
CISO Series Podcast

Latest episodes

Mar 18, 2019 • 34min

When Abusing Our Privacy, Does Size Matter?

Do the biggest tech companies abuse our privacy because they have no competitive incentive to protect it? That debate and more on the latest episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Emilio Escobar (@eaescob), head of information security for Hulu.

Endgame makes military-grade protection as easy as anti-virus. Their converged endpoint security platform is transforming security programs – their people, processes and technology – with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com.

On this episode

Why is everybody talking about this now?
Why can't security vendors get CRM right? One week after RSA I have received cold phone calls and emails from companies where I'm already engaging with multiple people; in some cases I've interviewed their CEOs, worked for the company, and/or they've sponsored this very podcast. Other industries use their CRM. Why does it appear, en masse, that the cybersecurity industry is failing at basic CRM?

How CISOs are digesting the latest security news
Massachusetts Senator Elizabeth Warren wrote an opinion piece on Medium saying that if elected President her administration would seek to break up Amazon, Facebook, and Google. She cited them as monopolies squashing innovation and competition and damaging our privacy for their profit. She said, "With fewer competitors entering the market, the big tech companies do not have to compete as aggressively in key areas like protecting our privacy."

What's Worse?!
What's the best kind of CISO to have?

What's a CISO to do?
Last year at Black Hat I produced a video where I asked attendees, "Should DevOps and security be in couples counseling?" Everyone said yes. Are security leaders taking on the role of couples counselor as they try to get security and DevOps working together?

What do you think of this pitch?
We've got two pitches for the show, and the second one has a response that veers into insulting.
Mar 12, 2019 • 42min

We’re Releasing Security Studies of Made Up Numbers

Since no one ever checks a research study's methodology, why not just make up all the numbers? You're in the risk analysis business, right? Chances are very good they'll never check, and research studies are a great way to get free press. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Melody Hildebrandt (@mhil1), CISO of FOX.

Thanks to this week's sponsors, Axonius and New Context. New Context helps Fortune 500s build secure and compliant data platforms. New Context created “Lean Security”, a set of best practices designed to help enterprises manage and secure data for critical infrastructure, and offers professional services and a software solution, LS/IQ, to help enterprises build secure and compliant data platforms for their business. Huge congrats to Axonius for their two big wins at RSA this year. They were named Rookie Security Company of the Year by SC Media and they also won top prize at RSA’s Innovation Sandbox. They’ve been touted as the company trying to solve the least sexy part of cybersecurity, asset management. Go to Axonius’ site to learn more.

On this episode

Ask a CISO
It’s been reported many times that the average tenure of a CISO is 18 months, and Mike Johnson lasted 18 months at Lyft. At the time of Mike’s departure, so many people were forwarding me articles regarding the stress level of CISOs, most notably around Nominet’s study that claimed that about 1 in 5 CISOs turn to alcohol or self-medicating. With two CISOs on the panel, we discuss whether this was the most high-pressured job they had and whether they would be eager and willing to jump back into the CISO role again.

Why is everybody talking about this now?
A couple of weeks ago I wrote an article entitled “30 Security Behaviors that Set Off a CISO’s BS Detector.” There was quite a response from the community to this. Now that we’ve just finished RSA, did our CISOs see or hear anything that set off their BS detectors?

What’s Worse?!
We play two rounds of “What’s Worse?!” Both rounds are cases of employees putting security in very compromising positions.

What’s a CISO to do?
When we talk about security we’re often talking about protecting customer and employee data. While all companies have intellectual property they need to protect, at FOX, Melody Hildebrandt is having to deal with some very high profile individual assets that are of interest to many hackers. What are the factors a CISO must consider, that most security people probably aren’t thinking about, when you’re trying to secure a single media asset that’s worth hundreds of millions of dollars?

What do you think of this pitch?
After you hear this pitch, every security professional may be out of a job. Tip of the hat to Christopher Stealey of Barclays for providing this pitch he received.

You’re a CISO, what’s your take on this?
Ameer Shihadeh of Varonis asks how to overcome the objection from a security professional that they don’t have any security initiatives or projects.

And now this…
We field questions from our audience for the CISOs.
Mar 3, 2019 • 29min

A Pesticide-Free Podcast Made with 'All Natural' Intelligence

We eschew those cybersecurity firms touting claims of artificial intelligence for our organic, conversation-based approach to podcasting. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson. Our sponsored guest this week is Mike Wiacek (@Mikewiacek), co-founder and CSO of Chronicle.

Thanks to this week's sponsor, Chronicle. Chronicle’s Backstory is a global security telemetry platform for investigation and threat hunting within your enterprise network. Backstory makes security analytics instant, easy, and cost-effective. Backstory is a specialized, cloud-native security analytics system, built on the core infrastructure that powers Google itself.

