min

Do We Have to Let the CISO Sit With Us?

All links and images for this episode can be found on CISO Series https://cisoseries.com/do-we-have-to-let-the-ciso-sit-with-us/ I guess because it's a pandemic, and we really need them, just this one time, we'll let the CISO hang out at the cool kids' table. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Jadee Hanson (@jadeehanson), CISO, Code42. Thanks to our podcast sponsor, Code42 Redefine data security standards for the hybrid workforce. Check out Code42. In this episode: Apparently, CIOs have become really hot commodities within the organization Do compliance checkboxes to third party surveys provide any security for the supply chain? Insider risk should look more at mistakes as well as intentional acts The real value of vendor white papers
May 4, 2021 • 35min

Why Commute When You Can Stay Home and Be Overworked?

All links and images for this episode can be found on CISO Series https://cisoseries.com/why-commute-when-you-can-stay-home-and-be-overworked/ Work from home seemed ideal until you realized you were working at all hours with people all over the world. It would actually be a nice respite to have to commute and leave work at a reasonable hour. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Adam Glick, CISO, Rocket Software. Thanks to our podcast sponsor, Code42 Redefine data security standards for the hybrid workforce. Check out Code42. In this episode: Work-from-home – the joys and the sorrows What do we want the board and C-Suite to know about cybersecurity? Are you a cybersecurity or infosec hiring manager? What kind of interview questions do you ask? CISOs working with young cybersecurity entrepreneurs      
Apr 27, 2021 • 35min

Pushing This to the Top Of Your Inbox So You Can Delete It Again

All links and images for this episode can be found on CISO Series https://cisoseries.com/pushing-this-to-the-top-of-your-inbox-so-you-can-delete-it-again/ We're following up on our previous email because we love to engage in self-defeat. We assume you don't want to hear from me again, but just to make sure, I've delivered another email for you to delete. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Rinki Sethi (@rinkisethi), CISO, Twitter. Thanks to our podcast sponsor, Sonatype With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company’s Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code. In this episode It takes a while to hire an awesome cybersecurity team. It takes even more work to keep them. Breaches are bad, but handling them badly might be worse The unique aspects of work from anywhere security that take time to discover More of "what not to do" as a vendor pitching a cybersec prospect  
Apr 20, 2021 • 39min

OK, I Get It. You’re All Special Snowflakes.

All links and images for this episode can be found on CISO Series https://cisoseries.com/ok-i-get-it-youre-all-special-snowflakes/ This department manager thinks their data is the most important. But then this department manager thinks their data is the most important. Can there really be so many crown jewels in your company that are all equally important? How's a CISO supposed to prioritize? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Melody Hildebrandt (@mhil1), executive vp, consumer products and engineering, and CISO, Fox Thanks to our podcast sponsor, Herjavec Group Herjavec Group excels in complex, multi-technology environments and keeps enterprise organizations secure with best of breed products and comprehensive service offerings. With 5 global Security Operations Centers, emerging technology partners, and a dedicated team of security specialists, we are well-positioned to be your organization’s trusted advisor in cybersecurity. Let’s connect! On this week's episode Hey, you're a CISO, what's your take? Recently, we did a Friday video chat on "Hacking the Crown Jewels" where we talked about what's really important, where it resides, and who's accessing it and when. One of the questions that came up from consultant Ian Poynter was how do you handle the conflicts from the different department leaders as to what the crown jewels are? And Jakub Kaluzny of SecuRing asked, "What's harder, identifying your crown jewels, or protecting them?" Can you change Mike's mind? Our guest, Melody Hildebrandt mentioned that as of recently she was in a pro-vendor mood Only three months into the year she has taken more new vendor meetings than in all of 2020. What changed? And can she convince Mike to do the same? "What's Worse?!" As always, this will be a surprise on the show. And no one will like the options. 
If you haven’t made this mistake, you’re not in security Even if you've configured your email security platform correctly, you can still fail early and often as our guest Melody discovered. But she actually published her findings on Tech Insiders, along with Paul Cheesbrough. Examples she provided included email account compromises that resulted in full evasion of standard email defenses. And given that her business is often an early target for new attacks, protection through threat analysis has become essentially useless. Her solution for enterprise email is to adopt an API-based solution instead of gateways, along with deep machine learning, and continuous protection of email rather than initial scanning and approval. Let's look at how difficult this shift was and how Melody is managing it. There’s got to be a better way to handle this On Twitter I asked, "Since security people don’t get applause when nothing happens, how do you let the rest of the company know how well the security team is doing?" One mentioned a slide on reports that says "X days without a breach" others suggested showing improvements to metrics like vulnerability and mean time to response. So what do we say to the whole company, not just the board?    
Apr 13, 2021 • 34min

