Podcastblaster Podcast Directory  Podcast Directory

Podcast Search   
Podcast title CISO-Security Vendor Relationship Podcast
Website URL http://cisoseries.com/
Description Discussions, tips, and debates around improving the communications and services that security vendors provide to their customers, the security buyer.
Updated Tue, 20 Aug 2019 13:05:42 +0000
Image CISO-Security Vendor Relationship Podcast
Category Technology
News
Subscribe

Vote for this podcast
    Currently 0.00/5

Rating: 0.0/5 ( votes cast)

Link to this podcast CISO-Security Vendor Relationship Podcast

Episodes

1. Like Fine Wine Our Vendor BS Meter Gets Better with Age
http://davidspark.libsyn.com/l... download (audio/mpeg, 53.82Mb)

Description:

All links and images for this episode can be found on CISO Series (https://cisoseries.com/like-fine-wine-our-vendor-bs-meter-gets-better-with-age/) 

The bouquet of this particular vendor BS is a mixture of FUD, unnecessary urgency, and a hint of pecan. Look to your left and grab the spittoon because we don't expect everyone to swallow what you're about to hear on this week's episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Olivia Rose, CISO for MailChimp.

Thanks to this week's podcast sponsor Remediant

Eighty one percent of cyberattacks utilize stolen administrative credentials. Yet, legacy enterprise password vaults solve only a fraction of the problem and are difficult to rollout. Remediant’s SecureONE takes a new approach to privileged access management: offering agent-less, vault-less, continuous detection and just-in-time-administration. Learn what Remediant can do in a half-day POC deployment.

On this week's episode

Why is everyone talking about this now?

One of the reasons we hate hearing security buzzwords is because it doesn't help us understand what it is a vendor is trying to sell. When a vendor says we have a "zero trust" product, what does that mean?

We delve into some of the tell-tale signs that a vendor or consultant is trying to BS you.

According to Olivia Rose, if you're going to pitch a CISO, make sure you can answer the following simply and succinctly:

What does our product/service do?
What specific security problem does it solve?
How will it affect the typical strategic/business drivers for a company?

It's time for "Ask a CISO"

Fernando Montenegro, analyst for 451 Research, asked, "How can the CISO be a change agent for the security team so it can better align with the business?"

What's Worse?!

For this week's game I picked a question very apropos for our guest's current situation.

Um… maybe you shouldn't have done that

Unconscious bias towards women in professional settings is not always overt nor intentional, but it happens. We discuss some examples of unconscious bias for both women and men. And we discuss how too much of it can really push women out of the security industry.

A distributed denial of service attack is the scourge of IT security. According to Verisign, one-third of all downtime incidents are attributed to DDoS attacks, and thousands happen every day. Are they created by sophisticated black hatted evil doers from an underground lair? Of course not. Welcome to the world of cybercrime-as-a-service.

You too can silence a competitor or cause havoc for pretty much anyone for as low as $23.99 a month. Just have your credit card or Bitcoin ready.

For more, go to CISOSeries.com.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

First 90 days of a CISO

Being just six weeks in, our guest, Olivia Rose is living the first 90 days of a CISO. We asked her and Mike what it's like those first few weeks. And to no one's surprise, it's beyond overwhelming.



2. If Capital One Listened to Our Podcast They Still Would Have Been Breached
http://davidspark.libsyn.com/i... download (audio/mpeg, 44.14Mb)

Description:

All links and images for this episode can be found on CISO Series (https://cisoseries.com/if-capital-one-listened-to-our-podcast-they-still-would-have-been-breached/) 

We guarantee listening to our show would have done absolutely nothing to prevent the Capital One breach. We've consulted our lawyers and we feel confident about making that claim. It's all coming up on this week's episode of CISO/Security Vendor Relationship Podcast.

This episode was recorded in the ExtraHop booth during Black Hat 2019. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Tom Stitt (@BlinkerBilly), sr. director, product marketing - security, ExtraHop.

Thanks to this week's podcast sponsor ExtraHop

Unlike security solutions that focus on signature- and rule-based detection, ExtraHop Reveal(x) helps you rise above the noise of alerts with complete east-west visibility and machine learning for real-time detection of known and unknown threats, plus guided investigations for rapid response. Find and address real threats faster with ExtraHop.

On this week's episode

Why is everyone talking about this now?

I have noticed an either disturbing or coincidental trend. Every year, just before either RSA or Black Hat conferences, there is some massive breach. This year it was Capital One. In the past we've had Ashley Madison, Target, Marriott - all within a few months of the shows. I know I know I know that CISOs absolutely hate being sold on FUD (fear, uncertainty, and doubt), but all conferences are affected by industry relevant news. You simply can't avoid it. Capital One was brought up multiple times during the Black Hat conference. We discuss the do's and don'ts of bringing up the most recent breach at a huge trade show.

We don't have much time. What's your decision?

On LinkedIn, you asked "When your risk and threat models all agree that this feature/product/decision is of low concern but your gut tells you otherwise, what do you do?" It appears most people said go with your gut to which Richard Seiersen of Soluble pointed out that guts are models too. What happens when you're faced with such a scenario and what causes the tools and threat models to be so off your gut?

"What's Worse?!"

We've got a split decision and a really fun scenario.

Please, Enough. No, More.

Today's topic is "network behavior analysis." In the world of anomaly detection, what have Mike and Tom heard enough about and what would you like to hear a lot more?

It’s been two weeks. Time to change your password again. How many times have we all bumped up against this wall – intended to help keep us secure, but extremely annoying when you have things do do? The battle for password security has been a long and arduous one, moving and evolving, sometimes ahead of, but more often lagging behind the activities of the hackers and bad guys, whose limitless resources seek out every possible weakness.

Challenge questions and strings of letters, numbers and characters might soon be coming to the end of their functional life, as security companies start to roll out biometric and behavioral security protocols in their place. Paired with increased access to data and artificial intelligence, it will become easier for organizations to contemplate a switch from basic strings of words to something more esoteric – a retinal scan paired with an extensive ergonomic behavior database for every individual.

These things are not new to the consumer marketplace of course. Apple iPhones are one of many devices that can be unlocked by a fingerprint, and credit card companies and web applications routinely call out unusual login behaviors.

But the new secret sauce in all of this is the availability of huge amounts of data in real time, which can be used to analyze a much larger set of behavioral activity, not simply an unusually timed login. This can then be managed by an Identity-as-a-service (IDaaS) company that would take over the administration, upkeep and security of its clients using the as-a-service model.

A retinal scan paired with a secure knowledge of which hand you carry your coffee in and where you bought it might very soon replace the old chestnut challenge of your mother’s maiden name. That one should stay safe with Mom.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

And now, a listener drops some serious knowledge

On LinkedIn, Ian Murphy of LMNTRIX put together an incredibly funny presentation with great graphics entitled the BS Cybersecurity Awards which included such impressive glass statuettes like the "It'll Never Happen to Us" Award and the "Cash Burner" Award. In general, they were awards for all the bad repeated behavior we see from vendors and users in cybersecurity. What are the awards that are not given out that we'd actually like to see?



3. Improve Security By Hiring People Who Know Everything
http://davidspark.libsyn.com/i... download (audio/mpeg, 59.87Mb)

Description:

All links and images for this episode can be found on CISO Series (https://cisoseries.com/improve-security-by-hiring-people-who-know-everything/)

If you're having a hard time securing your infrastructure, then maybe you need to step up the requirements for expertise. Why not ask for everything? We're offering unreasonable advice on this week's episode of CISO/Security Vendor Relationship Podcast.

This episode was recorded in front of a live audience at ADAPT's CISO Edge conference in Sydney, Australia. This special episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Liam Connolly, CISO of Seek. Our guest is Matt Boon (@mattjboon), director of strategic research for ADAPT. Plus, we have a special sponsored guest appearance from John Karabin, vp, cybersecurity, Dimension Data.

Thanks to this episode's sponsors Dimension Data/NTT and ADAPT

By 1 October 2019, all 28 NTT companies, including Dimension Data, will be branded as NTT. Together we enable the connected future. Visit NTT at hello.global.ntt.

ADAPT’s mission is to equip IT executives with the knowledge, relationships, inspiration and tools needed to gain competitive advantage. ADAPT’s membership platform provides business leaders with fact-based insights, actionable patterns of success and the collective experience of 3,000 peers to improve strategic IT, security, and business decisions. Visit ADAPT for more.

On this week's episode

Why is everyone talking about this now?

Independent security consultant Simon Goldsmith sent this post from Stu Hirst, a security engineer at JUST EAT who posted a job listing that requested subject matter expertise on 12 different aspects of security. This highly demanding request resulted in well over 200 responses from the community. Is it laziness on the part of the company posting? Is it an attempt to just capture job seekers' search queries? Or is it simply an editorial mistake that they shouldn't have requested subject matter expertise but rather basic knowledge across 12 different aspects of security?

Ask a CISO

Mitch Renshaw, Fortinet, describes a problem that many vendors are having. He says:

"Fortinet’s broad portfolio makes it hard to give a concise yet effective overview of our value. As a result I’m worried my emails are going long.
Customers know us for our firewalls – and a full firewall refresh is hard to come by as a sales rep. So if I get more targeted in my demand generation techniques, I’m met with an 'I’m all set, I’ve got Palo/checkpoint/juniper/etc.'"

Mitch has got a conundrum. He's looking for the happy medium on how to sell a company with a wide variety of products, some of which are highly commoditized in the industry. How should he reach out to security professionals?

"What's Worse?!"

We play two rounds and the audience gets to play along as well.

Hey, you're a CISO, what's your take on this?'

My American co-host, Mike Johnson, asked this question of the LinkedIn community, and I ask you this as well. "Why do sites still **** out the password field on a login page?" It's designed to stop shoulder surfing. Is this really the main problem? What else is it helping or hurting, like password reuse? Passwords are a broken system that are easily hacked. We have solutions that add layers on top of it, like multi-factor authentication. What solutions do we have for the password process itself?

OK, what's the risk?

Ross Young of Capital One, asks this question about what risk should you be willing to take on? "What should cyber professionals do when they can’t contract or outsource services like pen testing however they struggle to acquire the talent they need. If they train folks they find them poached sooner and if they don’t they are stuck without the talent they need to survive."

Why is this a bad pitch?

We've got a pitch sent in to us from Eduardo Ortiz. It's not his pitch, but one he received. You may need to strap in when you hear this.

It’s time for the audience question speed round

Yep, it's just like it sounds. I ask the panel to ask some questions submitted from our audience.

 

 



4. Just Click "Accept" As We Explain Informed Consent
http://davidspark.libsyn.com/j... download (audio/mpeg, 48.21Mb)

Description:

Find all images and links for this episode on CISO Series (https://cisoseries.com/just-click-accept-as-we-explain-informed-consent/)

Even if you do give "informed" consent, do you really understand what we're doing with your data? Heck, we don't know what we're going to do with it yet, but we sure know we want a lot of it. It's all coming up on this week's episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Francesco Cipollone (@FrankSEC42), head of security architecture and strategy, HSBC Global Banking and Markets.

Thanks to this week's podcast sponsor ExtraHop

Unlike security solutions that focus on signature- and rule-based detection, ExtraHop Reveal(x) helps you rise above the noise of alerts with complete east-west visibility and machine learning for real-time detection of known and unknown threats, plus guided investigations for rapid response. Find and address real threats faster with ExtraHop.

On this week's episode

Should you ignore this security advice?

This is advice you should not ignore. It comes from an article by Jonathan Jaffe, director of information security at People.ai where he offered up a great recipe for startup security. We discussed standout tips and were there any disagreements or omissions?

Close your eyes. Breathe in. It's time for a little security philosophy.

Phil Huggins, GoCardless, said, "If we don't know what value is in our data until it has been enriched and analysed can we give informed consent as to its use?"

What's Worse?!

We're concerned with the state of data in this game.

Ask a CISO

Mike Baier, Takeda Pharmaceuticals, asks, "When faced with the scenario of the vendor providing a recent SOC 2 Type 2 report, and then tells you that their internal policies/procedures are considered 'highly confidential' and cannot be shared, what tips would you provide for language that could help cause the vendor to provide the required documentation?"

The 1979 movie When a Stranger Calls gave us that unforgettable horror moment when the police informed Jill that the calls from the stalker were coming from inside the house. Nineteen years earlier, Hitchcock’s Psycho did a similar type of thing with the shower scene. We humans have a real problem when danger pops up in the place we feel safest – our homes. A similar problem happens in corporate IT security. We place a great deal of attention on watching for external hackers, as well as those that seek to dupe our overstressed employees into clicking that spearfishing link. What was it that Edward Hermann’s character, the vampire, said in the Lost Boys? “You have to invite us in.”

But what about internal bad actors? There are those who see great opportunity in accessing, stealing and selling company resources – data – like social security numbers, credit card numbers and medical files.

More on CISO Series.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

OK, what's the risk?

A question from Robert Samuel, CISO, Government of Nova Scotia that I edited somewhat. It's commonly said that the business has the authority for risk-trade off decisions and that security is there just to provide information about the risk and measurement of the risk. I'm going to push this a little. Is this always the case? Do you sometimes disagree with the business or is it your attitude of "I communicated the risk, it's time for me to tap out."



5. Who Are the Perfect Targets for Ransomware?
http://davidspark.libsyn.com/w... download (audio/mpeg, 48.04Mb)

Description:

All images and links for this episode can be found on CISO Series (https://cisoseries.com/who-are-the-perfect-targets-for-ransomware/)

If you've got lots of critical data, a massive insurance policy, and poor security infrastructure, you might be a perfect candidate to be hit with ransomware. This week and this week only, it's an extortion-free episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Sean Walls (@sean_walls2000), vp, cybersecurity, Eurofins.

