Defense in Depth

Julie Tsai, CISO-in-Residence at Ballistic Ventures, joins the conversation to dissect the relevance of least privilege in modern security. She argues that concepts like dynamic access and just-in-time provisioning are still rooted in least privilege principles. The discussion highlights the importance of prioritizing critical assets and implementing controls tailored to industry needs. Julie also emphasizes how automation can ease access control challenges, ensuring more reliable processes and compliance in today's fast-paced tech landscape.

Bobby Ford, Chief Strategy and Experience Officer at Doppel, dives deep into the world of social engineering defenses. He discusses why traditional phishing click rates are flawed metrics and shares insights on measuring risk effectively, especially for high-impact users. Bobby emphasizes the importance of a tailored social engineering susceptibility score while exposing how AI is changing the landscape of personalized attacks. The conversation highlights building a security culture through collaboration and timely reporting, ultimately enhancing digital integrity.

Alex Guilday, BISO at Royal Caribbean Group and a former cybersecurity salesperson, shares insights on effective sales strategies in cybersecurity. He discusses the importance of tailoring outreach to avoid saturating security professionals with generic messaging. With a dual perspective, Alex reflects on the necessity of building long-term relationships over transactional tactics. He highlights the value of trusted peer recommendations and emphasizes the significance of timing and touch frequency in sales sequences.

Unlock the power of soft skills in cybersecurity! Discover how curiosity, resilience, and conflict resolution can turn technical sales into partnerships. Learn the importance of personalizing communication and anchoring security conversations to business goals. Delve into advocacy and empathy as vital collaborative skills. Find out how to effectively showcase these soft skills during interviews with impactful stories. Soft skills are not just nice to have; they are essential for team success and can be developed with practice.

James Bruce, Business Security Services Director at WPP, shares his expertise in security across diverse environments. He highlights the transformation of visibility into actionable intelligence, emphasizing its importance beyond just dashboards. Bruce discusses the critical need for risk-based prioritization, advocating for focusing on essential assets instead of chasing every vulnerability. The conversation navigates the complexities of identity management and the pitfalls of relying solely on dashboard metrics, exposing gaps that can jeopardize security.

In this discussion, Ash Hunt, VP of Strategy at Cyera and a data security expert, tackles the fast-evolving landscape of data governance amid AI's rise. He highlights the critical issue of access creep and how traditional governance often feels inadequate. The conversation uncovers the shift toward adaptive, metadata-driven controls and data storytelling as essential tools for managing integrity challenges from AI-generated outputs. Business pressures surrounding data supply chains and the balance between centralized and decentralized governance models are also explored.

Join Jason Tall, CISO at Luminis Health, as he unpacks the challenges security vendors face in a crowded market. He discusses the difference between 'best' and 'best fit' in vendor selection. Integration issues and legacy systems can stifle innovation, while trusted VAR relationships play a pivotal role in market traction. Jason emphasizes the importance of no-cost proofs of value and risk aversion among buyers, advocating for transparency and trust to foster better sales practices.

Kara Sprague, CEO of HackerOne and an expert in AI security, delves into the complex world of AI risks. She emphasizes the need for new governance to manage the unique challenges posed by AI, such as shadow AI and identity issues. The discussion highlights the importance of red teaming for ongoing security testing and how the rapid adoption of AI necessitates clear guidelines for safe usage. Kara also advocates for defining risk appetites and establishing 'paved paths' to channel AI experimentation effectively.

Edward Contreras, CISO at Frost Bank, and Hadas Cassorla, CISO and reporter for CISO Series, tackle the intricate world of cybersecurity adoption. They highlight how small to medium-sized businesses struggle with security tools while larger companies dominate the landscape. The duo discusses the 'security poverty line' and the challenges startups face in gaining market traction. Strategies for enhancing adoption through simplified solutions and the critical role of managed service providers are also explored, making for a compelling listen.

All links and images can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by David Spark, the producer of CISO Series, and Geoff Belknap. Joining us is our sponsored guest Mokhtar Bacha, founder and CEO, Formal. In this episode: Access management faces transformation AI agents demand new authentication paradigms AI complexity demands simplified governance approaches Data-centric identity management replaces role-based approaches Huge thanks to our sponsor, Formal Formal secures humans, AI agent's access to MCP servers, infrastructure, and data stores by monitoring and controlling data flows in real time. Using a protocol-aware reverse proxy, Formal enforces least-privilege access to sensitive data and APIs, ensuring AI behavior stays predictable and secure. Visit joinformal.com to learn more or schedule a demo.