What to Expect When You’re Expecting a Network Breach

All links and images for this episode can be found on CISO Series https://cisoseries.com/what-to-expect-when-youre-expecting-a-network-breach/ Are you expecting a little intrusion into your network any day now? You better be prepared. Are there some vulnerabilities you should have managed, but didn't? Don't worry, first time security professionals are always scared about their first incident. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Scott Kuffer, co-founder and COO, Nucleus Security. Thanks to our podcast sponsor, Nucleus Security Nucleus unifies your existing security stack, integrating with over 70 scanners and external tools, creating a centralized hub to control the chaos of vulnerability analysis, triage, and remediation. Ready to make the tedious VM process simple through smart automation and workflow optimization? See for yourself at https://nucleussec.com/demo On this week's episode There’s got to be a better way to handle this We constantly hear security leaders talk about "people, process, and technology". Overwhelmingly, most security vendors are selling technology, then after a very steep drop there is the sale to managing people, and then "process" feels like a neglected stepchild. Let's talk about one process change made in the past year that had a significant impact on security posture. And what is the "process" in security that needs the most help? Is there an opportunity in this area for security vendors or is this just a combination of project management and increased automation? What do you think of this vendor marketing tactic Are security vendors eating their own dog food? The next time a security vendor pitches you, Chris Roberts of Hillbilly Hit Squad said on LinkedIn, "Ask them if they are using their own systems to protect themselves OR if they’re relying on someone else’s technology to protect their arses."
An excellent question and HOW a vendor answers that question is very telling. So, is our sponsored guest using his own product to protect his business? "What's Worse?!" Jeremy Kempner, BT Americas offers up two really crappy communications options for Scott and Mike to wrestle with. Please, Enough. No, More. This week's topic: Risk-based vulnerability management, which can be defined as prioritizing your vulnerability remediation based on the risk it poses to your organization. What have we heard enough about with risk-based VM and what should we hear more about? How have you actually pulled this off? One of the key parts of a successful pentest is the reconnaissance phase where the necessary background information is generated. Let's walk through that process. How much involves planning vs. discovering? It's assumed that a lot of creativity goes into making a successful pentest. What are some of the techniques and information needed to increase success?    
Apr 6, 2021 • 34min

