CISO Series Podcast

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com. Tired of deleting pages of vendor pitches? Wouldn't it be more efficient if you could see them altogether on one screen so you could simply choose which ones to ignore? We're improving vendor non-engagement efficiency in the latest installment of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Chris Castaldo (@charcuteriecoma), sr. director of cybersecurity, 2U. This episode is sponsored by Vulcan Cyber, your automated vulnerability remediation solution. Put an end to manual-only patch management and reduce vulnerability risk with a cloud-based solution that bridges the vulnerability remediation gap. Automate and orchestrate the vulnerability remediation process with Vulcan Cyber. Got feedback? Join the conversation on LinkedIn. On this episode: Why is everybody talking about this now? Six months ago Mike Johnson proposed the idea of "Demos for charities" and it got mixed results, but some people took on the challenge from both the practitioner and the vendor side. See how our guest offered up 45 minutes of his time in exchange for a donation to his favorite charity. What's a CISO to do? In light of the most recent Marriott breach, Brian Krebs wrote a great thought piece about our new acceptance of "security" and that is we can't count on companies security our data. How do security professionals communicate that to their team and users and still maintain trust? What's worse?! This week's challenge comes from William Birchett, Sr. Manager IT Security at City of Fort Worth. Both options are annoying and we have a split decision on what's worse. First 90 days of a CISO Tony Dunham of the Professional Development Academy asks how can InfoSec professionals develop the soft skills needed for leadership prior to being put in the pilot seat? Ask a CISO We talk about user-centric design and my co-host has some not-so-nice-words for vendors selling a "single pane of glass" solution.

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com. If we let you know that 90 percent of break-ins happen because of a little known threat we happen to mitigate, you'd purchase our product, right? Ignore basic security practices as you listen to the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Yaniv Bar-Dayan, CEO of Vulcan Cyber. This episode is sponsored by Vulcan Cyber, your automated vulnerability remediation solution. Put an end to manual-only patch management and reduce vulnerability risk with a cloud-based solution that bridges the vulnerability remediation gap. Automate and orchestrate the vulnerability remediation process with Vulcan Cyber. On this episode: Why is everybody talking about this now? How do you reaffirm that dynamic leadership stance so people aren't just responding to the title, but are actually responding to you and the way you're proving your leadership on a day-to-day basis? Ask a CISO Why do we keep recommending "go back to security basics"? What's Worse?! In honor of our guest, this one is about vulnerability management. Please, enough! No, more! What have we heard enough about on vulnerability management and what would we like to hear a lot more? Ask a vendor How do security vendors work differently with enterprises vs. smaller and mid-size companies?

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com. We're no longer buying their albums because we've had enough of the "can do no wrong" toxic culture of cybersecurity rock stars. On this episode of the CISO/Security Vendor Relationship Podcast we are elevating the little known indie InfoSec professionals. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is independent analyst, Kelly Shortridge (@swagitda_). Follow her musings at Swagitda. This episode is sponsored by Vulcan Cyber, your automated vulnerability remediation solution. Put an end to manual-only patch management and reduce vulnerability risk with a cloud-based solution that bridges the vulnerability remediation gap. Automate and orchestrate the vulnerability remediation process with Vulcan Cyber. On this episode: Why is everybody talking about this now? We do a health check on where we are in terms of security enabling the business. What have been the greatest strides and where are we falling behind? We reference a post by CISO of Mitel, Allan Alford. Please, Enough. No, More. We discuss the phenomenon of cybersecurity rock stars and why their "they can do no wrong" pass is toxic to the industry. What's Worse?! Tip of the hat to Kip Boyle, CEO of Cyber Risk Opportunities for this week's question. Ask a CISO The phenomenon of security buzzwords. When is it actually used to describe a product and when is it used to fill up space in a marketing campaign? What's a CISO to do? We talk about people being the problem in security, but it's not in the way you think it is.

