Defense in Depth

David Spark, Steve Zalewski, Geoff Belknap
Mar 5, 2020 • 29min

CISO Tenure

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ciso-tenure/)

The CISO has the shortest tenure of any C-level role. Why so brief? Is it the pressure, the responsibility, the opportunities, or all of the above? Check out this LinkedIn discussion to read the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), producer of CISO Series, and guest co-host Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers. Our guest is John Meakin, CISO, Equiniti.

Thanks to this week's podcast sponsor, IBM Security. IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research, provides security solutions to help organizations stop threats, prove compliance, and grow securely. IBM operates one of the broadest and deepest security research, development and delivery organizations. It monitors more than two trillion events per month in more than 130 countries and holds more than 3,000 security patents.

On this episode of Defense in Depth, you'll learn:
- There's a lot of confusion as to what a CISO needs to do. All job descriptions for CISOs are different.
- There are humans behind the data, and as a result CISOs are tasked with protecting the humans.
- CISOs can improve their tenure if they seek out a business mentor who can help them better support the business.
- CISOs who aren't able to communicate clearly will not last long. It's a CISO's job to communicate in the language of the business, not the other way around.
- Before the CISO ever arrives, there's a business culture. There's always going to be a natural push back from the business: "Why are you making us change?"
- A simple walkabout of the office can resolve a lot of uncertainty.
- If employees start asking questions about their personal security, that's a good sign the CISO has successfully inserted security into the business culture.
- Another huge factor that impacts CISO tenure is the increase in opportunities. Regulations and privacy laws are pushing companies to get CISOs to provide much needed oversight.
- What does the reporting structure in your organization mean in regards to the CISO being heard at the executive and board level?
Feb 27, 2020 • 26min

Toxic Security Teams

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-toxic-security-teams/)

There's an endless number of variables that contribute to creating a toxic security team. How does it happen, and what are ways to manage and eradicate the toxicity? Check out this LinkedIn discussion to read the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Jinan Budge (@jinan_forrester), principal analyst serving security & risk professionals at Forrester.

On this episode of Defense in Depth, you'll learn:
- Toxic security teams happen because of tribalism, not just within security, but across all departments.
- Security is seen as an expense and an IT problem, and many don't think it's everyone's issue.
- One core issue is the lack of security culture and management simply not supporting the InfoSec team's efforts.
- There are many ways a security team's culture can become toxic. The issues are so numerous that it seems more of a challenge to prevent a team from its natural tendency to go sideways.
- The hero mentality of one individual, who thinks only he/she can solve the problem, can poison an entire group. It can be argued that it's an issue of ego, but many see it as insecurity. Often the individual needs to keep proving themselves, to themselves and to others, in order to maintain their cybersecurity rockstar status.
- A toxic security team will have a very hard time hiring new staff. People will leave and tell others you don't want to work there.
- If you have a diverse team and there's toxicity, the team won't last.
- There's an enormous cost to disengaged employees.
Feb 20, 2020 • 23min

Personality Tests in the Workplace

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-personality-tests-in-the-workplace/)

As a cybersecurity leader, should you use personality tests for hiring and managing a team? Do they create diversity and an understanding of communication styles, or do they just create more conflict? Check out this LinkedIn discussion to read the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Ursula Alford, psychologist, Department of Neuropsychology, Baylor Scott & White Institute of Rehabilitation.

On this episode of Defense in Depth, you'll learn:
- There is plenty of debate as to whether a security leader should use personality tests, such as Myers-Briggs, for hiring or managing employees.
- Almost universally, no one wanted to use the tests for hiring, as that creates bias, but many saw value in using them for managing employees.
- About half of the people who participated in the discussion just wanted to steer clear of personality tests altogether, never wanting to force their employees to take them either.
- The tests reveal individuals' preferred communication styles, which can be helpful for customizing employee management. This is the main reason they're used.
- Don't mistake these tests as defining who you are in the future. A test measures personality and communication at a moment in time. People are often asked to take these tests repeatedly, and we often score differently as our personalities change.
- Myers-Briggs definitely has issues with validity and reliability.
- One significant value of any personality test is to see if you're getting a variety of thought patterns on your team. If you're not, then you may be building the wrong team.
Feb 13, 2020 • 28min

Lack of Diversity in Cybersecurity

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-lack-of-diversity-in-cybersecurity/)

Cybersecurity teams are notoriously not diverse. At the same time, we keep hearing and talking about the need for diversity. Is it critical? Can you be just as successful without it? Check out this Twitter feed for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Christopher Zell, vp, head of information security, The Wendy's Company.

