Defense in Depth
David Spark, Steve Zalewski, Geoff Belknap
Defense in Depth promises clear talk on cybersecurity’s most controversial and confusing debates. Once a week we choose one controversial and popular cybersecurity debate and use the InfoSec community’s insights to lead our discussion.
Episodes

Apr 4, 2019 • 23min
Software Fixing Hardware Problems
The full post (if you're not seeing links and images) can be found here (https://cisoseries.com/defense-in-depth-software-fixing-hardware-problems/)

As we have seen with the Boeing 737 MAX crashes, when software tries to fix hardware flaws, it can turn deadly. What are the security implications?

Thanks to this week’s podcast sponsor, Unbound Tech.

Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Dan Glass (@djglass), former CISO for American Airlines.

Founded in 2014, Unbound Tech equips companies with the first pure-software solution to protect cryptographic keys, ensuring they never exist anywhere in complete form. By eliminating the burden of hardware solutions, keys can be distributed across any cloud, endpoint or server to offer a new paradigm for security, privacy and digital innovation.

On this episode of Defense in Depth, you'll learn:
- The reason the Boeing 737 MAX airplane crashes are such a big story is that airplanes don't usually crash, because the airline industry is ingrained in a culture of safety.
- Even though a safety culture is predominant in the airline industry, there were safety features (e.g., training for the pilots on this new software-correcting feature) that were optional for airlines to purchase.
- Software is now in charge of everything. What company is not a digital company? We can't avoid the fact that we have software running our systems, even items that control our safety.
- The software industry does not operate in a safety culture like the airline industry.
- Is this just a data integrity issue? Is that the root cause of problems? How do we increase the integrity of data?
- Can we override software when we believe it's making a bad decision? Allan brought up one example of a friend who tried to swerve out of his lane to avoid something in the road. The self-driving car forced him back into his lane and he hit the thing he was trying to avoid. Fortunately, it was just a bag, but what if it had been a child? The self-correcting software didn't let him take over and avoid the object in the road.

Mar 28, 2019 • 25min
Tools for Managing 3rd Party Risk
To see all the notes and links for this episode, go here (https://cisoseries.com/defense-in-depth-tools-for-managing-3rd-party-risk/)

Are there any good tools that really help to manage third-party risk? Can tools alone solve this problem? What else is required?

Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Eric Cowperthwaite, director of information security, Esterline.

Got feedback? Join the conversation on LinkedIn.

Thanks to this week’s podcast sponsor, Praetorian. As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts.

On this episode of Defense in Depth, you'll learn:
- We question whether there's some type of pseudo-protection racket going on, with auditors offering to increase vendors' security scores if they go into business with them.
- The basic model is to help you identify issues and resolve them in order to reduce your risk and protect yourself from certain types of risk.
- While our own risk changes on a daily basis, we're not measuring the risk third parties may be introducing at the same cadence. Often it's only annual, which doesn't coincide with how we measure our own risk. As a result, there's a desire for ongoing, real-time assessment of third-party risk.
- CISOs want the depth of an audit combined with real-time monitoring.
- A best-of-breed approach often introduces new risk at the lines of integration.

Mar 21, 2019 • 27min
CISO Burnout
Are CISOs the most stressed individuals on a security team, or do mental health issues affect everyone in security?

Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Gary Hayslip (@ghayslip), CISO, Webroot.

Thanks to this week’s podcast sponsor, Praetorian. As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts.

On this episode of Defense in Depth, you'll learn:
- You have to come to an acceptance that a security program that's at 90 percent is good enough. Accept that you will never reach the end of the tunnel. You'll never have a perfect defense.
- The CISO's role is that of a change agent, and depending on the depth of your relationships, you may get pushback. Don't underestimate the impact you're trying to make on the business culture.
- Organizations can only change in increments. Stressing about that will generate stress in you, the security professional.
- Since security touches every department and you need to engage with every department, you will deal with a lot of personalities.
- In addition to dealing with all the departments, you won't have authority over them, but you will be perceived as accountable for their security issues. The business needs to own security and its relevant risk.
- Don't fall into impostor syndrome, where you chronically feel you're doing a bad job. Accept small wins. Break up huge projects into smaller chunks and celebrate those wins.

