
CISO Series Podcast
Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.
Latest episodes

Aug 23, 2018 • 4min
BONUS: What's So Awesome About Being a CISO?
This is an extra segment we recorded with Dan Glass, former CISO, American Airlines for our last episode. It didn't make it into the last episode, but I thought it was still worthwhile to release as a short bonus mini episode of only four minutes. As always, the show includes myself, David Spark, founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Enjoy.

Aug 21, 2018 • 31min
Job Opportunity: Unqualified AND Underpaid
We spend a good portion of this episode of the CISO/Security Vendor Relationship Podcast mocking unrealistic job listings that ask for too many unnecessary credentials and, on top of it, aren't willing to pay a fair market rate. Did companies forget that it's a buyers' market right now in security?

On this episode of the podcast we discuss:
- The security semantics of "responsibility" vs. "accountability": Which one drives which behavior? And is it possible to try to compel one to the detriment of the other? See Chad Loder's post for more.
- How do you motivate employees to be concerned about security outside of hammering them with pen tests and fake phishing emails? If it hasn't happened already, those tests to see how secure your environment is may backfire. What can you do to instill secure behavior without testing employees to the point of annoyance?
- What do you think of this pitch? We get a split decision on a pitch from a company that's operating in a new category. Plus, advice on what never to do in a pitch.
- Unrealistic expectations for position descriptions: Job descriptions in the security field seem to be getting longer, with more certification requirements and lower pay. What's going on, and do companies who list these types of jobs realize they're only hurting themselves? In a buyers' market you can't just put out an unrealistic job posting to "see who will respond." It will actually damage your brand.
- Plus, a 10-second security tip (that's a few seconds longer): It's what you should be doing, but probably aren't doing.
- And a visit from the host of The Cyberwire: Dave Bittner, from The Cyberwire, joins us for a discussion about his daily security tech news show and to tell us about the launch of two more security podcasts.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions, and Mike Johnson, CISO, Lyft. Our guest this week is Dan Glass, former CISO (as of just a couple of days ago) of American Airlines.

Special thanks to SpyCloud for sponsoring this episode. Learn more about how you can protect employees and customers from account takeover with SpyCloud.

Contributions. Contributions. Contributions. I am cranking out a ton more content for not just the podcast, but also the entire series, so I am very open and receptive to story ideas, suggestions for segments of the podcast, or anything else. Just connect with me on LinkedIn.

Sponsor the podcast: If you're interested in sponsoring the podcast, contact David Spark at Spark Media Solutions.

Aug 14, 2018 • 36min
How CISOs Stay Current When They're Ignoring Vendor Pitches
We promise to keep your identity private while we discuss the troubles of two-factor authentication. On this episode of the CISO/Security Vendor Relationship Podcast we discuss:
- Why don't more people use two-factor authentication? Does the UX still suck? Why can't we agree on a common model for how to authenticate? Will U2F be the saving grace for 2FA? Story on the debate.
- What are the signs your employees are going rogue? We debate the need to monitor employees this way. Are internal intrusions the same as external? Is monitoring the monitoring devices enough? What are the signs? Discussion on LinkedIn and a recommended book: "Nothing to Hide: The False Tradeoff between Privacy and Security."
- We play a round of "What's Worse?!" It's the game where we determine which is the worse of two really bad practices. In this case, the CISOs have to choose between two unpleasant marketing practices.
- How do CISOs balance compliance and security? The two aren't equal, but compliance is a means to prove that you're doing security right. Our guest hits it out of the park with a very clear explanation of this, and also of how to use compliance to better market your company.
- How do CISOs discover new solutions? This might as well be the title of this podcast, but we delve into some unique angles that CISOs are taking as they avoid traditional pitches from security vendors. Discussion on LinkedIn.
- Ten-second security tip touting the value of passphrases: See this cartoon for more.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions, and Mike Johnson, CISO, Lyft. Our guest this week is Allan Alford (@AllanAlfordinTX), CISO, Mitel.

Special thanks to our sponsor, SentinelOne, for supporting this episode and the podcast. Learn more about their autonomous endpoint protection.

