CISO Series Podcast

David Spark, Mike Johnson, and Andy Ellis
Jun 22, 2021 • 34min

Hey Old Man, Go Rotate Your Own Passwords

All links and images for this episode can be found on CISO Series.

If you're happy with your best practice of rotating passwords, that's great for you. Just don't lay your old-timey "rules for better security" on me, boomer.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Robb Reck (@robbreck), CISO on sabbatical and co-founder of Colorado=Security, a podcast and Slack community.

Thanks to our podcast sponsor, VMware.

In this episode:
Who is supposed to put "security" into the shifted-left SDLC?
What's the scarcest resource to a CISO? Is it headcount or money?
What's the hardest part about being a CISO?
How to choose the "best" best practices.
Jun 15, 2021 • 39min

How CISOs Make It Worse for Other CISOs

All links and images for this episode can be found on CISO Series: https://cisoseries.com/how-cisos-make-it-worse-for-other-cisos/

Are CISOs inappropriately putting pressure on themselves, and is that hurting the rep of all CISOs as a result?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Andy Ellis (@csoandy), operating partner, YL Ventures.

Thanks to our podcast sponsor, Orca Security.

Orca Security provides instant-on security and compliance for AWS, Azure, and GCP, without the gaps in coverage, alert fatigue, and operational costs of agents or sidecars. Orca detects and prioritizes risk in minutes, not months, and is trusted by global innovators, including Databricks, Lemonade, Gannett, and Robinhood.

In this episode:
Is the hiring process for CISOs broken?
Why CISOs aren't willing to share samples of their risk assessments
Working with a vCISO through an MSSP
What are the biggest misconceptions cybersecurity people have about CISOs?
Jun 8, 2021 • 32min

Excuse Me, What Bribes Do You Accept?

All links and images for this episode can be found on CISO Series: https://cisoseries.com/excuse-me-what-bribes-do-you-accept/

The security vendor/practitioner sales cycle would go a lot faster and smoother if CISOs would just take an "incentive" for a meeting. Just tell me what "incentive" you would like. I'm sure it'll cost me a lot less than what I'm spending on marketing and sales.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Allison Miller (@selenakyle), CISO, reddit. Allison is available on reddit at /u/UndrgrndCartographer.

Thanks to our podcast sponsor, Living Security.

Why We're Breaking Security Awareness (And You Should Too): attend this free, virtual conference from your home, office, or even your couch. Living Security is breaking the mold of security awareness to wage war on the human risk factor with evolved strategies for the way we live, work, and play today. Join cybersecurity industry thought leaders for fresh, modern perspectives designed to help you change behaviors and reduce your organization's risk in a world where life happens online. This year's sessions will cover:
Human Risk Management
Social Engineering
DEI in Cybersecurity
Enterprise Security Awareness
Remote Working Security
Ransomware

In this episode:
Relying on the end user to make an app secure is, in essence, shipping insecure software
It's official: mandatory password changes are no longer in vogue
What incentives would you accept to take a meeting with a vendor?
Jun 1, 2021 • 33min

Holy Crap! We've Been Doing This for Three Years!

All links and images for this episode can be found on CISO Series: https://cisoseries.com/holy-crap-weve-been-doing-this-for-three-years/

On this day three years ago, Mike Johnson and I released the first episode of CISO Series' CISO/Security Vendor Relationship Podcast. Our primary goal was to talk about the strained yet much-needed relationship between security practitioners and vendors. With the help of our guest Dan Walsh, CISO, VillageMD, and plenty of contributors, we look back and ask ourselves, "What's changed, and has anything improved?"

If you're interested in hearing the full story of how CISO Series started, listen to this episode of Defense in Depth with Mike Johnson and Allan Alford, where we walk through the origins of what has become a rather sizable media network.

Thanks to our podcast sponsor, Sonatype.

With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company's Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle, including third-party open source code, first-party source code, infrastructure as code, and containerized code.

In this episode:
What listeners get out of the show and what has changed in the industry
How communication has changed among CISOs in three years
Is there more compassion for vendors now?
How is the vendor landscape changing?
May 25, 2021 • 36min

Something Stinks In Here. I Think It's Your Code.

All links and images for this episode can be found on CISO Series: https://cisoseries.com/something-stinks-in-here-i-think-it's-your-code/

The problem isn't our users, it's you and your past-due code. Something happened. It's either been tainted or expired, but whatever it is, it smells and you need to clean it up.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our sponsored guest this week is Brian Fox (@brian_fox), co-founder and CTO, Sonatype.

Thanks to our podcast sponsor, Sonatype.

With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company's Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle, including third-party open source code, first-party source code, infrastructure as code, and containerized code.

In this episode:
How do you know if your DevSecOps effort is going to fail?
How does an analyst justify their existence?
Managing malicious intruders in code libraries
Managing cybersecurity hygiene in the software chain
May 18, 2021 • 32min

Our Top Ten List of Vendors That Aren't You

All links and images for this episode can be found on CISO Series: https://cisoseries.com/our-top-ten-list-of-vendors-that-arent-you/

You look at a top ten list to see if you made the list. Don't bother. You're not on it.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest this week is Nancy Hunter, VP, CISO, Federal Reserve Bank of Philadelphia.

