CISO Series Podcast

David Spark, Mike Johnson, and Andy Ellis
May 6, 2019 • 32min

Our "What Not to Do" Security Selling Secret

Check out all links and images for this episode on CISO Series (https://cisoseries.com/our-what-not-to-do-security-selling-secret/) We're not always clear on what vendors should do when selling security products, but when we get a really bad email pitch, we're very clear on what they should not do. We're bedazzled with bad pitch disbelief on this episode of CISO/Security Vendor Relationship Podcast. Thanks to this week's sponsor, Women in Security and Privacy (WISP) Women in Security and Privacy works to advance women in security and privacy. We accomplish this through practical and technical workshops, TANDEM mentorship programs, leadership training, job board postings, Equal Respect speakers bureau, and conference and training scholarships. On this week's episode Why is everybody talking about this now? Facebook is expected to pay somewhere between $3 to $5 billion in FTC fines for violating the 2011 consent decree. They violated users' privacy without giving clear notice or getting clear consent. But, all this financial and reputational damage doesn't seem to do a darn thing to dissuade individuals or investors from Facebook. The site has 2.38 billion active users. It's growing 8% year over year. And after their earnings announcement which mentioned the multi-billion dollar fine, their stock jumped 7%. This doesn't appear to get people to care about security and privacy. So what will? Hey, you're a CISO, what's your take on this? The NSA has announced that no zero day attacks were used in any high profile breach in the last 24 months. Most of the attacks were simple intrusion where they went after users through techniques like phishing or water holing. We talk endlessly on this show about good cyber hygiene, but we have an event coming up, Black Hat, that thrives on showing security professionals the latest attack techniques, which I know are not zero days. But how can security professionals NOT gravitate towards the newest and coolest? What's Worse?!
Who needs to control the problem? Security or the business unit? How to become a CISO Gary Hayslip, CISO of Webroot and a former guest on Defense in Depth, wrote an article to his younger self about what he wished he had known when he started in cybersecurity and then became a CISO. I'll ask the two of you to do the same exercise. What is something that you now know that there's no way you would have known starting out but would have made your life a lot easier as you took the climb to become a CISO? Why is this a bad pitch? We've got a one-two punch on a bad pitch email that uses self-deprecating humor plus an assumption of business relationship. Ouch. The importance of developing consistent data protection policies across multiple cloud services Many IT departments manage multiple clouds to ensure redundancy and avoid vendor lock-in. But diversifying brings along a new set of risks that demand a consistent and constantly reviewed data governance solution. In general, cloud vendors do not take responsibility for the security of your data. So, your policy must take full responsibility for endpoints, networks and cloud environments. Just a few of the must-haves on this list include limiting users' permissions to only what they absolutely need, strong security practices including multi-factor authentication and password management, enforcing a uniform set of data loss prevention policies, and building a dynamic inventory of applications by the types of data stored, compliance requirements, and potential threats. Policies should be assigned to groups or roles rather than individual people. In-house IT people are already busy. Their attention and energies might be best served by working with senior management to establish and maintain multicloud and data loss prevention policies, while leaving the heavy lifting and day-to-day proactive maintenance to a completely reputable as-a-service cloud security vendor.
Apr 30, 2019 • 32min

