CISO Series Podcast

Latest episodes

Oct 23, 2018 • 34min

We Get to Know Our Bodies and Our Security Program

We're just a bunch of immature teenagers who can't seem to control ourselves or our security program. We're definitely exploring new solutions in the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson, CISO of Lyft. Our guest this week is Michael Makstman, CISO of the City and County of San Francisco. Enormous thanks to our sponsor this week, Axonius, simple asset management for cybersecurity. Read the full article on CISOseries.com.
Oct 17, 2018 • 19min

Why it’s Critical for CISOs to Proactively Engage with Vendors

This is a bonus episode of the CISO/Security Vendor Relationship Podcast with former guest Allan Alford, CISO of Mitel, who was also the subject of a story I wrote in September entitled "One CISO's Grand Experiment to Engage with Security Vendors." At the end of that discussion, Alford and I agreed that I would follow up with him in a month to see how the experiment went. This conversation is that story. Find the full article here.
Oct 16, 2018 • 50min

CHEAT! Best Practices to Win at Monopoly and Security

Check out more at our site CISOseries.com. We don't play fair and we're not ashamed to admit it. This week's episode of the podcast is super-sized because it was recorded in front of a live audience at the Silicon Valley Code Camp conference held at PayPal in San Jose. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson, CISO of Lyft. Our guests this week for the live show were Ahsan Mir (@ahsanmir), CISO, Autodesk and Geoff Belknap (@geoffbelknap), CSO, Slack.

(from left) Geoff Belknap, CSO, Slack; Mike Johnson, CISO, Lyft; Ahsan Mir, CISO, Autodesk; David Spark, Founder, Spark Media Solutions

Special thanks to our sponsor, Electronic Frontier Foundation. Please support their efforts to protect your digital privacy.

On this super-sized episode of the CISO/Security Vendor Relationship Podcast:

Ask a CISO: Is cybersecurity an IT problem or not? Do non-security executives pigeon-hole the role of security? Is this an unfair assessment? Is it dangerous to only view InfoSec as an IT problem?

Why is everyone talking about this now? A hot discussion by Jason Clark of Netskope got everyone discussing why CISOs fail. In general, our panel believes it's a situation of poor alignment with the functions and risk profile of the business.

What game best prepares you for a job in InfoSec? A few years ago I wrote an article entitled "What 30 Classic Games Can Teach Us About Security," in which security professionals point to video games, board games, gambling games, and sports as great metaphors and training grounds for a life in security. Our panel debates the value of games as InfoSec teaching tools.

"What's Worse?!" We play two rounds of the game and we get split decisions! The first round touches upon a major pet peeve Mike Johnson has had since our very first episode.

What's a CISO to do? Security is often seen as a thankless job. It's the role of the CISO, though, to make sure everyone knows how awesome their security staff is and what they can do for the rest of the business.

What do you think of this pitch? We critique another pitch, and with this one a CISO does a rewrite that hopefully the security vendor will use.

How do CISOs know they're getting a good deal? Not only do CISOs need to come up with a security program for the company, but they need to understand whether or not they're getting a good price for the security tools they purchase. Do CISOs have a method to actually ensure they're getting the best price possible? Do they even care?
Oct 9, 2018 • 34min

We Acknowledge We've Received and Are Ignoring Your Support Ticket

Our CISOs don't have much confidence they'll receive any support when they hit the 'Send' button on your web form. Check out our NEW SITE: CISOseries.com

This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson, CISO of Lyft. Our guest this week is Aaron Peck, CISO of Shutterfly.

Special thanks to our sponsor, ConnecTech, producer of intimate custom executive events for IT professionals. Executives: Register to be notified when one of their events will be coming to your city. Vendors: Sponsor one of their events to get meetings with executives that are looking for solutions that your company provides.

On this episode of the CISO/Security Vendor Relationship Podcast:

Ask a CISO: What were the turning points that led you to achieve the title of CISO? We've got a shout out to Mike Rothman's book, "The Pragmatic CISO," and the desire to find and solve the toughest, most needed security problems.

How a security vendor helped me: CISOs have heard the stories from all the major InfoSec vendors. They're tired of playing second and third fiddle to a vendor's hundreds if not thousands of other clients. While a young startup company, potentially in stealth mode, doesn't necessarily have a track record, they do have eagerness and are willing to make their earliest and first customers extremely happy. This hand-holding type of relationship is very attractive to a CISO.

What's Worse?! This entry into our weekly game is all about the following two images. There's so much going on in these pictures of a man who has decided to start day trading in public at a local Starbucks. Can you determine what's worse in these two pictures? Our CISOs debate. For more, check out the avid discussion on LinkedIn.