We Recommend a “Know the Right People” Certification

All links and images for this episode can be found on CISO Series https://cisoseries.com/we-recommend-a-know-the-right-people-certification/ There are so many fantastic certifications out there for security professionals. But we've found the one certification that will really help you land the right job really quickly, is to provide proof that you know some people at our company who can vouch for you. Remember, we are a business that operates on trust, not giving people their first chances in cybersecurity. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Jesse Whaley, CISO, Amtrak. Thanks to our podcast sponsor, Adaptive Shield Adaptive Shield ensures companies gain control over their SaaS app security and prevents the misconfigurations and vulnerabilities that could lead to a leak or breach. Adaptive Shield connects to any app, continuously monitors all configurations, provides a complete picture of the company's SaaS estate, and enables quick remediation of any potential threats. In this week's episode Why is everybody talking about this now? Should cybersecurity professionals fight back rather than block and tackle? Former US government cyber security chief Chris Krebs has called on law enforcement and others to fight back against ransomware attackers. Krebs suggested posting private information of the hackers with malicious intent, AKA doxxing. "Hacking back" is dangerous as it's hard to determine the attacker, and you're essentially taking the law into your own hands, but Chris Krebs is recommending this, seeing that ransomware is the biggest threat. Dan Lohrmann of Security Mentor shared this article from the Financial Times and it drove a lot of debate. We've heard this before, but from someone like Chris Krebs, that's astonishing. What level of fighting back should people be comfortable with? Are we having communication issues?
"I push back [on vendors] because I want depth and context from first contact," said John Keenan, director of Information Security, at Memorial Hospital at Gulfport. In this post on LinkedIn he said he's annoyed with vendors' generic first outreach and when he declines their response is "Well, I had to give it a shot". If they want a real connection, include "What's In It for Me". A generic response of "I think you'll really like what we've got to show," does not qualify. Let's talk about who has ever received a first (or heck any) contact that did have depth and context and could clearly articulate the "what's in it for you" message. "What's Worse?!" This week's challenge is from Nir Rothenberg, CISO, Rapyd. How have you actually pulled this off? Hiring in cybersecurity is a bear. As we've discussed before on this show, there's actually plenty of supply and demand in cybersecurity, yet jobs are not getting filled, possibly because of unreasonable requirements. Let's talk about what percentage of all the ideal skills people are willing to accept in a new hire, and situations where someone was hired who didn't possess that must-have skill for the job. And also let's look at the most effective training or mentoring technique used to get employees to adopt those skills. Hey you’re a CISO. What’s your take? On Twitter, Alyssa Miller AKA @alyssaM_InfoSec asked: "You're the CISO, rank the priority of the following list from a security perspective and explain your reasons: A. A well-defined vulnerability management program B. A reliable configuration management database/Asset Inventory C. A comprehensive metrics and reporting practice." A slight majority voted BAC or asset management, vulnerability management, then metrics. But there was plenty of disagreement. Let's look at that.
Mar 30, 2021 • 38min

My Backup Plan Is Hoping My Cloud Provider Has a Backup Plan

All links and images for this episode can be found on CISO Series https://cisoseries.com/my-backup-plan-is-hoping-my-cloud-provider-has-a-backup-plan/ I think maybe I should check to see if we paid for cloud backup protection. Or maybe, we're doing it. Who knows? This episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest this week is Ty Sbano (@tysbano), chief security and trust officer, Sisense Thanks to our podcast sponsor, Adaptive Shield Adaptive Shield ensures companies gain control over their SaaS app security and prevents the misconfigurations and vulnerabilities that could lead to a leak or breach. Adaptive Shield connects to any app, continuously monitors all configurations, provides a complete picture of the company's SaaS estate, and enables quick remediation of any potential threats. On this week's episode Why is everybody talking about this now? Is your cloud service provider backing up your data, or should you be doing that? Many users of OVHcloud realized they should have been doing it because they didn't realize what they had bought. OVH suffered a fire that destroyed one of its data centers making some of the customer data unrecoverable. They had backup of some services, but no backups of other data. As of now, OVH is backing up all customer data for free, but this speaks to a big problem with trusting cloud providers, noted Enrico Signoretti of GigaOm in a post on LinkedIn. Did you pay for backups? How are they being provided? Where physically are they? And how often do you test restoring? Everyone knows they should do this, but how often is it actually being done? Someone has a question on the AskNetSec subreddit On the AskNetSec subreddit, the question was asked, "What's the advantage of reporting bugs to official sources over brokers?" Some really good pro and con discussions of both ranged from brokers usually pay more, to going straight to the source seems "the right thing to do." 
But there were so many variances that it wasn't that cut and dry. As a bug bounty hunter, if you find a significant bug, where should you go first?  "What's Worse?!" Rick Woodward from Gibbs & Cox asks, "which kind of dishonesty is the worst?" Hey you’re a CISO, what’s your take? Another redditor on the AskNetSec subreddit asks, what kinds of questions should the interviewee ask about a company's environment so they know they're not walking into a giant mess? There were a ton of good suggested questions in the thread. If you could only ask three, which three would you ask that would give you the most information about both the stability and challenge of the security environment? What would you advise? Ross Young asked, I want to be a board advisor, how am I going to be paid? How much effort do I want to spend on this? What compensation should I expect? What do companies expect a CISO as an advisor to do? You both are advisors, so what's your experience, advice, and what have you heard from others?  
Mar 23, 2021 • 34min

Patches? Yes, We Need Stinkin' Patches!

