CISO Series Podcast

All links and images for this episode can be found on CISO Series (https://cisoseries.com/were-market-leaders-in-customer-confusion/) We could offer a simpler explanation of our technology, but if we confuse you we can charge a lot more. This episode was recorded in front of a live audience at BsidesSF 2020 in San Francisco. It's hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Olivia Rose, former CISO, Mailchimp. Look at that screen! We were in a movie theater. Those small people in the lower right are David Spark, producer, CISO Series, Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, and Olivia Rose, former CISO, Mailchimp. Photo credit to @ash1warya. Thanks to this week's podcast sponsors, Vulcan Cyber and CyberArk. Vulcan is a vulnerability management platform built for remediation. By orchestrating the entire remediation process, Vulcan ensures that vulnerabilities aren’t just found, they’re fixed. Pioneering a remediation orchestration approach, the platform enables security, operational and business teams to effectively remediate cyber risks at scale. At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls. On this week's episode How to become a CISO What is some actionable "let's start today" advice. What could an individual do right now to develop the skills to be a cyber leader and make it clear to management, that's what they're gunning for? What we’ve got here is failure to communicate If all vendors stopped sending cold emails, which is what we constantly hear CISOs say they should do, how should they spend their time and money instead to greatly improve their success? If a CISO played the role of a vendor, which happens often, what should you do, to get to you? What's Worse?! We play TWO rounds. What do you think of this vendor marketing tactic? According to a recent study by Valimail, CISOs are very suspect of security vendors' claims. In general, the numbers are horrible for vendor credibility. Close to half of security professionals claim the following: Vendors' tech and explanation are confusing Practitioners have a hard time seeing and measuring value Practitioners don't know how a vendor's product will stay valid on their security roadmap.   What could cybersecurity vendors do to make their claims more believable? Close your eyes and visualize the perfect engagement Rafal Los, Armor Cloud Security asked, "If you could implement one thing in your organization that would receive universal adoption without push-back, what would it be?" The question, which seems reasonable, but in the security world often feels impossible, generated a ton of responses on both LinkedIn and Twitter. Many wanted company-wide adoption of one solution, such as MFA or vulnerability management. Others wanted widespread and ongoing security education. Our CISOs debate the one pushback-free solution that would yield the greatest results.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/last-chance-to-vote-for-most-stressed-out-ciso/) Think you or your CISO has what it take to shoulder all the tension, risk, and security issues of your organization? You may be a perfect candidate for "Most Stressed Out CISO". This episode was recorded in person at Zenefits' offices in San Francisco. It's hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Keith McCartney (@kmflgator), CISO, Zenefits. Keith McCartney, CISO, Zenefits and Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast Thanks to this week's podcast sponsor, CyberArk At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls. On this week's episode There’s got to be a better way to handle this CISO Stress. We've talked about it before on the show, and now Nominet just released a new study that claims stress levels are increasing. 8% of CISOs said work stress has had a detrimental impact on their mental health, almost twice as high as last year (27%). 31% of CISOs said that stress had affected their ability to do their job. Almost all surveyed CISOs (90%) said they’d take a pay cut if it improved their work-life balance. How could a CISO negotiate better work/life balance upfront and have either of our CISOs done it? Hey, you're a CISO. What's your take on this? Gary Hayslip shared this Peerlyst article by Ian Barwise of Morgan Computer Services about the incredible array of OSINT tools. What OSINT tools do our CISOs find most valuable and for what purposes. What's Worse?! A little too much agreement on this week's "What's Worse?!" Here's some surprising research Why are cloud security positions so much harder to fill? Robert Herjavec of the Herjavec Group posted a number of disturbing hiring statistics. Most notably was one from Cyber Seek that stated jobs requesting public cloud security skills remain open 79 days on average — longer than almost any other IT skills. Why isn't supply meeting demand? Why is it such a difficult security skill to find? And how easy and quickly can you train for it? EKANS is the backward spelling of SNAKE. It is also the name of new ransomware code that targets the industrial control systems in oil refineries and power grids. Not only does it extort a ransom, it also has the ability to destroy software components that do things like monitor the status of a pipeline, or similar critical functions in a power grid or utility. A recently documented attack on Bahrain’s national oil company reveals the architecture and deployment of EKANS not to be the work of a hostile nation-state, but of cybercriminals. The chilling message behind that, of course, is that penetrating and sabotaging critical components of a country’s infrastructure is no longer exclusive to sophisticated national intelligence agencies. Lower level criminal agencies may have motives that are far less predictable and trackable, and when combined with the complexities of an industrial control system, these may have cascading effects beyond the wildest dreams of the instigators themselves. More from our sponsor ExtraHop. What do you think of this pitch? We get a pitch with some suggestions on how best to improve the pitch. We want more pitches!  

