CISO Series Podcast

All links and images for this episode can be found on CISO Series (https://cisoseries.com/when-should-you-stop-trusting-your-ciso/) How technically capable does my CISO need to be? If they lose their technical chops, should we stop trusting them? Should they even be a CISO if they had no technical chops to begin with? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is James Dolph, CISO for Guidewire Software. Thanks to our sponsor, Dtex. Traditional Employee Monitoring solutions are creepy. Capturing screenshots, recording keystrokes, monitoring web browsing and following social media activities is unnecessary and damages culture. DTEX InTERCEPT is the first and only solution that delivers the real-time workforce monitoring capabilities today’s organizations need and employees will embrace. Learn more at dtexsystems.com. On this week’s episode We mentioned past guest, Kelly Shortridge's new book with Aaron Rinehart, "Security Chaos Engineering". First 90 days of a CISO It's time for a CISO do-over. One of the great things about being a CISO is you get a chance to actually apply everything you learned from past jobs. Our guest, James, worked in product security with Salesforce before becoming a CISO. When we recorded the episode, James wasn't yet a full 90 days into his job. And Mike also came from Salesforce as well (they worked together) and working at Lyft was his first CISO job directly from Salesforce as well. Did they both have the same viewpoints of applying product security principles to the CISO role? How do you go about discovering new security solutions What criteria do you use to evaluate phishing solutions? GigaOM Research released a report earlier this year of the key criteria for evaluating phishing platforms. Some of the criteria they mentioned were phishing solutions that do and do not impede workflows, a security edge solution that's in-band vs. out-of-band, and do you need detonation chambers for potentially malicious emails. What criteria do Mike and James use to evaluate, and have they seen those criteria change from company to company? What criteria are not as important? What's Worse?! Failing as a professional or being a mediocre professional? What’s a CISO to do On Defense in Depth, my co-host Allan Alford said, "I think the lack of technical skills in a CISO is expected to a certain degree. You have to have the foundation, but I don't expect my CISOs to be rolling up their sleeves and doing a lot of the hands on work." I turned that quote into a meme image and it caused a flurry of response from the community. How much of applying of security controls that your staff currently does, could a CISO do themselves today? Let’s dig a little deeper What are our passion projects that are tangentially related to cybersecurity? Are we adopting any and how is it helping us stay mentally healthy during COVID? Tony Jarvis of Check Point brought this up. He suggested that we should be sharing our passion projects. What have been our passion projects? How have they helped our mood and our work? And have we been able to keep up with them?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/why-is-pay-the-ransom-in-next-years-budget/) With 25 percent of ransomware victims paying the ransomware, have we waved the white flag to the attackers? Should we just budget for it? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Les McCollum (@doinmorewithles), managing vp, CISO, ICMA-RC. Thanks to our sponsor, BitSight. BitSight is the most widely used Security Ratings service with a mission to change the way the world addresses cyber risk. Learn how BitSight for Third-Party Risk Management helps you efficiently mitigate the growing risk across your vendor ecosystem by taking an automated, data-driven approach. On this week’s episode Why is everybody talking about this now Are culture fit and diversity mutually exclusive? Allan Alford, co-host of Defense in Depth podcast, brought up the conversation of needing diversity in all areas: age, gender, ethnicity, city vs. country, country of origin, military vs. civilian, college educated vs. self-taught, socioeconomic status, and disabilities. But at the same time, I'm thinking we NEVER see those types of groups hanging out together or getting along. So how do you create a culturally sane group among such a diverse group? People are tribal by nature and even if you're successful creating diversity on your team they're going to bond with people of similar types. Won't this introduce new problems? If you haven’t made this mistake you’re not in security At the end of the year when you look at your security budget, what are the costs you didn't expect or budget appropriately at the beginning of the year? On CSO Online, John Edwards has an article about seven overlooked cybersecurity costs that may bust your budget. He mentioned items such as staff acquisition and retention, incident response, third-party analysis, and replacement