CISO Series Podcast

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. We tip our hat to the much maligned "Department of No" for having the foresight to see that refusing service is probably the most efficient and secure response. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is April Wright (@AprilWright), CEO, ArchitectSecurity.org. Thanks to our sponsor, Endgame Endgame makes nation-state grade protection as easy as anti-virus. Their converged endpoint security platform is transforming security programs – their people, processes and technology – with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com. Endgame will be at RSA this year in booth 1827 in the south hall. On this episode How CISOs are digesting the latest security news In an effort to improve security before the 2020 Olympic games, the government of Japan will try to hack its own citizens by using default passwords on webcams, routers, and other Internet connected devices. If they break through they will alert the people that their devices are susceptible to attacks. How good or bad is this idea? Will this give way to easy phishing scams? Why is everybody talking about this now? Online, Mike brought up the subject of security rockstar culture and specifically pointed this comes from the security staff playing offense vs. the ones playing defense who really need a team behind them to be effective. We look at the difference between a healthy leading voice in security vs. "a look at me" security rockstar. It's time to play, "What's Worse?!" Two rounds and the first one Mike spends a lot of time debating. Ask a CISO Brad Green of ObserveIT asks, "Do CISOs pay attention to competitive market conditions of different vendors?" Are you aware of what's going on and what impact do analysts have? What do you think of this pitch? Two pitches to critique. Lots of insight.

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. Do you want a security vendor that's good at protecting you from malware or a vendor that's honest with you about their failure rates? Whatever happens you'll take it on the latest episode of CISO/Security Vendor Relationship Podcast recorded live in NYC for the NY Information Security Meetup (@NYInfoSecurity). Thanks for hosting our recording! This super-sized special episode features drop-in co-host, John Prokap (@JProkap), CISO of HarperCollins Publishers, and our guest Johna Till Johnson (@JohnaTillJohnso), CEO of Nemertes Research. Check out all the awesome photos from the event. Context Information Security is a leading technical cyber security consultancy, with over 20 years of experience and offices worldwide. Through advanced adversary simulation and penetration testing, we help you answer the question – how effective is my current cyber security strategy against real world attacks? On this episode How CISOs are digesting the latest security news To Facebook, our data in aggregate is very valuable. But to each individual, they view it as essentially worthless as they're happy to give it away to Facebook for $20/month. I don't see this ever changing. Does an employees carelessness with their own privacy affect your corporation's privacy? Why is everybody talking about this now? Rich Mason, former CISO at Honeywell posted about the need to change the way we grade malware. He noted that touting 99 percent blocking of malware that allows for one percent failure and network infection is actually a 100 percent failure. It's the classic lying with statistics model. How should we be measuring the effectiveness of malware? What's Worse?! We play two rounds trying to determine the worst of bad security behavior. What's a CISO to do? A CISO can determine their budget by: 1: Meeting compliance issues or minimum security requirements 2: Being reactionary 3: Reducing business risk 4: Enabling the business Far too often, vendors have preyed on reactionary and compliance buyers. But the growing trend from most CISOs is the reduction of business risk. How does this change a CISO's budgeting? Let's dig a little deeper We bring up "do the basics" repeatedly on this show because it is often the basics, not the APTs, that are the cause of a breach or security failure. Why are the basics so darn hard and why are people failing at them? What do you think of this pitch? We've got two pitches for my co-host and guest to critique. And now this... We wrap up our live show with lots of questions from the audience.

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. We've got so much data we've got to liquidate. Whatever private information you want - location, purchase history, private messages - we've got it! Call us now before our users realize what we're doing. Your privacy, unleashed, on the latest episode of CISO/Security Vendor Relationship Podcast. Create an economical and secure private network for your company with OpenVPN. Used by Fortune 500 companies and IT, Access Server keeps your internal data safe with end-to-end encryption, secure remote access, and extension for your centralized unified threat management. Go to openvpn.net/ciso-series to test drive Access Server for free. On this episode Why is everybody talking about this now? Oh Facebook, not again. Appears they were paying teenagers for the right to snoop on their phone. The most telling part of this story is that this app was activated by clicking a button that said, "Trust." How does Facebook's untrustworthy behavior affect a CISO's ability to maintain trust with their audience? How are CISOs digesting the latest security news? From the UK, the Cyber Skills Impact Fund will receive a nice boost of £500,000 to attract more people to cybersecurity, but specifically a diverse workforce. We have talked at great length about the need to have a diverse security staff, and Mike has said on a previous show that not having diversity actually makes you less secure because you fall into "one think." How does a diverse staff change the thinking dynamic of your security team? It's time to play "What's Worse?!" We play two rounds of the game. One round is far more challenging than the other. Ask a CISO Tip of the hat to Schaefer Marks of ProtectWise for his suggestion about RSA pitching. I'm starting to get RSA meeting requests. They all follow the same format: assuming we're getting ready, and asking if we would like a meeting with a VP, CEO, some expert. We discuss what pre-event pitching we like and don't like. What do you think of this pitch? We have two pitches, one that's pretty good, and one that's disastrous.