Mar 14, 2019 • 30min
RSA 2019: Success or Failure?
Is the RSA Conference a must-attend for security professionals? Or is it enough to "just be in San Francisco that week"?

Check out this post and discussion for the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Tyson Martin, CISO for Lumber Liquidators.

David Spark, producer of CISO Series, Tyson Martin, CISO, Lumber Liquidators, and Allan Alford, CISO, Mitel.

Thanks to this week's sponsor, Praetorian. As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts.

On this episode of Defense in Depth, you'll learn:
- Is RSAC for education or connecting? Does the value happen in the conference center or outside? This was the initial part of our debate, and one argument is that you need to graduate from RSAC to make it more of a "connecting outside of the event" type of event.
- The show floor is overwhelming. As David Gorton of OverwatchID noted, "The circus hides the seriousness of what we're trying to do."
- There were a lot of comments about people not having fear of missing out (FOMO), but you can't argue that RSAC has a gravitational force that brings tons of security-minded people to San Francisco for one week every year. There is enormous value in that.
- The marketing model for vendors during and after the show is starting to grate on practitioners. They're not enjoying the endless cold calls the following week.
- The expo hall is focused on leads, and given that so many of these products are high-ticket items, if just a few sales come through, then the event pays for itself.
- It's impossible for small booths to compete for visibility with huge booths at the conference.

Mar 7, 2019 • 26min
Security IS the Business
If a company's brand and value are built on trust, then your security department is critical to building the value of the company.

Check out this post and discussion for the basis of our conversation on this week's episode, which is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Scott McCool (@McCoolScott), former CIO of Polycom.

Thanks to this week’s podcast sponsor, SpyCloud. Learn more about how you can protect employees and customers from account takeover with SpyCloud.

On this episode of Defense in Depth, you’ll learn:
- When a business becomes an idea, the only thing that matters is the perceived value by the owners.
- If you deem that security is the business, then it no longer can take a consultative role. It must take the role of brand and value building.
- Explicit value is generating or saving money. Implicit value is what drives those two opposite ends of the spectrum.
- A security department shouldn't be focused on trying to get more budget for itself. It should see where it sits in the value chain, and at any given point in time it must fully understand the business and see which department could generate the most business value.
- If you only lobby for the security department in terms of its importance for getting budget, and not for the overall business, then you will lose credibility with your partners within the business.

Feb 27, 2019 • 21min
Threat Intelligence
Do companies who deliver "threat intelligence" deliver on that promise, or is there more the customer needs to bring to the table to be able to take action?

Check out this post and discussion for the basis of our conversation on this week's episode, which is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our sponsored guest for this episode is Eric Murphy (@_EricMurphy), VP, security research, SpyCloud.

Thanks to this week’s podcast sponsor, SpyCloud. Learn more about how you can protect employees and customers from account takeover with SpyCloud.

On this episode of Defense in Depth, you’ll learn:
- Threat intelligence is about telling a story. And that story is broken up into three parts: strategic, operational, and tactical intelligence.
- Threat intelligence today really isn’t about creating that story. Most of the cases are about correlating data points.
- Threat intelligence becomes stale when you are reactionary vs. being proactive.
- Threat intelligence fails when you don’t mix multiple intelligence points to form a more complete story of your adversaries.
- Feeds are not valuable by themselves. When you combine them with your internal data, that’s when you can actually come up with something actionable.
- If you’re not ingesting and onboarding your data appropriately into your internal threat intelligence team, why do you even have it?

Find more at CISOSeries.com

Feb 21, 2019 • 25min
Secure Controls Framework
Defense in Depth is available at CISOSeries.com.

Is the "free to use" Secure Controls Framework the one meta-framework to rule them all?

Check out this post and discussion for the basis of our conversation on this week's episode, which is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is Tom Cornelius, founder and contributor of the Secure Controls Framework (SCF) (@scf_support).

Thanks to this week’s podcast sponsor, SpyCloud. Learn more about how you can protect employees and customers from account takeover with SpyCloud.

On this episode of Defense in Depth, you’ll learn:
- The purpose of the Secure Controls Framework is to have a single framework to address multiple requirements. It's a meta-framework that takes into consideration the controls of all other frameworks.
- You only need to use the security controls that are important and relevant to you. For that reason, don't be daunted by the number of controls in SCF (currently 750).
- You can have security without privacy, but you can't have privacy without security. Integrating privacy and security is critical to SCF.

