
CISO Series Podcast
Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.
Latest episodes

Dec 10, 2019 • 45min
Trust Me, We're Using "Advanced" AI
All links and images for this episode can be found on CISO Series (https://cisoseries.com/trust-me-were-using-advanced-ai/)

We're looking for a good reason to trust your AI on the latest CISO/Security Vendor Relationship Podcast. This episode was recorded in front of a live audience at Evanta's CISO Executive Summit in San Francisco. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Jimmy Sanders (@jfireluv), head of information security, Netflix DVD.

Mike Johnson, Jimmy Sanders, head of information security, Netflix DVD, and David Spark

Thanks to this week's podcast sponsors: Trend Micro, SentinelOne, and FireMon.

FireMon provides persistent network security for hybrid environments through a powerful fusion of real-time asset visibility, continuous compliance and automation. Since creating the first-ever network security policy management solution, FireMon has delivered command and control over complex network security infrastructures for more than 1,700 customers.

Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com.

Are you looking to leave legacy antivirus? Proactively protect every device in real time with AI. Deploy SentinelOne for EPP, EDR, IoT, and container security today. Autonomous technology is the future. We deliver it now across your endpoints, servers, cloud workloads, and IoT devices.

What we've got here is failure to communicate
Is the privacy message getting out to the right people? I argue we need to go to the source and we're not. I was at Dreamforce, the Salesforce conference, and I got the sense I was the only person of the 100K people there who didn't want to be scanned. This crowd is obsessed with the collection of personal data, given that this conference is mostly about how to create greater understanding from personal data. Are we as security people in a bubble in this privacy conversation? We need to go to the source, the people who are actually collecting the data, and I'm getting the sense we're not getting through.

Are we making the situation better or worse?
We've talked a lot about AI on this show, and many vendors are selling intelligent solutions, but the factor that seems to hang up usage is trust. Cyber professionals don't think twice about trusting their AI-powered spam filter, but so many other tools are met with skepticism. What's missing from the vendor side and what trust barriers are practitioners putting up? What should the barometers be for trusting AI?

What's Worse?!
Two bad types of people wanting to do you harm. Which one is worse?

Is this the best solution?
Should you hire staff from companies that have fallen victim to cybercrime? According to a study by Symantec and Goldsmiths, University of London, as reported by ZDNet, more than half of respondents said they don't discuss breaches or attacks with peers. And more than a third said they fear that sharing breach information on their organization would negatively impact their future career prospects. I would think that asking a prospect, "Have you lived through a breach and how did you handle it?" would be very revealing. Mike?

Security Squares: Where CISOs Put Vendors in Their Place
A brand new game that asks CISOs how well they know the vendor landscape.

It's time for the audience question speed round
Our audience has questions, and our CISOs will have answers.

Dec 3, 2019 • 34min
Isn't That Adorable? Our Little CISO Has An Opinion.
All links and images for this episode can be found on CISO Series (https://cisoseries.com/isnt-that-adorable-our-little-ciso-has-an-opinion/)

We're spoon-feeding "respect" to the CISO on this week's CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our sponsored guest this week, thanks to Trend Micro, is Jim Shilts, founder, North American DevOps Group.

Thanks to this week's podcast sponsor Trend Micro. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com.

On this week's episode

Why is everyone talking about this now?
Gary Hayslip, CISO, Softbank Investment Advisers and regular guest, posted an article about a growing trend of CISO frustration and why they don't last at an organization. This article addresses many issues around burnout, but I want to focus on this one stat from an ISC(2) study which states, "Sixty three percent of respondents said they wanted to work at an organization where their opinions on the existing security posture were taken seriously." It is hard to keep any security staff in place if they're not respected. We talk a lot about being able to talk to the board, but the communication has to be two-way. How clear are executives in understanding that respecting and listening to their cyber staff is in their best interest?

What annoys a security professional
Deidre Diamond of CyberSN asks this very pointed question: "We are short 500k cyber professionals in the US and 89% of our current cyber professionals are open to new opportunities; why are jobs taking on average 4-9 months to fill?" That last stat is CyberSN's own data estimate. She's arguing there is plenty of supply. Why is this taking so darn long? Nobody's happy.

What's Worse?!
We've got a question tailored for our DevOps guest this week.

