Defense in Depth

David Spark, Steve Zalewski, Geoff Belknap
Jan 21, 2021 • 32min

Building a Security Team

All links and images for this episode can be found on CISO Series. You're a new CISO at a new org, given a headcount of ten to build a cybersecurity team. What's your strategy to build that team? Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, guest co-host Steve Zalewski, Deputy CISO, Levis, and our guest JJ Agha (@jaysquaredx2), CISO, Compass.

Thanks to our podcast sponsor, Imperva. Face it, your data is everywhere! Imperva Data Security unifies compliance, security and privacy needs for any data store while saving you time and money. No matter where data lives, get confidence about what is happening with data, where it's stored and who's accessing it. Start a free trial now.

In this episode: the importance of assessments and gap analyses; why you need to leverage your network; educating and empowering teams; introspection and self-awareness as a leader.
Jan 14, 2021 • 25min

Are our Data Protection Strategies Evolving?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-are-our-data-protection-strategies-evolving/). As we move from keeping data on premises to keeping it in the cloud, are our data protection strategies evolving as well? There are issues of securing data, knowing where it travels, and the privacy implications of that data. How are we handling all of that? Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest, Chris Brown, senior director, data security at Imperva.

Thanks to our podcast sponsor, Imperva. Face it, your data is everywhere! Imperva Data Security unifies compliance, security and privacy needs for any data store while saving you time and money. No matter where data lives, get confidence about what is happening with data, where it's stored and who's accessing it. Start a free trial now.

In this episode: Cloud platforms and their exposure make it easier to deploy with less oversight, which also makes mistakes easier. Product and marketing leaders need a change of mindset so that the consequences of taking in different data types are considered in the design phase. There is also a need for SIEM tools and access management.
Jan 7, 2021 • 27min

Should CISOs Be Licensed Professionals?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-should-cisos-be-licensed-professionals/). Many professionals are required to obtain a license before they can legally do their job. The demands on cybersecurity professionals, especially CISOs, have become more critical, as evidenced by the increasing number of regulations requiring that a person oversee security and privacy controls. Should CISOs be licensed to maintain a minimum standard? Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Patrick Benoit (@patrickbenoit), vp, global head of GRC and BISO, CBRE.

Thanks to this week's podcast sponsor, F5. External threats to your organization's security are constantly evolving. Your apps need broad and preventive protection from bot attacks that cause large-scale fraud, higher operational costs, and problems for your users. And they need to be optimized for secure operation internally. Silverline Shape Defense helps you stay ahead of cyber threats and fraud. Get a free trial.

Highlights from this episode of Defense in Depth: Almost universally, nobody liked the idea of requiring a CISO to hold a license in order to practice. That said, the subject stirred up a hornet's nest of discussion. The main complaint is that the job changes so drastically depending on the industry you're in. Many argued that a license won't translate into success. It's hard to see how to build a license around someone who manages risk but doesn't own it.
Dec 17, 2020 • 27min

Inherently Vulnerable By Design

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-inherently-vulnerable-by-design/). Much of what we do as practitioners is prevent inadvertent security problems: oversights, zero-days, and the like. What about inherent and unavoidable problems, where the very design of the thing requires a lack of security? What do you do then? Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest, Dan Woods, vp of the Shape Intelligence Center, F5.

Thanks to this week's podcast sponsor, F5. External threats to your organization's security are constantly evolving. Your apps need broad and preventive protection from bot attacks that cause large-scale fraud, higher operational costs, and problems for your users. And they need to be optimized for secure operation internally. Silverline Shape Defense helps you stay ahead of cyber threats and fraud. Get a free trial.

On this episode of Defense in Depth, you'll learn: The mere act of conducting business requires procedures that make you vulnerable. Simple things like taking customer information to create user accounts and processing credit cards are inherent to doing business, and by opening that up you make yourself vulnerable. A lot of this inherent vulnerability comes down to having users or customers and needing to authenticate them. When you start a business you also accept that inherent vulnerability, and you have to ask yourself at what level the business can still function if that vulnerability is abused. It's all about risk appetite. Two-factor authentication is nice, but there have to be multiple "behind the scenes" checks going on to verify identity continuously. As you collect all these additional data points, you can use that information to ask the user to verify themselves. Provide discounts to customers and users for good security practices; insurance companies do this for people who prove safe driving practices, and it could be a win-win for everybody. For example, Mailchimp gives you a discount if you enable 2FA. Why not offer a discount for a really long and complicated password? One of the major issues is that the password reset process happens through email. Email wasn't designed for critical authentication, and many hacks happen through the email-based reset process.
Dec 10, 2020 • 29min

Imposter Syndrome

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-imposter-syndrome/). For CISOs and other security leaders, suffering from imposter syndrome seems inevitable. How can you ever be really confident when there's an endless stream of threats and a landscape that changes without your knowledge? Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest David Peach (@realdavidp), CISO and head of privacy, The Economist Group.

Thanks to this week's podcast sponsor, F5. CISOs are dealing with the increasing sophistication of cyber attackers who take advantage of their applications. Find out how F5 helps organizations expand their security and see the unseen by watching the F5 Security Summit webinar. View it here.

On this episode of Defense in Depth, you'll learn: Imposter syndrome is the feeling of not being as good as you purport to be, or as others perceive you to be. Almost all security professionals, especially CISOs, have moments of imposter syndrome. The root of the problem is underestimating your own contributions. Imposter syndrome can debilitate a security professional, but the opposite is also dangerous: if you never question your ability, think you alone can solve things, and others perceive you that way too, that's a disaster waiting to happen. The relentless change in technology and threats can overwhelm a professional and leave them feeling they can't keep up, with a sense that they will always be behind. It's not a sprint, nor a marathon; security is an infinite game. There's no winning and no moment of relief, but if you look at it as a journey you can see success along the way. There is an outside expectation that CISOs know more than they actually do, and at the same time they don't want to disappoint management, the business, or the team. Imposter syndrome can be a positive when it leads to self-awareness and improvement. Be smart enough to know how little you know and accept it, but stay on that journey to keep learning. You can't teach the person who thinks they know it all. The flip side is that you rarely get congratulated for your work as a security professional.
Dec 3, 2020 • 28min

Why Don't More Companies Take Cybersecurity Seriously?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-why-dont-more-companies-take-cybersecurity-seriously/). Breach after breach, we still don't seem to be getting through. Many companies don't seem to be taking cybersecurity seriously. What does it take? Obviously not scare tactics. Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Ben Sapiro, global CISO, Great-West LifeCo.

Thanks to this week's podcast sponsor, Sonatype.

On this episode of Defense in Depth, you'll learn: Even with attacks and breaches on a constant march, far too many companies operate under the "it will never happen to me" ostrich strategy. The problem with the "I'm too small to attack" defense is that you probably also have minimal security protections, which makes you far easier to attack; it is far easier to penetrate 100 low-defense targets than one huge target with high defenses. Watching other companies survive a breach makes one feel as if they'll be just as resilient. Many companies that show no interest in cybersecurity may simply not be doing appropriate risk-based analysis. A company in a highly regulated industry has no choice but to take cybersecurity seriously. Businesses that are built on trust and have a low barrier to exit often understand the need to take cybersecurity seriously, because they are always cognizant of reputational risk. Many feel powerless against the onslaught of attacks, and believe that even if they take cybersecurity seriously and spend money defending themselves it will all be a giant waste of effort. Many people simply don't feel attached to any cybersecurity effort; if you're not vested in it, why care about it? Those of us in cybersecurity forget what it feels like to not know anything about cybersecurity.
Nov 19, 2020 • 33min

Data Protection and Visibility

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-data-protection-and-visibility/). Where is your data? Who's accessing it? You may know if you have an identity and access management solution, but what happens when that data leaves your control? What do you do then? Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest, Elliot Lewis (@elliotdlewis), CEO, Keyavi Data.

Thanks to this week's podcast sponsor, Keyavi Data. Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner's control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com.

On this episode of Defense in Depth, you'll learn: In general, all of security is based on detecting threats and stopping threats. When those two fail, and they do, what's your recourse to protect your data? What if, when your data leaves your control either accidentally or through a malicious breach, you could still see your data wherever it went, and the data could report its status back to you, allowing you to control access to it? There are so many scenarios in which data leaves you that it's impossible to protect against all of them. Asset inventory is the first step in the CIS 20. Just getting an inventory of equipment is difficult; an inventory of data is near impossible, especially when you may be producing a terabyte of data a day. The ideal is to protect data proactively, as it's being created. The ultimate goal is visibility of your data in perpetuity, for the life of the data, so that you can decide when to destroy it even when it's no longer within the confines of your network and ecosystem. Governing your network, your applications, the rules, and the data is half the battle. Data visibility also lets you make informed decisions as a business and can provide the answers your legal team will need in case of a breach. You want the data protection and visibility scheme to be platform and ecosystem independent; if protection only holds while data stays inside one ecosystem, then the moment the data is taken out, the protection and visibility are moot. A good precursor to this is digital rights management (DRM). DRM vendors have figured out how to keep data from being copied and manipulated, and they can place controls on it. The limiting factor is that it's platform dependent.
Nov 12, 2020 • 28min

What's an Entry Level Cybersecurity Job?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-whats-an-entry-level-cybersecurity-job/). Naomi Buckwalter, director of information security at Energage, analyzed one thousand random information security job posts on LinkedIn. The most notable trend she found was that 43% of the posts had CISSP and five-year experience requirements for entry-level positions. Are companies trying to lowball cybersecurity professionals, or do they simply not know what an entry-level cybersecurity job is? Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest, Joseph Carrigan (@JTCarrigan), senior security engineer at Johns Hopkins University Information Security Institute and co-host of the Hacking Humans podcast.

Thanks to this week's podcast sponsor, Keyavi Data. Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner's control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com.

On this episode of Defense in Depth, you'll learn: There has been an ongoing trend of companies posting "entry level but experience required" job listings for cybersecurity professionals. This is self-defeating for companies because the positions don't get filled, and true entry-level people get discouraged; they feel it's impossible to get into the industry, which can drive them away from cybersecurity and hurts the entire industry. Others would argue that we shouldn't even have this conversation because there is no such thing as an entry-level position, just as there are no entry-level doctors: you must have some type of training or experience to do this job. There's no doubt that CISOs fight more for headcount than for overall dollars, and if they get a limited headcount, they're going to want as much talent as they can possibly get with the limited number of positions they can fill. Security is a layer on top of IT, engineering, or development. For that reason it can be seen as mid-level experience or above, simply because security is a specialization. Is this behavior of shooting so high for an entry-level cybersecurity role causing the cybersecurity skills gap? The best way to prove your value to a hiring cybersecurity professional is to set up your own home lab. The skill that is hard to put on a resume or to explain in a job listing is non-linear thinking, but that's essentially what you're looking for in an entry-level cybersecurity hire.
Oct 29, 2020 • 29min

Securing Digital Transformations

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-securing-digital-transformations/). Digital transformation. Its definition is broad, meaning securing it is also broad. But there are some principles that can be followed as companies take each step deeper into making more and more of their processes essentially computerized. Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest, Paul Asadoorian (@securityweekly), founder and CTO, Security Weekly, and chief innovation officer, Cyber Risk Alliance.

Thanks to this week's podcast sponsor, Keyavi Data. Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner's control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com.

On this episode of Defense in Depth, you'll learn: Digital transformation is about relying on computing technology for more integral processes and aspects of our daily work lives. There is lots of debate on the definition of digital transformation, and likewise on securing digital transformations. One definition: a targeted change to process and technology for the benefit of the people. Another: increasing levels of interoperability of information. We heard the recurring argument that security needs a seat at the table at the beginning of a digital transformation, not at the end. But reality set in, and it was argued that security doesn't get to dictate that; if security tried to, it would drive a greater wedge between itself and the business. When security is brought in at the end, though, security has no option but to disrupt the business, and then no one is happy. Digital transformation introduces new risks, often greater risk: if the point is to integrate more of your processes, then that integrates the risk as well. If you're undergoing a true transformation, you are looking at core processes and asking, "What new tech facilitates, streamlines, and/or actualizes these core processes?" You no longer have to settle for shopping for a solution and then smashing your processes up against it. Your security tools should also undergo a transformation, and that includes a transformation in monitoring as well.
Oct 22, 2020 • 29min

Leaked Secrets in Code Repositories

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-leaked-secrets-in-code-repositories/). Secrets, such as passwords and credentials, are out in the open, just sitting there in code repositories. Why do these secrets even exist in public? What's their danger? And how can they be found and removed? Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest, Jérémy Thomas, CEO, GitGuardian.

Thanks to this week's podcast sponsor, GitGuardian. GitGuardian empowers organizations to secure their secrets, such as API keys and other credentials, from being exposed in compromised places or leaked publicly. GitGuardian offers a threat intelligence solution focused on detecting secrets leaked on public GitHub and an automated secrets detection solution that tightly integrates with your DevOps pipeline.

On this episode of Defense in Depth, you'll learn: Putting passwords and other credentials inside code simply happens. Developers do it for efficiency, out of laziness, or because they simply forgot to take it out. Because developers are the ones exposing secrets, these secrets appear in code everywhere, most notably in public code repositories like GitHub. Exposed credentials can also turn up in SIEMs as they are exported from the developers' code. There is a shared responsibility model, and cloud providers do have some ability to scan code, but ultimately the code you put in your programs is your responsibility. Scanning public code repositories should be your first step; you don't want to be adding code that has known issues. The next step is to scan your own code and get alerts when your developers add secrets (wittingly or unwittingly) to their code. If you alert in real time, it fits naturally within the DevOps pipeline, and developers will improve their secure coding skills. Another option for dealing with exposed secrets is to sidestep the problem completely and put in additional layers of security, most notably multi-factor authentication (MFA). That's a great idea, and yes, you should definitely include this step, but it doesn't eliminate the problem: there are far too many authentication layers (many of them automated) for you to put MFA on everything. There will always be many moments of exposure.
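The "scan your own code and alert in the pipeline" step, as an added example that is not from the episode and not GitGuardian's product: a small Python scanner that reads a unified diff (for instance the output of `git diff --cached -U0` in a pre-commit hook), checks only the added lines against a few credential-format regexes plus a Shannon-entropy check for tokens with no known format, and skips obvious placeholders so the hook does not cry wolf on `${DB_PASSWORD}` or `<your-api-key-here>`. The token formats, thresholds and placeholder list are assumptions to tune for your own code base, and the diff it scans is constructed for the demo; none of the values in it are real credentials.

```python
"""Added example: flag hard-coded secrets in the added lines of a diff."""
from __future__ import annotations

import math
import re
import sys
from dataclasses import dataclass

# Assumed credential formats, modelled on publicly documented prefixes
# (AWS access key IDs begin with AKIA/ASIA, GitHub personal access tokens
# with ghp_). Extend this for the credential types your own code uses.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # name = value / name: value where the name looks secret-ish; group 2 is the value
    "secret_assignment": re.compile(
        r"(?i)\w*(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]?([^'\"\s,;]{8,})"
    ),
}

# Values that look like secrets but are clearly placeholders or env lookups.
PLACEHOLDERS = re.compile(
    r"(?i)^(changeme\w*|example\w*|dummy\w*|x{3,}|\*+|\$\{.*\}|<.*>|os\.environ.*)$"
)

ENTROPY_THRESHOLD = 3.5    # bits per char; random tokens usually score above 4
MIN_TOKEN_LEN = 20         # shorter strings give noisy entropy estimates
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{%d,}" % MIN_TOKEN_LEN)


@dataclass
class Finding:
    line_no: int
    kind: str
    masked: str   # never echo the full secret into logs or CI output


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_line(line_no: int, line: str) -> list[Finding]:
    findings: list[Finding] = []
    seen: list[str] = []   # values already reported on this line
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(line):
            value = m.group(2) if kind == "secret_assignment" else m.group(0)
            if PLACEHOLDERS.match(value) or value in seen:
                continue
            seen.append(value)
            findings.append(Finding(line_no, kind, mask(value)))
    # Entropy pass catches tokens whose format we have no regex for.
    for tok in TOKEN_RE.findall(line):
        if shannon_entropy(tok) < ENTROPY_THRESHOLD:
            continue
        if any(tok in v for v in seen):      # already reported by a pattern
            continue
        seen.append(tok)
        findings.append(Finding(line_no, "high_entropy_string", mask(tok)))
    return findings


def scan_text(text: str, added_only: bool = False) -> list[Finding]:
    """Scan text line by line. With added_only=True, treat it as a unified diff
    and look only at '+' lines (skipping the '+++' file header), so a pre-commit
    hook flags only what the developer is about to introduce."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if added_only:
            if not line.startswith("+") or line.startswith("+++"):
                continue
            line = line[1:]
        findings.extend(scan_line(line_no, line))
    return findings


# Constructed sample diff for the demo; none of these values are real credentials.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,6 @@
 DEBUG = False
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "Pr0d-hunter2-2020!"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ0123xy"
+API_KEY = "<your-api-key-here>"
+-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    # Hook usage (assumed file name):  git diff --cached -U0 | python secret_scan.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    results = scan_text(text, added_only=True)
    for f in results:
        print(f"line {f.line_no}: {f.kind}: {f.masked}")
    sys.exit(1 if results else 0)
```

Run with no stdin and it scans the built-in sample, reporting the password assignment, the AWS key ID, the GitHub token and the private-key header while staying quiet on the placeholder and on the removed `os.environ` line. A non-zero exit blocks the commit, which is the real-time alert the episode describes; the regex pass gives precise matches for known formats, the entropy pass is the safety net for everything else, and the two are de-duplicated so one token is reported once.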