What do you think of this pitch? Mike delivers probably the most thorough analysis of a vendor pitch I've ever heard on the show.

What's a CISO to do? Hiring great InfoSec talent is an extreme challenge. Our guest, Aaron Peck, makes an argument for speedy hiring to get value for the company as quickly as possible.
Oct 2, 2018 • 36min

How to Help Your Best Employees Leave

In such a hyper-competitive market for security talent, the natural inclination would be to try everything you can to keep your best employees. Unfortunately, even when you do everything right, your best employees just get up and leave. Can you and should you fight it? Or should you go out of your way to make the exit as smooth as possible for your staff? What's the benefit to you when they do leave?

On this episode of the CISO/Security Vendor Relationship Podcast, we discuss:

10-second security tip: Vanity metrics aren't going to create a more secure environment.

Pitching the latest crisis: We've talked endlessly about how CISOs don't respond well to fear pitches. Similarly, salespeople need to understand that CISOs are aware of last week's Facebook hack. Don't bring the news they already know. Provide some insight.

Selling the latest APT: If it's a new threat, it's sexy. It may make for great news, but focusing on it doesn't necessarily make for good security. Shouldn't you be starting with the boring basics? Can security basics ever be sexy?

We play "What's Worse?!" Listen up, security vendors. You're going to want to pay attention to this one.

What do you think of this pitch? This week's pitch comes from a CISO. It's not his pitch to us, but a pitch he received. It kind of misses the mark. We explain why.

Retaining security talent: We discuss the InfoSec manager's role in retaining security talent. How do you form a relationship so that all exits or near exits go as smoothly as possible?

This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder, Spark Media Solutions, and Mike Johnson, CISO, Lyft. Our guest this week is Justin Berman (@justinmberman), CISO of Zenefits. Special thanks to our sponsor, SentinelOne, for supporting this episode and the podcast. Learn more about their autonomous endpoint protection.
Sep 25, 2018 • 30min

I Wish I Didn't Post That... But I'm Glad I Did

We admit we've posted some rather embarrassing posts on social media. In particular, my co-host, Mike Johnson, talks about a post he initially regretted, but then realized it's what brought all of us together. In fact, it's a post that initiated much of the discussion we're having today about the relationships between CISOs and security vendors.

On this week's episode of the CISO/Security Vendor Relationship Podcast, we discuss:

A CISO that eagerly wants to talk to security vendors: CISO of Mitel, and former guest, Allan Alford sent a shock through the industry when he said he was going to reserve time to actually speak with security vendors. Why was this announcement such a big deal?

One CISO and one CTO admit to posts they regret: Turns out posts you wish you didn't write actually shake up the pot so much that they form relations, like the two you hear on this show.

We play "What's Worse?!" Possibly our toughest round of the game ever. Hint: think security policies.

What Do You Think of This Pitch? Mike and our guest dissect a pitch from a listener. They advise what should be taken out, and what should be put in its place.

Ask a CISO: Do CISOs need consultative resellers? When are they valuable? If not now, were they valuable?

And as always, we launch with a great 10-second security tip.

Today's episode is hosted by me, David Spark (@dspark), founder, Spark Media Solutions, and Mike Johnson, CISO, Lyft. Our guest this week is Mike D. Kail (@mdkail), CTO of Everest.org. This episode is sponsored by Thinkst, makers of Canary deception devices. Read how much their customers love their product here. We thank Thinkst for sponsoring this episode of the podcast.
Sep 18, 2018 • 32min

Our All White Male Panel Discusses Diversity in Cybersecurity

With absolutely no irony, three white men discuss the value of diversity in cybersecurity in the latest episode of the CISO/Security Vendor Relationship Podcast. So before you tell me we're three white men talking about diversity, I'm letting you know ahead of time we're three white men talking about diversity. We have no shame!

On this episode of the CISO/Security Vendor Relationship Podcast, we debate the following:

Microsoft Office macros still top the malware attack vector charts: After apparently three decades it appears that MS Office macros are still the attack point of choice of malicious hackers. What legacy nonsense are enterprises still holding onto?

What's the real value of diversity? As I readily admitted, our all white male panel confesses that lack of diversity results in groupthink and unconscious bias.

We play a round of "What's Worse?!" This one has to do with budget and there's a split decision! Which one do you think is worse?

Please, Enough. No, More. (on endpoint security): There is a very long list of stuff Mike and our guest don't want to hear anymore about with regard to endpoint security. And similarly, there's plenty more they do want to hear about. Listen to know what you should be paying attention to regarding endpoint security.