Please, enough. No, more.
DevOps and security. This is a topic that has grown over time, evolved in branding, and Mike has spoken out about how much he doesn't like the term DevSecOps. As we regularly do in this segment, what have you heard enough of on the DevOps and security debate and what would you like to hear a lot more of?

Two-factor authentication is a smart step towards more secure password management, but what happens the moment after you have convinced the employees of your company to adopt 2FA, when you then say, "Oh yes, don't forget your SIM PIN." 2FA might stop hackers from using easily searchable information like someone's mother's maiden name, but these bad actors have already discovered the weak link in this particular chain. They call the phone provider, pretend to be that specific victim and ask to swap the victim's SIM account information to a new SIM card, one that is in their possession. That way, everything the victim did with their phone (texting, banking, and receiving 2FA passcodes) all goes to this new phone. More on CISO Series.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

Hey, you're a CISO, what's your take on this?
Nigel Hedges, CISO, CPA Australia, asked, "Should security operations exist in infrastructure/operations teams?" Nigel asked this question of colleagues and got mixed results. One CISO said it was doomed to fail; others said it's up to leadership and a CISO doesn't need to own secops. "Other people were adamant that the focus required to manage secops, and streamlined incident response, can't work within infra because the primary objectives of infra are towards service availability and infra projects," said Nigel, who went on to ask, "Is this important prior to considering using a security vendor to provide managed security operations? Is it important to 'get the house in order' prior to using managed secops vendors? And is it easier to get the house in order when secops is not in infra?"

Nov 26, 2019 • 37min
Rest Assured, We're Confident Our Security Sucks
All links and images for this episode can be found on CISO Series (https://cisoseries.com/rest-assured-were-confident-our-security-sucks/)

We may not have the protection you want, but what we lack in adequate security we make up for in confidence. Sleep better at night after you listen to this week's episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Billy Spears (@billyjspears), CISO, loanDepot.

Thanks to this week's podcast sponsor, CyberInt. The high ROI is what makes spear phishing campaigns so attractive to threat actors. Read our breakdown of TA505's latest series of attacks. CyberInt has been tracking various activities surrounding this and other similar attacks where legitimate means were used to hack international companies in the retail and financial industries.

On this week's episode

Why is everybody talking about this now?
Tip of the hat to Eduardo Ortiz for forwarding this discussion Stuart Mitchell of Stott and May initiated on LinkedIn, asking if there should be a "golden bullet" clause in a CISO's contract. He was referring to the CISO of Capital One who had to step down and take on a consulting role after the breach. What are the arguments for and against?

Ask a CISO
Nir Rothenberg, CISO, Rapyd, asks, "If you were given control of company IT, what would be the first things you would do?"

What's Worse?!
Should a CISO be closing sales or securing the company?

Hey, you're a CISO, what's your take on this?
According to Nominet's Cyber Confidence Report, 71 percent of CISOs say their organization uses the company's security posture as a selling point, even though only 17% of CISOs are confident about their security posture. There are probably many factors that contribute to this disparity. Is it a gap that will ever close, or is this just the nature of security people vs. sales?

Bluetooth is a convenient and easy method of sharing data between devices, which, of course, qualifies it as a prime target for exploitation. A trio of researchers has discovered a vulnerability that has the potential to affect billions of Bluetooth-enabled devices, including phones, laptops, IoT and IIoT technologies. In short, this Key Negotiation of Bluetooth vulnerability, which has been given the acronym KNOB, exploits the pairing encryption protocol within the Bluetooth Classic wireless technology standard, which supports encryption keys with entropy between 1 and 16 bytes/octets. An attacker inserts themselves between the pairing devices, forcing both to agree to encryption with 1 byte or 8 bits of entropy, after which the key can simply be brute-forced. More on CISO Series.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

What do you think of this pitch?
How targeted should your pitch have to be?

Nov 19, 2019 • 34min
What Security Advice Will Your Family Ignore?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/what-security-advice-will-your-family-ignore/)

This Thanksgiving we wish you lots of luck convincing your family members to use a password manager. Would getting them to switch political allegiances be easier? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Jeff Hudesman, head of information security, DailyPay.

Thanks to this week's podcast sponsor Tenable. Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization.

On this week's episode

Why is everybody talking about this now?
Rich Malewicz, CIO, Livingston County, started a thread of common threats and scams we should warn family and friends about over the holidays. Lots of great advice. We discuss our favorites, whether we turn into family tech support, and, if you had one cyber holiday wish for every family member, what would it be?