We're Gonna Run These Pen Test Exercises Until You Turn Purple

Find all the links and images on CISO Series (https://cisoseries.com/were-gonna-run-these-pen-test-exercises-until-you-turn-purple/) We learn to iterate our security stamina faster by bringing the attackers and defenders in the room together. We're seeing purple on this episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Matt Southworth (@bronx), CISO of Priceline, who was brought to us by our sponsor, Praetorian. Thanks to this week's sponsor, Praetorian As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts. Why is everybody talking about this now? Senator Elizabeth Warren's proposed bill, the Corporate Executive Accountability Act, would pave the way for criminal charges of executive wrongdoing that leads to some public harm, like a public data breach. Note, there needs to be proof of wrongdoing. This isn't designed to blame victims. Regardless, the cybercommunity lit up on this topic. Warren said that too many executives were walking away free with no penalty while the community were left to suffer. Is this the bill that's needed to put a check on breaches? Hey, you're a CISO, what's your take on this? Priceline has been conducting purple team exercises with our sponsor Praetorian. We discuss the value in purple team efforts over all the other alternatives, like pen testing, red team/blue team exercises, and threat hunting reports. Plus, we discuss the cultural benefits of purple team exercises. What's Worse?! We get a consensus on a question about asset and risk management. How to become a CISO Question from the director of information security at a Fortune 100 company, who wants to know how to make the leap from his position to CISO.
Pay attention, it's security awareness training time Dan Lohrmann, CSO of Security Mentor and an upcoming guest on our live podcast we're going to be recording on June 6th in Grand Rapids, Michigan had a very interesting article on Peerlyst about avoiding the punishment angle of security training. He said his number one struggle in education is explaining how important security is at an individual level and that individuals understand the impact of their actions. At Priceline, Matt Southworth created a Security Champs program to extend the reach of his security team by training interested non-security coworkers about security. We discuss what this has done to improve culture, security, and help people understand the impact of their actions. Two-factor authentication, also called 2FA, is vital, and should be considered the default in online security, not a fancy option. In short, 2FA means that two separate identifiers are required to gain access to an account. These identifiers should come from: 1.) something only you know, like a complex password, and 2.) something physically separate that belongs to you like a phone that can receive SMS messages, a physical token, a time or location limited message, or something biometric, like a retinal scan or fingerprint. Currently the SMS message is the most popular "second factor," but security analysts say this is still the weakest option. A better option is to use an approved app, or to partner with a cybersecurity company who can build one for you.
Apr 25, 2019 • 22min

Vulnerability Management

This is a special episode of Defense in Depth being shared on this feed. Find the full post with links and images on the CISO Series site here (https://cisoseries.com/defense-in-depth-vulnerability-management/) So many breaches happen through ports of known vulnerabilities. What is the organizational vulnerability in vulnerability management? Check out this post and discussion and this one for the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is Justin Berman (@justinmberman), CISO for Zenefits. Vulcan's vulnerability response automation platform allows enterprises to automate their TVM programs. Vulcan integrates to existing IT DevOps and security tools to fuse enterprise data with proprietary intelligence, which makes it possible to accurately and subjectively prioritize and remediate vulnerabilities - either using a patch workaround or compensating control. On this episode of Defense in Depth, you'll learn: As the CIS 20 concurs, vulnerability management is the first security measure you should take right after asset inventory. Vulnerability management needs to be everyone's issue and managed by all departments. Lots of discussion around vulnerability management being driven by culture which is a very hard concept to define. To get a "vulnerability management culture" look to a combination of awareness and risk management. Vulnerabilities don't get patched and managed without someone taking on ownership. Without that, people are just talking and not doing. Increased visibility across the life cycle of a vulnerability will allow all departments to see the associated risk. Who are the risk owners? Once you can answer that question you'll be able to assign accountability and responsibility.
Apr 23, 2019 • 31min

I'm Humbled to Tell You About My Prestigious Award

Find the full episode of this podcast (with links and images) on the CISO Series site right here: (https://cisoseries.com/im-humbled-to-tell-you-about-my-prestigious-award/) I'm not exactly sure what "humbling" means, but I'm going to use it to hopefully soften my braggadocio announcement. We discuss semantics and when it's OK to boast your accomplishments on this week's episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Will Lin (@WilliamLin), partner and co-founder, ForgePoint Capital. Thanks to this week's sponsor, Praetorian As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts. On this week's episode How CISOs are digesting the latest security news In many industries we see VC investments following trends. This is hot and new, let's go and invest in it. A recent story on Forbes spotlights five trends in cybersecurity which comes off as catnip for VCs or at least those in those spaces looking for investments. Is trend hopping a lucrative way to succeed with cybersecurity investments? Why is everybody talking about this now? Peter Cohen, director at Countercept remarked on the hypocrisy of posting a photo of yourself on stage and referring to it as "humbling". People say this with zero idea of the definition. The use of humbled or humbling as a verb means that at one time you thought you were superior and now you realize you are not because essentially someone defeated you and put you in your place. I don't get the sense that's what people mean when they refer to an experience as "humbling." But do a search for the term on LinkedIn and you will see people use it ALL THE TIME. Some of the most popular posts on LinkedIn are achievement announcements. 
Where's the line between saying you're proud of something and would you honor it with me and coming off like a jackass? What's Worse?! We have two scenarios this week in honor of our VC guest. Hey, you're a CISO, what's your take on this? In a special VC edition of "Hey, you're a CISO, what's your take on this?" Much of what we talk about on this show is what we like and don't like about how security companies market themselves. In the news, the only role we hear VCs playing is financial. But given that VCs are seeing the inner workings of a startup, they can probably see firsthand why a company succeeds or fails. Given what VCs are privy to that others of us are not, how can VCs help shape the way vendors market themselves? Ask a CISO Fernando Montenegro of 451 Research brought to my attention this tweet from Soldier of Fortran that caused a flurry of discussion. The tweet pointed out that many sites say they offer pricing, but when you go to the page it's just a lot of verbiage with a link to request a quote. Haroon Meer of Thinkst, producers of Canary deception devices and a former guest on this show, said they have pricing on their site even when experienced salesmen told them not to do it. Kyle Hanslovan of Huntress Labs asked how he could provide transparent pricing when half of his clients are direct and the other half are distributors. Is there a happy medium here or is obfuscation the way to succeed with security selling?
Apr 16, 2019 • 35min