Does complicating security infrastructure make us safer? What's the right balance of security complexity and simplicity to make your environment safer? If you've got more systems and more security applications in place, that means you've got more vectors to exploit.

Ten second security tip: And as always, we've got a quick security tip so you don't have to listen to more than a minute of the show before you get some value out of this podcast.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions, and Mike Johnson, CISO, Lyft. Our guest this week is Tomer Weingarten, CEO, SentinelOne. Special thanks to our sponsor, SentinelOne, for supporting this episode and the podcast. Learn more about their autonomous endpoint protection. Catch up on past episodes plus read articles and watch the latest videos from the series at CISOseries.com.
Sep 10, 2018 • 32min

Our Latest Product Release Includes Shiny New Security Vulnerabilities

We have an exciting announcement. Our latest version of the podcast is packed with new features and they're riddled with security holes. We know you wanted the features. The security vulnerabilities are just a bonus.

On this episode of the CISO/Security Vendor Relationship Podcast, we discuss:

Cybersecurity burnout: How bad is it? What can be done to mitigate it? And what are the warning signs? All tech professionals have burnout issues, but InfoSec has it toughest because it's very hard for them to get a sense of accomplishment for their work.

CISO/Security Vendor Relationship Podcast is making an impact in the vendor community: We hear multiple stories from vendors of how the advice from Mike and the guests is really changing the way they reach out to security professionals.

Are you willing to release a product with known security vulnerabilities? What if the customer really demands the new feature next week and they're expecting it, but remediation may take much longer? Do you give the customer what they want, or are there other solutions?

What's Worse?! We play a round of picking the worse of two evils. This one is all about training your staff.

We unleash another pitch on the security professionals: Their response will surprise you, as will the outcome of this pitch.

Dumb CISO mistakes: This one actually may not be so dumb. It could actually be good advice when it comes to product testing.

Ten-second security tip: This one offers up a more holistic view of security that you may have not considered, but definitely should.

Special thanks to Signal Sciences for sponsoring this episode. If you're using WAFs, make sure you read "Three Ways Legacy WAFs Fail," by their head of research, James Wickett. As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions, and Mike Johnson, CISO, Lyft. Our guest is Anne Marie Zettlemoyer, a security strategist and independent researcher who is also on the board of directors for SSH.
Aug 27, 2018 • 30min

Security Made the Mess. They Should Clean It Up.

Security is suffering from a serious Rodney Dangerfield "I get no respect" problem. What has often been seen as the department of "no" is struggling under that brand image. That's probably because security is often seen as an inhibitor rather than an enabler. If InfoSec wants to fix that perception, it'll be their responsibility to dig themselves out.

Here's what you'll hear on the latest episode of the CISO/Security Vendor Relationship Podcast:

Nobody thinks security is their friend: How can security rid itself of this highly negative branding? Be problem solvers vs. problem creators.

Techniques to integrate AppSec into the DevOps process: It comes down to measurement, respecting an engineer's time, and learning from the success of one process and putting it into another. Read more great insight by Chris Steipp of Lyft.

We play "What's Worse?!" In this episode of the game we question the worst scenario of an encrypted or unencrypted laptop, but with qualifications.

Uggh, WAFs are NOT magical boxes: In a round of "Please, Enough. No, More." we challenge the way web application firewalls (WAFs) are being sold. WAFs need to be more friendly and flexible. No one believes you if you sell them as magical boxes that stop all attacks.

How can you be a great customer? We turn the tables from "Ask a CISO" to "Ask a Vendor" and ask what it takes to be a great customer. Vendors would like you to stop kicking the tires and talk about solving real problems.

Plus a ten-second security tip: It may be cliché, but if security departments want to be more effective, they should be moving away from blocking to enabling.

Special thanks to Signal Sciences for sponsoring this episode. If you're using WAFs, make sure you read "Three Ways Legacy WAFs Fail," by their head of research, James Wickett. As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions, and Mike Johnson, CISO, Lyft. Our guest this week is Zane Lackey (@zanelackey), co-founder and CSO for Signal Sciences and author of the new book from O'Reilly, "Building a Modern Security Program."

Sponsor the Podcast: If you'd like to sponsor the podcast, contact David Spark at Spark Media Solutions.
Aug 23, 2018 • 4min

BONUS: What's So Awesome About Being a CISO?

This is an extra segment we recorded with Dan Glass, former CISO, American Airlines, for our last episode. It didn't make it into the last episode, but I thought it was still worthwhile to release as a short bonus mini episode of only four minutes. As always, the show includes myself, David Spark, founder, Spark Media Solutions, and Mike Johnson, CISO, Lyft. Enjoy.