Hey, you're a CISO, what's your take on this?
When is the right time and the WRONG time to start red teaming (the process of letting ethical hackers loose on your business to test your defenses, your blue team)? What exactly is it you're testing? Are you testing your network's resiliency or your business' resiliency?

"What's Worse?!"
Three options in this "What's Worse?!" scenario.

The great CISO challenge
We have repeatedly touted on the podcast the benefits of multi-factor authentication, or MFA. Our guest implemented an MFA solution at his company. We talk about what the challenges, criteria, and rollout were like, and whether they saw any visible evidence of security improvements.

Casey from accounting is getting frustrated, waiting for client files that are being held up by the firewall. Jordan is trying to join a video conference that needs a plugin, but the firewall won't let it through. So they call the IT manager, who then disables it. This happens a lot. Maybe not in large companies, but small law firms, medical clinics, or small businesses might use an old-school administrator who will either turn off the firewall or opt out of using one altogether, believing in the power of a cheap antivirus product to keep things safe. More on CISO Series.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

What do you think of this pitch?
There is lots of disagreement over whether this pitch is any good.

Nov 12, 2019 • 43min
Do's And Don'ts of Trashing Your Competition
All links and images for this episode can be found on CISO Series (https://cisoseries.com/dos-and-donts-of-trashing-your-competition/)

We want to malign our competitors, but just don't know how mean we should be. Miss Manners steps in on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and special guest co-host Mark Eggleston (@meggleston), CISO, Health Partners Plans, and our guest is Anahi Santiago (@AnahiSantiago), CISO, ChristianaCare Health System. We recorded in front of a live audience at Evanta's CISO Executive Summit in Philadelphia on November 5th, 2019.

Recording CISO/Security Vendor Relationship Podcast in front of a live audience at Evanta's CISO Executive Summit in Philadelphia (11-05-19)

Thanks to this week's podcast sponsors Trend Micro, Thinkst, and Secure Controls Framework.

Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com.

The Secure Controls Framework (SCF) is a meta-framework, a framework of frameworks. This free solution is available for companies to use to design, implement and manage their cybersecurity and privacy controls in an efficient and sustainable manner. Our approach provides a comprehensive solution to manage complex compliance needs.

Most companies find out way too late that they've been breached. Thinkst Canary changes this. Find out why the Thinkst Canary is one of the most loved products in the business and why the smartest security teams in the world run Canary. Visit https://canary.tools.

On this week's episode

Why is everyone talking about this now?
Greg van der Gaast, former guest who runs security at The University of Salford, initiated a popular LinkedIn discussion on the topic of human error. According to his colleague Matthew Trump of the University of Sussex, in critical industries, such as aerospace, oil and gas, and medical, "human error" is not an acceptable answer. You simply have to prevent the incident. If not, a mistake can be both a regulatory violation and lethal. But people are a part of the security equation. It's unavoidable. We know zero errors is impossible, but can you accept "human error" as a fail point?

Hey, you're a CISO, what's your take on this?
Listener David said, "One thing I have experienced at my last two jobs is integrating with a 'global' security team whose security program is effectively and functionally inferior to our own. On these occasions, the global security team wanted us to remove current safeguards, processes/procedures and tooling that reduced the preparedness and effectiveness of our security program and introduced risk(s) that we have not been exposed to in years. All of these changes were always touted as a 'one team' initiative but never once was due diligence on security posture taken into account. What is the best way to go about a consolidation like this? Do you not mess with a good thing and ask the 'better' security program to report up incidents, conform to compliance check boxes etc., or as a CISO do you sign off on a risk acceptance knowing that the operating company is now in a worse state of security?"

"What's Worse?!"
We've got two rounds of really bad scenarios.

What annoys a security professional
Geoff Belknap, former guest and CISO of LinkedIn, appreciates a vendor's desire to "bring like minds" together around food or drink, but the invite is not welcome on a weekend. Belknap feels that the weekend invite intrudes into a CISO's personal/family space. There was a lot of debate and disagreement on this, but there were some solutions. One mentioned a vendor invite that included round trip Lyft rides and childcare.