Thanks to this week's podcast sponsor Core Security

Assigning and managing entitlements rapidly to get employees the access they need is critical, but it can come at the cost of accuracy and security. Core Security’s identity governance and administration (IGA) solutions provide the intelligent, visual context needed to efficiently manage identity related security risks across any enterprise.

On this week's episode

How CISOs are digesting the latest security news

An article in the NYTimes points to a new trend in ransomware that is specifically attacking small governments with weak computer protections and strong insurance policies. Payments from $400-$600K. Lake City, Florida, population 12K paid $460K to extortionists. They got some of their information back but they have been set back years of what will require rescanning of paper documents. Mike, I know your standard philosophy is to not pay the ransom, but after a ransomware attack against the city of Atlanta, the mayor refused to pay $51,000 in extortion demands, and so far it's cost the city $7.2 million. Probably more. These payments by the small cities must be incentivizing more attacks. Does this information change the way you're willing to approach ransomware. What can a small city with zero cybersecurity staff do to create a program to reduce their risk to such a ransomware attack?

Ask a CISO

Bindu Sundaresan, AT&T Consulting Solutions, asks a very simple question, "How is each security initiative supporting the right business outcome?" Do you find yourself selling security into the business this way? If not, would you be more successful selling security to the business if you did do this?

What's Worse?!

We've got a split decision on what information we prefer after a breach.

Listen up, it’s security awareness training time

Jon Sanders, Elevate Security, said, "Security awareness involves A LOT of selling… there’s no cookie cutter approach in security awareness or sales!" Is the reason security training is so tough because so many security people are not born salespeople? I've interviewed many and there's a lot of "just listen to me attitude," which really doesn't work in sales.

Cloud Security Tip, sponsored by OpenVPN

We talk a lot about penetration testing here, given that it remains a staple of proactive IT security. But not everyone feels it’s all it’s cracked up to be. Or should that be, all it’s hacked up to be?” More than one cybersecurity organization points out there are a few flaws in the pen testing concept that make it worth a second look.

Pen testing often consists of a small collection of attacks performed within a set time period against a small sample of situations. Some experts doubt the efficacy of testing against a limited field of known vulnerabilities, without knowing what other weaknesses exist in plain sight, or merely invisible to jaded eyes.

More on CISO Series...

What do you think of this pitch?

We have a pitch from Technium in which our CISOs question what exactly are they selling?



6. Passwords So Good You Can't Help But Reuse Them
http://davidspark.libsyn.com/p... download (audio/mpeg, 51.36Mb)

Description:

All links and images for this episode can be found on CISO Series (https://cisoseries.com/passwords-so-good-you-cant-help-but-reuse-them/)

We've just fallen in love with our passwords we just want to use them again and again and again. Unfortunately, some companies more interested in security aren't letting us do that. We discuss on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is William Gregorian (@WillGregorian), CISO, Addepar.

Thanks to this week's podcast sponsor Cyberint

The high ROI is what makes spear phishing campaigns so attractive to threat actors. Read our breakdown of TA505's latest series of attacks. CyberInt has been tracking various activities surrounding this and other similar attacks where legit means were used to hack international companies in the retail & financial industries.

How CISOs are digesting the latest security news

Chris Castaldo of 2U and a former guest on the show posted this great story of TripAdvisor invalidating user credentials if a member's email and password were found in publicly leaked data breach databases. Is this a great or bad move by TripAdvisor?

Ask a CISO

On LinkedIn, Chad Loder, CEO, Habitu8 posted an issue about the easy deployment and ubiquity of cloud applications. He argues it's no longer Shadow IT. It's just IT. And securing these cloud tools you don't manage nor know about requires a lot of education. Is Shadow IT inevitable. Should we lose the name? And is education the primary means of securing these services?

It's time to play, "What's Worse?!"

One of the toughest rounds of "What's Worse?!" we've ever had.

Close your eyes. Breathe in. It's time for a little security philosophy.

Mike posed a "What's Worse?!" scenario to the LinkedIn community and got a flurry of response. The question was "Would you rather have amazing, quality cybersecurity incident response in 24 hours or spotty, unreliable response in one hour?" I wanted to know what was Mike's initial response and did anyone say anything in the comments to make him change his mind?

For quite a while, IT security experts have been touting the value of two factor authentication (2FA) as a better way to keep data safe than simply using passwords alone. We have even spoken about it here. In its most popular form, 2FA sends a confirmation code to your phone, which you must then enter into the appropriate log-in confirmation window within a short amount of time. This is like having a second key to the safe, like many bank vaults used to have. (more on the site)

It’s time to measure the risk

Chelsea Musante of Akamai asks, "What would you say to someone who thinks their risk for credential abuse / account takeover has decreased because they've implemented MFA (multi-factor authentication)?"



7. Please Don't Investigate Our Impeccable Risk Predictions
http://davidspark.libsyn.com/p... download (audio/mpeg, 46.53Mb)

Description:

All links and images for this episode can be found at CISO Series (https://cisoseries.com/please-dont-investigate-our-impeccable-risk-predictions/)

It's easy to calculate risk if no one ever checks the accuracy of those predictions after the fact. It's all coming up on CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Bob Huber (@bonesrh), CSO, Tenable.

Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization.

On this week's episode

What's the ROI?

Do we analyze how good we are at predicting risk?

Phil Huggins, GoCardless said, "We conduct detailed rigorous risk assessments to support security transformation business cases and identify a series of mitigation actions and then declare success if those actions are completed on time and on budget... We never revisit our risk assessments a year later and see how good we were at predicting risk occurrence. I worry that the avoidance of feedback contributes to the underperformance of security."

Are we looking back and seeing how good we are at analyzing risk?

Close your eyes. Breathe in. It's time for a little security philosophy.

We have evolved from an unchecked "Cloud first" model to a more thoughtful "cloud smart" strategy. Are these just PR slogans apparently implemented by the last two administrations, or is there something to them? Looking ten years ago vs. today, have we really become smarter about implementing cloud technologies? In what way have we made the greatest strides? How are we falling short and where would you like us to be smarter?

What's Worse?!

What would you sacrifice to get all the training you could get?

Please, Enough. No, More.

Our topic is DevSecOps. It's a big one. Mike, what have you heard enough of on the topic of DevSecOps, what would you like to hear a lot more?

What do you think of this pitch?

Shazeb Jiwani of Dialpad forwarded me this pitch from Spanning Cloud Apps. He asks, "how they feel about vendors using an availability issue from a partner (not even a competitor) as a sales pitch."

Parkinson’s Law states that “work expands to fill the time available,” and any IT specialist knows this applies equally to data and can be stated as “Data expands to fill the storage available.” 

As cloud service providers – and the cloud itself both continue to expand, the opportunity to transport and store all of your data seems to be a great convenience. But data management requires oversight, control and governance. The more data – and daily data flow –one has, the greater the potential for misuse, redundancy, errors, and costly maintenance. 

More at https://openvpn.net/latest/security-tips/



8. CISO Series One Year Review
http://davidspark.libsyn.com/c... download (audio/mpeg, 26.31Mb)

Description:

Links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ciso-series-one-year-review/) 

The CISO/Security Vendor Relationship Podcast is now more than a year old. On this episode, the hosts of both podcasts, reflect on the series and we respond to listeners critiques, raves, and opinions.

Check out this post and this post for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is the co-host of the CISO/Security Vendor Relationship Podcast, Mike Johnson.

Thanks to this week’s podcast sponsor, Trend Micro

On this episode of Defense in Depth, you'll learn:

We provide the definitive story of how the CISO/Security Vendor Relationship Podcast started and how David, Allan, and Mike all connected. We've been challenging many of the sales techniques that have essentially irked CISOs. The podcast has become a validation tool for sales people to show to their management and say, "We need to change direction." One of the critiques we've heard is the desire to understand more of the sales process. We are actually very much in the dark as to the different levels of incentives are for sales staff. A security sale is often a long and involved process and we know the incentives are more involved than just a sales commission. We've actually done webinars that take a look behind the scenes of sales and we plan to do more. Those who feel isolated with their company enjoy hearing the different viewpoints. There is actually a real return on investment to listening to our show. Sales people say that they've changed their strategy based on advice on the show and it has proved to be fruitful.



9. Worst Question Award Goes to "How Secure Are We?"
http://davidspark.libsyn.com/w... download (audio/mpeg, 44.81Mb)

Description:

Images and links for this episode can be found at CISO Series (https://cisoseries.com/worst-question-award-goes-to-how-secure-are-we/)

We've got better ways to determine the overall quality of your security posture than asking this unanswerable question. It's all coming up on CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Helen Patton (@osucisohelen), CISO, Ohio State University.

Thanks to this week's podcast sponsor Trend Micro.

On this week's episode

Why is everyone talking about this now?

Jamil Fashchi, CISO, Equifax, "In speaking with a CEO the other day, I was asked, 'As someone who isn’t technical, what questions should I ask to determine if my security team is effective?'" This caused a flurry of discussion. What's your advice, and do you agree it's a lot better question than "How secure are we?"

Hey, you're a CISO, what's your take on this?

One issue that comes up a lot in cybersecurity is the lack of diversity. We have discussed the value of diversity, in that it avoids "one think" and brings in the critical need of different viewpoints. The problem is we're often attracted to people like us, and we ask for referrals which if you hired people like you is probably going to deliver more people like you. We focus this discussion on actionable tips that CISOs can take to bring in a diverse workforce.

What's Worse?!

What's it like to work with the business and their acceptance or lack of acceptance of risk?

First 90 days of a CISO

Steve Luczynski, just became CISO of T-Rex Corporation. In the past the CIO has handled both IT and security at the company.

"Now with a CISO onboard, the struggle is figuring out who does what with the expected reluctance by the CIO to let go of certain things and trust me, the new CISO to maintain the same standards. For example, I wanted to change our password policy when I first showed up to match the new NIST guidance of not changing based on a set time period. There was disagreement and it did not change even when I showed the NIST verbiage," said Luczynski.

How should Steve deal with such disagreements?

Ask a CISO

For a while, FUD (fear, uncertainty, and doubt) worked on the average person, to get them to install basic security measures, like an anti-virus. But it appears that's all changed. The cause could be apathy. When there's so many breaches happening the average person feels powerless. Are we marketing cyber-awareness wrong to non-security people? What would get them to be true advocates?

The Pre-nup. It’s a difficult thing for most people to talk about in their personal lives, but it’s something that should always be considered when setting up a relationship with a cloud service provider. Not all business relationships last, and if your organization needs to move its data to another provider, it’s not like packing up your furniture and saying goodbye to your half of the dog. 



10. You're Not Going Anywhere Until You Clean Up That Cyber Mess
http://davidspark.libsyn.com/y... download (audio/mpeg, 45.86Mb)

Description:

The images and links for this episode can be found at CISO Series (https://cisoseries.com/youre-not-going-anywhere-until-you-clean-up-that-cyber-mess/)

Our CISOs and Miss Manners have some rules you should follow when leaving your security program to someone else. It's all coming up on CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is newly free agent CISO, Gary Hayslip (@ghayslip).

Thanks to this week's podcast sponsor Trend Micro

On this week's episode

Why is everyone talking about this now?

Mike, you asked a question to the LinkedIn community about what department owns data privacy. You asserted it was a function of the security team, minus the legal aspects. The community exploded with opinions. What responses most opened your eyes to the data privacy management and responsibility issue you didn't really consider?

Hey, you're a CISO, what's your take on this?'

Someone who is writing a scene for a novel, asks this question on Quora, "How does a hacker know he or she has been caught?" Lots of good suggestions. What's your favorite scenario? And, do you want to let a hacker know he or she has been caught, or do you want to hide it? What circumstances would be appropriate for either?

What's Worse?!

Mike decides What's Worse?! and also what's good for business.

First 90 days of a CISO

Paul Hugenberg of InfoGPS Networks asks, "What fundamentals should the CISO leave for the next, as transitions are fast and frequent and many CISOs approach their role differently. Conversely, what fundamentals should the new CISO (or offered CISO) request evidence of existence before saying YES?" Mike, this is a perfect question for you. You exited and you will eventually re-enter I assume as a CISO. What did you leave and what do you expect?

Ask a CISO

Fernando Montenegro of 451 Research asks, "How do you better align security outcomes with incentives?" Should you incentivize security? Have you done it before? What works, what doesn't?

Imagine how hard it would be to live in a house that is constantly under attack from burglars, vandals, fire ants, drones, wall-piercing radar and virulent bacteria. Most of us are used to putting a lock on the door, cleaning the various surfaces and keeping a can of Raid on hand for anything that moves in the corner. But could you imagine keeping a staff of specialists around 24/7 to do nothing but attack your house in order to find and exploit every weakness?



11. We Take Privacy, Not Our CISO, Seriously
http://davidspark.libsyn.com/w... download (audio/mpeg, 63.55Mb)

Description:

All pictures and links for this episode can be found on CISO Series (https://cisoseries.com/we-take-privacy-not-our-ciso-seriously/)

We're looking for the one company brave enough to say they don't care about privacy on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode was recorded live on June 6th at The B.O.B. in Grand Rapids, Michigan at the 2019 West Michigan IT Summit, hosted by C3 Technology Advisors. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Allan Alford (@allanalfordinTX), principal consultant at Side Channel Security. Our guest for this special live recording is the former CISO/CSO/CTO of the state of Michigan, Dan Lohrmann (@govcso).