Thanks to this week's sponsor, Electronic Frontier Foundation.

On this episode of Defense in Depth, you'll learn:
- The discussion is based on a quote by PayPal co-founder Max Levchin, who said, "The notion that diversity in an early team is important or good is completely wrong. You should try to make the early team as non-diverse as possible."
- There is diversity of people and there's diversity of opinions. Those two often go together, but they don't have to.
- While appalling, there is some truth to Levchin's statement. When everyone thinks the same, you don't have conflict and can move quickly. But lack of diversity of opinion means you don't see the full picture, and that can make you susceptible to unforeseen vulnerabilities.
- If you don't know what problems you're facing, you should want diversity.
- Minorities often face different and more numerous struggles than those who never have to deal with diversity issues. They've been hardened, and that should make them an even more attractive candidate.
- Start building your diverse network now. When it comes time to hire for diversity and you don't have that network already in place, you're going to have a very difficult time.
- For more, check out the (ISC)² study "Innovation Through Inclusion: The Multicultural Cybersecurity Workforce" and the Computerworld article "The next tech skillset is 'differently-abled neuro-diverse'".
Feb 6, 2020 • 29min

When Are CISOs Responsible for Breaches?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-when-are-cisos-responsible-for-breaches/)

When is a CISO responsible for a breach or cyber incident? Should they be disciplined, fired, or let go with an attractive payout? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Norman Hunt (@normanhunt3), deputy CISO, GEICO.

On this episode of Defense in Depth, you'll learn:
- At the onset, one may want to jump to finding liability. But a CISO's responsibility should not be isolated to the moment of the breach. There are more issues to consider, such as authority, accountability, efficacy, and expectations.
- Be wary of assigning accountability if the CISO didn't have the authority to actually carry out his/her intended plan.
- Often the CISO is seen as a necessary scapegoat when there is a breach. It shows an aggressive move by the company to make a change, but then they'll have to go ahead and hire another CISO, probably at a much higher salary (see last week's episode).
- When are you measuring the performance of the CISO? Is it as they build the security program, or is it only at the moment of the breach?
- How well does a CISO handle the breach when it happens, and how well do his direct reports and the rest of the company handle it? That's a better measurement of the efficacy of the CISO.
- CISOs are held to a higher level of expectation to prevent a risky event from happening. CIOs, CEOs, and CFOs are not held to the same standard.
- Even the best CISOs will suffer a breach. It's a single point in time. It sure is a very bad point in time, but what are the events that led up to this moment? Were they building out a security program and were there improvements, or was staff education and leadership falling short?
- The best standard of measurement of a CISO is how well they communicate and implement security and risk decisions.
- Failure may lie in the definition of the role of the CISO. A CISO's role and its responsibilities are far from standardized.
Jan 30, 2020 • 26min

Post Breach Desperation and Salary Negotiations

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-post-breach-desperation-and-salary-negotiations/)

A data breach usually spells financial and reputational disaster. But such an event can also be an opportunity for a security professional to capitalize. Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Michael Piacente, co-founder and managing partner, Hitch Partners.

