Defense in Depth

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-should-risk-lead-grc/) Defining risk for the business. Is that where a governance, risk, and compliance effort should begin? How does risk inform the other two, or does calculating risk take too long that you can't start with it? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Marnie Wilking (@mhwilking), global head of security & technology risk management, Wayfair. Thanks to this week’s podcast sponsor, Qualys. Qualys is a pioneer and leading provider of cloud-based security and compliance solutions. On this episode of Defense in Depth, you’ll learn: The model of risk = likelihood x impact doesn't take into account the value of assets. Assets have to be valued first before you calculate risk. Is the reason risk isn't used to lead governance, risk, and compliance (GRC) because it's so darn hard to calculate? Many CISOs say their toughest job starting out is trying to understand what the crown jewels are and what the board's risk tolerance is. Risk management allows the board to know when you have enough security. Some assets may require eight layers where others may only require one or two. Determining likelihood of an attack involves a good amount of guesswork. We've discussed on a previous episode of CISO/Security Vendor Relationship Podcastthat we don't go back to see how good our risk predictions were. If you want to get better at it, you should. Otherwise, it will always be guesswork. Even if you can get someone to agree what their risk tolerance is, or what asset is of importance, trying to get agreement among a group can be a blocker. Keep in mind that each person is going to have a different viewpoint and concerns. Knowing risk appetite is critical. You can apply security controls without knowing it, but that's providing a unified security layer across all data, people, and applications when they are all not equal when it comes to asset valuation.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-responsible-disclosure/) Security researchers and hackers find vulnerabilities. What's their responsibility in disclosure? What about the vendors when they hear the vulnerabilities? And do journalists have to adhere to the same timelines? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Tom Merritt (@acedtect), host, Daily Tech News Show. Thanks to this week’s podcast sponsor, Qualys. Qualys is a pioneer and leading provider of cloud-based security and compliance solutions. On this episode of Defense in Depth, you’ll learn: Manufacturers, software companies, researchers, hackers, and journalists all play a role in responsible disclosure. Vulnerabilities will exist, they will be found, and how companies want to be alerted about those issues and inform their public are key elements in the process of responsible disclosure. While there are CERT guidelines for responsible disclosure, there are no real hard and fast rules. There will always be judgement calls involved. But like the doctor's Hippocratic Oath, the goal is to minimize harm. You can't announce a vulnerability without offering a fix. It's opening the door to the bad guys to come in and cause havoc. There is a long history of how vulnerabilities have been disclosed. It often was a surprise and malicious. The trend of responsible disclosure and bug bounties has given rise to the legitimacy of white hat hackers and the process of exposing vulnerabilities. One listener argued that the term "responsible disclosure" implies a moral judgement. He argued that it should be referred to as "coordinated disclosure." There is still frustration on multiple sides with how responsible disclosure should be handled. Researchers sometimes argue they're not getting recognized or paid. Companies often feel extorted by researchers who want answers on their timelines. And journalists have to weigh the importance and criticality of a vulnerability. Should they let people know about it even if there really isn't a good fix yet.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth:-internet-of-things/) When Internet of Things or IoT devices first came onto the market, security wasn't even a thought, let alone an afterthought. Now we're flooded with devices with no security and their openness and connectivity are being used to launch malicious attacks. What are methods to secure environments today and how should these IoT devices being secured in the future? Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Josh Corman (@joshcorman), founder of I Am The Cavalry. Thanks to this week’s podcast sponsor, Pulse Secure. Pulse Secure offers easy, comprehensive solutions that provide visibility and seamless, protected connectivity for hybrid IT in a Zero Trust world. Over 20,000 enterprises entrust Pulse Secure to empower their mobile workforce to securely access applications and information in the data center and cloud while ensuring business compliance. On this episode of Defense in Depth, you’ll learn: For years, manufacturers didn't consider device security. As a result, attackers have used insecure devices like connected webcams to gain entry into a corporate network. If you're manufacturing devices, then make security and patches a top concern even after end of life support. Big gap between public trust and the reality. Almost all people trust manufacturers to secure their devices. The reality is most manufacturers aren't securing their devices. While we've seen webcams used to launch distributed denial of service (DDoS) attacks, the greatest concern is of a similar style attack being launched against industrial IoT. The discussion of IoT security goes beyond security of devices. We know there are devices with zero security connected to our network. This is where a larger discussion of zero trust and defense in depth style security programming comes into play. We have a growing number of unmanaged devices. Devices that are just always on and connected to the Internet providing simple functions like reading their environment. How much responsibility do manufacturers have for the security of their devices after they've been purchased and shipped? They can create updates and patches, but they can't enforce them.