Aug 6, 2018 • 29min
Use Your CRM. CISOs Are Tired of Repeating Themselves.
Just because you have a new salesperson doesn't mean you have to restart the sales process. If you've been properly entering information into your CRM, you shouldn't have to. On this episode of the podcast we discuss:
- Are you ready for...Black Hat? Techniques to get the most value out of the conference. We've got some really good post-conference suggestions.
- What do you think of this pitch? We have one of those follow-up pitches that just rubs CISOs and security professionals the wrong way.
- It's time to play "What's Worse?!" Both host and guest agreed on this one. It's possibly the worst of the worst.
- Please, Enough. No, More: We discuss account takeover. What we've heard enough of on this subject, and what we'd like to hear a lot more about. Make sure to read Lyft's article about fingerprinting fraudulent behavior.
- What's a CISO to do? Beyond blocking and responding, we discuss different tactics for offense and defense against cybercriminals. Which ones are most effective, and which ones are ethically and morally wrong?
- It's time for "Ask a Vendor!" Working off the same model as "Ask a CISO," we turn the tables and security professionals ask questions of vendors. This time, we asked about the use/non-use of CRMs.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions, and Mike Johnson, CISO, Lyft. Our guest this week is Ted Ross (@tedross), CEO, SpyCloud.

Special thanks to SpyCloud for sponsoring this episode. Learn more about how you can protect employees and customers from account takeover with SpyCloud.

Listen and Subscribe to the CISO/Security Vendor Relationship Podcast: So many ways to connect and listen to the podcast. iTunes, Google Play, Stitcher, RSS Feed.

Jul 31, 2018 • 30min
Ultra Enhanced Deluxe AI with a Drop of Retsyn
Just like so many security products are infused with artificial intelligence, we've also got plenty of meaningless modifiers to describe this podcast. On this episode we've got:
- First 90 Days of a CISO. How do you assess the talent already there, and how do you prioritize the new hires you need?
- Please, Enough! No, More! We delve into the overexposure of AI (artificial intelligence) and machine learning. Are they the same thing? And what do CISOs actually want to hear more about on both of these topics?
- "What's Worse?!" This is a brand new game where I ask the CISOs to determine which of two really bad security practices is worse.
- What Do You Think of This Pitch? We've got another vendor pitch that the CISOs critique.
- Ask a CISO. How are CISOs involved in purchase decisions that are not security related (e.g., cloud, networking, infrastructure)?

Special thanks to Signal Sciences for sponsoring this episode. If you're using web application firewalls (WAFs), make sure you read "Three Ways Legacy WAFs Fail" by their head of research, James Wickett.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions, and Mike Johnson, CISO, Lyft. Our guest this week is Dennis Leber (@dennisleber), CISO, Cabinet for Health and Family Services, Commonwealth of Kentucky, and the self-proclaimed "Most Interesting Man in Information Security."

We Want More of "What's Worse?!" In this episode, I introduced a new segment, a game called "What's Worse?!" where I present two comparably bad security practices and ask the CISOs to debate which is worse, and why. Fortunately, in this episode the CISOs disagreed on both comparisons posed. I'm eager to challenge CISOs with more "What's Worse?!" questions. So if you've got a good one, please contact me here or on LinkedIn. I'm also interested in:
- "Ask a CISO" questions.
- A vendor pitch you want us to critique.
- A hot security discussion (please provide a link).
- A quick security tip.
- A big industry story and what it means to security professionals.

In all cases, we can mention you and your company name or keep you anonymous. Just let me know which you prefer.

Jul 24, 2018 • 32min
How to Choose a Bad Security Product
If I knew more about your current security needs, I'd probably be able to tell you what security product to buy. But that would require me to spend time understanding your needs, and this podcast is only 30 minutes long. Instead, we decided to uncover the universal truths of what security product you shouldn't buy. In this episode of the CISO/Security Vendor Relationship Podcast, we uncover failed CISO product purchases, plus:
- Do temporary dips in hacker attacks change your security posture?
- What CISOs LOVE to see in their inbox. For this week, we're talking about their favorite reports.
- What metrics are CISOs following? And what are the metrics CISOs use to determine those metrics? Oh, and are there any metrics CISOs should ignore?
- Our CISOs digest a vendor pitch.
- And for "Ask a CISO," we question the value of case studies in print or video form.
- And as always, we launch the show with a 10-second security tip!