costs. What has been a surprise for you and has adjusting things for the next year helped, or is there always a surprise? Which is the one everyone should prepare for but they don't? More bad security advice Over a quarter of companies that fall victim to ransomware, pay the ransom, according to a study by Crowdstrike. In a discussion thread on reddit, user yourdigitalmind said they had a client who remarked, "WHEN we get hit, it will force us to start doing things right, but right now, it's cheaper'" So he's accepted being hit by ransomware is inevitable. That falls in line with Crowdstrike's study that found after a ransomware attack 75 percent of the victims do increase their security spend on tools and hiring. Humor for me a moment. Most of us do not want to pay the ransom, but sometimes you can't think of the greater good and you have to think of the survival of the business. Is this where I should put my marketing dollars? What types of vendor stories do you respond to? I bring this up because Mike O'Toole, president of PJA Advertising wrote a great piece about how to build a cybersecurity brand story. In the article, he offers up some really good advice such as "Position yourself against the category, not just your direct competitors," "Fear gets attention, but opportunity can drive purchase behavior," and "The strongest brand stories are about market change." Which advice most resonates with how you're pitched, and can you think of either a customer story or offering that you overheard that pushed you into exploring a vendor's solution?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/were-90-confident-weve-lost-all-confidence/) I don't think we're doing enough to protect ourselves against cyberattacks and I'm also pretty sure we're clueless as to what our third party vendors are doing. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Stephen Boyer (@swboyer), co-founder and CTO, BitSight. Thanks to our sponsor, BitSight. BitSight is the most widely used Security Ratings service with a mission to change the way the world addresses cyber risk. Learn how BitSight for Third-Party Risk Management helps you efficiently mitigate the growing risk across your vendor ecosystem by taking an automated, data-driven approach. On this week’s episode There’s got to be a better way to handle this How confident are your employees in your cybersecurity efforts? And how does employee confidence affect corporate security? Tip of the hat to Tor Swanson of Premier IT for posting this survey from Nulab. The survey found that employees felt that their company's ability to secure digital data was a major to moderate problem. That percentage jumped up dramatically for companies with less than 100 employees. In addition, employees don't feel they're being heard with their cybersecurity concerns. For companies with less than 50 employees, 44 percent felt their employers were slightly or not at all responsive. Perception is a huge part of successful cybersecurity. If you were to let these perceptions continue, how does it affect your overall security program? Question for the board Ross Young, CISO, Caterpillar Financial Services asked, "What are the cyber metrics that should be reported to the board each month or quarter? Is this standardized (example does the financial industry say we want these five metrics), and where would you go to see how you benchmark against the industry?" I'll skip to one important metric we've mentioned on this show multiple times and that's "dwell time" or the time between an incident happening, discovering it, and then remediating it. How do you go about finding benchmarks, and what other metrics tell a good story to the board so they can better wrap their heads around the security program's effectiveness? What's Worse?! Third party issues? We've got 'em. Please, Enough. No, More. Topic is third party risk management. What have we heard enough about third party risk management, and what would we like to hear a lot more? Close your eyes and visualize the perfect engagement We're all getting bombarded with virtual events. Interested to know what virtual events have you attended that you've really enjoyed. Also, what virtual events are the most engaging where you find yourself NOT multi-tasking while watching. Plus, what does a virtual event need to offer for you to take time out in your day to attend?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/networks-wobble-but-they-dont-fall-down/) Eager cyberprofessional looking to really impress a CISO? Create a home network lab and show how you can handle incidents on that network without shutting it down. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Steve Zalewski, deputy CISO, Levi Strauss. Thanks to our sponsor, BitSight. BitSight is the most widely used Security Ratings service with a mission to change the way the world addresses cyber risk. Learn how BitSight for Third-Party Risk Management helps you efficiently mitigate the growing risk across your vendor ecosystem by taking an automated, data-driven approach. On this week’s episode Why is everybody talking about this now Following the horrible terrorist attack in Vienna, the EU has proposed a ban on encryption, requiring companies like WhatsApp and Signal to provide backdoor keys to decipher their end-to-end encryption. It's questionable whether this attack could have been thwarted had the data they couldn't see been read, but regardless, it appears this ban is going to be approved. As you might imagine, the cybersecurity community blew up... on reddit. This is obviously a complicated and thorny issue. What's at play here are authorities being blocked from doing their job because of technology. The loss of human life. And the loss of democratized privacy. Are there any checks and balances that can provide some benefit to any side of this equation? What would you advise? On a previous episode Mike mentioned that if you're an aspiring cybersecurity professional, one way to really impress a CISO is to setup a network and show how you can deal with incidents without taking down the network. I get Mike to talk specifics of that. What if he was in the shoes of that aspiring cyberprofessional. If he were to set one up, what would it have on it and how would he do it? "What's Worse?!" Do you need experience or communications? Close your eyes and visualize the perfect engagement On CSO Online, Jaikumar Vijayan wrote a best practices guide to negotiating SaaS contracts for risk and security. It's a good primer. He mentioned know your risks, state what's non-negotiable, insist on early breach notifications, and be clear on terms for termination. What is the most important concern when negotiating a SaaS contract, and what has been the most difficult to manage? "What Is It and Why Do I Care?" The panoply of security products is very confusing. There are so many product categories and then there are so many companies delivering solutions for all these categories. As a security vendor, how do you know if your pitch is landing with CISOs? That's why we play "What Is It and Why Do I Care?" I ask vendor listeners to submit to our game which you can find under the Participate menu option and then "Challenge Us". Today's category is penetration testing. We have four challengers. First, I will read four 25-word descriptions from four unnamed security vendors. That's our "What Is It?". Then I will read four 25-word differentiators from the same unnamed vendors. That's the "Why Do I Care?" It's up to our CISOs to pick their favorite. At the end I will announce the winners, and only the winners. Losers are not announced. YES, it's the only risk-free opportunity in cybersecurity. Ready to play? Submit your pitches to "What Is It and Why Do I Care?" I'm looking for vendors in the following categories to submit: Data loss prevention, human-layer security, MSSPs, third party vendor assessment, and managed detection and response.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/why-dont-cybercriminals-attack-when-its-convenient-for-me/) Hey cybercrooks, I've got a really great weekend planned, so could you do us all a favor and cool it this Friday and just let all of us enjoy the weekend? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Margarita Rivera, vp of information security, LMC. Thanks to our sponsor, Netskope. The Netskope security cloud provides unrivaled visibility and real-time data and threat protection when accessing cloud services, websites, and private apps from anywhere, on any device. Only Netskope understands the cloud and takes a data-centric approach that empowers security teams with the right balance of protection and speed they need to secure their digital transformation journey. On this week’s episode Is this the best solution? Geoff Belknap, CISO, LinkedIn asks, "If you could only buy one off the shelf security tool / product. What would it be and why?" Here’s some surprising research We've discussed a lot of how COVID is changing security. Well Eli Migdal, CEO of Boardish sent me some interesting research his company conducted regarding the last six months since the start of COVID. According to Boardish's report the top three threats now are: Immobility (not being able to work remotely) Ransomware Accidental Sharing And the top 3 solutions now are: User Awareness training Remote conferencing IAM (identity access management) Solutions Does this track with your current threats and solutions? What's Worse?! Two guaranteed bad things will happen. But one will cost far more damage. Which one? Pay attention. It’s security awareness training time. Jackson Muhiwre, deputy CISO at UC Davis said his cyber team "Are now extra vigilant on Fridays or call it the new Monday for cyber folks." The reason for this increased awareness is the number of cyber incidents that happen on a Friday or just before a holiday seems to go up. Past cyber incidents seem