David Spark and Allan Alford, co-hosts of Defense in Depth on the CISO Series network, and Dan Lohrmann, former CISO/CSO/CTO for the State of Michigan.

Thanks to this week's podcast sponsors C3 Technology Advisors, Fuze, and Assured Data Protection.

C3 Technology Advisors is a technology consulting firm that helps midsize to enterprise organizations make better technology buying decisions. With technology quickly changing, let C3 help you shift through all the disruption, noise, and sales pitches to allow you to make better technology buying decisions for your organization.

Fuze is the #1 cloud communications and collaboration platform for the enterprise, combining calling, meeting, chatting, and sharing into a single, easy-to-use application. Designed for the way people work, Fuze allows the modern, mobile workforce to seamlessly communicate anytime, anywhere, across any device.

Assured Data Protection provides backup and disaster recovery solutions utilizing Rubrik ‘as a Service’. They offer 24/7 global support, with expertise that truly sets them apart from other back up and DR service providers.

On this week's episode

Should you ignore this security advice?

Yaron Levi, CISO of Blue Cross Blue Shield of Kansas City posed an interesting question, "Many people in security follow best practice without questioning them but in fact there are many BAD security best practices." Levi asks the LinkedIn community and I also ask our guests, "What do you consider a 'Bad Best Practice?'"

How to become a CISO

Aaron Weinberg, Kirlin Group, asks, "What would a CIO need to do to switch career tracks to being a CISO?" I'll add why would you want to do that?

What's Worse?!

We've got two rounds of questions and conflict on at least one of them.

I tell ya, CISOs get no respect

Brian Krebs of Krebs Security asked, "Why aren't CISOs often not listed on the executive page of a company website?" Krebs looked at the top 100 global companies and only found 5 that had a CISO listed. Of the NASDAQ 50, there were only three listed with a security title. But plenty had chief of human resources or chief marketing officers listed. One argument for the lack of front page visibility for CISOs is that companies value revenue centers over cost centers. Another argument is the reporting structure. That CISOs often report to CIOs. Is that why it's happening, or is it something else?

Close your eyes. Breathe in. It’s time for a little security philosophy.

A question on Quora asks you to participate in this little thought exercise, "If you knew all computers would be erased tomorrow by a worldwide virus, what steps would you take to protect yourself?" It's a little more involved than just unpluging your computer from the Internet.

Why is this a bad pitch?

I read a cringeworthy bad pitch and our CISOs respond. Listen to the end as I reveal something surprising about this very bad pitch.

And now this…

I burn through a stack of questions from the audience as we go into a cybersecurity speed round.



12. Do These Jeans Make My Vulnerabilities Look Too Big?
http://davidspark.libsyn.com/d... download (audio/mpeg, 44.17Mb)

Description:

Full episode with images and links available at CISO Series (https://cisoseries.com/do-these-jeans-make-my-vulnerabilities-look-too-big/)

We're starting to get a little self-conscious that our vulnerabilities are starting to show. People we don't even know are telling us we have them on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Fredrick Lee (AKA "Flee") (@fredrickl), CSO of Gusto.

Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization.

What's a CISO to do?

Chris Romeo, CEO of Security Journey, wrote a post where he asked, "What if I had to develop an application security program with a budget of zero dollars?" What he presented was a means to lean on the OWASP open source community and tools to build an application security program.

You're a CISO, what's your take on this?

I was chatting with a pentester, Benjamin McEwan, from Scotland, who reaches out to CISOs trying to responsibly disclose, not expose, a credible security vulnerability. It's his effort to get recognized. He's frustrated though in his ability to find permanent work because those hiring only see him as an independent researcher. Is his exercise the right approach? What can a talented security person in his position do to make himself more attractive to CISOs?

What's Worse?!

We've got a couple of scenarios that shocked our guest at the sheer InfoSec horror.

Breathe In, It's Time for a Little Security Philosophy

On Quora, a question right out of the Matthew Broderick movie WarGames asks, "If a student hacked into university computers and changed his grade in cyber security to an A, does he actually deserve the A?" Except for one person, everyone said, "No," but for different reasons. Mike, are you saying no, and if so, what reason?

What do you think of this pitch?

We've got two pitches from vendors this week. One came directly to me.

Cloud Security Tip, by Steve Prentice - Sponsored by OpenVPN.

The idea behind an Advanced Persistent Threat is both intriguing and a little distracting. It sounds like the title of a Tom Clancy novel – maybe a sequel to Clear and Present Danger.

Designed to penetrate a network, operate while hidden for a long time, all the while receiving commands from an outside agent, an APT is more sophisticated than everyday malware and tends to be deployed against large targets.



13. Great Demo! Let's Schedule a Time to Ignore Your Follow Up
http://davidspark.libsyn.com/g... download (audio/mpeg, 42.32Mb)

Description:

All links and images for this episode can be found on CISO Series (https://cisoseries.com/great-demo-lets-schedule-a-time-to-ignore-your-follow-up/)

We're playing hard to get on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Al Ghous, head of cloud security at GE Digital.

Thanks to this week's podcast sponsor Carbon Black

Carbon Black (NASDAQ: CBLK) is a leader in endpoint security dedicated to keeping the world safe from cyberattacks. The company’s big data and analytics platform, the CB Predictive Security Cloud (PSC), consolidates endpoint security and IT operations into an extensible cloud platform that prevents advanced threats, provides actionable insight and enables businesses of all sizes to simplify operations.

On this week's episode

Why is everybody talking about this now?

On LinkedIn, Marcus Capone, Partner at Onyx, a physical and cybersecurity firm said, "I laugh when clients balk at prices. They expect champagne but want to pay for Coors Light…" This caused a flurry of discussion of price/value in security. There was an attitude across the board that we're the absolute best and we should be paid that. But as Allan Alford said on Defense in Depth, there's a market for a slightly worse, but way cheaper version of Splunk. Do CISOs want beer-level security solutions?

It’s time to measure the risk

How can startups and large companies get along better? Enterprises are jealous of startup's agility, and startups are eager to get at an enterprises' assets. But startups can be a security nightmare and it's a non-starter if they can't pass the third-party risk management process. With all this frustration, is there any middle ground?

What's Worse?!

We have a common real-world scenario in this week's game.

You're a CISO, what's your take on this?

We have talked in the past about how the term "AI" can mean a lot of things. It can be a simple script or it can be an algorithm that actually learns by itself. Both will do something for you automatically, but the expectations are vastly different. When security vendors tout AI, what would CISOs like to hear so your expectations can be set appropriately?

Understanding security sales

The frustration of the vendor follow up process after a demo. An anonymous listener asks, "We are usually told some sort of next step or asked to follow up in a few weeks." The challenge is they're often left chasing the potential client getting no response. This can go on for months. "Is there a way to make this more productive for all involved?" Should the prospect be blamed? What can be done to improve the process?

Application Programming Interfaces (API’s) are wonderful for customizing and enhancing the cloud experience, but as a common front door, they pose a significant security risk. Regardless how secure a cloud service provider is, their primary role as an interface means APIs will always pose a weakness that can be exploited by hackers.

 



14. We Unleash Our Military Grade InfoSec BS Detector
http://davidspark.libsyn.com/w... download (audio/mpeg, 38.69Mb)

Description:

Find all images and links for this episode on CISO Series (https://cisoseries.com/we-unleash-our-military-grade-infosec-bs-detector/)

We're trying to clean up vendor pitches of unnecessary and outrageous claims so they can sail through to a CISO's inbox. It's our service to cybersecurity community on this week's episode of CISO/Security Vendor Relationship Podcast.

This show was recorded live in front of an audience of CISOs and security vendors at the San Francisco CISO Executive Summit, hosted by Evanta. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Aaron Peck, CISO, Shutterfly.

Thanks to our podcast sponsors ExtraHop and Tenable

Unlike security solutions that focus on signature- and rule-based detection, ExtraHop Reveal(x) helps you rise above the noise of alerts with complete east-west visibility and machine learning for real-time detection of known and unknown threats, plus guided investigations for rapid response. Find and address real threats faster with ExtraHop.

Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization.

On this week's episode

Why is everybody talking about this now?

Last week I was about to install a popular and approved app in the Google Play store that asked if the app could read, copy, download, and DELETE my contacts. Also last week during Google I/O, Sundar Pichai, Google’s chief executive touted their focus on privacy. This is not the first time we've heard this from Google or Facebook who is going to be facing the largest privacy violation in FTC history. Getting access to our behaviors is how Facebook and Google make their money. What would we like to see, not hear, from either Google or Facebook that convinces us that yes, they are doing something significant and proactive about privacy. Maybe they've already done it.

Why is this a bad pitch?

A Twitter thread asked, "What do vendors say that immediately undermines their credibility?"

There were a lot listed, but the ones I saw repeated multiple times were military grade, next-gen, bank-level encryption, full visibility, 100% effective, and single pane of glass.

We have brought up many of these on our show. And while we understand companies are trying to find a short pithy way to describe their technology, using terms like these can turn a great pitch into an effort to dig out of a hole.

What's Worse?!

We squeeze in two rounds of this game and our guest tries to dodge the question, but I don't let him.

You're a CISO, what's your take on this?

Brian Fricke, CISO at BBVA Compass is eager to hear how to successfully reconcile the cloud-driven CapEx to OpEx budget shift. CFOs don't get any depreciation benefit from OpEx, and Brian believes they'd prefer to see CapEx even if it's double the cost. He's struggling. Our CISOs offer up some advice.

How to become a CISO

Jason Clark, CISO of Netskope, wrote an article on Forbes about security mentorship. Mentors are needed to create more security leaders, CISOs, increase interest in security, and teach the ability to talk to the business. All of it centered around one theme of motivating others. What are ways to teach motivation across all these areas?

 

 



15. What's Worse?! "Culture of No" or No Culture?
http://davidspark.libsyn.com/w... download (audio/mpeg, 45.52Mb)

Description:

See all links and images for this episode on CISO Series (https://cisoseries.com/whats-worse-culture-of-no-or-no-culture/)

We want to put an end to InfoSec negativity, but not at the sacrifice of the soul of the company. We're weighing our options on this week's episode of CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Sean Catlett, CISO of Reddit.

Thanks to this week's sponsor, Perimeter 81

Perimeter 81 is a Zero Trust Network as a Service designed to simplify secure network, cloud and application access for the modern and mobile workforce. We allow cybersecurity professionals to easily build, manage and secure their organization’s networks in one unified, multi-tenant, cloud-native platform. Learn more at www.perimeter81.com.

On this week's episode

Why is everybody talking about this now?

Helen Patton, CISO at Ohio State University, asked the security community, "What cultural/behavioral influences on Security would you like to see changed?"

First 90 Days of a CISO

Matt McManus who works in InfoSec at WeWord asks, "What's the ideal information security team make-up and structure?" Sean, you came into Reddit recently as a new CISO. How did you go about determining what you needed for a team?

What's Worse?!

What needs to be protected? The endpoints or the network?

You're a CISO, what's your take on this?

Last year I was chatting with a CEO, and he mentioned one common frustration with a scenario that keeps repeating itself. He will have a truly fantastic meeting with a potential buyer. Absolutely everything goes right, but the moment he asks to engage in a PoC, Proof of Concept, the conversation does an about face and everything falls apart. And vendors have unrealistic expectations of the time it will take a potential buyer to conduct a PoC.

Ask a CISO

With the recent release of the Verizon Data Breach Investigation Report, or DBIR, we brought up a question from Kip Boyle, author of Fire Doesn't Innovate. He asks, "What role do vendors and the media play in determining and prioritizing your cyber risks?"

Whether your data is in transit or at rest, it’s vital to remember that neither state is secure. Data must be protected in both states, and encryption plays a major role in this. In addition to encryption standards for in-transit data such as TLS for email, HTTPS and SSL for websites and the use of a VPN when connecting from public Wi-Fi hotspots (even those that say they are secure), there is symmetric and asymmetric encryption, part of the Advanced Encryption Standard. Symmetric encryption happens when the sender and receiver of a message use a single shared key to encrypt and decrypt the message, which is something most internet traffic uses. Asymmetric encryption uses more CPU power and is harder to encrypt, and is used for secure online exchanges via the Secure Sockets Layer.

But encryption isn’t the end of the story. There must be network security controls to help protect data in transit as well as securing the transmission networks themselves. Proactivity is key here, which means identifying at-risk data, establishing user prompting regulations and automatic encryption for things like files attached to an email message, and taking stock of, and categorizing all types of data to ensure the right level of security is applied to each.

On a human level, Role-Based Access Control (RBAC) ensures different levels of security and permissions, multi factor authentication helps make data a more difficult target, and of course, each company should take ownership of this challenge and not rely on their cloud supplier to do it for them.

 



16. Our "What Not to Do" Security Selling Secret
http://davidspark.libsyn.com/o... download (audio/mpeg, 44.52Mb)

Description:

Check out all links and images for this episode on CISO Series (https://cisoseries.com/our-what-not-to-do-security-selling-secret/)

We're not always clear on what vendors should do when selling security products, but when we get a really bad email pitch, we're very clear on what they should not do. We're bedazzled with bad pitch disbelief on this episode of CISO/Security Vendor Relationship Podcast.

Thanks to this week's sponsor, Women in Security and Privacy (WISP)

Women in Security and Privacy works to advance women in security and privacy. We accomplish this through practical and technical workshops, TANDEM mentorship programs, leadership training, job board postings, Equal Respect speakers bureau, and conference and training scholarships.

On this week's episode

Why is everybody talking about this now?

