CISO Series Podcast

All links and images for this episode can be found on CISO Series https://cisoseries.com/one-day-youll-grow-up-to-know-less-than-you-do-now We know so little when we're born. We're just absorbing information. But then we get older, and get the responsibility to secure the computing environment of a large company, we actually see that knowledge we absorbed start slipping away. What we thought we knew of what's in our network is so far afield from reality. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Tomás Maldonado (@tomas_mald), CISO, NFL. Thanks to our podcast sponsor, Nucleus Security Nucleus unifies your existing security stack, integrating with over 70 scanners and external tools, creating a centralized hub to control the chaos of vulnerability analysis, triage, and remediation. Ready to make the tedious VM process simple through smart automation and workflow optimization? See for yourself at https://nucleussec.com/demo It’s time to measure the risk Outside of security basics and popular controls like SSO, MFA, and password management, what are the most effective means (or security control) to reduce risk? People have been offering some great suggestions on LinkedIn such as reducing attack surface, knowing what you're protecting, education, more conversations about risk, and actually having someone in charge of security and risk. All reduce risk, but what truly gives the biggest bang for the buck in terms of risk reduction? Are we making this situation better or worse? When things break, what's the best tactic to remediation? A bigger/better version of the last thing, or critical thinking? Both actually have serious costs associated to them. The first being equipment and maintenance, and the second having the talent that's able to think of unique and innovative soluitons. In a post on LinkedIn, Greg van der Gaast of cmcg argues that bigger walls just result in continued security problems at a more expensive, yet slower rate. He argues many issues could be avoided with critical examination, especially in IT. It's time to play, "What's Worse?!" Ross Young asks how badly do you need to measure your security program. How would you handle this situation? Our guest, Tomás Maldonado, describes what's unique about being a CISO for the NFL - the specific security concerns that aren't necessarily on the radar at his previous organizations, and the security issues around huge global events like the Super Bowl. Well that didn’t work out the way we expected Perception vs. reality in security. On LinkedIn, Ross Young, CISO at Caterpillar Financial Services said, "In April 2018, McAfee published a survey asking 1,400 IT professionals to estimate the number of cloud services in use within their organization. The average response was 31, with only 2% of respondents believing that they had more than 80—yet the real average is 1,935." This supports the great need of asset inventory. There are many instances CISOs have to make an estimate of what they have given the best information. We look at examples of when the reality of a situation was far from the initial perception, and how to manage this.

All links and images for this episode can be found on CISO Series https://cisoseries.com/would-you-look-at-that-unrealistic-licensing-deal/  CISOs know that salespeople want to make the best licensing deal they can possibly get. But unpredictability in the world of cybersecurity makes one-year licensing deals tough, and three-year licensing deals impossible. This episode is hosted by David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Mark Eggleston, (@meggleston) CISO, Health Partners Plans. This recording was recorded live in front of a virtual audience at the "SecTalks - Leading with grit in security" virtual conference brought to you by our sponsor, Cobalt. Thanks to our podcast sponsor, Cobalt Cobalt offers a faster more effective pentesting solution through its Pentest as a Service (PtaaS) platform. With it, you can schedule a pentest in as little as 24 hours for all kinds of assets. The platform also connects you with a global pool of pentesters called the Cobalt Core, whose skills can match what you need. And instead of sending you a huge PDF that raises more questions you can’t answer, they engage with your team throughout the pentest. Findings can land straight into Jira and GitHub, helping you fix vulnerabilities as soon as they’re discovered. Cobalt makes pentesting easy, quick to deploy, scalable, and simple to remediate. On this week's episode Why is everybody talking about this now? A redditor is struggling and overwhelmed! The person is in school studying, working, and loving cybersecurity, but has completely and utterly failed the foundations course and is on academic probation. The person told their story to the cybersecurity subreddit community, and the support came out in droves. We've seen this before. People hit a major wall professionally and they just reach out to the anonymous masses for support. The story hits a nerve and the community is eager to show encouragement. In fact, just this past week, the New York Times had an article about the unemployment subreddit offering advice and information to those struggling. We'll take a look at this tactic of reaching out for support and guidance through discussion boards. What do you think of this vendor marketing tactic? "Pro tip to vendors: don’t claim that you can’t do a one-year licensing deal. You might end up with a zero-year license deal", said Ian Amit, CSO, Cimpress on LinkedIn. We'll look at the art of negotiating a contract with a vendor: What is it ultimately you want? What are you willing to concede on and what must you have? And what are the situations that cause this to change? It's time to play, "What's Worse?!" Jason Dance of Greenwich Associates suggests two scenarios that others believe is security, but actually isn't. If you haven’t made this mistake, you’re not in security On Twitter, the CISO of Twitter, Rinki Sethi, said, "A career mistake I made, I rolled out a phishing testing program before the company was ready for it. The HR team said it was against the company culture and if I tried a trick like that again, I would be fired. Lesson - communication is important in #cybersecurity." Rinki asked for others' stories of failure. Let's explore a few. What Is It and Why Do I Care? For this week's game, the topic is vulnerability management. We look at four pitches from four different vendors. Contestants must first answer what "vulnerability management" is in 25 words or less, and secondly must explain what's unique about their vulnerability management solution. These are based on actual pitches - company names and individual identities are hidden. The winners will be revealed at the end.  