Oh, they did something stupid on social media again
Jason Hoenich, CEO of Habitu8, posted on LinkedIn that he didn't appreciate Fortinet writing about security training for CSO Online, something Jason's business does and for which he believes Fortinet does not have any expertise. It appears this was a sponsored article, but Jason didn't point to the article, nor did he isolate specifically what he felt was wrong with Fortinet's advice. Here at the CISO Series, we like Jason and Habitu8. They've been strong contributors to the community. But complaining and not pointing to any concrete evidence is not the best way to convince an audience. Earlier this year we saw something similar with the CEO of Crowdstrike going after the CEO of Cybereason, claiming an underhanded sales tactic that was not specified, nor did anyone at Cybereason know what he was talking about. Is it OK to go after your competition in a public forum? If so, what's the most professional and respectful way to handle it?

It's time for the audience question speed round
Our Philadelphia audience has questions and our CISOs had some answers. We rattle off a quick series of questions and answers to close the show.

Nov 5, 2019 • 35min
Get Out! The FUD Is Coming from the Inside
All links and images for this post can be found on CISO Series (https://cisoseries.com/get-out-the-fud-is-coming-from-the-inside/)

On this week's CISO/Security Vendor Relationship Podcast, we're pointing fingers at practitioners, not vendors, for promoting the FUD (fear, uncertainty, and doubt) scare-a-thon. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Eddie Contreras (@CISOEdwardC), CISO, Frost Bank.

Thanks to this week's podcast sponsor Trend Micro. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com.

On this week's episode

Why is everyone talking about this now?
On LinkedIn, Ron C. of CoreSolutions Software said, "Cybersecurity is no longer just a technical problem. It's now more of a people problem! So why aren't businesses prioritizing security awareness training for their staff?" There was a massive response and mixed agreement. Regardless, are we falling short on security awareness training? Is it not effective? Is it too complicated to pull off? Is the cost not justified? More importantly, has security awareness training had any impact?

Hey, you're a CISO, what's your take on this?
accidentalciso on our reddit channel, r/cisoseries, asks how a security professional knows if "CISO truly is the right career goal for them. I don't think the reality of the role is consistent with what one might think early on in their career." What was it about the CISO role that made a security professional want to pursue it, and how does that previous perception of what a CISO did counter or align with what was really experienced?

It's time to play, "What's Worse?!"
Is there a worst type of attack?

Ask a CISO
James Dobra, Bromium, asks, "Are security organizations guilty of using FUD internally, e.g. with the board and with users, while complaining that vendors use it too much?" Does FUD happen internally? Do security teams do it to get the money they want and/or shame users into submission?

On August 30, 2019, white hat hacker Tavis Ormandy discovered a vulnerability in a LastPass browser extension. This was a vulnerability, not a breach, and was very quickly remedied without damage. But it still causes chills when the last bastion of password security reveals its Achilles heel. It's like seeing your family doctor contract a terminal disease. But for CISOs, this might be a good thing. Password complacency and sloppy security hygiene are the scourge of security specialists everywhere. A SaaS-based password manager that uses hashes and salts to remove the existence of physical passwords in its own vaults is still a highly proactive solution. More found on CISO Series.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

First 90 Days of a CISO
Both Mike and our guest, Ed, are second-time CISOs in their first 90 days in the role. We review what mistakes they made the first time as a CISO that they're actively avoiding this time. Are there any hurdles that are simply unavoidable and that they're just going to have to face like any new CISO would?

Oct 29, 2019 • 33min
Say It Loud! I Didn't Read the Privacy Policy and I'm Proud!
All links and images for this episode can be found on CISO Series (https://cisoseries.com/say-it-loud-i-didnt-read-the-privacy-policy-and-im-proud/)

If we don't understand the purpose of a privacy policy, why should we bother reading it? We're claiming the cyber ignorance defense on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Roger Hale (@haleroger), CISO in residence, YL Ventures.

Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast; Roger Hale, CISO in residence, YL Ventures; David Spark, producer, CISO Series.

Thanks to this week's podcast sponsor Zix. Zix simplifies administration and reporting with a single management interface. Configuring, deploying, and monitoring email security and unified archiving services has never been easier, or faster. ZixSuite combines cloud-based email threat protection, email encryption, and unified business communications archiving, all backed by Zix's gold standard 24/7/365 support.

On this week's episode

How CISOs are digesting the latest security news
We're blowing it with general cybersecurity education. According to a study by the Pew Internet Research Center, most Americans don't understand or can't identify basic cybersecurity concepts such as two-factor authentication, private browsing, or the purpose of a privacy policy. We talk a lot about the importance of education and it appears we're not doing a good job. What are some creative ways we can dramatically improve these numbers?