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com. Why is our financial institution sending us an email suggesting we click on a link to log into our account? On this episode of the CISO/Security Vendor Relationship Podcast we educate your customers and your marketing department about suspicious looking emails. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Chenxi Wang, managing general partner, Rain Capital. Special thanks to Virtru for sponsoring this episode. As a reader, I know you're always worried about your data. That's why Virtru is providing a free copy of Forrester's 14-page report on the Future of Data Security and Privacy to readers for a limited time. Click here to grab your copy while it's still available. On this episode Why is everybody talking about this now? While many security professionals' eyes roll when they hear the word "blockchain," it is currently the second most popular area of security research, according to IDG. What is it about blockchain that VCs and security professionals find so attractive? Question for the board What responsibility does the board bear for educating the C-suite about cybersecurity competency? PwC put together a great list of questions the board should be asking regarding cybersecurity competency. It's time to play "What's Worse?!" There's a visual attached to this game. Go ahead and look here and tune in to hear the question. What's a CISO to do? Our guest, Chenxi Wang, provided some excellent advice for startups on getting on the diversity train early on. If you don't, you'll find it's incredibly hard to build in diversity with an established and non-diverse team. And now this... How do VCs play a crucial role in the relationship between buyers and sellers of security products?

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com. Why were we brought to this event? Why can't we leave? I don't think we have enough clues to get out of this vendor meeting. We struggle to remember our safe word in the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Richard Seiersen (@RichardSeiersen), former CISO of LendingClub. Enormous thanks to our sponsor this week, Axonius, simple asset management for cybersecurity. Got feedback? Join the conversation on LinkedIn On this episode: Opening We realize that Mike's comment about burning found USB drives was spot on. According to an experiment conducted by Sophos, about 2/3rds of found USB drives were infected. What's a CISO to do? You've been invited to a vendor dinner, but you feel trapped. Where can you go? We discuss what constitutes a good vendor dinner and which ones make you feel trapped? Here's a link to that Onion article I referenced on the show: "'First Date Going Really Well,' Thinks Man Who Hasn't Stopped Talking Yet." Ask a CISO Are CISOs swayed when a vendor sells themselves as "market leading?" Could it actually be a detractor? What about the array of current clients? Does that have any impact? What's Worse?! Mike Johnson says this could be the most even comparison ever! How a vendor helped me this week We talked about an article I released last week, "How to Make a Huge Impact in the Security Community with Zero Marketing," which told the story of building thought leadership and industry influence through open source and related contributions, but not marketing. Ask a CISO How quickly is risk being created in your environment and how quickly can you reduce it? More importantly, can you measure that? Our guest, Richard Seiersen, author of the upcoming book, "The Metrics Manifesto: Confronting Security With Data" (Wiley 2019), explains.

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com. We gear up in HAZMAT suits and get ready for some dangerous USB drive analysis. We're taking all precautions on the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Dean Sysman (@DeanSysman), CEO of Axonius. Enormous thanks to our sponsor this week, Axonius, simple asset management for cybersecurity. On this episode: Opening We talked about how the history of the Enigma machine speaks volumes to how users react when they're forced to use a way too complicated security solution. They will find ways to simplify even if means weakening the overall security. Learn more from Mark Baldwin, Dr. Enigma. Why is everyone talking about this now? I challenged Mike and Dean to this question posed on Quora, "What is the safest way to check the content of a USB stick I found on the ground?" What's a CISO to do? Traditionally, CISOs rise through the ranks as security practitioners and slowly learn the business. But what if you're a CISO that never held the title of practitioner, but is very well versed in the business. How is selling to that type of a CISO different? What's Worse?! Mike and Dean are challenged with two horrible scenarios in asset management. Both are very risky, it's just one will probably result in a breach faster than the other. Please, Enough. No, More! We talk about asset management, and what's shocking is there isn't much to complain about in the "Please, Enough" portion of the segment. The reality is it's all "No, More!" Ask a CISO Dennis Leber, CISO for Cabinet for Health and Family Services for the Commonwealth in Kentucky asked if traditional sales pitches for the latest and greatest threat are really detracting companies from dealing with the basics of security.

We're just a bunch of immature teenagers who can't seem to control ourselves or our security program. We're definitely exploring new solutions in the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guests this week is Michael Makstman, CISO of the City and County of San Francisco. Enormous thanks to our sponsor this week, Axonius, simple asset management for cybersecurity. Read the full article on CISOseries.com.