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. We're comparing ourselves to media you already know in hopes you'll better understand our product and listen to our show. It's our first self-produced live recording of the CISO/Security Vendor Relationship Podcast from San Francisco and it came out awesome. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest for this live show is Andy Steingruebl (@asteingruebl), CSO of Pinterest. Check out all the awesome photos from our first self-produced live recording. Thanks to our sponsors The Synack Crowdsourced Security platform delivers effective penetration testing at scale. Synack uses the world's top security researchers and AI-enabled technology to find what scanners and regular testing do not. It's used by US Dept of Defense and leading enterprises for better security. To learn more, go to synack.com. New Context helps fortune 500s build secure and compliant data platforms. New Context created "Lean Security", a set of best practices designed to help enterprises manage and secure data for critical infrastructure, and offers professional services and a software solution, LS/IQ, to help enterprises build a secure and compliant data platforms for their business. Create an economical and secure private network for your company with OpenVPN. Used by Fortune 500 companies and IT, Access Server keeps your internal data safe with end-to-end encryption, secure remote access, and extension for your centralized unified threat management. Go to openvpn.net/ciso-series to test drive Access Server for free. Why is everybody talking about this now? Chris Roberts with Attivo Networks caused a flurry of discussion when he argued that using the term "security" is meaningless. He said, "There is no such thing as security. There is just a measurement of risk." He went on to say we shouldn't be talking about security risk, but only business risk. Would it be a good idea to change the terminology? How are CISOs are digesting the latest security news? France's data protection regulator, CNIL, issued Google a $57 million fine for failing to comply with its GDPR obligations. Not the first GDPR fine, but it's first big tech giant. And it's not nearly as much as it could have been. But it's the biggest fine so far. Are GDPR fines starting to get real? Will this embolden even more fines? Hey, you're a CISO, what's your take on this? On LinkedIn Mike Johnson brought up the discussion of security vendors marketing what they're not. He claimed that this tactic is doomed to fail, and should just stop. Why is it a failed tactic? It's time to play, "What's Worse?!" We get a little philosophical in this round of "What's Worse?!" Um...What do they do? I read the copy from a vendor's website and the two CISOs try to figure out, "What do they do?" Ask a CISO A listener asks, "What are the signs that tell you that a vendor is serious about improving the security of their product?" How are CISOs are digesting the latest security news? A caustic attendee to DerbyCon brings down the entire event because the organizers didn't know how to handle his behavior. How can event producers in the security space avoid this happening in the future? And now this... We take questions from our audience.

Our new podcast, Defense in Depth, is part of the CISO Series network which can be found at CISOSeries.com. This is a special episode introducing this new podcast. To get more of Defense in Depth, subscribe to the podcast. What are the most important metrics to measure when building out your security program? One thing we learned on this episode is those metrics change, as your security program matures. This episode of Defense in Depth is co-hosted by me, David Spark (@dspark), the creator of CISO Seriesand Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is my co-host of the other show, Mike Johnson, CISO of Lyft. Fluency's correlation and risk scoring technology combined with their approach of using pseudonyms in place of certain PII data greatly facilitates your organization's path towards compliance. Over time, machine learning and artificial intelligence algorithms detect anomalies at an impressive level of scalability. Run Fluency as a standalone or integrate it into your existing SIEM. Learn more by visiting us at booth #4529 at the RSA® Conference 2019. On this episode of Defense in Depth, you'll learn: There is no golden set of security metrics. Metrics you use to measure your security program this year won't necessarily be the same ones you use next year. Use the NIST model to determine your security program maturity. Unlike B2C, B2B companies can use metrics to build a closer tie between security and the business. Regulations and certifications is one easy way to align security with the business.