Thanks to this week's podcast sponsor, Anomali. Anomali is a leader in intelligence-driven cybersecurity solutions. Anomali turns threat data into actionable intelligence that drives effective security and risk decision making. Customers using Anomali identify cyber threats from all layers of the web, automate blocking across their security infrastructures, and detect and remediate any threats present in their networks. www.anomali.com

On this episode of Defense in Depth, you'll learn:
- Salary negotiation is a topic that is always in vogue, but the post-breach angle shows the value companies are eventually seeing in the CISO role. Unfortunately for them, they realize it after the fact.
- A bad breach incident will cost far more than an investment in a good security team. But that's your insurance policy.
- Location, industry, and size of company are all key factors in whether or not a CISO will be able to command a seven-figure salary.
- Industry-specific skills will definitely come into play. If a bank is breached and you've been a security professional or a CISO at multiple banks that have maintained their cybersecurity without any significant incidents, then you have a lot of leverage.
- When a company needs a CISO to right the ship, they're going to want someone who has gained skills in the areas of communicating with the board, strategy, vision, leadership, and successfully creating a pro-security culture.
- Negotiating salary is not just isolated to the CISO role. There are cloud security architects that are in high demand and can garner a much higher wage than just a couple of years ago.
- Threats outnumber security people regardless of their rank. There's no one person that's going to prevent breaches. But if you have a poor security culture, then a company will need to pay for the talent to get it operating in the right direction.
Jan 23, 2020 • 25min

Presenting to the Board

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-presenting-to-the-board/)

What metrics, reports, or strategies should a security professional utilize to communicate value to the board? Or is the mode of "presenting to the board" a damaged approach? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Barry Caplin (@bcaplin), executive leadership partner, Gartner.

Thanks to this week's podcast sponsor, Anomali. Anomali is a leader in intelligence-driven cybersecurity solutions. Anomali turns threat data into actionable intelligence that drives effective security and risk decision making. Customers using Anomali identify cyber threats from all layers of the web, automate blocking across their security infrastructures, and detect and remediate any threats present in their networks. www.anomali.com

On this episode of Defense in Depth, you'll learn:
- A conversation with the board begins with a discussion of what risk is. But getting that information out of the board is far from a simple task. Vague answers are not helpful.
- Metrics are of value to the board, but avoid offering up tactical metrics. Instead, utilize strategic metrics.
- Once risk appetite is understood and agreed upon, then it's appropriate to begin a discussion of the security program's maturity.
- Caplin recommends a four-slide presentation for the board: (1) where we were, with problem areas identified per risk and maturity; (2) what we spent and a bit of why we spent it; (3) where we are now (metrics come into play here; it's best to show how much progress you've made in implementing security programs); and (4) where we want to go next, and what the next ask is.
- If you're going to show a metric, it should answer a very specific question for the board.
- If you are going to show one metric, the most popular one is dwell time, or the time between when an attack happens, when you discover it, and when it's remediated. The one metric of dwell time provides a lot of information as to the maturity of a CISO's security program, as it coincides with its ability to respond to incidents.
- Some CISOs aim for a storytelling approach, completely avoiding metrics because metrics have unfortunately led the board down the wrong path. It's either the wrong metrics, too detailed a metric, or metrics not tied to business risk or to a maturity model.
Jan 16, 2020 • 26min

The Iran Cybersecurity Threat

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-the-iran-cybersecurity-threat/)

The Iran conflict has threatened new retaliations, and we don't know where they're going to come from. Cyber retaliation is a real possibility. Who's being threatened, and how should we prepare? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Nicholas Hayden, global head of threat intelligence, Anomali.

Thanks to this week's podcast sponsor, Anomali. Anomali is a leader in intelligence-driven cybersecurity solutions. Anomali turns threat data into actionable intelligence that drives effective security and risk decision making. Customers using Anomali identify cyber threats from all layers of the web, automate blocking across their security infrastructures, and detect and remediate any threats present in their networks. www.anomali.com