All links and images for this episode can be found on CISO Series https://cisoseries.com/patches-yes-we-need-stinkin-patches/ There was a time we could trust a patch, but now our adversaries are actually looking at the patches to find even more vulnerabilities. And we keep patching those as well. Our patches' patches need patches. When does it stop?! This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Travis Hoyt (@travisehoyt), managing director, exec cybersecurity technology, TIAA Thanks to our podcast sponsor, Adaptive Shield Adaptive Shield ensures companies gain control over their SaaS app security and prevents the misconfigurations and vulnerabilities that could lead to a leak or breach. Adaptive Shield connects to any app, continuously monitors all configurations, provides a complete picture of the company's SaaS estate, and enables quick remediation of any potential threats. On this week's episode What’s the best way to handle this The vulnerability landscape is changing, according to a new report from Rapid7. One issue, as Rob Lemos of DarkReading reports, is that you can't necessarily trust patches. They're often incomplete, and attackers look at existing patches as an opportunity to find more flaws, which they do. And the threats come from different angles: they're widespread, targeted, often using a zero-day, and there are other vulnerabilities that are impending threats. It seems that the portion of the threats you know about and can defend against is shrinking, and you're battling more of the unknown. Have you seen similar, and if so how has your security program shifted as a result? That’s something I would like to avoid The NSA recently provided guidance on creating a Zero Trust security model. In the piece, the NSA says, "transitioning to a [zero trust] system requires careful planning to avoid weakening the security posture along the way." So what is the NSA talking about? 
What are common transitioning moves to zero trust that can make you vulnerable? "What's Worse?!" Jonathan Waldrop from Insight Global delivers a challenge specifically tailored for Mike. Please, Enough. No, More. Let's look at SaaS posture management, or just the ongoing management of potential issues that may come across SaaS platforms - and consider what we have heard enough about with regard to SaaS posture management, and what we would like to hear a lot more about. Umm is this a good idea OSINT should go beyond finding out a security practitioner's email and phone number, argued Alyssa Miller of S&P Global Ratings. Alyssa received an email pitch from a vendor offering a gift and she declined. That same vendor then followed up and called her. The vendor was pitching her something that wasn't in her department, that she had no control of, and she couldn't accept gifts because her company is in a heavily regulated market. In summary, Alyssa said if you're going to use OSINT, understand the person's business, their role, and if making such a request would be counterproductive. What types of vendor OSINT tactics work well and what types work poorly?      
Mar 16, 2021 • 32min

I Think Possibly Maybe We've Solved Diversity in Cybersecurity

All links and images for this episode can be found on CISO Series https://cisoseries.com/i-think-possibly-maybe-weve-solved-diversity-in-cybersecurity/ We're tired of hearing "we're trying" when it comes to the subject of how companies are trying to inject diversity into their organizations. It's a lopsided game and diverse candidates have to make ten times the number of attempts as their non-diverse counterparts. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Jimmy Sanders (@jfireluv), cybersecurity, Netflix DVD. Our guest this week is Jerich Beason (@blanketSec), svp, CISO, Epiq. Thanks to our podcast sponsor, Living Security Traditional approaches to security communication are limited to one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely affect long-term behavioral change. This report lays out a four-step plan that CISOs should follow to manage the human risk. It provides design principles for creating transformational security awareness initiatives which will win the hearts and minds of senior executives, employees, the technology organization, and customers. On this week's episode How have you actually pulled this off? As discussed before on this show, being the next CISO at a company that was recently breached can be very lucrative. We've had guests that have very successfully negotiated huge salaries as the post-breach CISO. Are CISOs setting themselves up for far too much responsibility to be seen as the company's digital savior? What are the responsibilities of a post breach CISO? Got a better answer than "we're trying?" Over the years we have interviewed dozens of business owners, security professionals, and hiring managers about diversity. Almost all their answers fall into the following buckets: We're trying but there's no pipeline. We're working with XXX group to improve.
Diversity is needed because diversity of thought is needed to create a more secure organization. No one will admittedly say they're against diversity. Yet systemic racism, sexism, or just boys' clubism in general continues to exist. It appears most of the non-diverse business leaders are being pressured into admitting it's a problem. So they do it, and we even get token hires, but it all comes off as diversity theater and not the business actually making a shift. What is the story of diversity in cybersecurity many people don't get and need to actually be doing, not just giving lip service to? "What's Worse?!" Eugene Kogan, CSO at a confidential company sets it up: Who do you want on our side: executives or employees? And now a listener drops knowledge "Learn cybersecurity in public," suggests AJ Yawn of ByteChek who recommends joining a training program and then publishing what you've learned on a blog. As AJ explains, "Doing this will help you build relationships & prove to potential employers you’re applying your new knowledge." He concludes with the advice, "Don’t learn in silence." The community responded to AJ's advice. It's great advice, which everyone agreed to in the comments, but why then do so few people actually do it? There’s got to be a better way to handle this Zero trust is not a technology that can be purchased as a solution. It's an architecture, methodology, and framework that you have to consciously adopt, noted Stephen Lyons of F5 on a post on LinkedIn. Can solutions already in-house be rejiggered to adopt a zero trust methodology? And if so, what changes would need to be made to existing systems to have a more zero trust environment?
Mar 9, 2021 • 35min

