

Defense in Depth
David Spark, Steve Zalewski, Geoff Belknap
Defense in Depth promises clear talk on cybersecurity’s most controversial and confusing debates. Once a week we choose one controversial and popular cybersecurity debate and use the InfoSec community’s insights to lead our discussion.
Episodes

Feb 6, 2020 • 29min
When Are CISOs Responsible for Breaches?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-when-are-cisos-responsible-for-breaches/). When is a CISO responsible for a breach or cyber incident? Should they be disciplined, fired, or let go with an attractive payout? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Norman Hunt (@normanhunt3), deputy CISO, GEICO.
On this episode of Defense in Depth, you'll learn:
- At the onset, one may want to jump straight to finding liability. But a CISO's responsibility should not be isolated to the moment of the breach. There are more issues to consider, such as authority, accountability, efficacy, and expectations.
- Be wary of assigning accountability if the CISO didn't have the authority to actually carry out his or her intended plan.
- Often the CISO is seen as a necessary scapegoat when there is a breach. It shows an aggressive move by the company to make a change, but then they'll have to go ahead and hire another CISO, probably at a much higher salary (see last week's episode).
- When are you measuring the performance of the CISO? Is it as they build the security program, or only at the moment of the breach? How well a CISO handles the breach when it happens, and how well his or her direct reports and the rest of the company handle it, is a better measurement of the efficacy of the CISO.
- CISOs are held to a higher level of expectation to prevent a risky event from happening. CIOs, CEOs, and CFOs are not held to the same standard.
- Even the best CISOs will suffer a breach. It's a single point in time. It sure is a very bad point in time, but what are the events that led up to this moment? Were they building out a security program and were there improvements, or were staff education and leadership falling short?
- The best standard of measurement of a CISO is how well they communicate and implement security and risk decisions.
- Failure may lie in the definition of the CISO role itself. A CISO's role and its responsibilities are far from standardized.

Jan 30, 2020 • 26min
Post Breach Desperation and Salary Negotiations
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-post-breach-desperation-and-salary-negotiations/). A data breach usually spells financial and reputational disaster. But such an event can also be an opportunity for a security professional to capitalize. Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Michael Piacente, co-founder and managing partner, Hitch Partners.
Thanks to this week's podcast sponsor, Anomali. Anomali is a leader in intelligence-driven cybersecurity solutions. Anomali turns threat data into actionable intelligence that drives effective security and risk decision making. Customers using Anomali identify cyber threats from all layers of the web, automate blocking across their security infrastructures, and detect and remediate any threats present in their networks. www.anomali.com
On this episode of Defense in Depth, you'll learn:
- Salary negotiation is a topic that is always in vogue, but the post-breach angle shows the value companies eventually see in the CISO role. Unfortunately for them, they realize it after the fact.
- A bad breach incident will cost far more than an investment in a good security team. That investment is your insurance policy.
- Location, industry, and size of company are all key factors in whether or not a CISO will be able to command a seven-figure salary.
- Industry-specific skills will definitely come into play. If a bank is breached and you've been a security professional or a CISO at multiple banks that have maintained their cybersecurity without any significant incidents, then you have a lot of leverage.
- When a company needs a CISO to right the ship, they're going to want someone who has gained skills in communicating with the board, strategy, vision, leadership, and successfully creating a pro-security culture.
- Negotiating salary is not isolated to the CISO role. There are cloud security architects who are in high demand and can command a much higher wage than just a couple of years ago.
- Threats outnumber security people regardless of their rank. There's no one person who is going to prevent breaches. But if a company has a poor security culture, it will need to pay for the talent to get it operating in the right direction.

Jan 23, 2020 • 25min
Presenting to the Board
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-presenting-to-the-board/). What metrics, reports, or strategies should a security professional use to communicate value to the board? Or is the mode of "presenting to the board" a damaged approach? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Barry Caplin (@bcaplin), executive leadership partner, Gartner.
Thanks to this week's podcast sponsor, Anomali. Anomali is a leader in intelligence-driven cybersecurity solutions. Anomali turns threat data into actionable intelligence that drives effective security and risk decision making. Customers using Anomali identify cyber threats from all layers of the web, automate blocking across their security infrastructures, and detect and remediate any threats present in their networks. www.anomali.com
On this episode of Defense in Depth, you'll learn:
- A conversation with the board begins with a discussion of what risk is. But getting that information out of the board is far from a simple task. Vague answers are not helpful.
- Metrics are of value to the board, but avoid offering up tactical metrics. Instead, use strategic metrics.
- Once risk appetite is understood and agreed upon, it's appropriate to begin a discussion of the security program's maturity.
- Caplin recommends a four-slide presentation for the board: (1) where we were, with problem areas identified per risk and maturity; (2) what we spent, and a bit of why we spent it; (3) where we are now, which is where metrics come into play, and where it's best to show how much progress you've made in implementing security programs; (4) where we want to go next, and what the next ask is.
- If you're going to show a metric, it should answer a very specific question for the board.
- If you are going to show one metric, the most popular one is dwell time: the time between when an attack happens, when you discover it, and when it's remediated. Dwell time alone says a lot about the maturity of a CISO's security program, because it reflects the program's ability to detect and respond to incidents.
- Some CISOs aim for a storytelling approach that completely avoids metrics, because metrics have unfortunately led boards down the wrong path: either the wrong metrics, metrics that are too detailed, or metrics not tied to business risk or to a maturity model.

Jan 16, 2020 • 26min
The Iran Cybersecurity Threat
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-the-iran-cybersecurity-threat/). The Iran conflict has threatened new retaliations, and we don't know where they're going to come from. Cyber retaliation is a real possibility. Who's being threatened and how should we prepare? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Nicholas Hayden, global head of threat intelligence, Anomali.
Thanks to this week's podcast sponsor, Anomali. Anomali is a leader in intelligence-driven cybersecurity solutions. Anomali turns threat data into actionable intelligence that drives effective security and risk decision making. Customers using Anomali identify cyber threats from all layers of the web, automate blocking across their security infrastructures, and detect and remediate any threats present in their networks. www.anomali.com
On this episode of Defense in Depth, you'll learn:
- As we're seeing now, it often takes a scare like Iran to get everyone to pay attention to their threat detection and response capabilities.
- If you believe you're a target for an APT (advanced persistent threat), you need to also assume it's going to be hidden.
- If and when you find an APT, also assume it's at the beginning of an attack chain. You're going to have to go deeper. Shutting it off at that moment won't let you understand what's happening.
- Iran may use the resources of China and Russia, as they have hooks into other industries.
- There's a strong belief that cyber warfare is commingled with organized crime. The two groups need each other.
- Much of the "how to handle Iran" advice is to focus on foundations, not basics, because it's actually not easy. As Yaron Levi, CISO, Blue Cross/Blue Shield of Kansas City, put it, "we use these potential threats as an area of focus."
- If you are doing the fundamentals, and doing them well, you are doing what you can. You don't have the intelligence the military has, and therefore you don't have the ability to craft specific defenses.
- Beware of complacency and of going in and out of "heightened alert." Eventually, people will forget about this perceived impending Iran threat. That's why threat intelligence needs to be handled consistently over time.

Jan 9, 2020 • 26min
Building a Fully Remote Security Team
Links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-building-a-fully-remote-security-team/). Could you be successful with a fully virtual InfoSec team? Many say it can't be done, while some have actually done it and been successful. Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Kathy Wang, former CISO, GitLab.
Thanks to this week's podcast sponsor, Pulse Secure. Pulse Secure offers easy, comprehensive solutions that provide visibility and seamless, protected connectivity for hybrid IT in a Zero Trust world. Over 20,000 enterprises entrust Pulse Secure to empower their mobile workforce to securely access applications and information in the data center and cloud while ensuring business compliance.
On this episode of Defense in Depth, you'll learn:
- A fully remote team is possible. Our guest was formerly the CISO of GitLab, which is a fully remote organization, so the concept of remote work was built into the company's DNA.
- Two of the most important factors in great remote success are each individual's willingness to over-communicate and to never be afraid to escalate an issue.
- Not surprisingly, remote work requires top-down support, and it starts at the point of hiring.
- Trust is a two-way street in remote work.
- Under the umbrella of "over-communicating" is documenting everything.
- A huge benefit of having a remote team is that you are no longer competing with location-based hiring. There are talented people all over the world.
- With your staff living all over the world, you in effect create a 24/7 office, with everyone operating in different time zones.
- A fully virtual company is perfect for cloud-native companies.
- It can be very costly to place a person physically on site. Saving money is a great side effect of remote staffing.
- Make sure to have in-person team-building events. Kathy does one to two a year and tries to make sure one of them coincides with a big security event like DEF CON, RSA, or Black Hat.
- One unforeseen benefit of remote work is that you're always able to start meetings on time. The problem with in-person meetings is that you're often waiting for another meeting to finish in a room so you can start yours.

Dec 19, 2019 • 26min
Account Takeover
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-account-takeover/). An account takeover traditionally follows a methodical path that takes considerable time before anything bad happens. Is it worth a company's time and effort to monitor a potential account takeover at the earliest stages? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Mike Wilson, CTO and co-founder, Enzoic.
Thanks to this week's podcast sponsor, Enzoic. Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through compromised credential detection. Organizations can use Enzoic solutions to screen customer and employee accounts for exposed username and password combinations to identify accounts at risk and mitigate unauthorized access. Learn more about Enzoic.
On this episode of Defense in Depth, you'll learn:
- Account takeover (ATO) has a life cycle with multiple (six) steps. The first step is reconnaissance, and you need to focus on that to stop the life cycle.
- There's plenty of talk about sharing OSINT (open source intelligence), but the reality is, and always has been, that there are more consumers than contributors. Like any open source endeavor, it can only get better if more people contribute.
- Account takeover has stolen credentials at its root, and as we know from sites like "Have I Been Pwned?", there are billions of stolen credentials floating around out there that are consistently being used in credential stuffing attacks.
- What is your credential situation? How unique are your credentials? Can they be learned? Start threat modeling your existing systems to determine what type of investment you'll need to make in account takeover prevention.
- You can greatly reduce the risk of ATO by implementing multi-factor authentication (MFA) and privileged access management (PAM).
- The bad guys are playing the same game as we are, and we essentially need to have better reconnaissance than them. The problem is that they're sharing information freely and we're not.
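A worked example, added here and not code from the episode, from Enzoic, or from Have I Been Pwned, of the two sides of the credential problem the episode raises: screening a password against a breached-password corpus without ever sending the password (the k-anonymity range-query pattern the Pwned Passwords API popularised, where only the first five hex characters of the SHA-1 are transmitted), and spotting the reconnaissance-stage signature of credential stuffing in authentication logs (one source, many distinct usernames, mostly failures). The breached-password list, the range table standing in for the remote API, the log lines, the `ip=... user=... result=...` log format and the thresholds are all constructed for this example.

```python
import hashlib
import re
from collections import defaultdict

# ---- Part 1: breached-password screening with k-anonymity range queries ----

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1. SHA-1 is acceptable here only because it indexes a
    public corpus of already-leaked passwords; it is not a storage hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for the breached corpus (the real one has hundreds of
# millions of entries). The table maps a 5-char hash prefix to the set of
# 35-char suffixes in that "range", exactly the shape the range API returns.
BREACHED_SAMPLE = ["password", "123456", "letmein", "qwerty", "Summer2019!"]

def build_range_table(passwords):
    table = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex(pw)
        table[digest[:5]].add(digest[5:])
    return table

RANGE_TABLE = build_range_table(BREACHED_SAMPLE)

def range_lookup(prefix: str):
    """Stand-in for GET /range/{prefix}. The prefix is the ONLY thing that
    leaves the client; matching the suffix happens locally."""
    if not re.fullmatch(r"[0-9A-F]{5}", prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return RANGE_TABLE.get(prefix, set())

def is_compromised(password: str) -> bool:
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)

# ---- Part 2: credential-stuffing detection over auth logs ----

# Assumed (constructed) log format: one line per login attempt.
LOG_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

SAMPLE_LOG = """\
2019-12-19T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2019-12-19T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2019-12-19T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2019-12-19T10:00:03Z ip=203.0.113.7 user=dave result=FAIL
2019-12-19T10:00:03Z ip=203.0.113.7 user=erin result=OK
2019-12-19T10:00:04Z ip=203.0.113.7 user=frank result=FAIL
2019-12-19T10:00:05Z ip=198.51.100.4 user=alice result=FAIL
2019-12-19T10:00:09Z ip=198.51.100.4 user=alice result=OK
"""

def find_stuffing_sources(log_text: str, min_users: int = 5, min_fail_ratio: float = 0.8):
    """Flag source IPs that try many distinct usernames with mostly failures.

    That is what stuffing a leaked credential list looks like from the server:
    a different username on nearly every attempt and a low hit rate. A user
    mistyping their own password once (198.51.100.4) has one username and is
    not flagged. Any OK inside a flagged burst is a likely takeover.
    Thresholds are assumptions; tune them to your own traffic.
    """
    users = defaultdict(set)
    successes = defaultdict(set)
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # ignore lines that are not login events
        ip, user, result = m.group("ip"), m.group("user"), m.group("result")
        users[ip].add(user)
        attempts[ip] += 1
        if result == "FAIL":
            failures[ip] += 1
        else:
            successes[ip].add(user)
    flagged = {}
    for ip, count in attempts.items():
        ratio = failures[ip] / count
        if len(users[ip]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(users[ip]),
                "fail_ratio": round(ratio, 2),
                "successful_users": sorted(successes[ip]),  # accounts to force-reset
            }
    return flagged

if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(f"{pw!r}: compromised={is_compromised(pw)}")
    print(find_stuffing_sources(SAMPLE_LOG))
```

Two practical caveats follow from the code. The screening check only ever transmits a five-character prefix, so it can run at password-set time without the service learning the password; do the suffix comparison client-side as shown and never post the full hash. The detector is deliberately naive (no time window, fixed thresholds, no handling of NAT or shared egress IPs); in production you would key on a sliding window and correlate with the user-agent and geography, but the shape of the signal, many usernames from one source with a low success rate, is the early-stage reconnaissance the episode says is worth watching for.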

Dec 12, 2019 • 27min
UX in Cybersecurity
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ux-in-cybersecurity/). Security products and programs may be functional and work correctly, but are they usable, in the sense that they fit into the work patterns of our users? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Rakesh Patwari (@rakeshpatwari), UX lead, Salesforce, and UX instructor at UC Berkeley Extension.
Thanks to this week's podcast sponsor, Enzoic. Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through compromised credential detection. Organizations can use Enzoic solutions to screen customer and employee accounts for exposed username and password combinations to identify accounts at risk and mitigate unauthorized access. Learn more about Enzoic.
On this episode of Defense in Depth, you'll learn:
- There is the path to security you create, and there is the path your users actually take (the desire path). As a security and UX professional, you should plan to make those two the same path. If not, your users will take the simpler route and circumvent your security controls.
- Users will always choose the easier path, which is not necessarily the most secure path.
- Security is an "ask." You're requesting that users do something, but it's hard to get them to keep doing that "ask" if you don't give them feedback as to the reason for, or value of, the ask.
- Error messages historically provide little to no information to the user, and thus no guidance to solve the problem. We often have to go outside of the environment (to a search engine) to find a solution.
- Security professionals need to take on the role of a UX designer, which requires defining work processes by interviewing users, not deciding what you want those processes to be.
- Creating a simple process is far more difficult than creating a complex process. Secure processes don't require users to constantly turn functions on and off or go through additional unnecessary steps to get their job done.
- View your users as customers you're trying to sell on your process, rather than dictating a process that will eventually be avoided.

Dec 5, 2019 • 26min
InfoSec Trends for 2020
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-infosec-trends-for-2020/). We're coming to the end of the year, and that means it's time to make our predictions for 2020. Mark this episode and check back in one year to see how we did. Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Rob Potter, chief revenue officer for Verodin.
Thanks to this week's podcast sponsor, Verodin. The Verodin Security Instrumentation Platform proactively identifies gaps in security effectiveness attributable to equipment misconfiguration, changes in the IT environment, evolving attacker tactics, and more. Learn how Verodin, part of FireEye, has made it possible for organizations to validate the effectiveness of cyber security controls, thereby protecting their reputation and economic value.
On this episode of Defense in Depth, you'll learn:
- More large-scale breaches is not a prediction. At this stage, that's an inevitability.
- ML/AI/blockchain will continue to be oversold and under-delivered.
- Most cloud breaches are configuration errors. They are not mastermind attacks. They can't be called a breach if they were never secured properly in the first place. Note that cyber insurance may not pay out unless proper protections were in place.
- "Better" cloud and Internet of Things (IoT) security is not possible given how far it's been mismanaged up to this point. There are so many insecure nodes out there that it appears impossible to create any type of patch protection. There was strong debate as to whether this is a true statement or not.
- The strongest prediction (and it's already in motion) is the convergence of privacy and security. Privacy will be driven by regulations, and as a result more companies will be instituting chief privacy officers to avoid being in violation.

Nov 21, 2019 • 26min
Cybersecurity Readiness as Hiring Criteria
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cybersecurity-readiness-as-hiring-criteria/). What if every candidate interviewed was tested on their cybersecurity competency? How would that affect hiring, and how would that affect your company's security? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Greg van der Gaast, head of information security, University of Salford.
Thanks to this week's podcast sponsor, Enzoic. Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through compromised credential detection. Organizations can use Enzoic solutions to screen customer and employee accounts for exposed username and password combinations to identify accounts at risk and mitigate unauthorized access. Learn more about Enzoic.
On this episode of Defense in Depth, you'll learn:
- For all candidates, whether in cybersecurity or not, gauge their current level of cybersecurity awareness.
- There was a time we put knowledge of Microsoft Word and Excel on our resumes. Now you never see it, because it's common knowledge. Security knowledge is not common. At this stage it would be seen as a valuable bonus to have it on your resume.
- There are always small things that hiring managers look for to tip the scales in a candidate's favor. Cybersecurity skills should be one of them.
- For candidates who would have the most to gain from cybersecurity awareness, bring in the CISO to ask one or two questions during the hiring process. Different departments bounce candidates off each other even if the candidate isn't going to be working in a specific department. They want to know how well a person will or won't interface with their department.
- There's a strong fear that adding cybersecurity to the hiring criteria will greatly slow down the hiring process, which could damage business productivity.
- There was much debate around seemingly great candidates, such as an accountant with 20 years of experience, who fail miserably on cyber awareness. Would that raise a red flag?

Nov 14, 2019 • 30min
Cybersecurity and the Media
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cybersecurity-and-the-media/). Cybersecurity and the media: it rides the line between providing valuable information and feeding the FUD cycle. What's the media's role? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Dave Bittner (@bittner), producer and host of The CyberWire Podcast, the Hacking Humans podcast, and the Recorded Future podcast.
Thanks to this week's podcast sponsor, Verodin. The Verodin Security Instrumentation Platform proactively identifies gaps in security effectiveness attributable to equipment misconfiguration, changes in the IT environment, evolving attacker tactics, and more. Learn how Verodin, part of FireEye, has made it possible for organizations to validate the effectiveness of cyber security controls, thereby protecting their reputation and economic value.
On this episode of Defense in Depth, you'll learn:
- Stop laying blame on the media for negative cybersecurity perceptions. They're acting as a reflection of ourselves, both good and bad.
- When done right, the media can bring much-needed attention to issues, most often to enlighten those not in the know.
- A good indicator of the media's success in informing us is when our friends and family, who are not as cyber-savvy, start asking us our thoughts on big security issues.
- A disturbing trend is the media referring to an attack as "sophisticated" when it's often a poorly secured server that was just waiting to be breached. Given this trend, many are eager for the media to demystify these supposedly "advanced" attacks, demonstrating that the rest of us can protect ourselves even if we're not cyber-sophisticated.
- Social engineering demos are often done for the purpose of humor rather than showing how dangerous it can be when we let our guard down.
- Outside of someone like Bruce Schneier, the cybersecurity industry lacks, and needs, a high-profile expert who can speak to the lay person, à la Bill Nye, The Science Guy.