On this episode

What's a CISO to do?
As we brace for RSA this week, we expect most companies on the floor will be touting some form of artificial intelligence or machine learning. CISOs are no longer even slightly moved by those terms. What should vendors be saying? And what should a savvy security shopper demand to know about a company's AI or ML?

Why is everybody talking about this now?
Allan Alford, CISO of Mitel and my co-host on the other CISO Series podcast, Defense in Depth, created a very funny "Cybersecurity Startup Name & Mission Generator!" chart that got a lot of response. We've seen a lot of these name generators, but this one seemed creepily too real. We discuss InfoSec company names and how not to let your eyes glaze over as you walk the trade show floor.

What's Worse?!
How do you feel when big security companies acquire smaller security companies?

Please, enough. No, more.
This week's topic is "threat hunting." We talk about what we've heard enough of on "threat hunting," and what we'd like to hear a lot more.

What's a CISO to do?
A great challenge question from an anonymous source: "My users learned security from the evening news. Now I can't see their traffic due to their VPN tunnel and they are using programs that delete evidence to be more secure." What's a CISO to do?
Feb 26, 2019 • 33min

You Get a Private Network! You Get a Private Network!

CISO/Security Vendor Relationship Podcast and series is available at CISOSeries.com. We're giving away private networks to everybody. Even if you think you don't need one, you want one. It's all on this week's episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson. Our sponsored guest this week is Francis Dinha, CEO of OpenVPN.

Thanks to this week's sponsor, OpenVPN. Create an economical and secure private network for your company with OpenVPN. Used by Fortune 500 companies and IT, Access Server keeps your internal data safe with end-to-end encryption, secure remote access, and extension for your centralized unified threat management. Go to openvpn.net/ciso-series to test drive Access Server for free.

On this episode

What's a CISO to do?
A few years back I interviewed Francis Dinha about hiring talent. Dinha had the good fortune to be able to mine his own community of open source volunteers, which has become a great resource for hiring. Finding those passionate communities is key to finding talent. We discuss other possible resources and why it's critical, or maybe not critical, to hire people who've contributed to the open source community.

Why is everybody talking about this now?
Given the number of default passwords in use and connected devices with little to no security, does achieving "zero trust" have to be the InfoSec equivalent of climbing Mt. Everest? We discuss simplifying security architecture so that achieving "zero trust" isn't a badge of honor but rather something everybody can easily do.

What's Worse?!
Another round where we debate an open source conundrum.

Please, enough. No, more.
What have we heard enough of about VPNs, and what would we like to hear a lot more?

Let's dig a little deeper
John Prokap, CISO of HarperCollins, said on our live NYC recording, "If you patch your systems, you will have less threats that will hurt you." I posted John's basic security advice as a meme, and it got a flurry of responses. My favorite came from Greg Van Der Gaast of CMCG, who said, "The fact that this is quote/post-worthy in 2019 boggles my mind." The issue of "why aren't you doing this" came up, and people discussed integration issues, how hard it is to keep up, and the fact that patches can often break applications. Is this a cycle that's impossible to break?
Feb 19, 2019 • 34min

Productivity Tip! Get More Done By Refusing To Do Anything

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. We tip our hat to the much maligned "Department of No" for having the foresight to see that refusing service is probably the most efficient and secure response. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson, CISO of Lyft. Our guest this week is April Wright (@AprilWright), CEO, ArchitectSecurity.org.

Thanks to our sponsor, Endgame. Endgame makes nation-state grade protection as easy as anti-virus. Their converged endpoint security platform is transforming security programs – their people, processes and technology – with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com. Endgame will be at RSA this year in booth 1827 in the south hall.

On this episode

How CISOs are digesting the latest security news
In an effort to improve security before the 2020 Olympic games, the government of Japan will try to hack its own citizens by using default passwords on webcams, routers, and other Internet-connected devices. If they break through, they will alert the owners that their devices are susceptible to attack. How good or bad is this idea? Will this give way to easy phishing scams?

Why is everybody talking about this now?
Online, Mike brought up the subject of security rockstar culture and specifically pointed out that this comes from the security staff playing offense, as opposed to the ones playing defense, who really need a team behind them to be effective. We look at the difference between a healthy leading voice in security and a “look at me” security rockstar.

It’s time to play, “What’s Worse?!”
Two rounds, and the first one Mike spends a lot of time debating.

Ask a CISO
Brad Green of ObserveIT asks, “Do CISOs pay attention to competitive market conditions of different vendors?” Are you aware of what’s going on, and what impact do analysts have?