All links and images for this episode can be found on CISO Series (https://cisoseries.com/lets-blow-our-entire-marketing-budget-at-rsa/) Security professionals only think about security one week out of the year, right? So let's drop every single dollar we have budgeted for marketing on the last week of February. Whaddya say? This episode was recorded in person at Intel's offices in Santa Clara, California. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Tom Garrison (@tommgarrison), vp and gm of client security strategy at Intel (@IntelNews). David Spark, CISO Series, Tom Garrison, Intel, and Mike Johnson, CISO/Security Vendor Relationship Podcast. Thanks to this week's podcast sponsor, Intel. The globalization of technology has created an environment of complicated supply chains with limited transparency. Intel’s Compute Lifecycle Assurance (CLA) initiative solves this through a range and tools and solutions that deliver assurances of integrity throughout the entire lifetime of a platform --from build to retire. On this week's episode There’s got to be a better way to handle this Next week is RSA and by podcast law we're required to talk about it. We offer up tips on maximizing the following: education, engagement, and follow up. What’s the return on investment? On Peerlyst, John Mueller, a security architect with the US Navy, suggested ways to use incident response metrics to help determine whether your cybersecurity program is improving. But as Mueller points out, it's not easy as you could fool yourself into believing you're doing well if you don't valuable discovery tools. We discuss methods to measure improvements in security programs. What's Worse?! A really tough one that delivers a split decision. Please, enough. No, more. Our topic is trust and hardware manufactures. We discuss what we've heard enough about with trusting hardware manufacturers of tech products, and then we discuss what we'd like to hear a lot more. The fable of Walt Disney having been cryogenically frozen to be revived in an age where the science to do so existed is just that – a fable. But there is still something to be taken from that when it comes to documents archived on the cloud or consigned to data landfills. Just because encrypted data cannot be easily decrypted by hackers using today’s tools, that doesn’t mean tomorrow’s tools can’t do the job and revive the information stored inside. When threat actors take it upon themselves to steal data, through hacking, ransomware, or AI, they might, of course be searching for material that is immediately exploitable, such personal data, or data that has immediate value in being returned or unlocked as in the case of ransomware. But other players are in it for the long game, counting on the fact that the inexorable momentum of progress will lead to a decryption solution in time for stolen archived data to still be of use for future crimes, frauds and deep fakery. More from our sponsor ExtraHop. Close your eyes. Breathe in. It’s time for a little security philosophy. I got back from Tel Aviv where cybersecurity professionals find themselves innovating out of necessity. They're often short on resources. We discuss the kinds of exercises we've tried to help ourselves and our team to think creatively about cybersecurity. One suggestion is the interrogation technique of "Five Whys" to get at the root reason of why we make our choices.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/empowered-working-together-to-pile-on-the-cyber-guilt/) We can all be more secure if we work together as a team to shame those who don't agree with how we approach security. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Chris Hatter, CISO, Nielsen. On this week's episode Mike's confused. Let's help him out. Mike inspired this brand new segment with his question to the LinkedIn community, asking what's the big deal with 5G security? The story I heard about 5G is just sheer volume over unsecured networks. But Mike said, we've been dealing with unsecured networks since 2G and 3G and we dealt with them using Transport Layer Security or TLS, and implementing other services such as multi-factor authentication or MFA. Mike called out to the community to clue him in as to why we should be more concerned with 5G. Does shaming improve security? Thanks to Mark Eggleston, CISO, Health Partners Plans for alerting me to Chris Castaldo, CISO of Dataminr, and his post about Rob Chahin's "Single Sign-On or SSO Wall of Shame". Chahin, who is the head of security at Eero, purports that SSO should be a standard feature in applications and websites that allow for secure sign on through third party identity services, such as Google and Okta. Single sign-on is a significant boon for security and management simplicity and Chahin argues that many companies force users to pay dearly to enable SSO. What's Worse?! A grand financial decision in this scenario. Is this the best solution? According to a recent article in the Wall Street Journal, there is an ever slight trend of CISOs moving away from reporting to the CIO, opting instead to report directly to the CEO. Why is this trend happening? What are the benefits and disadvantages?   With hacks and breaches becoming all too commonplace and even encrypted data still vulnerable to hackers who can read and copy it, focus is now being placed on Quantum Communication as a potential next option. This is a technique that encodes data into photons of light, each of which can carry multiple copies of ones and zeroes simultaneously, but which collapses into a single one-and-zero if tampered with. Basically, the scrambling of data to an unusable format. Although Quantum communication has been development for a few years, researchers in China have apparently already outfitted a fleet of drones that will soon be able to communicate upwards to its already launched Quantum satellites and downwards to ground stations while remaining stable in flight. This paves the way for the field of quantum teleportation, a glamorous term whose uses and actual development are no longer just the realm of science fiction. For data at least. More from our sponsor ExtraHop. Close your eyes. Breathe in. It’s time for a little security philosophy. Simon Goldsmith, adidas, said, "I’ve been having some success in replacing risk with uncertainty. By which I mean not having a threat, vulnerability or impact made tangible creates uncertainty which is next to impossible to factor into any modern decision making process. If I make it tangible, it becomes a risk and I can help you make a better decision. Puts value on turning uncertainty to risk and fights FUD."