All links and images for this episode can be found on CISO Series https://cisoseries.com/this-is-the-year-im-going-to-lose-weight-and-care-about-security/ Every year I say I'm going to do it. I'm going to get healthy and be much better about securing my digital identity and my data. But then after about two weeks I give up, use the same password across multiple accounts, and eat a pint of Häagen-Dazs. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Dan Walsh, CISO, VillageMD. Our sponsored guest this week is Drew Rose, (@livsecaware)CSO, Living Security Thanks to our podcast sponsor, Living Security Traditional approaches to security communication are limited to one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely affect long-term behavioral change. This report lays out a four-step plan that CISOs should follow to manage the human risk. It provides design principles for creating transformational security awareness initiatives which will win the hearts and minds of senior executives, employees, the technology organization, and customers. On this week's episode What would you advise? Over on the AskNetSec subreddit, a pentester wants out. The redditor is looking for exit opportunities into another job in cybersecurity. Other redditors suggested IT audit, SOC operations, incident response, forensics. What would be an ideal next step for a pentester? We don’t have much time. What’s your decision? What happens when a previous employer of yours gets hacked and your information is potentially stolen. This happened to a redditor who asked this question on the cybersecurity subreddit. If nothing has actually happened, what can they do and what can potentially happen? Is a warning of "I may be compromised" to anyone going to do anything? "What's Worse?!" Jason Dance of Greenwich Associates delivers a really annoying "What's Worse?!" scenario. Please, Enough. No, More. The topic is "Security Awareness Training". David prefaces this with a top finding from a Forrester report that said, "Unless You Capture Hearts And Minds, No Amount Of Training Will Work". So with that said, what have people heard enough about with regard to security awareness training and what would they like to hear a lot more? Pay attention. It’s security awareness training time What if security behavior was rated as a performance score, suggested Ashish Paliwal of SONY. In his LinkedIn article, he agreed you can't train yourself to better security. It requires positive reinforcement. He suggested psychometric tests and a scoring system where you would gain points for good security behavior and lose points for bad security behavior (-10 for clicking on a phish, +10 for reporting). Creative ideas that he acknowledges have lots of challenges. The focus here is changing human behavior, possible the hardest feature to implement. What user experience does change behavior? And why would or why wouldn't Ashish's suggestions work?