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions, and Mike Johnson, CISO, Lyft. Our guest this week is Randall (Fritz) Frietzsche (@frietzche), CISO, Denver Health, Denver ISSA distinguished fellow, who also teaches at Harvard University.

We Want Your Input and Critiques: For every episode we want input from listeners! Please contact me here or on LinkedIn and send me the following:
- "Ask a CISO" question.
- A vendor pitch you want us to critique.
- A hot security discussion (please provide a link).
- A quick security tip.
- A big industry story and what it means to security professionals.

In all cases, we can mention you and your company name or keep you anonymous. Just let me know what you want.

Jul 17, 2018 • 33min
We Have the Silver Bullet for BS Detection
We're fed up with vendors who think they can detect any breach, but we're not fed up with breach detection. On this week's episode:
- Are millennials excited or not excited about working in security? Supposedly, nine percent of all millennials are interested in a job in security. Is that good news, bad news, or misrepresented news? (Read the story)
- Haroon Meer's amazingly open story of the money Thinkst spent at RSA 2018. Was it worth it? Great advice for anyone else sponsoring a big tech conference. (Read the story)
- Are you sponsoring Black Hat or another big tech conference? Pick up my book, Three Feet from Seven Figures: One-on-One Engagement Techniques to Qualify More Leads at Trade Shows.
- We talk about breach detection and the use of deception devices.
- When a breach happens, should you or shouldn't you blame the victim?
- How should security sales managers pump up their team for sales? Is letting people know that they're the only ones who can fix their customers' problems the right tactic?

This episode is sponsored by Thinkst, makers of Canary deception devices. Read how much their customers love their product here.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions, and Mike Johnson, CISO, Lyft. Our guest this week is Haroon Meer (@haroonmeer), founder and researcher of Thinkst.

Jul 10, 2018 • 31min
Is Password2 More Secure Than Password1?
Are you managing your passwords the same way today as you did five years ago? On this episode of the CISO/Security Vendor Relationship Podcast, we discuss the changing landscape of what we once thought were best practices, but aren't anymore. On this episode:
- Which CEOs are more fatalistic about the inevitability of cyber attacks?
- Explaining cyber risks to the board.
- Reappropriating the word "hacker." My cartoon that spurred a debate and Rick McElroy of Carbon Black's discussion on LinkedIn.
- What we're no longer advising you do with your passwords.
- Do cold calls and emails ever work?
- What are CISOs' biggest organizational roadblocks?
- All that and a ten-second security tip.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions, and Mike Johnson, CISO, Lyft. Our guest this week is Maxime Rousseau (@maxrousseau), CISO, Personal Capital.

Jul 3, 2018 • 27min
Stop Asking CISOs if They Care about Security
Want to get under a CISO's skin? Ask them if they have a concern for security in their environment. It's like asking a chef if they're concerned about preparing food. In this week's episode of the CISO/Security Vendor Relationship Podcast we learn the following:
- Dumbest mistakes you can make as a CISO.
- What to do on day 1 when you're a CISO.
- Why is everyone talking about this now? Questioning a CISO's job interests.
- Please, Enough. No, More on GDPR.
- We critique a vendor pitch.
- And "Ask a CISO."

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions, and Mike Johnson, CISO, Lyft. Our guest this week is Richard Greenberg (@ragreenberg), CISO, LA County Department of Health Services, as well as chapter president of ISSA and OWASP in Los Angeles.

This episode is sponsored by Signal Sciences. We thank them for their support.

Jun 26, 2018 • 29min
Katy Perry Recommends Two-Factor Authentication
Did Katy Perry provide sound security advice, or didn't she? You'll have to listen to the latest episode of the CISO/Security Vendor Relationship Podcast to find out. In this episode:
- A Third of UK Organizations Have Sacked Employees for Data Breach Negligence.
- Younger Employees Identified as 'Main Culprits' of Security Breaches.
- Who has your CEO's credentials? By Robert Herjavec, one of the sharks on "Shark Tank."
- NEW Segment: Please, Enough. No, More. This week we talk about identity management.
- What do you think of this pitch? A pitch from Cobalt.
- Ask a CISO. How many tools in your suite? Are you worried about integration?

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions, and Mike Johnson, CISO, Lyft. Our guest this week is Richard Rushing (@secrich), CISO, Motorola Mobility.

The written content for this podcast was first published on Security Boulevard.