All links and images for this episode can be found on CISO Series (https://cisoseries.com/youre-mistaken-im-not-annoying-its-chutzpah/) We're pushing just to the edge of irritation on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in front of a live audience in Tel Aviv on the eve of the 2020 Cybertech conference. Special thanks to Glilot Capital for hosting this event. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and my special guest co-host, Bobby Ford, global CISO for Unilever. Our guest is John Meakin, veteran financial CISO, and currently CISO for Equiniti. David Spark, producer, CISO Series, Bobby Ford, CISO, Unilver, and John Meakin, CISO, Equiniti. Thanks to this week's podcast sponsors, Polyrize and Intsights. As newly adopted SaaS and IaaS services add an additional layer of risk for security teams, Polyrize provides a cloud-centric approach to simplifying the task of protecting user identities and their access across the public cloud by right-sizing their privileges and continuously protecting them through a unified authorization model. IntSights is revolutionizing cybersecurity operations with the industry’s only all-in-one external threat protection platform designed to neutralize cyberattacks outside the wire. Our unique cyber reconnaissance capabilities enable continuous monitoring of an enterprise’s external digital profile across the clear, deep, and dark web to identify emerging threats and orchestrate proactive response. To learn more, visit intsights.com. On this week's episode How do you go about discovering new security solutions? In an article on LinkedIn entitled, "Why do CISOs take a vendor meeting?" Dutch Schwartz, of AWS said that they take meetings per a recommendation of their staff, their peers, or they have an explicit problem that they've already researched, or they have known unknowns. Are those the reasons to take a meeting with a security vendor? We discuss what meetings CISOs take, and which ones are the most attractive. It's time for "Ask a CISO" Israel is known for a thriving startup community. But what I always see is cross pollination between Israel and Silicon Valley when it comes to startups. We discuss what Israeli startups can learn from Silicon Valley and vice versa. What's Worse?! We've got two rounds. One agreement and one split vote. It’s time to measure the risk Five years ago I wrote an article for CIO.com about the greatest myths of cloud security, The first myth was the cloud is inherently insecure. And the other 19 are ones I'm still hearing today. My conclusion for the whole article was if you can overcome these myths about cloud security, you can reduce risk. In this segment we dispel cloud security myths and explain how the cloud helps reduce risk possibly in ways many of us are not aware. Close your eyes. Breathe in. It’s time for a little security philosophy. On this podcast we talk a lot about CISOs needing to understand the business. In a thought-provoking post on Peerlyst, Eh-den Biber, a student of information security at Royal Holloway, University of London, noted that the job of cybsecurity is more than that. It's about understanding the flow of business and being present in the individuals' lives and their stories. We discuss the importance of being present in your users' lives. It's time for the audience question speed round The audience has questions and our CISOs have answers. We get through a lot really quickly.  