Facebook is expected to pay somewhere between $3 to $5 billion in FTC fines for violating the 2011 consent decree. They violated user's privacy without giving clear notice or getting clear consent. But, all this financial and reputational damage doesn't seem to do a darn thing to dissuade individuals or investors from Facebook. The site has 2.38 billion active users. It's growing 8% year over year. And after their earnings announcement which mentioned the multi-billion dollar fine, their stock jumped 7%. This doesn't appear to get people to care about security and privacy, So what will?

Hey, you're a CISO, what's your take on this?'

The NSA has announced that no zero day attacks were used in any high profile breach in the last 24 months. Most of the attacks were simple intrusion where they went after users through techniques like phishing or water holing. We talk endlessly on this show about good cyber hygiene, but we have an event coming up, Black Hat, that thrives on showing security professionals the latest attack techniques, which I know are not zero days. But how can security professionals NOT gravitate towards the newest and coolest?

What's Worse?!

Who needs to control the problem? Security or the business unit?

How to become a CISO

Gary Hayslip, CISO of Webroot, and a former guest on Defense in Depth. He wrote an article to his younger self of what he wish he had known when he started in cybersecurity and then becoming a CISO. I'll ask the two of you to do the same exercise. What is something that you now know that there's no way you would have known starting out but would have made your life a lot easier as you took the climb to become a CISO.

Why is this a bad pitch?

We've got a one-two punch on a bad pitch email that uses self-deprecating humor plus an assumption of business relationship. Ouch.

The importance of developing consistent data protection policies across multiple cloud services
Many IT departments manage multiple clouds to ensure redundancy and avoid vendor lock-in. But diversifying brings along a new set of risks that demand a consistent and constantly reviewed data governance solution.

In general, cloud vendors do not take responsibility for the security of your data. So, your policy must take full responsibility for endpoints, networks and cloud environments. Just a few of the must-haves on this list include limiting user’s permissions to only what they absolutely need, strong security practices including multi-factor authentication and password management, enforcing a uniform set of data loss prevention policies, and building a dynamic inventory of applications by the types of data stored, compliance requirements, and potential threats. Policies should be assigned to groups or roles rather than individual people.

In-house IT people are already busy. Their attention and energies might be best served by working with senior management to establish and maintain Multicloud and data loss prevention policies, while leaving the heavy lifting and day-to-day proactive maintenance to a completely reputable as-a-service cloud security vendor. 



17. We're Gonna Run These Pen Test Exercises Until You Turn Purple
http://davidspark.libsyn.com/w... download (audio/mpeg, 44.35Mb)

Description:

Find all the links and images on CISO Series (https://cisoseries.com/were-gonna-run-these-pen-test-exercises-until-you-turn-purple/)

We learn to iterate our security stamina faster by bringing the attackers and defenders in the room together. We're seeing purple on this episode of CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Matt Southworth (@bronx), CISO of Priceline, who was brought to us by our sponsor, Praetorian.

Thanks to this week's sponsor, Praetorian

As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts.

Why is everybody talking about this now?

Senator Elizabeth Warren's proposed bill, the Corporate Executive Accountability Act, would pave the way for criminal charges of executive wrongdoing that leads to some public harm, like a public data breach. Note, there needs to be proof of wrongdoing. This isn't designed to blame victims. Regardless, the cybercommunity lit up on this topic. Warren said that too many executives were walking away free with no penalty while the community were left to suffer. Is this the bill that's needed to put a check on breaches?

Hey, you're a CISO, what's your take on this?'

Priceline has been conducting purple team exercises with our sponsor Praetorian. We discuss the value in purple team efforts over all the other alternatives, like pen testing, red team/blue team exercises, and threat hunting reports. Plus, we discuss the cultural benefits of purple team exercises.

What's Worse?!

We get a consensus on a question about asset and risk management.

How to become a CISO

Question from the director of information security at a Fortune 100 company wants to know how to make the leap from his position to CISO.

Pay attention, it’s security awareness training time

Dan Lohrmann, CSO of Security Mentor and an upcoming guest on our live podcast we're going to be recording on June 6th in Grand Rapids, Michigan had a very interesting article on Peerlyst about avoiding the punishment angle of security training. He said his number one struggle in education is explaining how important security is at an individual level and that individuals understand the impact of their actions. At Priceline, Matt Southworth created a Security Champs program to extend the reach of his security team by training interested non-security coworkers about security. We discuss what this has done to improve culture, security, and help people understand the impact of their actions.

Two-factor authentication, also called 2FA, is vital, and should be considered the default in online security, not a fancy option.

In short, 2FA means that two separate identifiers are required to gain access to an account. These identifiers should come from: 1.) something only you know, like a complex password, and 2.) something physically separate that belongs to you like a phone that can receive SMS messages, a physical token, a time or location limited message, or something biometric, like a retinal scan or fingerprint.

Currently the SMS message is the most popular “second factor,” but security analysts say this is still the weakest option. A better option is to use an approved app, or to partner with a cybersecurity company who can build one for you.



18. Vulnerability Management
http://davidspark.libsyn.com/v... download (audio/mpeg, 20.13Mb)

Description:

This is a special episode of Defense in Depth being shared on this feed. Find the full post with links and images on the CISO Series site here (https://cisoseries.com/defense-in-depth-vulnerability-management/)

So many breaches happen through ports of known vulnerabilities. What is the organizational vulnerability in vulnerability management?

Check out this post and discussion and this one for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is Justin Berman (@justinmberman), CISO for Zenefits.

Vulcan’s vulnerability response automation platform allows enterprises to automate their TVM programs. Vulcan integrates to existing IT DevOps and security tools to fuse enterprise data with propriety intelligence which allows to accurately and subjectively priorities and remediate vulnerabilities - either using a patch workaround or compensating control.

On this episode of Defense in Depth, you'll learn:

As the CIS 20 concurs, vulnerability management is the first security measure you should take right after asset inventory. Vulnerability management needs to be everyone's issue and managed by all departments. Lots of discussion around vulnerability management being driven by culture which is a very hard concept to define. To get a "vulnerability management culture" look to a combination of awareness and risk management. Vulnerabilities don't get patched and managed without someone taking on ownership. Without that, people are just talking and not doing. Increased visibility across the life cycle of a vulnerability will allow all departments to see the associated risk. Who are the risk owners? Once you can answer that questions you'll be able to assign accountability and responsibility.



19. I'm Humbled to Tell You About My Prestigious Award
http://davidspark.libsyn.com/i... download (audio/mpeg, 43.34Mb)

Description:

Find the full episode of this podcast (with links and images) on the CISO Series site right here: (https://cisoseries.com/im-humbled-to-tell-you-about-my-prestigious-award/)

I'm not exactly sure what "humbling" means, but I'm going to use it to hopefully soften my braggadocio announcement.

We discuss semantics and when it's OK to boast your accomplishments on this week's episode of CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Will Lin (@WilliamLin), partner and co-founder, ForgePoint Capital.

Thanks to this week's sponsor, Praetorian

As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts.

On this week's episode

How CISOs are digesting the latest security news

In many industries we see VC investments following trends. This is hot and new, let's go and invest in it. A recent story on Forbes spotlights five trends in cybersecurity which comes off as catnip for VCs or at least those in those spaces looking for investments. Is trend hopping a lucrative way to succeed with cybersecurity investments?

Why is everybody talking about this now?

Peter Cohen, director at Countercept remarked on the hypocrisy of posting a photo of yourself on stage and referring to it as "humbling". People say this with zero idea of the definition. The use of humbled or humbling as a verb means that at one time you thought you were superior and now you realize you are not because essentially someone defeated you and put you in your place. I don't get the sense that's what people mean when they refer to an experience as "humbling." But do a search for the term on LinkedIn and you will see people use it ALL THE TIME. Some of the most popular posts on LinkedIn are achievement announcements. Where's the line between saying you're proud of something and would you honor it with me and coming off like a jackass?

What's Worse?!

We have two scenarios this week in honor of our VC guest.

Hey, you're a CISO, what's your take on this?

In a special VC edition of "Hey, you're a CISO, what's your take on this?"

Much of what we talk about on this show is what we like and don't like about how security companies market themselves. In the news, the only role we hear VCs playing is financial. But given that VCs are seeing the inner workings of a startup, they can probably see firsthand why a company succeeds or fails. Given what VCs are privvy to that others of us are not, how can VCs help shape the way vendors market themselves?

Ask a CISO

Fernando Montenegro of 451 Research brought to my attention this tweet from Soldier of Fortran that caused a flurry of discussion. The tweet pointed out that many sites say they offer pricing, but when you go to the page it's just a lot of verbiage with a link to request a quote. Haroon Meer of Thinkst, producers of Canary deception devices and a former guest on this show, said they have pricing on their site even when experienced salesmen told them not to do it. Kyle Hanslovan of Huntress Labs, asked how he could provide transparent pricing when half of his clients are direct and the other half are distributors. Is there a happy medium here or is obfuscation the way to succeed with security selling?



20. No Shirt. No Security. No Merger.
http://davidspark.libsyn.com/n... download (audio/mpeg, 48.81Mb)

Description:

Episode available on CISO Series blog (https://cisoseries.com/no-shirt-no-security-no-merger/)

Sure, we'd like to merge with your company but geez, have you looked at your security posture lately? Uggh. I don't know if I could be seen in public with your kind let alone acquire your type.

We're wary as to who wants to enter our digital home on this week's episode of CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Mark Eggleston (@meggleston), vp, chief information security and privacy officer, Health Partners Plans.

Thanks to this week's sponsor, Praetorian

As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts.

On this week's episode

How CISOs are digesting the latest security news

Good cybersecurity hygiene is critical not just to mitigate breaches but also the valuation of a company, especially during a merger or acquisition. Itzik Kotler, co-founder and CTO of Safe Breach, notes that back in 2016 the Verizon acquisition price of Yahoo was lowered nearly $350 million after Yahoo disclosed data breaches that had happened up to two years earlier. Kotler said, "The problem is cybersecurity risk from mergers and acquisitions perspective should not be about what has happened, but about what vulnerabilities are being introduced and what could happen as a result."

Why is everybody talking about this now?

An interesting question on Quora asked, "Do you regret working in cybersecurity?" Do our CISOs ever regret? Why do people regret?

"What's Worse?!"

We have a challenge that pits securing old and new technology.

Ask a CISO

Eric Rindo just graduated with his MS in Cybersecurity. He has a certification, but zero experience. He's looking for his first InfoSec opportunity. For a CISO, what's attractive about a candidate like Eric?

What do you think of this pitch?

What happens when you pitch something CISOs already have?



21. Machine Learning Failures
http://davidspark.libsyn.com/m... download (audio/mpeg, 29.11Mb)

Description:

Full post for this episode (https://cisoseries.com/defense-in-depth-machine-learning-failures/)

NOTE: You're seeing this special episode of Defense in Depth, because we think our CISO/Security Vendor Relationship Podcast listeners should hear it. 

Is garbage in, garbage out the reason for machine learning failures? Or is there more to the equation?

Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Davi Ottenheimer (@daviottenheimer), product security for MongoDB.

Thanks to this week’s podcast sponsor, Remediant

81% of cyberattacks utilize stolen administrative credentials. Yet, legacy enterprise password vaults solve only a fraction of the problem and are difficult to rollout. Remediant's SecureONE takes a new approach to privileged access management: offering agent-less, vault-less, continuous detection and just-in-time-administration. Learn what Remediant can do in a half-day POC deployment.

On this episode of Defense in Depth, you'll learn:

Don't fall victim to believing that success and failure of machine learning is isolated to just garbage in/garbage out. It's far more nuanced than that. Some human actually has to determine what is considered garbage in and what is not. It only takes a very small amount of data to completely corrupt and ruin machine learning data. This knowledge of small infection can spread and corrupt all of the data and can have political and economic motivations to do just that. We have failures in human intervention. Machine learning can just magnify that at rapid rates. While there are many warning signs that machine learning can fail, and we have the examples to back it up, many argue that competitive environments don't allow us to ignore it. We're in a use it or lose it scenario. Even when you're aware of the pitfalls, you may have no choice but to utilize machine learning to accelerate development and/or innovation.

22. All Aboard the 5G Paranoia Train
http://davidspark.libsyn.com/a... download (audio/mpeg, 42.25Mb)

Description:

The direct link to this episode (https://cisoseries.com/all-aboard-the-5g-paranoia-train/)

We're getting excited and stressed out about the impending 5G network that appears will control our lives and all our cities. Will it be as exciting, productive, and lacking of security protocols as we expect? We discuss that and more on this week's episode of CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Bruce Schneier (@schneiersblog), book author, lecturer at Harvard Kennedy School, and prolific blogger at Schneider on Security.

Thanks to this week's sponsor, Chronicle, makers of Backstory

Chronicle’s Backstory is a global security telemetry platform for investigation and threat hunting within your enterprise network. Backstory makes security analytics instant, easy, and cost-effective. Backstory is a specialized, cloud-native security analytics system, built on the core infrastructure that powers Google itself.

On this week's episode

How CISOs are digesting the latest security news

Marsh, an insurance broker, is working with other cyber insurers to identify products and services that will reduce your cyber risk. With their Cyber Catalyst program, they're offering what appears to be some type of Better Business Bureau stamp of approval on solutions that meet their cyber risk standards. What gets us excited and what sets off red flags when we see such an offering?

Why is everybody talking about this now?