Mustapha Kebbeh, CISO at Brinks, shares his deep insights on the intersection of governance, risk management, and compliance (GRC). He emphasizes that strong governance practices are essential for meaningful GRC programs. Without effective leadership, achieving compliance becomes challenging. The discussion covers how actionable and accountable policies drive successful outcomes and the significance of integrating stakeholder perspectives for cohesive risk management. Discover how prioritizing governance can help organizations navigate the complexities of cybersecurity.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-who-should-the-ciso-report-to/) Who should the CISO report to? What factors determine that decision? And why is that single decision so critical to a company's overall security? Check out this post for the basis for our conversation on this week’s episode which features me, special guest co-host Yaron Levi (@0xL3v1) CISO, Blue Cross Blue Shield of Kansas City. Our guest is Gary Harbison, vp, global CISO, Bayer. Thanks to this week's podcast sponsor, IBM Security. IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research, provides security solutions to help organizations stop threats, prove compliance, and grow securely. IBM operates one of the broadest and deepest security research, development and delivery organizations. It monitors more than two trillion events per month in more than 130 countries and holds more than 3,000 security patents. On this episode of Defense in Depth, you’ll learn: We're having this discussion because as Allison Berey, M:CALIBRATE explained, "Wrong reporting lines can mean poor decision-making." There is no definitive answers as to what the reporting line should be. The final answer on this this discussion was "it depends." A CISO's placement within an organization should depend on where a company derives its value. All companies say security is important. How they place the CISO within the reporting structure and the influence they have on the organization is very telling as to whether the company truly does value security. There was a lot of concern reporting to other C-level executives that are not the CEO as the CISO's concerns could play second fiddle to a CFO, CIO, or CRO's primary desires. Many felt the most desirable reporting line was CISO-to-CEO. But, assuming every department is dealing with some sort of business risk, don't they all have the right to report to the CISO? Where do you draw the line?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-hybrid-cloud/) The consistency of your security program becomes a challenge once you introduce the cloud. Controls and visibility are not necessarily transferable. How do you maintain the control you want in a hybrid environment? Check out this post for the basis for our conversation on this week’s episode which features me, special guest co-host Taylor Lehmann (@BostonCyberGuy), vp, CISO, athenahealth, and our sponsored guest, Chris Meenan (@chris_meenan), director, offering management and strategy, IBM Security. Chris Meenan, director, offering management and strategy, IBM Security, David Spark, producer, CISO Series, Taylor Lehmann, vp, CISO, athenahealth. Thanks to this week's podcast sponsor, IBM Security. IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research, provides security solutions to help organizations stop threats, prove compliance, and grow securely. IBM operates one of the broadest and deepest security research, development and delivery organizations. It monitors more than two trillion events per month in more than 130 countries and holds more than 3,000 security patents. On this episode of Defense in Depth, you’ll learn: Moving to the cloud, like any other technology initiative, is a business decision. What controls are you ceding over to the cloud provider? What service level agreements (SLAs) and performance measurements do you have for the provider? Be realistic about what’s going to be done if a service provider violates the SLA. You’re not going to all of a sudden dump the provider. You’re going to put some types of corrections in place. Make sure you know what those are and how that can be handled, realistically. Understand your shared responsibility in the cloud. According to a report by FireMon on hybrid cloud use and adoption, about one-third do not fully understand the shared responsibility model of the cloud. Start slow. While you may need to go with multiple cloud providers to fill distribution and requirements, begin with one and learn from that experience. Use cloud adoption as an excuse to join forces with your privacy team to understand where data is being placed and what control you have over it. Cloud providers are not interchangeable like a utility. Cloud providers are chosen based on the services they offer.  