All links and images for this episode can be found on CISO Series (https://cisoseries.com/revisiting-a-whole-career-of-cyber-screw-ups/) This episode was recorded in front of a live audience at Malwarebytes' offices in Santa Clara, California for the Silicon Valley ISSA chapter meeting. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Peter Liebert, former CISO, state of California. Peter is now an independent consultant and commander of cyber operations for California State Guard. (left to right) David Spark, producer, CISO Series, Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, and Peter Liebert, commander, cyber operations, California State Guard Thanks to this week's podcast sponsor, Malwarebytes. Malwarebytes secures endpoints, making workplaces resilient. Our adaptive cyber protection predicts and detects attacks with multi-layer detection across the kill chain. We enable active threat response with machine learning that is actionable and automated, allowing for full recovery when a compromise occurs. We empower enterprise endpoint orchestration across siloed IT and Security organizations, simplifying security management and making responses effective. Malwarebytes makes endpoints resilient so workplaces can protect and remediate, and employees can regain control of their digital lives. On this week's episode Why is everybody talking about this now? Chris Roberts of Attivo Networks posted about his video game addiction as he admitted one certain game ate up 475 hours of his life. He really struck a chord with the community as he got hundreds of comments of people admitting to the same but also recognizing that video games are great stress relievers and that the problem solving in games actually helps keep your mind sharp. There is the obvious need for a break, but is there a correlation between how gaming in any form can help someone with their job in cybersecurity? Hey, you're a CISO, what's your take on this?' Are we doing a good job defining the available jobs in cybersecurity? The brand that we see out there is the image of the hacker and the hoodie. In a post on Peerlyst, Nathan Chung lists off eleven other cybersecurity jobs that don't fall under that well known cybersecurity trope. Jobs such as data privacy lawyers, data scientists developing AI and machine learning algorithms, law enforcement, auditors who work on compliance, and even project managers. We discuss some of the concrete ways to explain the other lesser known opportunities in cybersecurity. What's Worse?! We play two rounds with the CISOs. Um… maybe you shouldn't have done that In an article on Peerlyst, cybersecurity writer Kim Crawley, asked her followers on Twitter, "What mistakes have you made over the course of your career that you would recommend newbies avoid?" There was some great advice in here. We discuss our favorite pieces of advice from the list and our CISO admit what is the mistake they've made in their cybersecurity career that they specifically recommend newbies avoid. We’ve got listeners, and they’ve got questions Chris Hill of Check Point Software, asked, "How can non-technical people working their way up in the security industry improve their knowledge and abilities from a CISO perspective." Chris is a newbie and he wants advice on being a “trusted advisor” and he's trying to figure out the best/most efficient way to get there. It's time for the audience question speed round We go through a ton of questions the audience has for our CISOs

All links and images for this episode can be found on CISO Series (https://cisoseries.com/debunking-the-misused-chased-by-bear-cybersecurity-metaphor/) We don't want anyone to be caught by the bear on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in person in San Francisco. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Elliot Lewis (@ElliotDLewis), CEO, Encryptics. Thanks to this week's podcast sponsor, Encryptics. Now you can share data without ever losing control of it. Our advanced architecture makes data self-protecting, intelligent and self-aware – wherever it goes, no matter who has it. Our .SAFE patented multi-key technology enables data to evaluate its own safety conditions, including geo-sensing, recipient authentication, and policy changes from its owner. Contact Encryptics today and see for yourself. On this week's episode Is this the best solution? On LinkedIn, Rich Malewicz of Wizer opened up a discussion of security is really just about making the lives difficult for attackers, or more difficult than another target. Rui Santos summed Rich's theory succinctly, "you don't have to be Fort Knox, just make it not worth the effort of hacking your organization." Let's dive into the specifics of this. Provide some examples of how you architect a security program that makes it too difficult or too costly for an attacker. Obviously, this would change given the asset you're trying to protect. The great CISO challenge Brad Green, Palo Alto Networks, asks, "What are the most important functions of the SOC (security operations center), and what are the most important activities that support them? What's Worse?! As always, both options stink, but one is worse. Please, Enough. No, More. Today's topic is data security. What have you heard enough about with data security, and what would you like to hear a lot more? Mike? Communicating cyberthreats to the general public has always been a challenge for cybersecurity specialists, especially when it comes to eliciting cooperation in areas like cyberhygiene. Sometimes it helps to give people an awareness that the need for proactive security doesn’t exist only on screens, but everywhere. One fascinating example of this can be seen in the research of Dina Katabi of MIT, who has shown how WiFi signals can be monitored – not for their content, but as a form of radar that can see through walls, and which can accurately observe people physically moving around, or