Are you scared of 5G yet? You should be. Well, according to our government, we need to be wary of China and Huawei with their rollout of 5G because owning the next-gen network will conceivably own all of commerce, transportation, and heck anything else. In Schneier's new book, Click Here to Kill Everybody, he speaks to how to survive with all our hyper-connected devices. How aggressively is 5G going to exacerbate the issue of cyber-survival?

What's Worse!?

We have a split decision on a scenario that involves a time limit.

Hey, you're a CISO, what's your take on this?

On Schneier's blog, he shared a study that examined whether freelance programmers hired online would write secure code, whether prompted to do it or not. The coders were paid a small pittance and it was unclear if they knew anything about security and surprise. In the end they didn't write secure code. While there are questions about the validity of this study, this does bring up an interesting question: Using a marketplace like Upwork or Freelance.com, how does one go about hiring a freelance coder that can write secure code?

Ask a CISO

Mark Toney of CrowdStrike asked, after the purchase and use of a security tool, does a CISO or CTO do a post-mortem to see if they got what they paid for? Mark wants to know are you looking at what was improved, where it was improved, and by how much it was improved?

 



23. Do You Know the Secret Cybersecurity Handshake?
http://davidspark.libsyn.com/d... download (audio/mpeg, 46.64Mb)

Description:

Direct link for episode on blog (https://cisoseries.com/do-you-know-the-secret-cybersecurity-handshake/)

We get the feeling that as we're adding more solutions and requiring more certificates, we're just making the problem of security harder and harder. Has the problem of not enough talent become an issue that we created? We discuss that and more on this week's episode of CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Taylor Lehmann (@BostonCyberGuy), CISO, Wellforce.

Thanks to this week's sponsor, Chronicle, makers of Backstory

Chronicle’s Backstory is a global security telemetry platform for investigation and threat hunting within your enterprise network. Backstory makes security analytics instant, easy, and cost-effective. Backstory is a specialized, cloud-native security analytics system, built on the core infrastructure that powers Google itself.

On this week's episode

How CISOs are digesting the latest security news

The Hill reports, "A Democrat on the House Intelligence Committee introduced a bill on Wednesday that would require publicly traded companies to disclose to investors whether any members of their board of directors have cybersecurity expertise."

The Cybersecurity Disclosure Act of 2019, would require the SEC to issue a new set of rules requiring U.S. companies to tell their investors whether they have someone who has cyber expertise on their board. If they don't, they must explain to their investors why this is the case."

Will such a measure pass and if not, what is the best action here to insure some level of cybersecurity confidence?

Why is everybody talking about this now?

On a recent episode of the podcast we talked about swapping out the word "security" for "safety." Chris Roberts of Attivo Networks brought this topic up and he says if we change the conversation more people will care. How does the viewpoint of security change when you're talking about safety? How does behavior change?

What's Worse?!

I can't believe it's taken me this long to ask this question.

Hey, you're a CISO, what's your take on this?

Once you connect a device to the Internet and trade information, you're now a potential attack vector. And if your device is critical for maintaining life, like automobiles and medical devices, vulnerabilities no longer become a case of losing data, but of losing lives. Medical device manufacturers are rarely experts at software development, let alone cybersecurity. Vulnerabilities happen all the time. What is and isn't working with the reporting, alerting, and fixing of device vulnerabilities?

Ask a CISO

Could the talent gap be a self-fulfilling prophecy or at the very least an avoidable consequence of security’s red hot growth," asked Sam Curry, CSO at Cybereason, on Forbes. "What started as an esoteric field is becoming even more arcane as we grow." Curry offered some suggestions on where to improve situations to improve the complexity of security. Are fixing these issues harder than fixing security?

 



24. If At First You Don't Succeed, There's Always Blackmail
http://davidspark.libsyn.com/i... download (audio/mpeg, 39.77Mb)

Description:

Direct link for episode on blog (https://cisoseries.com/if-at-first-you-dont-succeed-theres-always-blackmail/)

We note that blackmail has become an option even in cybersecurity sales. It appears some vendors have become so desperate that they've resorted to borderline criminal activity.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Branden Newman, CISO for Adidas.

Thanks to this week's sponsor, Logicgate

LogicGate is an agile GRC process automation platform that combines powerful functionality with an intuitive design to enhance enterprise governance, risk, and compliance programs. With our prebuilt process templates, organizations quickly and efficiently operationalize their GRC activities without requiring support from consultants or corporate IT.

On this week's episode

How CISOs are digesting the latest security news

CNBC published a piece about security vendors being so desperate for meetings with CISOs that they've resorted to blackmail. They see a breach, even if it's not holding any critical or personal data, and they threaten to take it to the press if the CISO doesn't meet with them and/or let them fix it. Has this happened to our CISOs and if so, what did they do?

Why is everybody talking about this now?

We talk about the basics a lot on this show, but I'm getting the sense that the industry is finally taking it seriously. We saw evidence at RSA with 60% of the content being focused on fundamentals. And CISOs at major companies not touting the latest threats, but getting back to basics. We've talked a lot about this issue on the show. How else can the industry turn the focus about getting back to basics?

What's Worse?!

I challenge the CISOs once again on what is probably the shortest What's Worse?! question.

Hey, you're a CISO, what's your take on this?'

The horror of the badge scanner. Chad Loder, CEO of Habitu8, posted that he never uses badge scanners because "There's nothing worse than talking to someone only to have them ask, 'Mind if I scan you?' - it reinforces the idea that the goal of this human interaction is to ensure you're added to a list." The goals of attendees (learning and valuable conversations) are not coinciding with the goals of vendors (more scans for follow up cold calls and marketing). What is the ideal booth experience for a security professional?

BTW, I wrote a book on how to engage at a trade show entitled Three Feet from Seven Figures: One-on-One Engagement Techniques to Qualify More Leads at Trade Shows. Check it out at http://threefeetbook.com

Ask a CISO

Jeremiah Grossman, CEO of Bit Discovery, and a former guest, asked this question on Twiter which caused a flurry of discussion: "In InfoSec we often hear, 'Why don’t organizations just do or fix … X?' As a thought exercise, ask the opposite. 'Why should businesses do or fix… X?,' and do so in dollars and cents terms.It’s often surprisingly difficult." Is it possible to calculate this formula?



25. When Abusing Our Privacy, Does Size Matter?
http://davidspark.libsyn.com/w... download (audio/mpeg, 46.94Mb)

Description:

Do the biggest tech companies abuse our privacy because they have no competitive incentive to protect it? That debate and more on the latest episode of CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Emilio Escobar (@eaescob), head of information security for Hulu.

Endgame makes military-grade protection as easy as anti-virus. Their converged endpoint security platform is transforming security programs – their people, processes and technology – with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com.

On this episode

Why is everybody talking about this now?

Why can't security vendors get CRM right? One week after RSA I have received cold phone calls and emails from companies for which I"m already engaging with multiple people at said company, some I've actually interviewed their CEOs, actually worked for the company, and/or they've sponsored this very podcast. Other industries use their CRM. Why does it appear en masse the cybersecurity industry is failing at basic CRM?

How CISOs are digesting the latest security news

Massachusetts Senator Elizabeth Warren wrote an opinion piece on Medium saying that if elected President her administration would seek to breakup Amazon, Facebook, and Google. She cited them as monopolies squashing innovation and competition and damaging our privacy for their profit. She said, "With fewer competitors entering the market, the big tech companies do not have to compete as aggressively in key areas like protecting our privacy."

What's Worse!?

What's the best kind of CISO to have?

What's a CISO to do?

Last year at Black Hat I produced a video where I asked attendees, "Should DevOps and security be in couples counseling?" Everyone said yes. Are security leaders taking on the role of couples counselor as they try to get security and DevOps working together?

What do you think of this pitch?

We've got two pitches for the show and the second one has a response that veers into insulting.

 



26. We’re Releasing Security Studies of Made Up Numbers
http://davidspark.libsyn.com/w... download (audio/mpeg, 38.57Mb)

Description:

Since no one ever checks a research study's methodology, why not just make up all the numbers? You're in the risk analysis business, right? Chances are very good they'll never check and research studies are a great way to get free press.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Melody Hildebrandt (@mhil1), CISO of FOX.

Thanks to this week's sponsors, Axonius and New Context.

New Context helps fortune 500s build secure and compliant data platforms. New Context created “Lean Security”, a set of best practices designed to help enterprises manage and secure data for critical infrastructure, and offers professional services and a software solution, LS/IQ, to help enterprises build a secure and compliant data platforms for their business.

Huge congrats to Axonius for their two big wins at RSA this year. They were named Rookie Security Company of the Year by SC Media and they also won top prize at RSA’s Innovation Sandbox. They’ve been touted as the company trying to solve the least sexy part of cybersecurity, asset management. Go to Axonius’ site to learn more.

On this episode

Ask a CISO

It’s been reported many times, that the average life of a CISO is 18 months and Mike Johnson lasted 18 months at Lyft. At the time of Mike’s departure so many people were forwarding me articles regarding the stress level of CISOs, most notably around Nominet’s study that claimed that about 1 in 5 CISOs turn to alcohol or self-medicating. With two CISOs on the panel we discuss if this was the most high-pressured job they had and would you be eager and willing to jump back into the CISO role again.

Why is everybody talking about this now?

Couple weeks ago I wrote an article entitled “30 Security Behaviors that Set Off a CISO’s BS Detector.” There was quite a response from the community to this. Now that we’ve just finished RSA, did our CISOs see or hear anything that set off their BS detectors.

What’s Worse?!

We play two rounds of “What’s Worse?!” Both rounds are cases of employees putting security in very compromising positions.

What’s a CISO to do?

When we talk about security we’re often talking about protecting customer and employee data. While all companies have intellectual property they need to protect, at FOX, Melody Hildebrandt is having to deal with some very high profile individual assets that are of interest to many hackers. What are the factors a CISO must consider, that most security people probably aren’t thinking about, when you’re trying to secure a single media asset that’s worth hundreds of millions of dollars?

What do you think of this pitch?

After you hear this pitch, every security professional may be out of a job. Tip of the hat to Christopher Stealey of Barclays for providing this pitch he received.

You’re a CISO, what’s your take on this?

Ameer Shihadeh of Varonis asks a question of trying to overcome the objection from a security professional that they don’t have any security initiatives or projects.

And now this…

We field questions from our audience for the CISOs.



27. A Pesticide-Free Podcast Made with 'All Natural' Intelligence
http://davidspark.libsyn.com/a... download (audio/mpeg, 40.56Mb)

Description:

We eschew those cybersecurity firms touting claims of artificial intelligence for our organic conversation-based approach to podcasting.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Mike Wiacek (@Mikewiacek), co-founder and CSO for Chronicle.

Thanks to this week's sponsor, Chronicle

Chronicle’s Backstory is a global security telemetry platform for investigation and threat hunting within your enterprise network. Backstory makes security analytics instant, easy, and cost-effective. Backstory is a specialized, cloud-native security analytics system, built on the core infrastructure that powers Google itself.

On this episode

What's a CISO to do?

As we brace for RSA this week, we expect most companies on the floor will be touting some form of artificial intelligence or machine learning. CISOs are no longer even slightly moved by those terms. What should vendors be saying? And what should a savvy security shopper demand to know about a company's AI or ML?

Why is everybody talking about this now?

Allan Alford, CISO of Mitel, and my co-host on the other CISO Series podcast, Defense in Depth, created a very funny "Cybersecurity Startup Name & Mission Generator!" chart that got a lot of response. We've seen a lot of these name generators, but this one seemed creepily too real. We discuss InfoSec company names and how not to let your eyes glaze over as you walk the trade show floor.

What's Worse?!

How do you feel when big security companies acquire smaller security companies?

Please, enough. No, more.

This week's topic is "threat hunting." We talk about what we've heard enough of on "threat hunting," and what we'd like to hear a lot more.

What's a CISO to do?

A great challenge question from an anonymous source: "My users learned security from the evening news. Now I can't see their traffic due to their VPN tunnel and they are using programs that delete evidence to be more secure." What's a CISO to do?



28. You Get a Private Network! You Get a Private Network!
http://davidspark.libsyn.com/y... download (audio/mpeg, 44.97Mb)

Description:

CISO/Security Vendor Relationship Podcast and series is available at CISOSeries.com.

We're giving away private networks to everybody. Even if you think you don't need one, you want one. It's all on this week's episode of CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Francis Dinha, CEO of OpenVPN.

Thanks to this week's sponsor, OpenVPN

Create an economical and secure private network for your company with OpenVPN. Used by Fortune 500 companies and IT, Access Server keeps your internal data safe with end-to-end encryption, secure remote access, and extension for your centralized unified threat management. Go to openvpn.net/ciso-series to test drive Access Server for free.

On this episode

What's a CISO to do?

A few years back I interviewed Francis Dinha about hiring talent. Dinha had the fortune to be able to mine his own community of people of open source volunteers. It's become a great resource for hiring talent. Finding those passionate communities are key for finding talent. We discuss other possible resources and why it's critical or maybe not critical to hire people who've contributed to the open source community.

Why is everybody talking about this now?

Given the number of default passwords being used and connected devices with little to no security, does achieving "zero trust" have to be the InfoSec equivalent of climbing Mt. Everest? We discuss simplifying security architecture so achieving "zero trust" isn't a badge of honor but rather something everybody can easily do.

"What's Worse?!"

Another round where we debate an open source conundrum.

Please, enough. No, more.

What have we heard enough with VPNs and what would we like to hear a lot more?