Feb 14, 2019 • 21min
Insider Threats
Defense in Depth is available at CISOSeries.com.

Is your own staff the greatest threat to the security of your company? On this episode of Defense in Depth we discuss protecting your business from itself.

Check out this post and discussion for the basis of our conversation on this week's episode, which is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is Vijay Bolina (@_jamesbaud_), CISO, Blackhawk Network.

Thanks to this week’s podcast sponsor, Fluency Security: Fluency’s correlation and risk scoring technology, combined with their approach of using pseudonyms in place of certain PII data, greatly facilitates your organization’s path towards compliance. Over time, machine learning and artificial intelligence algorithms detect anomalies at an impressive level of scalability. Run Fluency as a standalone or integrate it into your existing SIEM. Learn more by visiting us at booth #4529 at the RSA® Conference 2019.

On this episode of Defense in Depth, you’ll learn:
- Nearly 1 in 5 people would sell their health record for $500. (source)
- Insider threat mistakes can take many forms. It could be someone carelessly leaving a USB key somewhere, or it could be a developer simply not securing their code.
- Security people make mistakes just like non-security people. The difference is that when a security person makes a mistake, chances are the gravity of the damage will be much higher.
- A breach doesn’t necessarily have to damage the company. A breach simply means data left your protected area of the business. And that is still bad even if there was no actual damage.

Feb 7, 2019 • 24min
Building an Information Security Council
Defense in Depth is part of the CISO Series network, which can be found at CISOseries.com.

Security for the business affects everyone and all departments. On this episode of Defense in Depth we discuss the values and difficulties of building an information security council.

Check out this post and discussion for the basis of our conversation on this week's episode, which is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is Nick Espinosa (@NickAEsp), host of the nationally syndicated show The Deep Dive with Nick Espinosa; his daily podcast is called Nick's Nerd News Daily. Find Nick on Facebook, YouTube, and his articles on Forbes.

Thanks to this week’s podcast sponsor, Fluency Security: Fluency's correlation and risk scoring technology, combined with their approach of using pseudonyms in place of certain PII data, greatly facilitates your organization’s path towards compliance. Over time, machine learning and artificial intelligence algorithms detect anomalies at an impressive level of scalability. Run Fluency as a standalone or integrate it into your existing SIEM. Learn more by visiting us at booth #4529 at the RSA® Conference 2019.

On this episode of Defense in Depth, you’ll learn:
- A good starting point for building an information security council is to develop a business continuity and disaster recovery plan with all departments and stakeholders.
- Understand the risk tolerance of each division.
- A well-informed information security council can often benefit from less security training.
- The number one battle in developing an InfoSec council is never technical. It is always cultural.
- You need to create a culture of not shaming people for making mistakes that compromise security. You want employees to feel free to speak up if they do make a mistake.

Jan 31, 2019 • 29min
Privacy
Will the privacy outcry and new regulations limit companies’ abilities to do business, or will it spawn a whole new industry? We discuss building a business in the new age of privacy regulations on this week’s Defense in Depth.

Chris Jordan, CEO, Fluency Security

This episode of Defense in Depth is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our sponsored guest is Chris Jordan, CEO of Fluency Security.

Thanks to this week’s podcast sponsor, Fluency Security: Fluency’s correlation and risk scoring technology, combined with their approach of using pseudonyms in place of certain PII data, greatly facilitates your organization’s path towards compliance. Over time, machine learning and artificial intelligence algorithms detect anomalies at an impressive level of scalability. Run Fluency as a standalone or integrate it into your existing SIEM. Learn more by visiting us at booth #4529 at the RSA® Conference 2019.

On this episode of Defense in Depth, you’ll learn:
- While new privacy regulations may hamper a company’s ability to collect and sell any data they want, they don’t necessarily stifle the economy. For example, the introduction of HIPAA regulations spawned a growing industry.
- DuckDuckGo is a search engine that doesn’t collect your browsing history to determine your search results.
- Even if you are very protective of your data, the people around you probably aren’t. Through relationships and triangulation, a profile of you, sans your personal data, can still be created.
- Because of this ability to triangulate data, your employees’ personal data outside of work can become a risk to your company.