Unnecessary Research Reveals CISOs Hate Cold Calls

All links and images for this episode can be found on CISO Series https://cisoseries.com/unnecessary-research-reveals-cisos-hate-cold-calls/ In a study we never actually conducted, our fellow security leaders said unequivocally that there never has been a time they welcome a phone call from someone they don't know trying to book a demo to see a product they have no interest in. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Andy Steingruebl (@asteingruebl), CISO, Pinterest. Our guest this week is Andy Purdy (@andy_purdy), CSO, Huawei Thanks to our podcast sponsor, Living Security Traditional approaches to security communication are limited to one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely affect long-term behavioral change. This report lays out a four-step plan that CISOs should follow to manage the human risk. It provides design principles for creating transformational security awareness initiatives which will win the hearts and minds of senior executives, employees, the technology organization, and customers. On this week's episode Here’s some surprising research As compared to small and medium companies, big enterprises don't appear to trust the big telcos to execute their 5G strategy. This according to new research from Omdia as reported by Iain Morris of Light Reading. When asked, "do you trust a communications service provider, AKA big telco, to execute your security strategy," SMEs overwhelmingly supported the telcos over all other options, and big enterprises didn't. They trusted their own expertise or wanted to lean on a cloud service provider like Amazon or Google. Let's investigate this discrepancy. 
If you're not paranoid yet here’s your chance As if you didn't know it already, get ready for some sobering news about third-party risk: According to a survey by BlueVoyant, as reported by SC Magazine, 80 percent of those surveyed had at least one breach caused by a third party vendor within the past year. Most of those surveyed didn’t monitor third-party suppliers for cyber risk. But, even if they wanted to, it's often a point in time measurement, sometimes only yearly, and organizations have an average of 1409 vendors. UK's National Cyber Security Center puts the focus of securing against third party risk squarely on the development of the software supply chain, and the need for isolation and proven security checks throughout the development process. That may be good advice, but it still seems so overwhelming given the volume and how much you can't control. "What's Worse?!" A vulnerability response and incident detection conundrum from Jonathan Waldrop, Insight Global. What’s the best way to handle this Lessons learned from a big security incident and how these will be applied to the next big security incident. What do you think of this vendor marketing tactic Very few, if any, security leaders like cold calls. Yet, even with all the expressed distaste of them, they still exist, and that's probably because they still work, and still deliver significant ROI. But when these companies are calculating that ROI, are they calculating all the people they've annoyed? One vendor sales rep said that after searching their CRM for "Do Not Call" there was a slew of vitriol from CISOs screaming to never contact them again. And as we all know, CISOs talk to other CISOs. So if you've angered one CISO sufficiently to never consider you, they've probably told a few friends as well. Let's discuss getting pushed over the edge by a vendor's aggressive sales tactics and what was done to essentially shut them off, including telling others about their actions.