All links and images for this episode can be found on CISO Series https://cisoseries.com/please-accept-this-not-a-bribe-gift-as-an-act-of-desperation/ Offering me a gift for a meeting was definitely not Plan A. Or was this a situation that you ran out of creative ideas and it's actually more cost efficient to buy your way into meeting with me? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is John Overbaugh, (@johnoverbaugh) vp, security, CareCentrix. Thanks to our podcast sponsor, Nucleus Security Nucleus unifies your existing security stack, integrating with over 70 scanners and external tools, creating a centralized hub to control the chaos of vulnerability analysis, triage, and remediation. Ready to make the tedious VM process simple through smart automation and workflow optimization? See for yourself at https://nucleussec.com/demo. On this week's episode OK, what’s the risk? People hear all too often that risk security isn't compliant security and vice versa, but isn't compliance just another form of risk? Shouldn't it be given quantitative and qualitative ratings like any other risk, prioritized, and remediated especially in highly regulated environments? Why is everyone talking about this now? On LinkedIn, LinkedIn CISO, Geoff Belknap asked, "Tech Vendors: Please, stop offering cash or gift cards for meetings. It throws into question the entire basis for a relationship and It's not ethical." Vendors take CISOs out for lunch all the time. That is a form of a gift. One vendor said because they can't take a CISO out they send a Starbucks card in lieu of the coffee they were going to purchase. Then there are the gifts that arrive for attending an event. Edward Kiledjian at OpenText, said, "I recently had a vendor get upset with me that I wasn't willing to accept his gifts. He said others in my position accept it and he couldn't understand why I was being so 'stubborn.'" How should this situation be handled and does a CISO's opinion of the vendor change as a result? "What's Worse?!" David tried to second guess Mike and was wrong on this bad idea from Jesse Whaley, CISO, Amtrak. If you haven’t made this mistake you’re not in security When Zero Day bugs arrive, security flaws just keep perpetuating. Garrett Moreau of Augury IT posted an article from MIT Technology Review about Google's research finding that when patches are released for zero days, they're often incomplete. Hackers can actually find the vulnerability sitting on the next line of code right next to the patched line of code, making it very easy for a hacker to reignite the zero day vulnerability. How can this problem stop perpetuating itself? Someone has a question on the cybersecurity subreddit A frustrated redditor eager to learn cybersecurity is getting stuck on CTFs (Capture the Flags ) and is losing the motivation as a result. The person is worried that relying on walkthroughs will be harmful. Responses from the reddit community were that the walkthroughs are there to help people learn, and that most CTFs don't resemble real life. They're there to teach a few tricks. So, is that the case?

All links and images for this episode can be found on CISO Series https://cisoseries.com/foul-that-interview-question-is-unfair/ Pick a side. You either want your employees to have a work/life balance, or you want them to be obsessed with security 24/7. You can't have both. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Arpita Biswas, (@0sn1s) senior incident response engineer, Databricks Thanks to our podcast sponsor, StackRox StackRox is the industry’s first Kubernetes-native security platform that enables organizations to securely build, deploy, and run cloud-native applications anywhere. The StackRox Kubernetes Security Platform delivers lower operational cost, reduced operational risk, and greater developer productivity through a Kubernetes-native approach that supports built-in security across the entire software development lifecycle. What would you advise? People speak a lot about the importance of integrating security and DevOps. Now it's time to learn some specifics, like how to energize developers to be more security minded in their development. What works? What hasn't worked? "What's Worse?!" You just learned something was breached. Uggh. (Thanks to Mike Toole, Censys) What’s the best way to handle this ? What questions should be asked to see if a security team is cloud incident ready? A good article over on F5 by Sara Boddy, Raymond Pompon, and Sander Vinberg, provides some suggestions such as "Can you describe our attack surface and how have you reduced it to the bare minimum?" and "How are we managing access control?" and "What do we do when systems or security controls fail?" Which of the questions is the most revealing to cloud security readiness and why? Should you ignore this security advice? On the AskNetSec subreddit someone inquired about a good hiring question. One redditor suggested asking "What do you do on your own home network with respect to security?" to which another redditor argued that the question was unfair. He left the security and networking for work. He had other hobbies and interests for home life. Another person said, yes it is unfair, but there are plenty of candidates who do breathe security 24/7 and if given a choice, the redditor would take that person. The politically correct thing to say is you want the person with the work-life balance, but wouldn't we be more impressed with the person who has security in their blood day and night? Close your eyes and visualize the perfect engagement Another question on AskNetSec subreddit asked "What are the most important skills you see missing among other coworkers or your team?" The two most common answers I saw on the thread were communications and critical thinking. Are these correct. or should something else go there? ? And if those two did improve, what would be the resulting effect to a company's security program?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/why-do-we-fire-the-ciso-tradition/) Yes, firing the CISO probably won't solve our security issues. But our community has a multi-generational heritage of relying on scapegoats to make them feel good about their decisions. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Kirsten Davies (@kirstendiva), CISO, Estee Lauder Companies. Thanks to our podcast sponsor, Kenna Security With Kenna Security, companies efficiently manage the right level of risk for their business. Our Modern Vulnerability Management model eliminates the friction between Security and IT teams about what to patch, providing clear prioritization based on real-time threat intelligence and guidance applied to each customer’s unique environment across infrastructure, applications and IoT. Why is everybody talking about this now? On the AskNetSec subreddit one redditor asked, "Why do people always get fired over a breach?" to which one responded, like many others, "it’s just tradition. Military, government, corporations. It’s an old-fashioned thing really, but a lot of people still believe a 'blood sacrifice' is required to restore faith from the public or the shareholders." How tenable is it to keep doing this with so many breaches? After a breach what are the different actions needed to appease shareholders, executives, employees, and customers? And when is blood letting warranted? How to become a CISO Over on the CISOseries subreddit, a hopefully soon-to-be-CISO asked, "What should I ask before being a CISO at a startup?" This startup is pre-IPO. 2000 employees. About $1B in valuation. The redditor is looking for advice beyond asking what's the current security strategy and what the reporting structure would look like. What would you want to ask in such a situation? "What's Worse?!" Probably the ultimate "What's Worse?!" scenario. Hey you’re a CISO. What’s your take? On LinkedIn, Kris Rides asked, "If you can only do one thing to retain your staff what would that be?" What have you done and has any of your staff let you know that certain actions you took meant a lot to them. According to research from leadership consulting firm DDI, 57 percent of employees who walk out the door, do so because they can't stand their boss. For that reason, the pressure is heavily on the CISO to make sure they're well-liked by their staff. There’s got to be a better way to handle this Can you think of a moment you had to make a significant shift in your security program? What did you do and why? Was there a specific event that triggered it?  

All links and images for this episode can be found on CISO Series (https://cisoseries.com/click-this-link-to-fail-a-phishing-test/) Our phishing tests are designed to make you feel bad about yourself for clicking a link. We're starting to realize these tests are revealing how insensitive we are towards our employees. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Yaron Levi, (@0xL3v1) former CISO, Blue Cross Blue Shield of Kansas City. Thanks to this week’s podcast sponsor, Stackrox StackRox is the industry’s first Kubernetes-native security platform that enables organizations to securely build, deploy, and run cloud-native applications anywhere. The StackRox Kubernetes Security Platform delivers lower operational cost, reduced operational risk, and greater developer productivity through a Kubernetes-native approach that supports built-in security across the entire software development lifecycle. Is this a cybersecurity disinformation campaign? On reddit, an explosive discussion formed around a ComputerWeekly.com article by Saj Huq of Plexal about the importance of making disinformation a security issue. The problem though has primarily fallen into the hands of social media companies mostly because that's where disinformation spreads. While we've seen disinformation being used as a political tool, for businesses, it can tarnish your corporate brand, consumer trust, and ultimately the value of your product. It's also used in phishing campaigns. Breaches are compromising your data. Disinformation is questioning the validity and value of data without even stealing it. How do you combat that? Are we having communication issues? We're recording this episode shortly after GoDaddy sent its infamous phishing test email that promised employees a $650 bonus check. Those who clicked on the email were rewarded with additional security training. It took the entire Internet to point out how insensitive this was, GoDaddy's response was "We understand some employees were upset by the phishing attempt and felt it was insensitive, for which we have apologized." They argued that while it may be insensitive, these types of well-timed phishing emails do happen. A lot of people do not like phishing tests and Yaron has proven that if creative enough, anyone can fall for a phish. How can the company and security be more sensitive to employees, respect them, while also letting them know they may receive a malicious email just like this? "What's Worse?!" An international What's Worse conundrum. How do you go about discovering new security solutions? Julia Wool, Evolve Security said, "I just finished a Splunk course and wanted to explore other SIEM platforms and I am having a difficult time understanding how an enterprise should choose a vendor in this space. I couldn't imagine being the guy at an enterprise that has to consider all these different vendors that seem to be doing the same thing." Julia brings up a really good concern: If you were completely green, didn't have CISO connections, and were going to choose a SIEM for the first time how would you go about determining your needs and then researching and deciding? What sources would you use? And how do you limit this effort so you're not overwhelmed? There’s got to be a better way to handle this Brian Fanny, Orbita, asks, "Vendor scope can change over time within a project or the start of another and harder to control than the initial evaluations. They start off when non-critical requirements/needs eventually grow into handing assets of greater value and/or gaining access to more critical systems. How do you keep up with vendor/project scope creep from the security sidelines?"