Let's dig a little deeper

John Prokap, CISO of HarperCollins, said on our live NYC recording, "If you patch your systems, you will have less threats that will hurt you." I posted John's basic security advice as a meme, and it got a flurry of response. My favorite came from Greg Van Der Gaast of CMCG who said, "The fact that this is quote/post-worthy in 2019 boggles my mind." The issue of "why aren't you doing this" came up and people discussed integration issues, hard to keep up, and the fact that patches can often break applications. Is this a cycle that's impossible to break?

 



29. Productivity Tip! Get More Done By Refusing To Do Anything
http://davidspark.libsyn.com/p... download (audio/mpeg, 46.87Mb)

Description:

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com.

We tip our hat to the much maligned "Department of No" for having the foresight to see that refusing service is probably the most efficient and secure response.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is April Wright (@AprilWright), CEO, ArchitectSecurity.org.

Thanks to our sponsor, Endgame

Endgame makes nation-state grade protection as easy as anti-virus. Their converged endpoint security platform is transforming security programs – their people, processes and technology – with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com. Endgame will be at RSA this year in booth 1827 in the south hall.

On this episode

How CISOs are digesting the latest security news

In an effort to improve security before the 2020 Olympic games, the government of Japan will try to hack its own citizens by using default passwords on webcams, routers, and other Internet connected devices. If they break through they will alert the people that their devices are susceptible to attacks. How good or bad is this idea? Will this give way to easy phishing scams?

Why is everybody talking about this now?

Online, Mike brought up the subject of security rockstar culture and specifically pointed this comes from the security staff playing offense vs. the ones playing defense who really need a team behind them to be effective. We look at the difference between a healthy leading voice in security vs. “a look at me” security rockstar.

It’s time to play, “What’s Worse?!”

Two rounds and the first one Mike spends a lot of time debating.

Ask a CISO

Brad Green of ObserveIT asks, “Do CISOs pay attention to competitive market conditions of different vendors?”

Are you aware of what’s going on and what impact do analysts have?

What do you think of this pitch?

Two pitches to critique. Lots of insight.

 



30. We’re 99% Sure Our Malware Protection Will Fail 1% of the Time
http://davidspark.libsyn.com/w... download (audio/mpeg, 60.86Mb)

Description:

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com.

Do you want a security vendor that’s good at protecting you from malware or a vendor that’s honest with you about their failure rates? Whatever happens you’ll take it on the latest episode of CISO/Security Vendor Relationship Podcast recorded live in NYC for the NY Information Security Meetup (@NYInfoSecurity). Thanks for hosting our recording!

This super-sized special episode features drop-in co-host, John Prokap (@JProkap), CISO of HarperCollins Publishers, and our guest Johna Till Johnson (@JohnaTillJohnso), CEO of Nemertes Research.

Check out all the awesome photos from the event.

Context Information Security is a leading technical cyber security consultancy, with over 20 years of experience and offices worldwide. Through advanced adversary simulation and penetration testing, we help you answer the question – how effective is my current cyber security strategy against real world attacks?

On this episode

How CISOs are digesting the latest security news

To Facebook, our data in aggregate is very valuable. But to each individual, they view it as essentially worthless as they're happy to give it away to Facebook for $20/month. I don't see this ever changing. Does an employees carelessness with their own privacy affect your corporation's privacy?

Why is everybody talking about this now?

Rich Mason, former CISO at Honeywell posted about the need to change the way we grade malware. He noted that touting 99 percent blocking of malware that allows for one percent failure and network infection is actually a 100 percent failure. It's the classic lying with statistics model. How should we be measuring the effectiveness of malware?

What's Worse?!

We play two rounds trying to determine the worst of bad security behavior.

What's a CISO to do?

A CISO can determine their budget by:

1: Meeting compliance issues or minimum security requirements
2: Being reactionary
3: Reducing business risk
4: Enabling the business

Far too often, vendors have preyed on reactionary and compliance buyers. But the growing trend from most CISOs is the reduction of business risk. How does this change a CISO's budgeting?

Let's dig a little deeper

We bring up "do the basics" repeatedly on this show because it is often the basics, not the APTs, that are the cause of a breach or security failure. Why are the basics so darn hard and why are people failing at them?

What do you think of this pitch?

We've got two pitches for my co-host and guest to critique.

And now this...

We wrap up our live show with lots of questions from the audience.



31. We're Selling Your Data at Unbeatable Prices
http://davidspark.libsyn.com/w... download (audio/mpeg, 42.89Mb)

Description:

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com.

We've got so much data we've got to liquidate. Whatever private information you want - location, purchase history, private messages - we've got it! Call us now before our users realize what we're doing.

Your privacy, unleashed, on the latest episode of CISO/Security Vendor Relationship Podcast.

Create an economical and secure private network for your company with OpenVPN. Used by Fortune 500 companies and IT, Access Server keeps your internal data safe with end-to-end encryption, secure remote access, and extension for your centralized unified threat management. Go to openvpn.net/ciso-series to test drive Access Server for free.  

 

On this episode

Why is everybody talking about this now?

Oh Facebook, not again. Appears they were paying teenagers for the right to snoop on their phone. The most telling part of this story is that this app was activated by clicking a button that said, "Trust." How does Facebook's untrustworthy behavior affect a CISO's ability to maintain trust with their audience?

How are CISOs digesting the latest security news?

From the UK, the Cyber Skills Impact Fund will receive a nice boost of £500,000 to attract more people to cybersecurity, but specifically a diverse workforce. We have talked at great length about the need to have a diverse security staff, and Mike has said on a previous show that not having diversity actually makes you less secure because you fall into "one think." How does a diverse staff change the thinking dynamic of your security team?

It's time to play "What's Worse?!"

We play two rounds of the game. One round is far more challenging than the other.

Ask a CISO

Tip of the hat to Schaefer Marks of ProtectWise for his suggestion about RSA pitching. I'm starting to get RSA meeting requests. They all follow the same format: assuming we're getting ready, and asking if we would like a meeting with a VP, CEO, some expert. We discuss what pre-event pitching we like and don't like.

What do you think of this pitch?

We have two pitches, one that's pretty good, and one that's disastrous.

 



32. We're the Ellen of Cybersecurity Podcasts
http://davidspark.libsyn.com/w... download (audio/mpeg, 62.81Mb)

Description:

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com.

We're comparing ourselves to media you already know in hopes you'll better understand our product and listen to our show. It's our first self-produced live recording of the CISO/Security Vendor Relationship Podcast from San Francisco and it came out awesome.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest for this live show is Andy Steingruebl (@asteingruebl), CSO of Pinterest.

Check out all the awesome photos from our first self-produced live recording.

Thanks to our sponsors

The Synack Crowdsourced Security platform delivers effective penetration testing at scale. Synack uses the world’s top security researchers and AI-enabled technology to find what scanners and regular testing do not. It’s used by US Dept of Defense and leading enterprises for better security. To learn more, go to synack.com.

New Context helps fortune 500s build secure and compliant data platforms. New Context created “Lean Security”, a set of best practices designed to help enterprises manage and secure data for critical infrastructure, and offers professional services and a software solution, LS/IQ, to help enterprises build a secure and compliant data platforms for their business.

 Create an economical and secure private network for your company with OpenVPN. Used by Fortune 500 companies and IT, Access Server keeps your internal data safe with end-to-end encryption, secure remote access, and extension for your centralized unified threat management. Go to openvpn.net/ciso-series to test drive Access Server for free.  

Why is everybody talking about this now?

Chris Roberts with Attivo Networks caused a flurry of discussion when he argued that using the term "security" is meaningless. He said, "There is no such thing as security. There is just a measurement of risk." He went on to say we shouldn't be talking about security risk, but only business risk. Would it be a good idea to change the terminology?

How are CISOs are digesting the latest security news?

France’s data protection regulator, CNIL, issued Google a $57 million fine for failing to comply with its GDPR obligations. Not the first GDPR fine, but it's first big tech giant. And it's not nearly as much as it could have been. But it's the biggest fine so far. Are GDPR fines starting to get real? Will this embolden even more fines?

Hey, you're a CISO, what's your take on this?

On LinkedIn Mike Johnson brought up the discussion of security vendors marketing what they're not. He claimed that this tactic is doomed to fail, and should just stop. Why is it a failed tactic?

It's time to play, "What's Worse?!"

We get a little philosophical in this round of "What's Worse?!"

Um...What do they do?

I read the copy from a vendor's website and the two CISOs try to figure out, "What do they do?"

Ask a CISO

A listener asks, "What are the signs that tell you that a vendor is serious about improving the security of their product?"

How are CISOs are digesting the latest security news?

A caustic attendee to DerbyCon brings down the entire event because the organizers didn't know how to handle his behavior. How can event producers in the security space avoid this happening in the future?

And now this...

We take questions from our audience.

 



33. Introducing Defense in Depth: Security Metrics
http://davidspark.libsyn.com/i... download (audio/mpeg, 23.62Mb)

Description:

Our new podcast, Defense in Depth, is part of the CISO Series network which can be found at CISOSeries.com.

This is a special episode introducing this new podcast. To get more of Defense in Depth, subscribe to the podcast.

What are the most important metrics to measure when building out your security program? One thing we learned on this episode is those metrics change, as your security program matures.

This episode of Defense in Depth is co-hosted by me, David Spark (@dspark), the creator of CISO Seriesand Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is my co-host of the other show, Mike Johnson, CISO of Lyft.

Fluency's correlation and risk scoring technology combined with their approach of using pseudonyms in place of certain PII data greatly facilitates your organization's path towards compliance. Over time, machine learning and artificial intelligence algorithms detect anomalies at an impressive level of scalability. Run Fluency as a standalone or integrate it into your existing SIEM. Learn more by visiting us at booth #4529 at the RSA® Conference 2019.
On this episode of Defense in Depth, you'll learn: There is no golden set of security metrics. Metrics you use to measure your security program this year won't necessarily be the same ones you use next year. Use the NIST model to determine your security program maturity. Unlike B2C, B2B companies can use metrics to build a closer tie between security and the business. Regulations and certifications is one easy way to align security with the business.

34. You're the Expert, You Figure Out Our Software
http://davidspark.libsyn.com/y... download (audio/mpeg, 44.19Mb)

Description:

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com.

We don't have to make our software any simpler to use. You just need to get smart enough to use it. We're all attitude on the latest episode of the CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Mike Nichols (@hmikenichols), VP of product at Endgame.

Endgame makes nation-state grade protection as easy as anti-virus. Their converged endpoint security platform is transforming security programs - their people, processes and technology - with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com. Endgame will be at RSA this year in booth 1827 in the south hall.

On this episode

How CISOs are digesting the latest security news

Is this yet ANOTHER security breach? A massive document of usernames and passwords. These are all available in text files, pretty much for anyone to see. We're not sure, but this may be a collection of usernames and passwords from historical hacks, but it's not clear. Most of us have potentially more than a hundred usernames and passwords. How are we supposed to go through all our accounts and change them all? Can we slap 2FA on top of everything? What should be the best reaction to this kind of news?

Hey, you're a CISO, what's your take on this?'

In the area of user experience, B2B software seems neglected. All the wonderful usability goes to consumer apps, because everybody needs to be able to use them. But B2B software can cut corners and add extra layers for usability because heck, these people are experts, they're hired to do this job. They should know what they're doing. But that type of thinking is hurting the industry as a whole.

What's Worse?!

We've got a scenario of two CISOs with two different companies. Which one has the worst security posture?

Please, Enough. No, More.

Our topic is endpoint protection. We talk about we've heard enough about on endpoint protection, and what we'd like to hear a lot more. Endgame's machine learning engine, Ember, is open source.

What's a CISO to do?

Why is it so difficult to hire InfoSec professionals? Is there not enough skills, not enough people interested, tough to hire diversity, way too competitive environment, or is it the nature of the recruiting industry itself?



35. Get Out! The Data Leak Is Coming from the Inside
http://davidspark.libsyn.com/g... download (audio/mpeg, 37.28Mb)

Description:

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com.

Be afraid. Be very afraid of the latest episode of the CISO/Security Vendor Relationship Podcast where it's possible that 90 percent of your security breaches are coming from within your own company.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Leon Ravenna, CISO, KAR Auction Services.

Synack provides crowdsourced security testing that provides more than older style penetration testing. Instead of using a few researchers who output a final report, Synack uses a globally-sourced crowd of researchers backed by a purpose-built hacking platform. This gives organizations access to security talent that is not available from any one company, and data and insights into the testing process. All Synack security testing is recorded, measured, and analyzed to not only output results like new vulnerabilities and compliance checks, but displays attack patterns and quantities in real-time. By using bug bounties as incentives, researchers are rewarded for the great finds that Synack verifies and shares with its customers. To find out more about the Hacker-Powered Security used by the Internal Revenue Service and many other organizations, go to synack.com.

On this episode

How CISOs are digesting the latest security news

According to a new report from Kroll, "Human Error, Not Hackers, to Blame for Vast Majority of Data Breaches." They report that 2,124 incidents could be attributed to human error, compared to just 292 that were deliberate cyber incidents, They say that's a 75% increase over the past two years but that could be because reporting breaches wasn't mandatory before GDPR. One user commented, these numbers seem to conflict with what the Verizon Breach report says. According to this data it appears a security leader should be spending close to 90 percent of their budget and effort trying to prevent inside data leakage. How would your security plan change if that was your charge?

Hey, you're a CISO, what's your take on this?'

An article and video published last week on this site written and featuring Elliot Lewis, CEO of Encryptics, talks about the need to get cozy with your legal team because when a breach occurs, you're going to need to have possession, custody, and control of your data. If you can't answer those questions you're putting your legal team in a bind. Mike and our guest talk about being able to answer these questions and building relations with the legal team.