On this episode of Defense in Depth, you'll learn:
- As we're seeing now, it often takes a scare like Iran to get everyone to pay attention to their threat detection and response capabilities.
- If you believe you're a target for an APT (advanced persistent threat), you need to also assume it's going to be hidden.
- If and when you find an APT, also assume it's at the beginning of an attack chain. You're going to have to go deeper. Shutting it off at that moment won't let you understand what's happening.
- Iran may use the resources of China and Russia, as they have hooks into other industries.
- There's a strong belief that cyber warfare is commingled with organized crime. The two groups need each other.
- Much of the "how to handle Iran" advice is to focus on foundations, not basics, because it's actually not easy. As Yaron Levi, CISO, Blue Cross/Blue Shield of Kansas City, said, "we use these potential threats as an area of focus."
- If you are doing the fundamentals, and doing them well, you are doing what you can. You don't have the intelligence that the military has, and therefore you don't have the ability to craft specific defenses.
- Beware of complacency and going in and out of "heightened alert". Eventually, people will forget about this perceived impending Iran threat. That's why threat intelligence needs to be handled consistently over time.
Jan 9, 2020 • 26min

Building a Fully Remote Security Team

Links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-building-a-fully-remote-security-team/)

Could you be successful with a fully virtual InfoSec team? Many say it can't be done, while some have actually done it and been successful. Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Kathy Wang, former CISO, GitLab.

Thanks to this week's podcast sponsor, Pulse Secure. Pulse Secure offers easy, comprehensive solutions that provide visibility and seamless, protected connectivity for hybrid IT in a Zero Trust world. Over 20,000 enterprises entrust Pulse Secure to empower their mobile workforce to securely access applications and information in the data center and cloud while ensuring business compliance.

On this episode of Defense in Depth, you'll learn:
- A fully remote team is possible. Our guest was formerly the CISO of GitLab, which is a fully remote organization, so the concept of remote work was built into the company's DNA.
- Two of the most important factors in great remote success are each individual's willingness to over-communicate and to never be afraid to escalate an issue.
- Not surprisingly, remote work requires top-down support, and it starts at the point of hiring.
- Trust is a two-way street in remote work.
- Under the umbrella of "over-communicating" is documenting everything.
- A huge benefit of having a remote team is you are no longer competing with location-based hiring. There are talented people all over the world.
- With your staff living all over the world, you in effect create a 24/7 office network with everyone operating in different time zones.
- A fully virtual company is perfect for cloud-native companies.
- It can be very costly to place a person physically on site. Saving money is a great side effect of remote staffing.
- Make sure to have in-person team building events. Kathy does one to two a year and tries to make sure one of them coincides with a big security event like DEFCON, RSA, or Black Hat.
- One unforeseen benefit of remote work is that you're always able to start meetings on time. The problem with in-person meetings is you're often waiting for another meeting to finish in a room so you can start your meeting.
Dec 19, 2019 • 26min

Account Takeover

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-account-takeover/)

An account takeover traditionally follows a methodical path that takes considerable time before anything bad happens. Is it worth a company's time and effort to be monitoring a potential account takeover at the earliest stages? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Mike Wilson, CTO and co-founder, Enzoic.

Thanks to this week's podcast sponsor, Enzoic. Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through compromised credential detection. Organizations can use Enzoic solutions to screen customer and employee accounts for exposed username and password combinations to identify accounts at risk and mitigate unauthorized access. Learn more about Enzoic.

On this episode of Defense in Depth, you'll learn:
- Account takeover (ATO) has a life cycle with six steps. The first step is reconnaissance, and you need to focus on that to stop the life cycle.
- There's plenty of talk about sharing OSINT (open source intelligence), but the reality is, and always has been, that there are more consumers than contributors. Like any open source endeavor, it can only get better if more people contribute.
- Account takeover has at its root stolen credentials, and as we know from sites like "Have I been pwned?", there are billions of stolen credentials floating out there that are consistently being used in credential stuffing attacks.
- What is your credential situation? How unique are your credentials? Can they be learned? Start threat modeling your existing systems to determine what type of investment you'll need to make in account takeover prevention.
- You can greatly reduce the risk of ATO by implementing multi-factor authentication (MFA) and privileged access management (PAM).
- The bad guys are playing the same game as we are, and we essentially need to have better reconnaissance than them. The problem is they're sharing information freely and we're not.