What do you think of this pitch?
Two pitches to critique. Lots of insight.
Feb 12, 2019 • 44min

We’re 99% Sure Our Malware Protection Will Fail 1% of the Time

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. Do you want a security vendor that’s good at protecting you from malware, or a vendor that’s honest with you about their failure rates? Whatever happens, you’ll take it on the latest episode of CISO/Security Vendor Relationship Podcast, recorded live in NYC for the NY Information Security Meetup (@NYInfoSecurity). Thanks for hosting our recording! This super-sized special episode features drop-in co-host John Prokap (@JProkap), CISO of HarperCollins Publishers, and our guest Johna Till Johnson (@JohnaTillJohnso), CEO of Nemertes Research. Check out all the awesome photos from the event.

Context Information Security is a leading technical cyber security consultancy, with over 20 years of experience and offices worldwide. Through advanced adversary simulation and penetration testing, we help you answer the question – how effective is my current cyber security strategy against real world attacks?

On this episode

How CISOs are digesting the latest security news
To Facebook, our data in aggregate is very valuable. But each individual views their own data as essentially worthless, as they're happy to give it away to Facebook for $20/month. I don't see this ever changing. Does an employee's carelessness with their own privacy affect your corporation's privacy?

Why is everybody talking about this now?
Rich Mason, former CISO at Honeywell, posted about the need to change the way we grade malware protection. He noted that touting 99 percent blocking of malware, which allows for one percent failure and network infection, is actually a 100 percent failure. It's the classic lying-with-statistics model. How should we be measuring the effectiveness of malware protection?

What's Worse?!
We play two rounds trying to determine the worst of bad security behavior.

What's a CISO to do?
A CISO can determine their budget by:
1. Meeting compliance issues or minimum security requirements
2. Being reactionary
3. Reducing business risk
4. Enabling the business
Far too often, vendors have preyed on reactionary and compliance buyers. But the growing trend among most CISOs is the reduction of business risk. How does this change a CISO's budgeting?

Let's dig a little deeper
We bring up "do the basics" repeatedly on this show because it is often the basics, not the APTs, that are the cause of a breach or security failure. Why are the basics so darn hard, and why are people failing at them?

What do you think of this pitch?
We've got two pitches for my co-host and guest to critique.

And now this...
We wrap up our live show with lots of questions from the audience.
Feb 5, 2019 • 31min

We're Selling Your Data at Unbeatable Prices

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. We've got so much data we've got to liquidate. Whatever private information you want - location, purchase history, private messages - we've got it! Call us now before our users realize what we're doing. Your privacy, unleashed, on the latest episode of CISO/Security Vendor Relationship Podcast.

Create an economical and secure private network for your company with OpenVPN. Used by Fortune 500 companies and IT, Access Server keeps your internal data safe with end-to-end encryption, secure remote access, and extension for your centralized unified threat management. Go to openvpn.net/ciso-series to test drive Access Server for free.

On this episode

Why is everybody talking about this now?
Oh Facebook, not again. It appears they were paying teenagers for the right to snoop on their phones. The most telling part of this story is that the app was activated by clicking a button that said, "Trust." How does Facebook's untrustworthy behavior affect a CISO's ability to maintain trust with their audience?

How are CISOs digesting the latest security news?
From the UK, the Cyber Skills Impact Fund will receive a nice boost of £500,000 to attract more people to cybersecurity, and specifically a diverse workforce. We have talked at great length about the need to have a diverse security staff, and Mike has said on a previous show that not having diversity actually makes you less secure because you fall into "one think." How does a diverse staff change the thinking dynamic of your security team?

It's time to play "What's Worse?!"
We play two rounds of the game. One round is far more challenging than the other.

Ask a CISO
Tip of the hat to Schaefer Marks of ProtectWise for his suggestion about RSA pitching. I'm starting to get RSA meeting requests. They all follow the same format: assuming we're getting ready, and asking if we would like a meeting with a VP, CEO, or some expert. We discuss what pre-event pitching we like and don't like.

What do you think of this pitch?
We have two pitches, one that's pretty good, and one that's disastrous.
Jan 28, 2019 • 46min

We're the Ellen of Cybersecurity Podcasts

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. We're comparing ourselves to media you already know in hopes you'll better understand our product and listen to our show. It's our first self-produced live recording of the CISO/Security Vendor Relationship Podcast from San Francisco, and it came out awesome. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson, CISO of Lyft. Our guest for this live show is Andy Steingruebl (@asteingruebl), CSO of Pinterest. Check out all the awesome photos from our first self-produced live recording.