No Shirt. No Security. No Merger.

Episode available on CISO Series blog (https://cisoseries.com/no-shirt-no-security-no-merger/) Sure, we'd like to merge with your company but geez, have you looked at your security posture lately? Uggh. I don't know if I could be seen in public with your kind let alone acquire your type. We're wary as to who wants to enter our digital home on this week's episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Mark Eggleston (@meggleston), vp, chief information security and privacy officer, Health Partners Plans. Thanks to this week's sponsor, Praetorian As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts. On this week's episode How CISOs are digesting the latest security news Good cybersecurity hygiene is critical not just to mitigate breaches but also the valuation of a company, especially during a merger or acquisition. Itzik Kotler, co-founder and CTO of Safe Breach, notes that back in 2016 the Verizon acquisition price of Yahoo was lowered nearly $350 million after Yahoo disclosed data breaches that had happened up to two years earlier. Kotler said, "The problem is cybersecurity risk from mergers and acquisitions perspective should not be about what has happened, but about what vulnerabilities are being introduced and what could happen as a result." Why is everybody talking about this now? An interesting question on Quora asked, "Do you regret working in cybersecurity?" Do our CISOs ever regret? Why do people regret? "What's Worse?!" We have a challenge that pits securing old and new technology. Ask a CISO Eric Rindo just graduated with his MS in Cybersecurity. He has a certification, but zero experience. He's looking for his first InfoSec opportunity. For a CISO, what's attractive about a candidate like Eric? 
What do you think of this pitch? What happens when you pitch something CISOs already have?
Apr 10, 2019 • 32min

Machine Learning Failures

Full post for this episode (https://cisoseries.com/defense-in-depth-machine-learning-failures/) NOTE: You're seeing this special episode of Defense in Depth, because we think our CISO/Security Vendor Relationship Podcast listeners should hear it. Is garbage in, garbage out the reason for machine learning failures? Or is there more to the equation? Check out this post and discussion for the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Davi Ottenheimer (@daviottenheimer), product security for MongoDB. Thanks to this week's podcast sponsor, Remediant 81% of cyberattacks utilize stolen administrative credentials. Yet, legacy enterprise password vaults solve only a fraction of the problem and are difficult to roll out. Remediant's SecureONE takes a new approach to privileged access management: offering agent-less, vault-less, continuous detection and just-in-time-administration. Learn what Remediant can do in a half-day POC deployment. On this episode of Defense in Depth, you'll learn: Don't fall victim to believing that success and failure of machine learning is isolated to just garbage in/garbage out. It's far more nuanced than that. Some human actually has to determine what is considered garbage in and what is not. It only takes a very small amount of data to completely corrupt and ruin machine learning data. This knowledge of small infection can spread and corrupt all of the data and can have political and economic motivations to do just that. We have failures in human intervention. Machine learning can just magnify that at rapid rates. While there are many warning signs that machine learning can fail, and we have the examples to back it up, many argue that competitive environments don't allow us to ignore it. We're in a use it or lose it scenario.
Even when you're aware of the pitfalls, you may have no choice but to utilize machine learning to accelerate development and/or innovation.
Apr 9, 2019 • 31min

