
CISO Series Podcast
Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.
Latest episodes

Jan 15, 2019 • 27min
Get Out! The Data Leak Is Coming from the Inside
CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com.

Be afraid. Be very afraid of the latest episode of the CISO/Security Vendor Relationship Podcast, where it's possible that 90 percent of your security breaches are coming from within your own company. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson, CISO of Lyft. Our guest this week is Leon Ravenna, CISO, KAR Auction Services.

Synack provides crowdsourced security testing that delivers more than older-style penetration testing. Instead of using a few researchers who output a final report, Synack uses a globally-sourced crowd of researchers backed by a purpose-built hacking platform. This gives organizations access to security talent that is not available from any one company, plus data and insights into the testing process. All Synack security testing is recorded, measured, and analyzed to not only output results like new vulnerabilities and compliance checks, but also display attack patterns and quantities in real time. By using bug bounties as incentives, researchers are rewarded for the great finds that Synack verifies and shares with its customers. To find out more about the Hacker-Powered Security used by the Internal Revenue Service and many other organizations, go to synack.com.

On this episode:

How CISOs are digesting the latest security news
According to a new report from Kroll, "Human Error, Not Hackers, to Blame for Vast Majority of Data Breaches." They report that 2,124 incidents could be attributed to human error, compared to just 292 that were deliberate cyber incidents. They say that's a 75% increase over the past two years, but that could be because reporting breaches wasn't mandatory before GDPR. One user commented that these numbers seem to conflict with what the Verizon breach report says. According to this data, it appears a security leader should be spending close to 90 percent of their budget and effort trying to prevent inside data leakage. How would your security plan change if that was your charge?

Hey, you're a CISO, what's your take on this?
An article and video published last week on this site, written by and featuring Elliot Lewis, CEO of Encryptics, talks about the need to get cozy with your legal team, because when a breach occurs you're going to need to have possession, custody, and control of your data. If you can't answer those questions, you're putting your legal team in a bind. Mike and our guest talk about being able to answer these questions and building relations with the legal team.

It's time to play, "Um... What Do They Do?"
It's a brand new game where I read copy from a vendor's website, and Mike and our guest try to guess, "What do they do?"

What's a CISO to do?
Kip Boyle, past guest, friend of the show, and author of a new book, "Fire Doesn't Innovate," which comes out today, asks this question: "Could good cyber risk management be the basis for a competitive differentiator for your business? How?" Kip's book is available at firedoesntinnovate.com, and for the first week it's out it's only $0.99 via Kindle.

Ask a CISO
Thomas Torgerson of Blue Cross/Blue Shield of Alabama asks, "How do CISOs feel about presenting webinars or speaking at other events regarding products that they use in their environment?" Are there incentives promoting a vendor solution? Or is it too risky to let threat actors know your security toolsets?

Jan 8, 2019 • 33min
Shoving Money Down Security's Bottomless Pit
No matter how much money we shove into security, it never seems to fill up. That's good for vendors. Not so good for buyers of security who don't have a bottomless pit of money to fill the bottomless pit of security.

This week's episode is sponsored by Red Canary. Red Canary is a security operations ally to organizations of all sizes. They arm customers with outcome-focused solutions that can be deployed in minutes to quickly identify and shut down adversaries. Follow their blog for access to educational tools and other resources that can help you improve your security program.

Got feedback? Join the conversation on LinkedIn.

On this episode:

How CISOs are digesting the latest security news
Wayne Rash of eWEEK wrote a piece on what to expect in cybersecurity in 2019. Most of the stuff is more of the same, such as nation state attacks, ransomware, phishing, and "assume you're going to get attacked." But he did bring up some issues that don't get nearly as much discussion. One was cryptomining, which is hijacking your cloud instances. Others were encrypting ALL data, moving away from usernames/passwords, and getting a third-party audit. So what's on CISOs' radar in 2019?

Why is everybody talking about this now?
Dutch Schwartz of Forcepoint brought up the issue of collaboration. This is not a new topic, and we all know that if we don't share information, the attackers who do share information will always have leverage. There are obvious privacy and competitive reasons why companies don't share information, but I proposed that if the industry believes collaboration is so important, then it should be a requirement (think GDPR) or we should build incentives (think energy incentives) with a time limit. Is this the right approach? Is the collaboration we're doing already enough?