All links and images for this episode can be found on CISO Series https://cisoseries.com/our-hope-it-doesnt-happen-to-me-security-strategy/  We're thinking it just might be possible to wish our security problems away. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Steve Giguere, (@_SteveGiguere_) director of solution architecture and community, StackRox. Thanks to this week’s podcast sponsor, Stackrox StackRox is the industry’s first Kubernetes-native security platform that enables organizations to securely build, deploy, and run cloud-native applications anywhere. The StackRox Kubernetes Security Platform delivers lower operational cost, reduced operational risk, and greater developer productivity through a Kubernetes-native approach that supports built-in security across the entire software development lifecycle. On this week's episode That’s something I would like to avoid Security theater is a security placebo. We're being told that it's effective, and we may fool ourselves into believing it is, but the reality is there's no real security medicine there. Over on Infosecurity Magazine, Danny Bradbury has identified a few key ones I want to call out. In particular, technology buzzwords - like getting a solution with AI, data collection - more data, more insights, right?, and endless security alerts - for practitioners and end users. All of these seem to be in regular practice today. Does calling out security theater result in pushback? And if so, how do you handle calling it out and how would you shift each of these security placebos into a more medicated version? There’s got to be a better way to handle this On reddit, kautica0 asks, "If a company becomes aware of a 0-day vulnerability and it impacts their production web application serving customers, what actions should be taken? Should it even be considered an incident?" Just because it's a 0-day vulnerability does that make it more threatening than any of the known vulnerabilities? There was a lot of logical advice that was akin to how we would handle any vulnerability, but the 0-day nature had the looming feeling of this could be an incident very quickly and would require an incident response plan. "What's Worse?!" A "What's Worse?!" entry from our youngest listener. Please, enough. No, more. The topic is Kubernetes Security. We discuss what we have heard enough about when it comes to Kubernetes security and what we would like to hear more. Where does a CISO begin Is being cloud first a security strategy? Over on the UK's National Cyber Security Centre, an article argues that we should not ask if the cloud is secure, but whether it is being used securely. What does that mean? And is there an argument for and against cloud first being a valid security strategy?  