to show that pattern said Muhiwre who believes that malicious hackers know that users have their guard down at these times and it's the easiest time to attack. Are our CISOs of similar thinking and if so how do they prepare/warn/keep staff vigilant? What can be done on top of your existing protections if your staff lets its guard down? What’s the best way to handle this? On LinkedIn, Caitlin Oriel, wrote a very emotional post about her being unemployed for six months and how the non-stop stream of rejection has become overwhelming. The community response was equally overwhelming with nearly 80,000 reactions and 7,500 comments. Caitlin works in tech, not cyber, but the post was universal. The feelings she expressed about being rejected continuously and ghosted by companies left her sobbing in her car. All of this rejection made her question if she's doing the right thing and where she belongs. I have been in this position myself, as have my friends and family. I wish I knew the right things to say to someone or how to keep them moving. What are positive ways to combat ongoing rejection and get a sense you're still heading in the right direction?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/archaeologists-dig-up-the-remains-of-an-optimistic-ciso/) It it believed that in ancient times cybersecurity was successfully fought with a glass half full approach. Today's pessimistic CISOs have yet to confirm the findings. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is George Finney (@wellawaresecure), CISO, Southern Methodist University and author of "Well Aware: The Nine Cybersecurity Habits to Protect Your Future". Thanks to our sponsor, Netskope. The Netskope security cloud provides unrivaled visibility and real-time data and threat protection when accessing cloud services, websites, and private apps from anywhere, on any device. Only Netskope understands the cloud and takes a data-centric approach that empowers security teams with the right balance of protection and speed they need to secure their digital transformation journey. On this week's episode Vendors have questions our CISOs have answers Neil Saltman of Anomali runs a CISO meetup group and he asks, "A common topic is CISOs going back to platform vendors versus best of breed because they are overwhelmed. When do you buy best of breed vs. just add it to the stack from Microsoft or other large vendors… When I worked at Bromium I had a CISO tell me 'I’ll buy your product when Microsoft buys you.'" Mike Johnson leans more to best-of-breed or in some cases build it yourself. Can Mike sympathize with these other CISOs and what would his situation have to be to make a platform play? What I learned from a CISO One of the main tenets of George's new book, "Well Aware: The Nine Cybersecurity Habits to Protect Your Future" is that optimists outperform pessimists in productivity, wealth, and longevity. The "Department of No" cybersecurity people are just hurting themselves. You argue that the more positive attitude can be garnered by learning from people who have successfully protected their communities. What are examples of watching another's success, and what can you learn? What's Worse?! Both are going to cause problems. It's tough to say which one's worse. It's time for "Ask a CISO" We've got a request for career advice, from an anonymous listener. We'll call him Steve. Steve has been with his company 14 years and they were recently acquired and the new company was calling the shots. After the acquisition, the CISO and Steve were working on bringing the merged companies up to compliance standards and dealing with audits: SOC 2, Sarbanes-Oxley, PCI, etc. CISO was planning on leaving the company in 2021 and grooming Steve to replace him. Then COVID hit and the company gave the CISO a beautiful severance package leaving Steve with all the CISO's responsibilities, but not the title change or salary. Steve asked the CIO about plans to replace the CISO and the CIO said Steve could apply once the position was announced. That was 5 months ago. Steve likes his job and the people he's working with but he's frustrated with no clear vision of future plans. We offer up some advice for Steve. What’s the best way to handle this Can we opt-in to cybersecurity awareness? At one of our live shows I asked the audience, "Who has gone through security awareness training?" Every hand went up with a loud audible groan. Most of us would like to opt-out of this mandated training. What if our coworkers could be enticed to opt-in? It's the end of cybersecurity awareness month. What have you done or seen others do that's actually worked? And now the far trickier question, what has worked over a long time?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/can-a-robot-be-concerned-about-your-privacy/) I want AI to be efficient, but I also want my space. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Rebecca Weekly (@rebeccalipon), senior director of hyperscale strategy and execution, senior principal engineer, Intel. Thanks to this week's podcast sponsor, Intel. Intel’s new suite of security features in the upcoming Xeon Scalable platform improves data confidentiality and integrity in a world that increasingly relies on it. Features like Intel SGX further enable confidential computing scenarios — crucial for organizations in regulated industries to meet growing security requirements and protect sensitive data. On this week's episode Why is everybody talking about this now "The lack of women in cybersecurity leaves the online world at greater risk," stated Naomi Schalit of The Conversation. Mollie Chard of Capgemini shared the article that generated a lot of conversation. Naomi hit many issues we've discussed before like diversity offers different viewpoints, which is critical for building a cybersecurity program. I would like to focus on the dynamic of the security team. I've been in testosterone-fueled environments and things change dramatically when just one woman enters the room. And it changes even more when there are more women. What is that dynamic, why is it valuable, and what's the danger of the all-male environment? Well that didn’t work out the way we expected At the end of every show I ask our guests, "Are you hiring?" And prior to COVID, almost everyone said desperately, "YES, we're hiring." That has changed dramatically for the worse since COVID started. Emma Brighton has a story on InfoSecurity Magazine about the real shortage that's happening. Problems she points to are the need to secure more communications channels, security people being offloaded to do IT support, and the competition for skilled talent. What is COVID doing to our security environment and our staff? What's Worse?! Everyone in the loop or out of the loop? Please, Enough. No, More. Today's topic is security on the chipset. We have never talked about this on the show, but now we've got someone from Intel and it seemed appropriate now would be the time to do just that. What have we heard enough about chip-level security, and what would we like to hear a lot more? Are we having communication issues Will the fight to maintain privacy always be in conflict? The people who collect data always want more information so they can get greater insights. Outside of regulations, they have no incentive to maintain privacy. As we're collecting more and more information automatically and artificial intelligence systems are making decisions for us, can AI systems be made privacy aware while still being effective at gaining insights? What would that even look like?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/bonus-episode:-innovators-spotlight/) What makes a security solution innovative? Where do you think security desperately needs innovation? And what do you look for in a security vendor's presentation? On this very special bonus episode of CISO/Security Vendor Relationship Podcast, I invite two special guests, David Tyburski, CISO, Wynn Resorts and Matt Crouse (@mattcrouse), CISO, Taco Bell to answer that very question AND determine if any of the three competing security vendors during the Evanta 2020 Global CISO Virtual Executive Summit were in fact innovative. Our three competitors (and also sponsors) were: John Worrall (@jworrall), CEO, ZeroNorth Nick Halsey (@nickhalsey), CEO, Okera Demetrios Lazarikos, CEO and co-founder, Blue Lava Thanks to these sponsors and Evanta for their support on this episode.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/a-phish-so-insidious-you-cant-help-but-be-jealous/) Wait, that's a phish even I'd fall for. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Matt Crouse, CISO, Taco Bell. Huge thanks to our sponsor, CloudKnox. CloudKnox Security is the market leader within Gartner’s newly defined Cloud Infrastructure Entitlement Management (CIEM) segment. CloudKnox transforms how organizations implement the principle of least privilege in the cloud and empowers security teams to proactively address accidental and malicious credential misuse by continuously detecting and mitigating insider risks. On this week's episode Here’s some surprising research Here's a depressing statistic. Ninety four percent of security and business leaders say they've suffered "one or more business-impacting cyberattacks in the last year — that is, an attack resulting in a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property." This according to a Forrester Consulting study sponsored by Tenable. Do we accept the sobering fact that a business-impacting cyberattack is an annual inevitability? And if so, what percentage of a CISO's job is putting systems in place to minimize damage, and what are ways you do that? If you're not paranoid yet here’s your chance Get ready for a really nasty phishing attack. Craig Hays, bug bounty hunter particularly interested in phishing, tells a story of a wormable phish that after taking over one user's email account