What's Worse?!
We play yet another round on an issue that really annoys my co-host.

What's a CISO to do?
Thom Langford, CISO of Publicis Groupe, said that cybersecurity should be seen as a long-term campaign. And if you keep at it, you will see results. Think anti-smoking or seat belt campaigns. Yet we see more and more companies treating security as a one-off project and not looking at dealing with it in the long term. Could this be more a problem of how we view security in the media?

Ask a CISO
Brijesh Singh, Inspector General of Police, Cyber at Government of Maharashtra, said, "A young student asked me a very basic question: isn't Cybersecurity just a branch of IT? Why should it be treated separately?" It's an awesome question that resulted in a flurry of responses. Is there a difference?

Dec 17, 2018 • 32min
Real Housewives of Cybersecurity
CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com.

We're clawing each other's eyes out in the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson, CISO of Lyft. Our guest this week is Darren Death (@darrendeath), VP of InfoSec, CISO, ASRC Federal.

Special thanks to Virtru for sponsoring this episode. As a reader, I know you're always worried about your data. That's why Virtru is providing a free copy of Forrester's 14-page report on the Future of Data Security and Privacy to readers for a limited time. Click here to grab your copy while it's still available.

On this episode:

How CISOs are digesting the latest security news
A nasty fight between two security vendors becomes public because one of the CEOs decides to expose the other CEO. But did he really? What's really going on? Thanks to Nathan Burke of Axonius for bringing this story to our attention.

Why is everybody talking about this now?
Is calling someone a "blocker" the most weaponized word in the tech industry? How can this be avoided, and what are the scenarios in which this term comes up?

What's Worse?!
We've got a split decision on this week's question on trust.

What's a CISO to do?
Robert Samuel, CISO, Government of Nova Scotia, asks our CISOs, "What does success look like?" How do CISOs define success?

Ask a CISO
Where should an SMB, that may have little to no security team, begin building out its security program?

Dec 10, 2018 • 33min
America's Next Top Data Privacy Violator
CISO/Security Vendor Relationship Podcast and Series can be found at CISOSeries.com.

A newly proposed provision in the Consumer Data Protection Act (CDPA) could result in jail time for intentional data privacy violations. We're not scared. We're still peeping into your digital lives on the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Will Ackerly, co-founder and CTO of Virtru.

Special thanks to Virtru for sponsoring this episode. As a reader, I know you're always worried about your data. That's why Virtru is providing a free copy of Forrester's 14-page report on the Future of Data Security and Privacy to readers for a limited time. Click here to grab your copy while it's still available.

On this episode:

Why is everybody talking about this now?
Huge fines and massive jail time for intentional violations of data privacy. Do the new provisions in the CDPA go too far, or are they just right?

What's a CISO to do?
Listener Bradley Teer of Armor Cloud Security asks, "What's the scariest moment or event that's ever happened in your career as a security practitioner?"

What's Worse?!
Two listeners, Rick McElroy of Carbon Black and Jamie Leupold of PreVeil, asked the same question for this week's game. It's a question Mike knew was eventually going to be asked.

Please, Enough. No, More.
We talk about data privacy in today's segment. Can we get beyond the discussion of GDPR?

Ask a CISO
On a previous episode we talked about the meager adoption of multi-factor authentication. We concluded that it was still too complicated to use. So what's encryption's excuse? Why isn't encryption available and used by all? How does the security paradigm change if everyone is sending encrypted messages?

Dec 4, 2018 • 34min
A 'Single Pane of Glass' for Ignoring Vendor Pitches
CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com.

Tired of deleting pages of vendor pitches? Wouldn't it be more efficient if you could see them all together on one screen so you could simply choose which ones to ignore? We're improving vendor non-engagement efficiency in the latest installment of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson, CISO of Lyft. Our guest this week is Chris Castaldo (@charcuteriecoma), sr. director of cybersecurity, 2U.

This episode is sponsored by Vulcan Cyber, your automated vulnerability remediation solution. Put an end to manual-only patch management and reduce vulnerability risk with a cloud-based solution that bridges the vulnerability remediation gap. Automate and orchestrate the vulnerability remediation process with Vulcan Cyber.