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. We don't have to make our software any simpler to use. You just need to get smart enough to use it. We're all attitude on the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Mike Nichols (@hmikenichols), VP of product at Endgame. Endgame makes nation-state grade protection as easy as anti-virus. Their converged endpoint security platform is transforming security programs - their people, processes and technology - with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com. Endgame will be at RSA this year in booth 1827 in the south hall. On this episode How CISOs are digesting the latest security news Is this yet ANOTHER security breach? A massive document of usernames and passwords. These are all available in text files, pretty much for anyone to see. We're not sure, but this may be a collection of usernames and passwords from historical hacks, but it's not clear. Most of us have potentially more than a hundred usernames and passwords. How are we supposed to go through all our accounts and change them all? Can we slap 2FA on top of everything? What should be the best reaction to this kind of news? Hey, you're a CISO, what's your take on this?' In the area of user experience, B2B software seems neglected. All the wonderful usability goes to consumer apps, because everybody needs to be able to use them. But B2B software can cut corners and add extra layers for usability because heck, these people are experts, they're hired to do this job. They should know what they're doing. But that type of thinking is hurting the industry as a whole. What's Worse?! We've got a scenario of two CISOs with two different companies. Which one has the worst security posture? Please, Enough. No, More. Our topic is endpoint protection. We talk about we've heard enough about on endpoint protection, and what we'd like to hear a lot more. Endgame's machine learning engine, Ember, is open source. What's a CISO to do? Why is it so difficult to hire InfoSec professionals? Is there not enough skills, not enough people interested, tough to hire diversity, way too competitive environment, or is it the nature of the recruiting industry itself?

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. Be afraid. Be very afraid of the latest episode of the CISO/Security Vendor Relationship Podcast where it's possible that 90 percent of your security breaches are coming from within your own company. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Leon Ravenna, CISO, KAR Auction Services. Synack provides crowdsourced security testing that provides more than older style penetration testing. Instead of using a few researchers who output a final report, Synack uses a globally-sourced crowd of researchers backed by a purpose-built hacking platform. This gives organizations access to security talent that is not available from any one company, and data and insights into the testing process. All Synack security testing is recorded, measured, and analyzed to not only output results like new vulnerabilities and compliance checks, but displays attack patterns and quantities in real-time. By using bug bounties as incentives, researchers are rewarded for the great finds that Synack verifies and shares with its customers. To find out more about the Hacker-Powered Security used by the Internal Revenue Service and many other organizations, go to synack.com. On this episode How CISOs are digesting the latest security news According to a new report from Kroll, "Human Error, Not Hackers, to Blame for Vast Majority of Data Breaches." They report that 2,124 incidents could be attributed to human error, compared to just 292 that were deliberate cyber incidents, They say that's a 75% increase over the past two years but that could be because reporting breaches wasn't mandatory before GDPR. One user commented, these numbers seem to conflict with what the Verizon Breach report says. According to this data it appears a security leader should be spending close to 90 percent of their budget and effort trying to prevent inside data leakage. How would your security plan change if that was your charge? Hey, you're a CISO, what's your take on this?' An article and video published last week on this site written and featuring Elliot Lewis, CEO of Encryptics, talks about the need to get cozy with your legal team because when a breach occurs, you're going to need to have possession, custody, and control of your data. If you can't answer those questions you're putting your legal team in a bind. Mike and our guest talk about being able to answer these questions and building relations with the legal team. It's time to play, "Um... What Do They Do?" It's a brand new game where I read copy from a vendor's website, and Mike and our guest try to guess, "What do they do?" What's a CISO to do? Kip Boyle, past guest, friend of the show, and author of a new book, "Fire Doesn't Innovate," which comes out today asks this question, "Could good cyber risk management be the basis for a competitive differentiator for your business? How?" Kip's book is available at firedoesntinnovate.com and for the first week it's out it's only $.99 via Kindle. Ask a CISO Thomas Torgerson of Blue Cross/Blue Shield of Alabama asks, "How do CISO's feel about presenting webinars or speaking at other events regarding products that they use in their environment?" Are there incentives promoting a vendor solution? Or is it too risky to let threat actors know your security toolsets?