All links and images for this episode can be found on CISO Series (https://cisoseries.com/hey-reseller-whats-the-value-youre-adding/) It seems that you're offering so much more when you add the VA ("value added") in front of your title. What is that? Why am I working with you rather than buying directly from the vendor? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Doug Cahill (@dougcahill), vp, and group director, cybersecurity, Enterprise Strategy Group. Thanks to this week’s podcast sponsor, Dtex Traditional Employee Monitoring solutions are creepy. Capturing screenshots, recording keystrokes, monitoring web browsing and following social media activities is unnecessary and damages culture. DTEX InTERCEPT is the first and only solution that delivers the real-time workforce monitoring capabilities today’s organizations need and employees will embrace. Learn more at dtexsystems.com. On this week's episode How a security vendor helped me this week From Trevor Marcatte, The SCE Group, asks a question about the "value added reseller" or VAR vs. the "large account reseller" or LAR. I'm paraphrasing, but Trevor wants to know what we're seeing as the value of this middleman. Trevor said, "Being the middle man is tough and battling the big guys is tough. CDW's, SHI's of the world. The smaller guys have so much more to offer than a price. Price is dictated by the vendor anyways." What do the smaller VARs have to offer that the larger LARs can't offer? How do you go about discovering new security solutions How do we evaluate DevSecOps solutions? Mike hates the term, so I'll say how do we evaluate solutions that will improve the security of the DevOps pipeline? GigaOM Research has a report where they evaluate these solutions, but they also have another report that goes into detail on evaluation criteria. There is a lot of criteria such as seamless integration into tools, process, and dashboards, plus role-based access controls, automation driven by policy, management of secrets, and dependency analysis. What criteria do we look at? How does it change from company to company? And how do we supplement when a solution looks great, but misses a key criteria? "What's Worse?!" A question about DevSecOps. What’s the best way to handle this? Is cloud identity management going to stick? According to David Vellante over at Wikibon and The Cube, the pandemic has forced that shift for everyone and there's probably no turning back. For cloud-first companies this was business as usual before the pandemic. But what about all the new businesses that are going to the cloud and doing business with you. It's a very broad field and there are a lot of industry players, so actually skip the obvious stuff and just mention the items that have become sticking points or are still in need of development. Is this the best solution The "X" in XDR extends traditional endpoint detection and response or EDR to also include network and cloud sensors. We talked about this on our other podcast, Defense in Depth, and one of the issues came up was the disruptive nature of XDR. How much was real. David Thomas, Computacenter, said, "The aspiration to get fully integrated insights of all your tools and create the ultimate feedback loop responsive system is a worthy aim... Current vendor XDR pitches are up selling opportunities but customers have a challenge to adopt or shift to a single vendor platform due to a vast array of displace/replace challenges. It’s a great marketing story but the pragmatic reality is it’s a tough and long journey to realise the platform / single (pain) pane promise, unless you are a greenfield organisation." Is XDR a worthy goal and what is the marketing hype buyers should question?  

All links and images for this episode can be found on CISO Series (https://cisoseries.com/the-people-closest-to-you-will-hurt-you/) Insider threats. We know some are malicious, and sometimes it's the unwitting result of someone trying to do their job. Aren't you supposed to trust the people you hire? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Dr. Deanna Caputo, chief scientist for behavioral sciences and cyber security capabilities, senior principal behavioral psychologist for MITRE. Thanks to our sponsor, Dtex. Traditional Employee Monitoring solutions are creepy. Capturing screenshots, recording keystrokes, monitoring web browsing and following social media activities is unnecessary and damages culture. DTEX InTERCEPT is the first and only solution that delivers the real-time workforce monitoring capabilities today’s organizations need and employees will embrace. Learn more at dtexsystems.com. On this week’s episode What we've got here is failure to communicate Breaking News! The cybersecurity skills shortage is growing. The ISSA and Enterprise Strategy Group released a report claiming the reason that 70 percent of companies feel that they're at risk is because of the increased workload for cyber professionals, unfilled open job requisitions, and poor education on the relevant technologies. This discussion appeared on the cybersecurity subreddit and complaints ranged from entry level jobs asking for 3+ years experience (something we've discussed many times before), and people with many more years of experience struggling to find a job. Others who were contemplating entering cybersecurity said the discussion was turning them off from entering the field. There's supply and demand, yet there's frustration on both ends. Why aren't they connecting? What's going on?" Are we making this situation better or worse? What defines "usable security". We've discussed obvious things like trying to make it invisible to the user and just basic user experience. But what's unique to cybersecurity design that many don't consider when creating usable security. For example, for phishing there are an endless number of email programs AND we have lots of security awareness training. Could we do away with the awareness training if security was more usable? What's Worse?! Insider threats are no fun, but which one is the worst? Please, Enough. No, More. Topic is Insider Threats. What have we heard enough about with insider threats, and what would we like to hear a lot more? There’s got to be a better way to handle this What do you do after you get the certification? What are the next steps? Mo Shami reached out to me and mentioned that he was going to announce that he passed his CISSP or Certified Information Systems Security Professional exam. He wanted to share the excitement and I said when you post to LinkedIn ask everyone else what they did right after they passed. Most people ended up just saying congratulations, but a couple suggested more certifications or just research job openings (seems obvious). What should one do after you get the certification?