even detecting heartbeats and sleep patterns. Remote espionage opens up all kinds of opportunities for bad actors to build ergonomic profiles of anyone and then deploy AI and ML enabled analysis to influence and impersonate them. Showing people just how many different dimensions can be used in cybercrime may one day shift public perception of cybersecurity into the center spotlight where it belongs. More from our sponsor ExtraHop. There’s got to be a better way to handle this For years security professionals have talked about trying to secure the exponentially expanding surface area. One way to simplify, that we've all heard before, is driving security to the data level. Could we let networks run wild, within reason, and just have a data-security first approach? How is that different from zero trust, if at all? To what extent does this work/not work? We've all been having conversations about encryption for decades. It's not a new story. But it's still not universally used. There are billions of user accounts available in open text. After decades, why has the encryption story still not been getting through? What's holding back universal usage?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/we-put-the-fun-in-infunsec/) We're cranking up the entertainment value on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in person in San Francisco. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Adrian Ludwig, CISO, Atlassian. Thanks to this week's podcast sponsor, Encryptics. Now you can share data without ever losing control of it. Our advanced architecture makes data self-protecting, intelligent and self-aware – wherever it goes, no matter who has it. Our .SAFE patented multi-key technology enables data to evaluate its own safety conditions, including geo-sensing, recipient authentication, and policy changes from its owner. Contact Encryptics today and see for yourself. On this week's episode Close your eyes and visualize the perfect engagement What should a CISO's relationship with the board be and how much should a CISO be involved in business decisions? According to a Kaspersky survey, 58% of CISOs say they're adequately involved in business decision making. 34% say they're summoned by the board for data/security related manners. 74% of CISOs are not part of the board and of that group, Of that group, 25% think they should be. What are the pros and cons of a CISO being heavily involved in the business? The great CISO challenge On Dark Reading, Joan Goodchild asked CISOs what were their New Year's resolution. Most said obvious stuff about visibility, being a business enabler, work on human element, and privacy. But I was most intrigued by Jason Haward Grau, CISO of PAS Global, who said he wanted to make security a little more fun. Keeping it fun and interesting is my obsession with this show. If you want to attract, and more importantly retain, security talent, a little bit of fun is critical. So what is currently fun about cybersecurity and what can CISOs do to make it more fun? What's Worse?! First time Mike Johnson admits to being wrong! Looking down the security roadmap On LinkedIn, Mike recommended that security professionals line up tools with their comparable threat models, and then compare that list with their company's actual threat models. Mike admittedly offered the advice but never actually had done itself until he wrote the post and then he started. We delve into what actually happened and how one could actually do it. The Cyber Defense Matrix is a handy, yet easy to use grid plan that helps IT and cybersecurity professionals formulate a plan of proactive defense and effective response. Devised by security specialist Sounil Yu and discussed in detail on the October 17, 2019 episode of Defense in Depth, the matrix continues to gain ground as a vital tool for not only understanding the required spread of technologies, people and process, but also in performing gap analysis and crisis planning. The matrix creates a logical construct across two axes, creating a five by five fill-in grid. Although some experts debate whether it is sufficiently broad in scope, cybersecurity organizations such as OWASP tend to agree that its role in organizing a jumble of concepts products and terminologies into a coherent inventory helps cybersecurity specialists measure their security coverage, discover gaps in their IT strategy, and create a better project plan. More from our sponsor ExtraHop. And now, a listener drops some serious knowledge "Sandor Slijderink (SLY-DUR-INK), CISO at undisclosed company, offered a quick tip on a new phishing scam. Type in some text that looks like a foreign language, then create a hyperlink that reads: ""See translation"" We discuss some attack vectors that we think others may not be fully aware of but need to pay attention.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/we-lower-the-security-and-pass-the-savings-on-to-you/) We're racing to the bottom in terms of price and security on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in person in San Francisco. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Seth Rosenblatt (@sethr), editor-in-chief, The Parallax. Thanks to this week's podcast sponsor, Encryptics. Now you can share data without ever losing control of it. Our advanced architecture makes data self-protecting, intelligent and self-aware – wherever it goes, no matter who has it. Our .SAFE patented multi-key technology enables data to evaluate its own safety conditions, including geo-sensing, recipient authentication, and policy changes from its owner. Contact Encryptics today and see for yourself. On this week's episode Are we making the situation better or worse? Are big Internet giants' privacy violations thwarting startup innovation? That's been presidential candidate Elizabeth Warren's argument, and it's why she wants to break up companies like Facebook and Google for what she sees as anti-competitive practices. According to Seth Roseblatt's article, it appears all of a sudden Facebook and Google are very concerned about privacy. Nine years ago, I remember seeing Eric Schmidt, then CEO of Google, proudly admit that they tracked people's movements so thoroughly that they can accurately predict where you're going to go next. Nobody blinked about the privacy implications. But today, users are upset but they don't seem to be leaving these services at all. Is it all talk on both sides? Have you seen any movement to improve privacy by these companies and would regulation be the only answer? And heck, what would be regulated? Here's some surprising research Over the past 15 years, home WiFi routers have been manufactured to be less secure. Seth reported on this study by the Cyber Independent Testing Lab, which we also discussed on an episode of Defense in Depth. The most notorious weakening is the use of default passwords, but there's a host of other firmware features that don't get updated. Is there any rationale to why this happens? And has this study done anything to turn things around? Is this a cybersecurity disinformation campaign? Fighting "fake news" like it's malware. In Seth's story, he noted there are structural and distribution similarities. I envision there are some similarities between fake news and adware which isn't necessarily designed for negative intent. Fake news appears to be an abuse of our constitutional acceptance of free speech. How are security tactics being used to thwart fake news and how successful is it? When you set up your new home assistant, try not to position it close to a window, because someone across the street might be preparing to send voice commands, such as “open the garage door” by way of a laser beam. Researchers from the University of Michigan and The University of Electro-Communications in Tokyo have successfully used laser light to inject malicious commands into smart speakers, tablets, and phones across large distances and through glass windows. They use standard wake commands modulated from audio signals and pair them with brute forcing of PINS where necessary. They have also been successful in eavesdropping, and in unlocking and starting cars. Their research shows how easy it is and will be to use lasers to not only penetrate connected devices but to deploy acoustic injection attacks that overwhelm motion detectors and other sensors. More information including access to the white paper is available at lightcommands.com. More from our sponsor ExtraHop. Look at this, another company got breached Tip of the hat to Malcolm Harkins at Cymatic for posting this story on Forbes by Tony Bradley of Alert Logic who offers a rather pessimistic view of the cybersecurity industry. It's broken, argues Bradley. We spend fortunes on tools and yet still get hacked year over year using the same tools. The article quotes Matt Moynahan, CEO, Forcepoint, who said we wrongly think of security as an "us" vs. "them" theory or "keeping people out" when in actuality most hacks are because someone got access to legitimate user credentials, or a user within our organization did something unintentional or potentially malicious. Are we wrongheaded about how we envision cybersecurity, and if so, is there a new overarching philosophy we should be embracing?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/ah-heres-the-problem-youve-got-a-leaky-ceo/) We're waking up the C-suite to the realization that they're the prime target for cyberattacks. This episode was recorded in front of a live audience at Evanta's CISO Executive Summit in Los Angeles. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers. CISO/Security Vendor Relationship Podcast live at Evanta CISO Executive Summit in Los Angeles 12/11/19 PLUS, joining us live was Jewels Nation, the voice of the CISO Series. You hear her voice on all the bumpers on our podcasts. Jewels Nation, the voice of the CISO Series podcasts, and David Spark, producer of CISO Series Thanks to this week's podcast sponsor Evanta. Evanta, a Gartner Company, creates exclusive communities of C-level executives from the world’s leading organizations. These invaluable networks are built by and for C-level executives to share innovative ideas, validate strategies and solve critical leadership challenges through peer-to-peer collaboration. Evanta’s trusted communities serve CISOs and their C-suite peers around the world. On this week's episode Where does a CISO begin? Gary recently brought up an excellent discussion pointing out that executives are the backdoor into your organization. Do they understand that they're critical cogs? Do they and are they willing to take on responsibility? What is the patching process? Walk a mile in this CISO's shoes Gary, talked a lot about the importance of work/life balance with cyber professionals. Robert Carey of RSA Security said your actions do most of the talking, "As a CISO, you're a model of work life balance. If you stay 14 hours a day, that's what is expected of employees. If you leave at 5pm they'll realize that's ok for them to do." How do our CISOs handle presenting to their staff what is and isn't OK, when they're in the office or when their employees are remote? What's Worse?! You've got a new hire. Which one do you choose? Is this the best solution? Does the email pitch still serve a function? On a recent CISO Series video chat, we talked about how CISOs get 50-80% of their information about products from other CISOs and that yeah maybe sometimes they read an email pitch. Is there still room for the email pitch or should it just die? And if it should die, what should it be replaced with? Security Squares: Where CISOs Put Vendors in Their Place A brand new game that asks CISOs how well do they know the vendor landscape? This one was a nail biter. It’s time for the audience question speed round Our audience has questions, and our CISOs will have answers.