All Aboard the 5G Paranoia Train

The direct link to this episode (https://cisoseries.com/all-aboard-the-5g-paranoia-train/) We're getting excited and stressed out about the impending 5G network that appears will control our lives and all our cities. Will it be as exciting, productive, and lacking of security protocols as we expect? We discuss that and more on this week's episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Bruce Schneier (@schneiersblog), book author, lecturer at Harvard Kennedy School, and prolific blogger at Schneier on Security. Thanks to this week's sponsor, Chronicle, makers of Backstory Chronicle's Backstory is a global security telemetry platform for investigation and threat hunting within your enterprise network. Backstory makes security analytics instant, easy, and cost-effective. Backstory is a specialized, cloud-native security analytics system, built on the core infrastructure that powers Google itself. On this week's episode How CISOs are digesting the latest security news Marsh, an insurance broker, is working with other cyber insurers to identify products and services that will reduce your cyber risk. With their Cyber Catalyst program, they're offering what appears to be some type of Better Business Bureau stamp of approval on solutions that meet their cyber risk standards. What gets us excited and what sets off red flags when we see such an offering? Why is everybody talking about this now? Are you scared of 5G yet? You should be. Well, according to our government, we need to be wary of China and Huawei with their rollout of 5G because owning the next-gen network will conceivably own all of commerce, transportation, and heck anything else. In Schneier's new book, Click Here to Kill Everybody, he speaks to how to survive with all our hyper-connected devices.
How aggressively is 5G going to exacerbate the issue of cyber-survival? What's Worse!? We have a split decision on a scenario that involves a time limit. Hey, you're a CISO, what's your take on this? On Schneier's blog, he shared a study that examined whether freelance programmers hired online would write secure code, whether prompted to do it or not. The coders were paid a small pittance and it was unclear if they knew anything about security and, surprise, in the end they didn't write secure code. While there are questions about the validity of this study, this does bring up an interesting question: Using a marketplace like Upwork or Freelance.com, how does one go about hiring a freelance coder that can write secure code? Ask a CISO Mark Toney of CrowdStrike asked, after the purchase and use of a security tool, does a CISO or CTO do a post-mortem to see if they got what they paid for? Mark wants to know are you looking at what was improved, where it was improved, and by how much it was improved?
Apr 2, 2019 • 34min

Do You Know the Secret Cybersecurity Handshake?

Direct link for episode on blog (https://cisoseries.com/do-you-know-the-secret-cybersecurity-handshake/) We get the feeling that as we're adding more solutions and requiring more certificates, we're just making the problem of security harder and harder. Has the problem of not enough talent become an issue that we created? We discuss that and more on this week's episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Taylor Lehmann (@BostonCyberGuy), CISO, Wellforce. Thanks to this week's sponsor, Chronicle, makers of Backstory Chronicle's Backstory is a global security telemetry platform for investigation and threat hunting within your enterprise network. Backstory makes security analytics instant, easy, and cost-effective. Backstory is a specialized, cloud-native security analytics system, built on the core infrastructure that powers Google itself. On this week's episode How CISOs are digesting the latest security news The Hill reports, "A Democrat on the House Intelligence Committee introduced a bill on Wednesday that would require publicly traded companies to disclose to investors whether any members of their board of directors have cybersecurity expertise." The Cybersecurity Disclosure Act of 2019 would require the SEC to issue a new set of rules requiring U.S. companies to tell their investors whether they have someone who has cyber expertise on their board. If they don't, they must explain to their investors why this is the case. Will such a measure pass and if not, what is the best action here to ensure some level of cybersecurity confidence? Why is everybody talking about this now? On a recent episode of the podcast we talked about swapping out the word "security" for "safety." Chris Roberts of Attivo Networks brought this topic up and he says if we change the conversation more people will care.
How does the viewpoint of security change when you're talking about safety? How does behavior change? What's Worse?! I can't believe it's taken me this long to ask this question. Hey, you're a CISO, what's your take on this? Once you connect a device to the Internet and trade information, you're now a potential attack vector. And if your device is critical for maintaining life, like automobiles and medical devices, vulnerabilities no longer become a case of losing data, but of losing lives. Medical device manufacturers are rarely experts at software development, let alone cybersecurity. Vulnerabilities happen all the time. What is and isn't working with the reporting, alerting, and fixing of device vulnerabilities? Ask a CISO "Could the talent gap be a self-fulfilling prophecy or at the very least an avoidable consequence of security's red hot growth," asked Sam Curry, CSO at Cybereason, on Forbes. "What started as an esoteric field is becoming even more arcane as we grow." Curry offered some suggestions on where to improve situations to improve the complexity of security. Is fixing these issues harder than fixing security?
Mar 26, 2019 • 29min