began to reply to legitimate email threads from that account. The phisher would actually read the thread and create a relevant response, but with a phishing link which would then compromise another user's email account in the same way. And the phisher would repeat the process from yet another account, causing this wormable phish to spread not just through the initially targeted company, but through their partners, suppliers, and their partners and suppliers. At the time Craig's company didn't have multi-factor authentication (MFA) implemented to which Craig realizes that would stop such an attack. Yet, in the end he was very impressed with this type of attack because it has so many indicators of legitimacy. Have we experienced a similar attack and/or do we have a "favorite" phishing attack in terms of its effectiveness? What's Worse?! Audit season is about to begin. What would you advise? On the Cybersecurity subreddit, GenoSecurity asks, "What types of projects would look good on a resume since I have no work experience. I am also open to projects that might not look as good but are good for beginners since I’m currently working on my Net+ cert." Close your eyes and visualize the perfect engagement Last Friday we had an online after party using a new tool called Toucan which simulates a real party in a virtual setting. We've also used a platform called Icebreaker that allows for one-on-one random meetups. And last week I participated in a table top cyberthreat exercise with Bruce Potter of Expel and Shmoocon that ran like a Dungeons and Dragons role playing game. All were fun and had their value. Since the launch of the pandemic, how have we been able to socialize and stay connected in fun and unique ways?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/whether-its-vulnerabilities-or-children-we-like-to-pick-favorites/) While you do have to claim all of your vulnerabilities and your children, you don't have to like all of them. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Ben Sapiro, global CISO, Great-West LifeCo. HUGE thanks to our sponsor, Kenna Security. With Kenna Security, companies efficiently manage the right level of risk for their business. Our Modern Vulnerability Management model eliminates the friction between Security and IT teams about what to patch, providing clear prioritization based on real-time threat intelligence and guidance applied to each customer’s unique environment across infrastructure, applications and IoT. On this week's episode Why is everybody talking about this now Do you have a clear overall picture of how you're protecting your environment? The Cyber Defense Matrix, an open source tool created by Sounil Yu, a former guest, offers a simple five-by-five grid with the x-axis being the five operational functions of the NIST Cybersecurity Framework and the Y-axis are the five asset classes cyber professionals are trying to secure (devices, applications, networks, data, users). The idea is you are supposed to fill in all 25 squares as best as possible to see where you might have gaps in your security program. Ross Young, CISO, Caterpillar Financial Services Corporation, and a recent guest on this show, has adapted the matrix, by changing the Y-axis to four risks of phishing, ransomware, web app attacks, third party risks. So what's a better way of building out at your security program: by the assets that you're trying to protect or the risks that you're facing? What are the pros and cons of each method? Can you change Mike's mind On a previous show Mike said he is NOT a fan of security through obscurity. Utku Sen of HackerOne argues that security through obscurity is underrated. His argument was that adding "obscurity" is often costless and it adds another layer in your defense in depth program. It is far from bulletproof, but obscurity reduces the likelihood which lowers your overall risk. Examples he included were obfuscating your code in your program, and/or using random variables in the code. Can we change Mike's mind? Is there a level of security through obscurity he has deployed and/or would consider? What's Worse?! What's better? Good and bad data or no data? Please, enough! No, more. Today's topic is vulnerability management, or specifically, vulnerability remediation. What have you heard enough of on vulnerability management, and what would you like to hear a lot more? Question for the board What misconceptions does the board have of the role of the CISO? On LinkedIn, Amar Singh of Cyber Management Alliance Limited, listed off what the CISO is and, isn't, and what inappropriate demands are made on them. He said the CISO is -NOT a super-being or a magician -NOT there to fix IT blunders -NOT the only guardian of the realm -Unable to STOP all cyber-attacks. -NOT a scapegoat/sacrificial lamb -NOT accountable but responsible We often get the sense that CISOs do play these roles as they come in and out. What can be done to temper these beliefs? "