Got feedback? Join the conversation on LinkedIn.

On this episode:

Why is everybody talking about this now?
Six months ago Mike Johnson proposed the idea of "Demos for charities" and it got mixed results, but some people took on the challenge from both the practitioner and the vendor side. See how our guest offered up 45 minutes of his time in exchange for a donation to his favorite charity.

What's a CISO to do?
In light of the most recent Marriott breach, Brian Krebs wrote a great thought piece about our new acceptance of "security," and that is that we can't count on companies securing our data. How do security professionals communicate that to their team and users and still maintain trust?

What's Worse?!
This week's challenge comes from William Birchett, Sr. Manager IT Security at City of Fort Worth. Both options are annoying, and we have a split decision on what's worse.

First 90 days of a CISO
Tony Dunham of the Professional Development Academy asks how InfoSec professionals can develop the soft skills needed for leadership prior to being put in the pilot seat.

Ask a CISO
We talk about user-centric design, and my co-host has some not-so-nice words for vendors selling a "single pane of glass" solution.

Nov 26, 2018 • 33min
The Latest Unnecessary Stats on Marginal Security Threats
CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com.

If we let you know that 90 percent of break-ins happen because of a little-known threat we happen to mitigate, you'd purchase our product, right? Ignore basic security practices as you listen to the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Yaniv Bar-Dayan, CEO of Vulcan Cyber.

This episode is sponsored by Vulcan Cyber, your automated vulnerability remediation solution. Put an end to manual-only patch management and reduce vulnerability risk with a cloud-based solution that bridges the vulnerability remediation gap. Automate and orchestrate the vulnerability remediation process with Vulcan Cyber.

On this episode:

Why is everybody talking about this now?
How do you reaffirm that dynamic leadership stance so people aren't just responding to the title, but are actually responding to you and the way you're proving your leadership on a day-to-day basis?

Ask a CISO
Why do we keep recommending "go back to security basics"?

What's Worse?!
In honor of our guest, this one is about vulnerability management.

Please, enough! No, more!
What have we heard enough about on vulnerability management, and what would we like to hear a lot more?

Ask a vendor
How do security vendors work differently with enterprises vs. smaller and mid-size companies?

Nov 19, 2018 • 30min
We Turn Our Backs on Cybersecurity Rock Stars
CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com.

We're no longer buying their albums because we've had enough of the "can do no wrong" toxic culture of cybersecurity rock stars. On this episode of the CISO/Security Vendor Relationship Podcast we are elevating the little-known indie InfoSec professionals. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson, CISO of Lyft. Our guest this week is independent analyst Kelly Shortridge (@swagitda_). Follow her musings at Swagitda.

This episode is sponsored by Vulcan Cyber, your automated vulnerability remediation solution. Put an end to manual-only patch management and reduce vulnerability risk with a cloud-based solution that bridges the vulnerability remediation gap. Automate and orchestrate the vulnerability remediation process with Vulcan Cyber.

On this episode:

Why is everybody talking about this now?
We do a health check on where we are in terms of security enabling the business. What have been the greatest strides, and where are we falling behind? We reference a post by CISO of Mitel, Allan Alford.

Please, Enough. No, More.
We discuss the phenomenon of cybersecurity rock stars and why their "they can do no wrong" pass is toxic to the industry.

What's Worse?!
Tip of the hat to Kip Boyle, CEO of Cyber Risk Opportunities, for this week's question.

Ask a CISO
The phenomenon of security buzzwords. When is a buzzword actually used to describe a product, and when is it used to fill up space in a marketing campaign?

What's a CISO to do?
We talk about people being the problem in security, but it's not in the way you think it is.

Nov 13, 2018 • 31min
We'd Feel Safer if This Legitimate Email Was a Phishing Attack
CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com.

Why is our financial institution sending us an email suggesting we click on a link to log into our account? On this episode of the CISO/Security Vendor Relationship Podcast we educate your customers and your marketing department about suspicious-looking emails. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson, CISO of Lyft. Our guest this week is Chenxi Wang, managing general partner, Rain Capital.