It's time to play, "Um... What Do They Do?"

It's a brand new game where I read copy from a vendor's website, and Mike and our guest try to guess, "What do they do?"

What's a CISO to do?

Kip Boyle, past guest, friend of the show, and author of a new book, "Fire Doesn't Innovate," which comes out today asks this question, "Could good cyber risk management be the basis for a competitive differentiator for your business? How?"

Kip's book is available at firedoesntinnovate.com and for the first week it's out it's only $.99 via Kindle.

Ask a CISO

Thomas Torgerson of Blue Cross/Blue Shield of Alabama asks, "How do CISO's feel about presenting webinars or speaking at other events regarding products that they use in their environment?" Are there incentives promoting a vendor solution? Or is it too risky to let threat actors know your security toolsets? 

 



36. Shoving Money Down Security's Bottomless Pit
http://davidspark.libsyn.com/s... download (audio/mpeg, 44.90Mb)

Description:

No matter how much money we shove into security, it never seems to fill up. That's good for vendors. Not so good for buyers of security who don't have a bottomless pit of money to fill the bottomless pit of security.

 

This week's episode is sponsored by Red Canary. Red Canary is a security operations ally to organizations of all sizes. They arm customers with outcome-focused solutions that can be deployed in minutes to quickly identify and shut down adversaries. Follow their blog for access to educational tools and other resources that can help you improve your security program.

Got feedback? Join the conversation on LinkedIn

On this episode

How CISOs are digesting the latest security news

Wayne Rash of eWEEK wrote a piece on what to expect in cybersecurity in 2019. Most of the stuff is more of the same, such as nation state attacks, ransomware, phishing, and assume you're going to get attacked. But, he did bring up some issues that don't get nearly as much discussion. One was cryptomining which is hijacking your cloud instances, encrypting ALL data, moving away from usernames/passwords, and getting a third-party audit. So what's on CISOs' radar in 2019

Why is everybody talking about this now?

Dutch Schwartz of Forcepoint brought up the issue of collaboration. This is not a new topic and we all know that if we don't share information the attackers who do share information will always have leverage. There are obvious privacy and competitive reasons why companies don't share information, but I proposed that if the industry believes collaboration is so important, then it should be a requirement (think GDPR) or we should build incentives (think energy incentives) with a time limit. Is this the right approach? Is the collaboration we're doing already enough?

What's Worse?!

We play yet another round on an issue that really annoys my co-host.

What's a CISO to do?

Thom Langford, CISO of Publicis Groupe, said that cybersecurity should be seen as a long term campaign. And if you keep at it, you will see results. Think anti-smoking or seat belt campaigns. Yet we see more and more companies treating security as a one-off project and not looking at dealing with it in the long term. Could this be more a problem of how we view security in the media?

Ask a CISO

Brijesh Singh, Inspector General of Police, Cyber at Government of Maharashtra said, "A young student asked me a very basic question, isn’t Cybersecurity just a branch of IT? Why should it be treated separately?" It's an awesome question that resulted in a flurry of responses. Is there a difference?

Got feedback? Join the conversation on LinkedIn

 



37. Real Housewives of Cybersecurity
http://davidspark.libsyn.com/r... download (audio/mpeg, 43.89Mb)

Description:

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com.

We're clawing each other's eyes out in the latest episode of the CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Darren Death (@darrendeath), VP of InfoSec, CISO, ASRC Federal.

Special thanks to Virtru for sponsoring this episode. As a reader, I know you’re always worried about your data. That’s why Virtru is providing a free copy of Forrester’s 14-page report on the Future of Data Security and Privacy to readers for a limited time. Click here to grab your copy while it’s still available.

On this episode:

How CISOs are digesting the latest security news

A nasty fight between two security vendors becomes public because one of the CEOs decides to expose the other CEO. But did he really? What's really going on? Thanks to Nathan Burke of Axonius for bringing this story to our attention.

Why is everybody talking about this now?

Is calling someone a "blocker" the most weaponized word in the tech industry? How can this be avoided and what are the scenarios this term comes up?

What's Worse?!

We've got a split decision on this week's question on trust.

What's a CISO to do?

Robert Samuel, CISO, Government of Nova Scotia asks our CISOs, "What does success look like?" How do CISOs define success?

Ask a CISO

Where should an SMB, that may have little to no security team, begin building out its security program?



38. America's Next Top Data Privacy Violator
http://davidspark.libsyn.com/a... download (audio/mpeg, 44.64Mb)

Description:

CISO/Security Vendor Relationship Podcast and Series can be found at CISOSeries.com.

A newly proposed provision in the Consumer Data Protection Act (CDPA) could result in jail time for intentional data privacy violations.

We're not scared. We're still peeping into your digital lives on the latest episode of the CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Will Ackerly, co-founder and CTO of Virtru.

Special thanks to Virtru for sponsoring this episode. As a reader, I know you’re always worried about your data. That’s why Virtru is providing a free copy of Forrester’s 14-page report on the Future of Data Security and Privacy to readers for a limited time. Click here to grab your copy while it’s still available.

On this episode

Why is everybody talking about this now?

Huge fines and massive jail time for intentional violations of data privacy. Do the new provisions in the CDPA go too far or are they just right?

What's a CISO to do?

Listener Bradley Teer of Armor Cloud Security asks, “What’s the scariest moment or event that's ever happened in your career as a security practitioner?"

What's Worse?!

Two listeners, Rick McElroy of Carbon Black and Jamie Leupold of PreVeil asked the same question for this week's game. It's a question Mike knew was eventually going to be asked.

Please, Enough. No, More.

We talk about data privacy in today's segment. Can we get beyond the discussion of GDPR?

Ask a CISO

On a previous episode we talked about the meager adoption of multi-factor authentication. We concluded that it was still too complicated to use. So what's encryption's excuse? Why isn't encryption available and used by all? How does the security paradigm change if everyone is sending encrypted messages?



39. A 'Single Pane of Glass' for Ignoring Vendor Pitches
http://davidspark.libsyn.com/a... download (audio/mpeg, 46.96Mb)

Description:

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com.

Tired of deleting pages of vendor pitches? Wouldn't it be more efficient if  you could see them altogether on one screen so you could simply choose which ones to ignore? We're improving vendor non-engagement efficiency in the latest installment of the CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Chris Castaldo (@charcuteriecoma), sr. director of cybersecurity, 2U.

This episode is sponsored by Vulcan Cyber, your automated vulnerability remediation solution. Put an end to manual-only patch management and reduce vulnerability risk with a cloud-based solution that bridges the vulnerability remediation gap. Automate and orchestrate the vulnerability remediation process with Vulcan Cyber.

Got feedback? Join the conversation on LinkedIn.

On this episode:

Why is everybody talking about this now?

Six months ago Mike Johnson proposed the idea of "Demos for charities" and it got mixed results, but some people took on the challenge from both the practitioner and the vendor side. See how our guest offered up 45 minutes of his time in exchange for a donation to his favorite charity.

What's a CISO to do?

In light of the most recent Marriott breach, Brian Krebs wrote a great thought piece about our new acceptance of "security" and that is we can't count on companies security our data. How do security professionals communicate that to their team and users and still maintain trust?

What's worse?!

This week's challenge comes from William Birchett, Sr. Manager IT Security at City of Fort Worth. Both options are annoying and we have a split decision on what's worse.

First 90 days of a CISO

Tony Dunham of the Professional Development Academy asks how can InfoSec professionals develop the soft skills needed for leadership prior to being put in the pilot seat?

Ask a CISO

We talk about user-centric design and my co-host has some not-so-nice-words for vendors selling a "single pane of glass" solution.

 



40. The Latest Unnecessary Stats on Marginal Security Threats
http://davidspark.libsyn.com/t... download (audio/mpeg, 45.59Mb)

Description:

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com.

If we let you know that 90 percent of break-ins happen because of a little known threat we happen to mitigate, you'd purchase our product, right? Ignore basic security practices as you listen to the latest episode of the CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Yaniv Bar-Dayan, CEO of Vulcan Cyber.

This episode is sponsored by Vulcan Cyber, your automated vulnerability remediation solution. Put an end to manual-only patch management and reduce vulnerability risk with a cloud-based solution that bridges the vulnerability remediation gap. Automate and orchestrate the vulnerability remediation process with Vulcan Cyber.

On this episode:

Why is everybody talking about this now?

How do you reaffirm that dynamic leadership stance so people aren't just responding to the title, but are actually responding to you and the way you're proving your leadership on a day-to-day basis?

Ask a CISO

Why do we keep recommending "go back to security basics"?

What's Worse?!

In honor of our guest, this one is about vulnerability management.

Please, enough! No, more!

What have we heard enough about on vulnerability management and what would we like to hear a lot more?

Ask a vendor

How do security vendors work differently with enterprises vs. smaller and mid-size companies?

 



41. We Turn Our Backs on Cybersecurity Rock Stars
http://davidspark.libsyn.com/w... download (audio/mpeg, 41.41Mb)

Description:

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com.

We're no longer buying their albums because we've had enough of the "can do no wrong" toxic culture of cybersecurity rock stars. On this episode of the CISO/Security Vendor Relationship Podcast we are elevating the little known indie InfoSec professionals.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is independent analyst, Kelly Shortridge (@swagitda_). Follow her musings at Swagitda.

This episode is sponsored by Vulcan Cyber, your automated vulnerability remediation solution. Put an end to manual-only patch management and reduce vulnerability risk with a cloud-based solution that bridges the vulnerability remediation gap. Automate and orchestrate the vulnerability remediation process with Vulcan Cyber.

On this episode:

Why is everybody talking about this now?

We do a health check on where we are in terms of security enabling the business. What have been the greatest strides and where are we falling behind? We reference a post by CISO of Mitel, Allan Alford.

Please, Enough. No, More.

We discuss the phenomenon of cybersecurity rock stars and why their “they can do no wrong” pass is toxic to the industry.

What’s Worse?!

Tip of the hat to Kip Boyle, CEO of Cyber Risk Opportunities for this week’s question.

Ask a CISO

The phenomenon of security buzzwords. When is it actually used to describe a product and when is it used to fill up space in a marketing campaign?

What’s a CISO to do?

We talk about people being the problem in security, but it’s not in the way you think it is.

 



42. We'd Feel Safer if This Legitimate Email Was a Phishing Attack
http://davidspark.libsyn.com/w... download (audio/mpeg, 42.65Mb)

Description:

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com.

Why is our financial institution sending us an email suggesting we click on a link to log into our account? On this episode of the CISO/Security Vendor Relationship Podcast we educate your customers and your marketing department about suspicious looking emails.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Chenxi Wang, managing general partner, Rain Capital.

Special thanks to Virtru for sponsoring this episode. As a reader, I know you’re always worried about your data. That’s why Virtru is providing a free copy of Forrester’s 14-page report on the Future of Data Security and Privacy to readers for a limited time. Click here to grab your copy while it’s still available.

On this episode

Why is everybody talking about this now?

While many security professionals' eyes roll when they hear the word "blockchain," it is currently the second most popular area of security research, according to IDG. What is it about blockchain that VCs and security professionals find so attractive?

Question for the board

What responsibility does the board bear for educating the C-suite about cybersecurity competency? PwC put together a great list of questions the board should be asking regarding cybersecurity competency.

It's time to play "What's Worse?!"

There's a visual attached to this game. Go ahead and look here and tune in to hear the question.

What's a CISO to do?

Our guest, Chenxi Wang, provided some excellent advice for startups on getting on the diversity train early on. If you don't, you'll find it's incredibly hard to build in diversity with an established and non-diverse team.

And now this...

How do VCs play a crucial role in the relationship between buyers and sellers of security products?



43. Is This a Vendor Dinner or an Escape Room?
http://davidspark.libsyn.com/i... download (audio/mpeg, 47.57Mb)

Description:

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com.

Why were we brought to this event? Why can't we leave? I don't think we have enough clues to get out of this vendor meeting. We struggle to remember our safe word in the latest episode of the CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Richard Seiersen (@RichardSeiersen), former CISO of LendingClub.

Enormous thanks to our sponsor this week, Axonius, simple asset management for cybersecurity.

Got feedback? Join the conversation on LinkedIn

On this episode:

Opening

We realize that Mike's comment about burning found USB drives was spot on. According to an experiment conducted by Sophos, about 2/3rds of found USB drives were infected.

What's a CISO to do?

You've been invited to a vendor dinner, but you feel trapped. Where can you go?

We discuss what constitutes a good vendor dinner and which ones make you feel trapped? Here's a link to that Onion article I referenced on the show: "‘First Date Going Really Well,’ Thinks Man Who Hasn't Stopped Talking Yet."

Ask a CISO

Are CISOs swayed when a vendor sells themselves as "market leading?" Could it actually be a detractor? What about the array of current clients? Does that have any impact?

What's Worse?!

Mike Johnson says this could be the most even comparison ever!

How a vendor helped me this week

We talked about an article I released last week, "How to Make a Huge Impact in the Security Community with Zero Marketing," which told the story of building thought leadership and industry influence through open source and related contributions, but not marketing.

Ask a CISO

How quickly is risk being created in your environment and how quickly can you reduce it? More importantly, can you measure that? Our guest, Richard Seiersen, author of the upcoming book, "The Metrics Manifesto: Confronting Security With Data" (Wiley 2019), explains.



44. STAND BACK! We're Plugging In USB Drives We Found on the Ground
http://davidspark.libsyn.com/s... download (audio/mpeg, 45.41Mb)

Description:

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com.