This is a bonus episode of the CISO/Security Vendor Relationship Podcast with former guest, Allan Alford, CISO of Mitel, who was also the subject of a story I wrote in September entitled "One CISO's Grand Experiment to to Engage with Security Vendors." At that end of that discussion, Alford and I agreed that I would follow up with him in a month to see how the experiment went. This conversation is that story. Find the full article here.

Check out more at our site CISOseries.com. We don't play fair and we're not ashamed to admit it. This week's episode of the podcast is super-sized because it was recorded in front of a live audience at the Silicon Valley Code Camp conference held at PayPal in San Jose. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guests this week for the live show were Ahsan Mir (@ahsanmir), CISO, Autodesk and Geoff Belknap (@geoffbelknap), CSO, Slack. (from left) Geoff Belknap, CSO, Slack, Mike Johnson, CISO, Lyft, Ahsan Mir, CISO, Autodesk, David Spark, Founder, Spark Media Solutions Special thanks to our sponsor, Electronic Frontier Foundation. Please support their efforts to protect your digital privacy. On this super-sized episode of the CISO/Security Vendor Relationship Podcast: Ask a CISO Is cybersecurity an IT problem or not? Do non-security executives pigeon-hole the role of security? Is this an unfair assessment? Is it dangerous to only view InfoSec as an IT problem? Why is everyone talking about this now? A hot discussion by Jason Clark of Netskope got everyone discussing why CISOs fail. In general, our panel believes it's a situation of poor alignment with the functions and risk profile of the business. What game best prepares you for a job in InfoSec? A few years ago I wrote an article entitled, "What 30 Classic Games Can Teach Us About Security," in which security professionals point to video games, board games, gambling games, and sports as great metaphors and training grounds for a life in security. Our panel debates the value of games as InfoSec teaching tools. "What's Worse?!" We play two rounds of the game and we get split decisions! The first round touches upon a major pet peeve Mike Johnson has had since our very first episode. What's a CISO to do? Security is often seen as a thankless job. It's though the role of the CISO to make sure everyone knows how awesome their security staff is and what they can do for the rest of the business. What do you think of this pitch? We critique another pitch and with this one a CISO does a rewrite that hopefully the security vendor will use. How do CISOs know they're getting a good deal? Not only do CISOs need to come up with a security program for the company, but they need to understand whether or not they're getting good price for the security tools they purchase. Do CISOs have a method to actually insure they're getting the best price possible? Do they even care?

Our CISOs don't have much confidence they'll receive any support when they hit the 'Send' button on your web form. Check out our NEW SITE: CISOseries.com This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Aaron Peck, CISO of Shutterfly. Special thanks to our sponsor, ConnecTech, producer of intimate custom executive events for IT professionals. Executives: Register to be notified when one of their events will be coming to your city. Vendors: Sponsor one of their events to get meetings with executives that are looking for solutions that your company provides. On this episode of the CISO/Security Vendor Relationship Podcast: Ask a CISO What were the turning points that led you to achieve the title of CISO? We've got a shout out to Mike Rothman's book, "The Pragmatic CISO" and the desire to find and solve the toughest most needed security problems. How a security vendor helped me CISOs have heard the stories from all the major InfoSec vendors. They're tired of playing second and third fiddler to a vendor's hundreds if not thousands of other clients. While a young startup company, potentially in stealth mode, doesn't necessarily have a track record, they do have eagerness and are willing to make their earliest and first customers extremely happy. This hand-holding-type relationship is very attractive to a CISO. What's Worse?! This entry into our weekly game is all about the following two images. There's so much going on in these pictures of a man who has decided to start day trading in public at a local Starbucks. Can you determine what's worse in these two pictures? Our CISOs debate. For more, check out the avid discussion on LinkedIn. What do you think of this pitch? Mike delivers probably the most thorough analysis of a vendor pitch I've ever heard on the show. What's a CISO to do? Hiring great InfoSec talent is an extreme challenge. Our guest, Aaron Peck, makes an argument for speedy hiring to get value for the company as quickly as possible.