Hey, you're a CISO, what's your take on this?
Cai Thomas, Tessian, has an article on TechRadar on the dangers of sending corporate work via personal email accounts. He outlines the issues. As per the previous story, chances are very high that people are completely unaware of the risk they're placing the company in by forwarding corporate email to personal accounts. No amount of education is going to solve this problem. What are the systems that companies can and should set up to give people a better alternative than sending emails to personal accounts?

What's Worse?!
How damaging can not having a seat on the board be?

Ask a CISO
Nick Sorensen, Whistic, asks, "What do you see the most proactive vendors doing to prepare for vendor security reviews from their customers?"

"Your bank account has been frozen." That's now an old chestnut in the scamming world, but it thrives through increasingly sophisticated spoofing activities that include a bank's real phone number and real-looking pop-up websites for password refresh requests. Even IT experts can get caught by these things occasionally, as some have even confessed on this very podcast series. This level of relentless innovation is worth keeping front of mind when considering the amounts of data that Internet of Things devices are creating but that organizations have no plan or space for. IBM, Forrester, and others have suggested that maybe 1 percent of data generated from IoT connectivity is being used, mostly for immediate learning or predictive activities. More available on CISO Series.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

First 90 days of a CISO
Today is Roger's first official day as a CISO in residence at YL Ventures. What the heck does that mean, and how does that differ from being an operational CISO?

Oct 22, 2019 • 34min
I'll See Your Gated Whitepaper and Raise You One Fake Email Address
All links and images for this episode can be found on CISO Series (https://cisoseries.com/ill-see-your-gated-whitepaper-and-raise-you-one-fake-email-address/)

We're all in with not wanting "follow up email marketing" on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Ian Amit (@iiamit), CSO, Cimpress.

Thanks to this week's podcast sponsor Trend Micro. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com.

On this week's episode

Why is everyone talking about this now?
To gate or not to gate. Mike posted on LinkedIn about how much he appreciated vendors who don't gate their content behind a registration wall. The post blew up on LinkedIn. The overwhelming response got some vendors willing to change their tune.

Hey, you're a CISO, what's your take on this?
Kevin Kieda of RSA Security asks, "For an initial meeting, what are the things you want the sales person to know about your business that many of them don't?" Kevin says he gets frustrated because he gets the sense a prospect wants him to know what tools they're using, even though he knows he often can't find out that information. What is the must-know, the nice-to-know, and the "boy, I'm impressed you know that"? Mike Johnson recommends BuiltWith.com for basic OSINT on a company site.

What's Worse?!
Whose mistakes are worse? Your own or the vendor's?

The great CISO challenge
Factor Analysis of Information Risk (FAIR) is a risk framework (often laid on top of others) that simplifies the understanding of risk by identifying the blocks that contribute to risk and their relationship to each other, and then quantifying that in terms of money. Ian, can you give me an example of how you actually do this?

Since its inception back in 2010, Zero Trust Architecture has been gaining traction. Much of the interest stems from the nature of work and data today: people working from anywhere on any device, and data racing around networks and to and from the cloud, means there is no single fortress where everything can exist safely. Operating on a belief that everything inside the perimeter is safe because it's inside the perimeter is no match for today's hacking, penetration and inside sabotage. The establishment of new perimeter protections, including microtunnels and MFA, is best applied to new cloud deployments but must still somehow be factored into a legacy architecture without becoming more inconvenient and vulnerable than what it is trying to replace. More on CISO Series.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

Why is this a bad pitch?
What's the polite way to handle the way-too-generic vendor request? We offer two examples of non-specific pitches that are obviously just begging for a CISO's time. Is there a polite way to refuse the request and let them know, without talking down to them, that this isn't a tactic they should pursue?

Oct 15, 2019 • 34min
Rated #1 in Irresponsible Security Journalism
All links and images for this episode can be found on CISO Series (https://cisoseries.com/rated-1-in-irresponsible-security-journalism/)

No security alert is too small for us to completely misrepresent its severity. The sky is falling on the latest episode of CISO/Security Vendor Relationship Podcast.

Thanks to this week's podcast sponsor, Zix. Zix simplifies administration and reporting with a single management interface. Configuring, deploying, and monitoring email security and unified archiving services has never been easier, or faster. ZixSuite combines cloud-based email threat protection, email encryption, and unified business communications archiving, all backed by Zix's gold standard 24/7/365 support.