Thanks to our sponsors. The Synack Crowdsourced Security platform delivers effective penetration testing at scale. Synack uses the world’s top security researchers and AI-enabled technology to find what scanners and regular testing do not. It’s used by the US Dept of Defense and leading enterprises for better security. To learn more, go to synack.com. New Context helps Fortune 500s build secure and compliant data platforms. New Context created “Lean Security”, a set of best practices designed to help enterprises manage and secure data for critical infrastructure, and offers professional services and a software solution, LS/IQ, to help enterprises build secure and compliant data platforms for their business. Create an economical and secure private network for your company with OpenVPN. Used by Fortune 500 companies and IT, Access Server keeps your internal data safe with end-to-end encryption, secure remote access, and extension for your centralized unified threat management. Go to openvpn.net/ciso-series to test drive Access Server for free.

Why is everybody talking about this now?
Chris Roberts of Attivo Networks caused a flurry of discussion when he argued that using the term "security" is meaningless. He said, "There is no such thing as security. There is just a measurement of risk." He went on to say we shouldn't be talking about security risk, but only business risk. Would it be a good idea to change the terminology?

How are CISOs digesting the latest security news?
France’s data protection regulator, CNIL, issued Google a $57 million fine for failing to comply with its GDPR obligations. Not the first GDPR fine, but the first against a big tech giant. And it's not nearly as much as it could have been. But it's the biggest fine so far. Are GDPR fines starting to get real? Will this embolden even more fines?

Hey, you're a CISO, what's your take on this?
On LinkedIn, Mike Johnson brought up the discussion of security vendors marketing what they're not. He claimed that this tactic is doomed to fail and should just stop. Why is it a failed tactic?

It's time to play, "What's Worse?!"
We get a little philosophical in this round of "What's Worse?!"

Um...What do they do?
I read the copy from a vendor's website and the two CISOs try to figure out, "What do they do?"

Ask a CISO
A listener asks, "What are the signs that tell you that a vendor is serious about improving the security of their product?"

How are CISOs digesting the latest security news?
A caustic attendee at DerbyCon brings down the entire event because the organizers didn't know how to handle his behavior. How can event producers in the security space avoid this happening in the future?

And now this...
We take questions from our audience.
Jan 24, 2019 • 26min

Introducing Defense in Depth: Security Metrics

Our new podcast, Defense in Depth, is part of the CISO Series network, which can be found at CISOSeries.com. This is a special episode introducing this new podcast. To get more of Defense in Depth, subscribe to the podcast.

What are the most important metrics to measure when building out your security program? One thing we learned on this episode is that those metrics change as your security program matures. This episode of Defense in Depth is co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is my co-host of the other show, Mike Johnson, CISO of Lyft.

Fluency's correlation and risk scoring technology, combined with their approach of using pseudonyms in place of certain PII data, greatly facilitates your organization's path towards compliance. Over time, machine learning and artificial intelligence algorithms detect anomalies at an impressive level of scalability. Run Fluency as a standalone or integrate it into your existing SIEM. Learn more by visiting us at booth #4529 at the RSA® Conference 2019.

On this episode of Defense in Depth, you'll learn:
There is no golden set of security metrics.
Metrics you use to measure your security program this year won't necessarily be the same ones you use next year.
Use the NIST model to determine your security program maturity.
Unlike B2C, B2B companies can use metrics to build a closer tie between security and the business.
Regulations and certifications are one easy way to align security with the business.
Jan 22, 2019 • 32min

You're the Expert, You Figure Out Our Software

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. We don't have to make our software any simpler to use. You just need to get smart enough to use it. We're all attitude on the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Mike Nichols (@hmikenichols), VP of product at Endgame.

Endgame makes nation-state grade protection as easy as anti-virus. Their converged endpoint security platform is transforming security programs - their people, processes and technology - with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com. Endgame will be at RSA this year in booth 1827 in the south hall.

On this episode

How CISOs are digesting the latest security news
Is this yet ANOTHER security breach? A massive document of usernames and passwords, all available in text files, pretty much for anyone to see. This may be a collection of usernames and passwords from historical hacks, but it's not clear. Most of us have potentially more than a hundred usernames and passwords. How are we supposed to go through all our accounts and change them all? Can we slap 2FA on top of everything? What should be the best reaction to this kind of news?

Hey, you're a CISO, what's your take on this?
In the area of user experience, B2B software seems neglected. All the wonderful usability goes to consumer apps, because everybody needs to be able to use them. But B2B software can cut corners on usability and add extra layers because, heck, these people are experts; they're hired to do this job. They should know what they're doing. But that type of thinking is hurting the industry as a whole.

What's Worse?!
We've got a scenario of two CISOs with two different companies. Which one has the worse security posture?

Please, Enough. No, More.
Our topic is endpoint protection. We talk about what we've heard enough of on endpoint protection, and what we'd like to hear a lot more. Endgame's machine learning engine, Ember, is open source.

What's a CISO to do?
Why is it so difficult to hire InfoSec professionals? Are there not enough skills, not enough people interested, is it tough to hire for diversity, is the environment way too competitive, or is it the nature of the recruiting industry itself?