No matter how much money we shove into security, it never seems to fill up. That's good for vendors. Not so good for buyers of security who don't have a bottomless pit of money to fill the bottomless pit of security. This week's episode is sponsored by Red Canary. Red Canary is a security operations ally to organizations of all sizes. They arm customers with outcome-focused solutions that can be deployed in minutes to quickly identify and shut down adversaries. Follow their blog for access to educational tools and other resources that can help you improve your security program. Got feedback? Join the conversation on LinkedIn On this episode How CISOs are digesting the latest security news Wayne Rash of eWEEK wrote a piece on what to expect in cybersecurity in 2019. Most of the stuff is more of the same, such as nation state attacks, ransomware, phishing, and assume you're going to get attacked. But, he did bring up some issues that don't get nearly as much discussion. One was cryptomining which is hijacking your cloud instances, encrypting ALL data, moving away from usernames/passwords, and getting a third-party audit. So what's on CISOs' radar in 2019 Why is everybody talking about this now? Dutch Schwartz of Forcepoint brought up the issue of collaboration. This is not a new topic and we all know that if we don't share information the attackers who do share information will always have leverage. There are obvious privacy and competitive reasons why companies don't share information, but I proposed that if the industry believes collaboration is so important, then it should be a requirement (think GDPR) or we should build incentives (think energy incentives) with a time limit. Is this the right approach? Is the collaboration we're doing already enough? What's Worse?! We play yet another round on an issue that really annoys my co-host. What's a CISO to do? Thom Langford, CISO of Publicis Groupe, said that cybersecurity should be seen as a long term campaign. And if you keep at it, you will see results. Think anti-smoking or seat belt campaigns. Yet we see more and more companies treating security as a one-off project and not looking at dealing with it in the long term. Could this be more a problem of how we view security in the media? Ask a CISO Brijesh Singh, Inspector General of Police, Cyber at Government of Maharashtra said, "A young student asked me a very basic question, isn't Cybersecurity just a branch of IT? Why should it be treated separately?" It's an awesome question that resulted in a flurry of responses. Is there a difference? Got feedback? Join the conversation on LinkedIn

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. We're clawing each other's eyes out in the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Darren Death (@darrendeath), VP of InfoSec, CISO, ASRC Federal. Special thanks to Virtru for sponsoring this episode. As a reader, I know you're always worried about your data. That's why Virtru is providing a free copy of Forrester's 14-page report on the Future of Data Security and Privacy to readers for a limited time. Click here to grab your copy while it's still available. On this episode: How CISOs are digesting the latest security news A nasty fight between two security vendors becomes public because one of the CEOs decides to expose the other CEO. But did he really? What's really going on? Thanks to Nathan Burke of Axonius for bringing this story to our attention. Why is everybody talking about this now? Is calling someone a "blocker" the most weaponized word in the tech industry? How can this be avoided and what are the scenarios this term comes up? What's Worse?! We've got a split decision on this week's question on trust. What's a CISO to do? Robert Samuel, CISO, Government of Nova Scotia asks our CISOs, "What does success look like?" How do CISOs define success? Ask a CISO Where should an SMB, that may have little to no security team, begin building out its security program?

CISO/Security Vendor Relationship Podcast and Series can be found at CISOSeries.com. A newly proposed provision in the Consumer Data Protection Act (CDPA) could result in jail time for intentional data privacy violations. We're not scared. We're still peeping into your digital lives on the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Will Ackerly, co-founder and CTO of Virtru. Special thanks to Virtru for sponsoring this episode. As a reader, I know you're always worried about your data. That's why Virtru is providing a free copy of Forrester's 14-page report on the Future of Data Security and Privacy to readers for a limited time. Click here to grab your copy while it's still available. On this episode Why is everybody talking about this now? Huge fines and massive jail time for intentional violations of data privacy. Do the new provisions in the CDPA go too far or are they just right? What's a CISO to do? Listener Bradley Teer of Armor Cloud Security asks, "What's the scariest moment or event that's ever happened in your career as a security practitioner?" What's Worse?! Two listeners, Rick McElroy of Carbon Black and Jamie Leupold of PreVeil asked the same question for this week's game. It's a question Mike knew was eventually going to be asked. Please, Enough. No, More. We talk about data privacy in today's segment. Can we get beyond the discussion of GDPR? Ask a CISO On a previous episode we talked about the meager adoption of multi-factor authentication. We concluded that it was still too complicated to use. So what's encryption's excuse? Why isn't encryption available and used by all? How does the security paradigm change if everyone is sending encrypted messages?