If At First You Don't Succeed, There's Always Blackmail

Direct link for episode on blog (https://cisoseries.com/if-at-first-you-dont-succeed-theres-always-blackmail/) We note that blackmail has become an option even in cybersecurity sales. It appears some vendors have become so desperate that they've resorted to borderline criminal activity. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Branden Newman, CISO for Adidas. Thanks to this week's sponsor, LogicGate LogicGate is an agile GRC process automation platform that combines powerful functionality with an intuitive design to enhance enterprise governance, risk, and compliance programs. With our prebuilt process templates, organizations quickly and efficiently operationalize their GRC activities without requiring support from consultants or corporate IT. On this week's episode How CISOs are digesting the latest security news CNBC published a piece about security vendors being so desperate for meetings with CISOs that they've resorted to blackmail. They see a breach, even if it's not holding any critical or personal data, and they threaten to take it to the press if the CISO doesn't meet with them and/or let them fix it. Has this happened to our CISOs and if so, what did they do? Why is everybody talking about this now? We talk about the basics a lot on this show, but I'm getting the sense that the industry is finally taking it seriously. We saw evidence at RSA with 60% of the content being focused on fundamentals. And CISOs at major companies not touting the latest threats, but getting back to basics. We've talked a lot about this issue on the show. How else can the industry turn the focus about getting back to basics? What's Worse?! I challenge the CISOs once again on what is probably the shortest What's Worse?! question. Hey, you're a CISO, what's your take on this? The horror of the badge scanner.
Chad Loder, CEO of Habitu8, posted that he never uses badge scanners because "There's nothing worse than talking to someone only to have them ask, 'Mind if I scan you?' - it reinforces the idea that the goal of this human interaction is to ensure you're added to a list." The goals of attendees (learning and valuable conversations) are not coinciding with the goals of vendors (more scans for follow up cold calls and marketing). What is the ideal booth experience for a security professional? BTW, I wrote a book on how to engage at a trade show entitled Three Feet from Seven Figures: One-on-One Engagement Techniques to Qualify More Leads at Trade Shows. Check it out at http://threefeetbook.com Ask a CISO Jeremiah Grossman, CEO of Bit Discovery, and a former guest, asked this question on Twitter which caused a flurry of discussion: "In InfoSec we often hear, 'Why don't organizations just do or fix … X?' As a thought exercise, ask the opposite. 'Why should businesses do or fix… X?,' and do so in dollars and cents terms. It's often surprisingly difficult." Is it possible to calculate this formula?
Mar 18, 2019 • 34min

When Abusing Our Privacy, Does Size Matter?

Do the biggest tech companies abuse our privacy because they have no competitive incentive to protect it? That debate and more on the latest episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Emilio Escobar (@eaescob), head of information security for Hulu. Endgame makes military-grade protection as easy as anti-virus. Their converged endpoint security platform is transforming security programs – their people, processes and technology – with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com. On this episode Why is everybody talking about this now? Why can't security vendors get CRM right? One week after RSA I have received cold phone calls and emails from companies for which I'm already engaging with multiple people at said company, some I've actually interviewed their CEOs, actually worked for the company, and/or they've sponsored this very podcast. Other industries use their CRM. Why does it appear en masse the cybersecurity industry is failing at basic CRM? How CISOs are digesting the latest security news Massachusetts Senator Elizabeth Warren wrote an opinion piece on Medium saying that if elected President her administration would seek to break up Amazon, Facebook, and Google. She cited them as monopolies squashing innovation and competition and damaging our privacy for their profit. She said, "With fewer competitors entering the market, the big tech companies do not have to compete as aggressively in key areas like protecting our privacy." What's Worse!? What's the best kind of CISO to have? What's a CISO to do? Last year at Black Hat I produced a video where I asked attendees, "Should DevOps and security be in couples counseling?" Everyone said yes.
Are security leaders taking on the role of couples counselor as they try to get security and DevOps working together? What do you think of this pitch? We've got two pitches for the show and the second one has a response that veers into insulting.