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ciso-tenure/) The CISO has the shortest tenure of any C-level role. Why so brief? Is it the pressure, the responsibility, the opportunities, or all of the above? Check out this LinkedIn discussion to read the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers. Our guest is John Meakin, CISO, Equiniti. Thanks to this week's podcast sponsor, IBM Security. IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research, provides security solutions to help organizations stop threats, prove compliance, and grow securely. IBM operates one of the broadest and deepest security research, development and delivery organizations. It monitors more than two trillion events per month in more than 130 countries and holds more than 3,000 security patents. On this episode of Defense in Depth, you’ll learn: There's a lot of confusion as to what a CISO needs to do. All job descriptions for CISOs are different. There are humans behind the data and as a result CISOs are tasked with protecting the humans. CISOs can improve their tenure if they seek out a business mentor to allow them to better support the business. CISOs who aren't able to communicate clearly will not last long. It's a CISO's job to communicate in the language of the business, not the other way around. Before the CISO ever arrives, there's a business culture. There's always going to be a natural push back from the business. "Why are you making us change?" A simple walkabout the office can solve a lot of uncertainty. If employees start asking questions about their personal security, that's a good sign the CISO has successfully inserted security into the business culture. Another huge factor that impacts CISO tenure are the increased opportunities. Regulations and privacy laws are pushing companies to get CISOs to provide much needed oversight. What does the reporting structure in your organization mean in regards to the CISO being heard at the executive and board level?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-toxic-security-teams/) There's an endless number of variables that contribute to creating a toxic security teams. How does it happen, and what are ways to manage and eradicate the toxicity? Check out this LinkedIn discussion to read the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Jinan Budge (@jinan_forrester), principal analyst serving security & risk professionals at Forrester. On this episode of Defense in Depth, you’ll learn: Toxic security teams happen because of tribalism, not just within security, but across all departments. Security is seen as an expense and an IT problem and many don't think it's everyone's issue. One core issue is the lack of security culture and management simply not supporting the InfoSec team's efforts. There are many ways a security team's culture can become toxic. The issues are so numerous that it seems more of a challenge to prevent a team from its natural tendency to go sideways. The hero mentality of one individual, who thinks only he/she can solve the problem, can poison an entire group. It can be argued that it's an issue of ego, but many see it as insecurity. Often the individual needs to prove to themselves and others in order to maintain their cybersecurity rockstar status. A toxic security team will have a very hard time hiring new staff. People will leave and tell others you don't want to work there. If you have a diverse team and there's toxicity, the team won't last. There's an enormous cost to disengaged employees.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-personality-tests-in-the-workplace/) As a cybersecurity leader, should you use personality tests for hiring and managing a team? Does it create diversity, understanding of communication styles, or does it just create more conflict? Check out this LinkedIn discussion to read the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Ursula Alford, psychologist, Department of Neuropsychology, Baylor Scott & White Institute of Rehabilitation. On this episode of Defense in Depth, you’ll learn: There is plenty of debate as to whether a security leader should use personality tests, such as Myers-Briggs, for hiring or managing employees. Almost universally, no one wanted to use the tests for hiring as it creates bias, but many saw value in using them for managing employees. About half of the people who participated in the discussion just wanted to steer clear of personality tests altogether, never wanting to force their employees to take them either. The tests reveal individuals' preferred communication styles which can be helpful for customizing employee management. This is the main reason they're used. Don't mistake these tests as defining who you are in the future. It's a test to measure personality and communications in a moment in time. People are often asked to take these tests repeatedly and we often score differently with our personalities changing. Meyers-Briggs definitely has issues with validity and reliability. One significant value to any personality test is to see if you're getting a variety of thought patterns on your team. If you're not, then you may be building the wrong team.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-lack-of-diversity-in-cybersecurity/) Cybersecurity teams are notoriously not diverse. At the same time we keep hearing and talking about the need for diversity. Is it critical? Can you be just as successful without it? Check out this Twitter feed for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Christopher Zell, vp, head of information security, The Wendy's Company. Thanks to this week's sponsor, Electronic Frontier Foundation. On this episode of Defense in Depth, you’ll learn: Discussion is based on a quote by one PayPal co-founder, Max Levchin, who said, "The notion that diversity in an early team is important or good is completely wrong. You should try to make the early team as non-diverse as possible." There is diversity of people and there's diversity of opinions. Those two often go together, but they don't have to. While appalling, there is some truth to Levchin's statement. When everyone thinks the same you don't have conflict and can move quickly. But lack of diversity of opinion means you don't see the full picture and that can make you susceptible to unforeseen vulnerabilities. If you don't know what problems you're facing, you should want diversity. Minorities often face different and more struggles than those who never have to suffer diversity issues. They've been hardened and that should make them an even more attractive candidate. Start building your diverse network now. When it comes time to hire diversity and you don't have that network already in place, you're going to have a very difficult time. For more, check out the (ISC)^2 study "Innovation Through Inclusion: The Multicultural Cybersecurity Workforce" and Computerworld article, "The next tech skillset is ‘differently-abled neuro-diverse’".