Thanks to our podcast sponsor, Code42. Redefine data security standards for the hybrid workforce. Check out Code42.

In this episode:
Threat tracking: what's better, your SOC's data or reading industry trends?
Finding good security people: what's better, existing skills/experience or a hunger to learn?
Listing the things we like about security vendors
Diversity hiring still has some challenges
May 7, 2021 • 34min

Do We Have to Let the CISO Sit With Us?

All links and images for this episode can be found on CISO Series: https://cisoseries.com/do-we-have-to-let-the-ciso-sit-with-us/

I guess because it's a pandemic, and we really need them, just this one time, we'll let the CISO hang out at the cool kids' table.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our sponsored guest this week is Jadee Hanson (@jadeehanson), CISO, Code42.

Thanks to our podcast sponsor, Code42. Redefine data security standards for the hybrid workforce. Check out Code42.

In this episode:
Apparently, CIOs have become really hot commodities within the organization
Do compliance checkboxes on third-party surveys provide any security for the supply chain?
Insider risk should look more at mistakes as well as intentional acts
The real value of vendor white papers
May 4, 2021 • 35min

Why Commute When You Can Stay Home and Be Overworked?

All links and images for this episode can be found on CISO Series: https://cisoseries.com/why-commute-when-you-can-stay-home-and-be-overworked/

Work from home seemed ideal until you realized you were working at all hours with people all over the world. It would actually be a nice respite to have to commute and leave work at a reasonable hour.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest this week is Adam Glick, CISO, Rocket Software.

Thanks to our podcast sponsor, Code42. Redefine data security standards for the hybrid workforce. Check out Code42.

In this episode:
Work-from-home – the joys and the sorrows
What do we want the board and C-suite to know about cybersecurity?
Are you a cybersecurity or infosec hiring manager? What kind of interview questions do you ask?
CISOs working with young cybersecurity entrepreneurs
Apr 27, 2021 • 35min

Pushing This to the Top Of Your Inbox So You Can Delete It Again

All links and images for this episode can be found on CISO Series: https://cisoseries.com/pushing-this-to-the-top-of-your-inbox-so-you-can-delete-it-again/

We're following up on our previous email because we love to engage in self-defeat. We assume you don't want to hear from me again, but just to make sure, I've delivered another email for you to delete.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest this week is Rinki Sethi (@rinkisethi), CISO, Twitter.

Thanks to our podcast sponsor, Sonatype.

With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company's Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle, including third-party open source code, first-party source code, infrastructure as code, and containerized code.

In this episode:
It takes a while to hire an awesome cybersecurity team. It takes even more work to keep them.
Breaches are bad, but handling them badly might be worse
The unique aspects of work-from-anywhere security that take time to discover
More of "what not to do" as a vendor pitching a cybersec prospect
Apr 20, 2021 • 39min

OK, I Get It. You're All Special Snowflakes.

All links and images for this episode can be found on CISO Series: https://cisoseries.com/ok-i-get-it-youre-all-special-snowflakes/

This department manager thinks their data is the most important. But then this department manager thinks their data is the most important. Can there really be so many crown jewels in your company that are all equally important? How's a CISO supposed to prioritize?

This episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest this week is Melody Hildebrandt (@mhil1), executive VP, consumer products and engineering, and CISO, Fox.

Thanks to our podcast sponsor, Herjavec Group.

Herjavec Group excels in complex, multi-technology environments and keeps enterprise organizations secure with best-of-breed products and comprehensive service offerings. With 5 global Security Operations Centers, emerging technology partners, and a dedicated team of security specialists, we are well-positioned to be your organization's trusted advisor in cybersecurity. Let's connect!

On this week's episode:

Hey, you're a CISO, what's your take?
Recently, we did a Friday video chat on "Hacking the Crown Jewels" where we talked about what's really important, where it resides, and who's accessing it and when. One of the questions that came up from consultant Ian Poynter was how do you handle the conflicts between the different department leaders as to what the crown jewels are? And Jakub Kaluzny of SecuRing asked, "What's harder, identifying your crown jewels, or protecting them?"

Can you change Mike's mind?
Our guest, Melody Hildebrandt, mentioned that as of recently she was in a pro-vendor mood. Only three months into the year, she has taken more new vendor meetings than in all of 2020. What changed? And can she convince Mike to do the same?

"What's Worse?!"
As always, this will be a surprise on the show. And no one will like the options.

If you haven't made this mistake, you're not in security
Even if you've configured your email security platform correctly, you can still fail early and often, as our guest Melody discovered. But she actually published her findings on Tech Insiders, along with Paul Cheesbrough. Examples she provided included email account compromises that resulted in full evasion of standard email defenses. And given that her business is often an early target for new attacks, protection through threat analysis has become essentially useless. Her solution for enterprise email is to adopt an API-based solution instead of gateways, along with deep machine learning, and continuous protection of email rather than initial scanning and approval. Let's look at how difficult this shift was and how Melody is managing it.

There's got to be a better way to handle this
On Twitter I asked, "Since security people don't get applause when nothing happens, how do you let the rest of the company know how well the security team is doing?" One mentioned a slide on reports that says "X days without a breach"; others suggested showing improvements to metrics like vulnerability and mean time to response. So what do we say to the whole company, not just the board?