Special thanks to Virtru for sponsoring this episode. As a reader, I know you're always worried about your data. That's why Virtru is providing a free copy of Forrester's 14-page report on the Future of Data Security and Privacy to readers for a limited time. Click here to grab your copy while it's still available.

On this episode:

Why is everybody talking about this now?
While many security professionals' eyes roll when they hear the word "blockchain," it is currently the second most popular area of security research, according to IDG. What is it about blockchain that VCs and security professionals find so attractive?

Question for the board
What responsibility does the board bear for educating the C-suite about cybersecurity competency? PwC put together a great list of questions the board should be asking regarding cybersecurity competency.

It's time to play "What's Worse?!"
There's a visual attached to this game. Go ahead and look here, and tune in to hear the question.

What's a CISO to do?
Our guest, Chenxi Wang, provided some excellent advice for startups on getting on the diversity train early on. If you don't, you'll find it's incredibly hard to build in diversity with an established and non-diverse team.

And now this...
How do VCs play a crucial role in the relationship between buyers and sellers of security products?

Nov 5, 2018 • 35min
Is This a Vendor Dinner or an Escape Room?
CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com.

Why were we brought to this event? Why can't we leave? I don't think we have enough clues to get out of this vendor meeting. We struggle to remember our safe word in the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson, CISO of Lyft. Our guest this week is Richard Seiersen (@RichardSeiersen), former CISO of LendingClub.

Enormous thanks to our sponsor this week, Axonius, simple asset management for cybersecurity.

Got feedback? Join the conversation on LinkedIn.

On this episode:

Opening
We realize that Mike's comment about burning found USB drives was spot on. According to an experiment conducted by Sophos, about two-thirds of found USB drives were infected.

What's a CISO to do?
You've been invited to a vendor dinner, but you feel trapped. Where can you go? We discuss what constitutes a good vendor dinner and which ones make you feel trapped. Here's a link to that Onion article I referenced on the show: "'First Date Going Really Well,' Thinks Man Who Hasn't Stopped Talking Yet."

Ask a CISO
Are CISOs swayed when a vendor sells themselves as "market leading"? Could it actually be a detractor? What about the array of current clients? Does that have any impact?

What's Worse?!
Mike Johnson says this could be the most even comparison ever!

How a vendor helped me this week
We talked about an article I released last week, "How to Make a Huge Impact in the Security Community with Zero Marketing," which told the story of building thought leadership and industry influence through open source and related contributions, but not marketing.

Ask a CISO
How quickly is risk being created in your environment, and how quickly can you reduce it? More importantly, can you measure that? Our guest, Richard Seiersen, author of the upcoming book "The Metrics Manifesto: Confronting Security With Data" (Wiley 2019), explains.

Oct 30, 2018 • 33min
STAND BACK! We're Plugging In USB Drives We Found on the Ground
CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com.

We gear up in HAZMAT suits and get ready for some dangerous USB drive analysis. We're taking all precautions on the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Dean Sysman (@DeanSysman), CEO of Axonius.

Enormous thanks to our sponsor this week, Axonius, simple asset management for cybersecurity.

On this episode:

Opening
We talked about how the history of the Enigma machine speaks volumes to how users react when they're forced to use a way too complicated security solution. They will find ways to simplify, even if it means weakening the overall security. Learn more from Mark Baldwin, Dr. Enigma.

Why is everyone talking about this now?
I challenged Mike and Dean to this question posed on Quora: "What is the safest way to check the content of a USB stick I found on the ground?"

What's a CISO to do?
Traditionally, CISOs rise through the ranks as security practitioners and slowly learn the business. But what if you're a CISO who never held the title of practitioner, but is very well versed in the business? How is selling to that type of CISO different?

What's Worse?!
Mike and Dean are challenged with two horrible scenarios in asset management. Both are very risky; it's just that one will probably result in a breach faster than the other.

Please, Enough. No, More!
We talk about asset management, and what's shocking is there isn't much to complain about in the "Please, Enough" portion of the segment. The reality is it's all "No, More!"

Ask a CISO
Dennis Leber, CISO for the Cabinet for Health and Family Services for the Commonwealth of Kentucky, asked if traditional sales pitches for the latest and greatest threat are really distracting companies from dealing with the basics of security.