On this week's episode

Why is everybody talking about this now?
Two recent stories showed some fallibility in multi-factor authentication, or MFA. We have repeatedly recommended MFA on this show. But the FBI announced some technical and social engineering techniques that are being used to break multi-factor authentication. In addition, Twitter admitted that email addresses and phone numbers used to set up MFA might have been sent to third-party advertisers. The FBI says its news shouldn't change our trust in MFA. William Gregorian, CISO, Addepar, posted on LinkedIn that the press is claiming that MFA is broken and that's irresponsible journalism.

Let's dig a little deeper
Security professionals thrive on hearing about and learning about the latest threats. It feeds the latest security headlines and conferences. While it's often fascinating and keeps everyone interested, to what level are security concerns based on well-known, years-old threats vs. the latest threats?

"What's Worse?!"
Whose mistakes are worse? Yours or the vendors'?

Please, enough. No, more.
We've talked a lot about machine learning on this show, and the definition of it is broad. What's ML's value in threat protection? We discuss what we've heard enough about with regard to machine learning being used for threat protection, and what we would like to hear a lot more of.

When companies in retail or enterprise remind their online visitors to change their passwords, are they doing them a favor or causing them grief? Password managers exist, of course, as do newer forms of passwordless authentication, multifactor authentication and behavioral and biometric data. But ultimately, whose responsibility is this? Should a merchant website place the onus of personal security back on the customer? And if so, how would this protect the merchant's own property? If this jeopardizes a sale or transaction, the cost of proactive security, at least for the short term, appears too great. And it's obvious, from the avalanche of data breaches of recent years, that stored data of any sort becomes a permanent liability. More available on CISO Series.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

Ask a CISO
Gina Yacone, a consultant with Agio, asks, "If you're performing a table top exercise, who are the only three people you would want to have a seat at that table?"

Oct 8, 2019 • 31min
Cybercrimes Solved in an Hour or Your Next One's Free
All links and images for this episode can be found on CISO Series (https://cisoseries.com/cybercrimes-solved-in-an-hour-or-your-next-ones-free/)

In the real world, cybercrimes just don't get solved as fast as they do on CSI. So we're offering a guarantee: if we don't catch the cyber-perpetrator in an hour (including commercial breaks), we'll make sure you're attacked again.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our sponsored guest this week is Jason Hill (@chillisec), lead researcher at CyberInt Research Lab.

Thanks to this week's podcast sponsor, Cyberint. The high ROI is what makes spear phishing campaigns so attractive to threat actors. Read our breakdown of TA505's latest series of attacks. CyberInt has been tracking various activities surrounding this and other similar attacks where legitimate means were used to hack international companies in the retail and financial industries.

On this week's episode

What annoys a security professional: A question on Quora asks, "What does everybody get wrong about working in the field of forensics?" There were a handful of answers, ranging from people looking to TV and film dramas to the belief that it's only a post-mortem analysis. What are the biggest misconceptions about digital forensics?

Why is everybody talking about this now? Tip of the hat to Stu Hirst of Just Eat, who posted this Dilbert cartoon that got a flurry of responses. Read it for yourself, but in essence, it's about a boss who thought technology would solve all his problems, not realizing that people and process are also part of the equation. All too familiar. The "I've been hearing a lot about __________" phenomenon: what causes this behavior and how do you manage it?

"What's Worse?!" How much flexibility do you require in your security team and the business?

Please, enough. No, more. How far can AI go? Where does the human element need to exist? What are the claims of the far-reaching capabilities of AI? We discuss what we'd like to hear regarding the realistic capabilities and limitations of AI.

Every year, the fall season sees billions of dollars being spent on home-based IoT devices. The back-to-school sales are the starting point, Cyber Monday is the clubhouse turn and the year-end holiday season is the finish line. As usual, these devices (printers, DVRs, IP cameras, smart home assistants) are relatively inexpensive and provide plug-and-play convenience to satisfy an impatient customer base. For the rest of the cloud tip, head to CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

We don't have much time. What's your decision? What are the best models for crowdsourcing security? There are entire businesses, such as bug bounty firms, that are dedicated to creating crowdsourced security environments. Our guest this week is passionate about investigative work. We asked him and Mike what elements they've found that inspire the community to participate in a crowdsourced security effort, and that make it simple to do so.