We gear up in HAZMAT suits and get ready for some dangerous USB drive analysis. We're taking all precautions on the latest episode of the CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Dean Sysman (@DeanSysman), CEO of Axonius.

Enormous thanks to our sponsor this week, Axonius, simple asset management for cybersecurity.

On this episode:

Opening

We talked about how the history of the Enigma machine speaks volumes to how users react when they're forced to use a way too complicated security solution. They will find ways to simplify even if means weakening the overall security. Learn more from Mark Baldwin, Dr. Enigma.

Why is everyone talking about this now?

I challenged Mike and Dean to this question posed on Quora, "What is the safest way to check the content of a USB stick I found on the ground?"

What's a CISO to do?

Traditionally, CISOs rise through the ranks as security practitioners and slowly learn the business. But what if you're a CISO that never held the title of practitioner, but is very well versed in the business. How is selling to that type of a CISO different?

What's Worse?!

Mike and Dean are challenged with two horrible scenarios in asset management. Both are very risky, it's just one will probably result in a breach faster than the other.

Please, Enough. No, More!

We talk about asset management, and what's shocking is there isn't much to complain about in the "Please, Enough" portion of the segment. The reality is it's all "No, More!"

Ask a CISO

Dennis Leber, CISO for Cabinet for Health and Family Services for the Commonwealth in Kentucky asked if traditional sales pitches for the latest and greatest threat are really detracting companies from dealing with the basics of security.



45. We Get to Know Our Bodies and Our Security Program
http://davidspark.libsyn.com/w... download (audio/mpeg, 47.25Mb)

Description:

We're just a bunch of immature teenagers who can't seem to control ourselves or our security program. We're definitely exploring new solutions in the latest episode of the CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guests this week is Michael Makstman, CISO of the City and County of San Francisco.

Enormous thanks to our sponsor this week, Axonius, simple asset management for cybersecurity.

Read the full article on CISOseries.com.



46. Why it’s Critical for CISOs to Proactively Engage with Vendors
http://davidspark.libsyn.com/w... download (audio/mpeg, 25.49Mb)

Description:

This is a bonus episode of the CISO/Security Vendor Relationship Podcast with former guest, Allan Alford, CISO of Mitel, who was also the subject of a story I wrote in September entitled "One CISO's Grand Experiment to to Engage with Security Vendors." At that end of that discussion, Alford and I agreed that I would follow up with him in a month to see how the experiment went. This conversation is that story.

Find the full article here.



47. CHEAT! Best Practices to Win at Monopoly and Security
http://davidspark.libsyn.com/c... download (audio/mpeg, 68.46Mb)

Description:

Check out more at our site CISOseries.com.

We don't play fair and we're not ashamed to admit it. This week's episode of the podcast is super-sized because it was recorded in front of a live audience at the Silicon Valley Code Camp conference held at PayPal in San Jose.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guests this week for the live show were Ahsan Mir (@ahsanmir), CISO, Autodesk and Geoff Belknap (@geoffbelknap), CSO, Slack.

(from left) Geoff Belknap, CSO, Slack, Mike Johnson, CISO, Lyft, Ahsan Mir, CISO, Autodesk, David Spark, Founder, Spark Media Solutions

Special thanks to our sponsor, Electronic Frontier Foundation. Please support their efforts to protect your digital privacy.

On this super-sized episode of the CISO/Security Vendor Relationship Podcast: Ask a CISO

Is cybersecurity an IT problem or not? Do non-security executives pigeon-hole the role of security? Is this an unfair assessment? Is it dangerous to only view InfoSec as an IT problem?

Why is everyone talking about this now?

A hot discussion by Jason Clark of Netskope got everyone discussing why CISOs fail. In general, our panel believes it's a situation of poor alignment with the functions and risk profile of the business.

What game best prepares you for a job in InfoSec?

A few years ago I wrote an article entitled, "What 30 Classic Games Can Teach Us About Security," in which security professionals point to video games, board games, gambling games, and sports as great metaphors and training grounds for a life in security. Our panel debates the value of games as InfoSec teaching tools.

"What's Worse?!"

We play two rounds of the game and we get split decisions! The first round touches upon a major pet peeve Mike Johnson has had since our very first episode.

What's a CISO to do?

Security is often seen as a thankless job. It's though the role of the CISO to make sure everyone knows how awesome their security staff is and what they can do for the rest of the business.

What do you think of this pitch?

We critique another pitch and with this one a CISO does a rewrite that hopefully the security vendor will use.

How do CISOs know they're getting a good deal?

Not only do CISOs need to come up with a security program for the company, but they need to understand whether or not they're getting good price for the security tools they purchase. Do CISOs have a method to actually insure they're getting the best price possible? Do they even care?



48. We Acknowledge We've Received and Are Ignoring Your Support Ticket
http://davidspark.libsyn.com/w... download (audio/mpeg, 46.70Mb)

Description:

Our CISOs don't have much confidence they'll receive any support when they hit the 'Send' button on your web form. 

Check out our NEW SITE: CISOseries.com

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Aaron Peck, CISO of Shutterfly.

Special thanks to our sponsor, ConnecTech, producer of intimate custom executive events for IT professionals.

Executives: Register to be notified when one of their events will be coming to your city.

Vendors: Sponsor one of their events to get meetings with executives that are looking for solutions that your company provides.

On this episode of the CISO/Security Vendor Relationship Podcast: Ask a CISO

What were the turning points that led you to achieve the title of CISO? We've got a shout out to Mike Rothman's book, "The Pragmatic CISO" and the desire to find and solve the toughest most needed security problems.

How a security vendor helped me

CISOs have heard the stories from all the major InfoSec vendors. They're tired of playing second and third fiddler to a vendor's hundreds if not thousands of other clients. While a young startup company, potentially in stealth mode, doesn't necessarily have a track record, they do have eagerness and are willing to make their earliest and first customers extremely happy. This hand-holding-type relationship is very attractive to a CISO.

What's Worse?!

This entry into our weekly game is all about the following two images. There's so much going on in these pictures of a man who has decided to start day trading in public at a local Starbucks. Can you determine what's worse in these two pictures? Our CISOs debate. For more, check out the avid discussion on LinkedIn.

What do you think of this pitch?

Mike delivers probably the most thorough analysis of a vendor pitch I've ever heard on the show.

What's a CISO to do?

Hiring great InfoSec talent is an extreme challenge. Our guest, Aaron Peck, makes an argument for speedy hiring to get value for the company as quickly as possible.



49. How to Help Your Best Employees Leave
http://davidspark.libsyn.com/h... download (audio/mpeg, 49.38Mb)

Description:

In such a hyper-competitive market for security talent, the natural inclination would be to try everything you can to keep your best employees. Unfortunately, even when you do everything right, your best employees just get up and leave. Can you and should you fight it? Or should you go out of your way to make the exit as smooth as possible for your staff? What's the benefit to you when they do leave?

On this episode of the CISO/Security Vendor Relationship Podcast, we discuss:

10-second security tip: Vanity metrics aren't going to create a more secure environment. Pitching the latest crisis: We've talked endlessly about how CISOs don't respond well to fear pitches. Similarly, salespeople need to understand that CISOs are aware of last week's Facebook hack. Don't bring the news they already know. Provide some insight. Selling the latest APT: If it's a new threat, it's sexy. It may make for great news, but focusing on it doesn't necessarily make for good security. Shouldn't you be starting with the boring basics? Can security basics ever be sexy? We play "What's Worse?!" Listen up security vendors. You're going to want to pay attention to this one. What do you think of this pitch? This week's pitch comes from a CISO. It's not his pitch to us, but a pitch he received. It kind of misses the mark. We explain why. Retaining security talent: We discuss the InfoSec manager's role in retaining security talent. How do you form a relationship that all exits or near exits go as smoothly as possible?

This show, like all the previous ones are hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Justin Berman (@justinmberman), CISO of Zenefits.

Special thanks to our sponsor, SentinelOne, for supporting this episode and the podcast. Learn more about their autonomous endpoint protection.



50. I Wish I Didn't Post That... But I'm Glad I Did
http://davidspark.libsyn.com/i... download (audio/mpeg, 40.69Mb)

Description:

We admit we've posted some rather embarrassing posts on social media. In particular, my co-host, Mike Johnson, talks about a post he initially regretted, but then realized it's what brought all of us together. In fact, it's a post that initiated much of the discussion we're having today about the relationships between CISOs and security vendors.

On this week's episode of the CISO/Security Vendor Relationship Podcast, we discuss:

A CISO that eagerly wants to talk to security vendors: CISO of Mitel, and former guest, Allan Alford sent a shock through the industry when he said he was going to reserve time to actually speak with security vendors. Why was this announcement such a big deal? One CISO and one CTO admit to posts they regret: Turns out posts you wish you didn't write actually shake up the pot so much that they form relations, like the two you hear on this show. We play "What's Worse?!" Possibly our toughest round of the game ever. Hint: think security policies. What Do You Think of This Pitch? Mike and our guest dissect a pitch from a listener. They advise what should be taken out, and what should be put in its place. Ask a CISO: Do CISOs need consultative resellers? When are they valuable? If not now, were they valuable? And as always, we've got launch with a great 10-second security tip.

Today's episode is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Mike D. Kail (@mdkail), CTO of Everest.org.

This episode is sponsored by Thinkst, makers of Canary deception devices. Read how much their customers love their product here. We thank Thinkst for sponsoring this episode of the podcast.



51. Our All White Male Panel Discusses Diversity in Cybersecurity
http://davidspark.libsyn.com/o... download (audio/mpeg, 43.65Mb)

Description:

With absolutely no irony three white men discuss the value of diversity in cybersecurity in the latest episode of CISO/Security Vendor Relationship Podcast. So before you tell me we're three white men talking about diversity, I'm letting you know ahead of time we're three white men talking about diversity. We have no shame!

On this episode of the CISO/Security Vendor Relationship Podcast, we debate the following:

Microsoft Office macros still top the malware attack vector charts: After apparently three decades it appears that MS Office macros are still the attack point of choice of malicious hackers. What legacy nonsense are enterprises still holding onto? What's the real value of diversity? As I readily admitted, our all white male panel confesses that lack of diversity results in group think and unconscious bias. We play a round of "What's Worse?!" This one has to do with budget and there's a split decision! Which one do you think is worse? Please, Enough. No, More. (on endpoint security): There is a very long list of stuff Mike and our guest don't want to hear anymore about with regard to endpoint security. And similarly, there's plenty more they do want to hear about. Listen to know what you should be paying attention to regarding endpoint security. Does complicating security infrastructure make us safer? What's the right balance of security complexity and simplicity to make your environment safer? If you've got more systems and more security applications in place that means you've got more vectors to exploit. Ten second security tip: And as always, we've got a quick security tip so you don't have to listen to more than a minute of the show before you get some value of this podcast.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Tomer Weingarten, CEO, SentinelOne.

Special thanks to our sponsor, SentinelOne, for supporting this episode and the podcast. Learn more about their autonomous endpoint protection.

Catch up on past episodes plus read articles and watch the latest videos from the series at CISOseries.com.



52. Our Latest Product Release Includes Shiny New Security Vulnerabilities
http://davidspark.libsyn.com/o... download (audio/mpeg, 43.36Mb)

Description:

We have an exciting announcement. Our latest version of the podcast is packed with new features and they're riddled with security holes. We know you wanted the features. The security vulnerabilities are just a bonus.

On this episode of the CISO/Security Vendor Relationship Podcast, we discuss:

Cybersecurity burnout: How bad is it? What can be done to mitigate it? And what are the warning signs? All tech professionals have burnout issues, but InfoSec has it toughest because it's very hard for them to get a sense of accomplishment for their work. CISO/Security Vendor Relationship Podcast is making an impact in the vendor community: We hear multiple stories from vendors how the advice from Mike and the guests is really changing the way they reach out to security professionals. Are you willing to release a product with known security vulnerabilities? What if the customer really demands the new feature next week and they're expecting it, but remediation may take much longer. Do you give the customer what they want, or are there other solutions? What's Worse?! We play a round of picking the worse of two evils. This one is all about training your staff. We unleash another pitch on the security professionals: Their response will surprise you as will the outcome of this pitch. Dumb CISO mistakes: This one actually may not be so dumb. It could actually be good advice when it comes to product testing. Ten-second security tip: This one offers up a more holistic view of security that you may have not considered, but definitely should.

Special thanks to Signal Sciences for sponsoring this episode. If you’re using WAFs, make sure you read “Three Ways Legacy WAFs Fail,” by their head of research, James Wickett.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest is Anne Marie Zettlemoyer, a security strategist and independent researcher who is also on the board of directors for SSH.

 



53. Security Made the Mess. They Should Clean It Up.
http://davidspark.libsyn.com/s... download (audio/mpeg, 41.14Mb)

Description:

Security is suffering from a serious Rodney Dangerfield "I get no respect" problem. What has often been seen as the department of "no" is struggling under that brand image. That's probably because security is often seen as an inhibitor rather than an enabler. If InfoSec wants to fix that perception, it'll be their responsibility to dig themselves out.

Here's what you'll hear on the latest episode of the CISO/Security Vendor Relationship Podcast:

Nobody thinks security is their friend: How can security rid itself of this highly negative branding? Be problem solvers vs. problem creators. Techniques to integrate AppSec into the DevOps process: It comes down to measurement, respecting an engineer's time, and learning from the success of one process and putting it into another. Read more great insight by Chris Steipp of Lyft. We play "What's Worse?!" In this episode of the game we question the worst scenario of an encrypted or unencrypted laptop, but with qualifications. Uggh, WAFs are NOT magical boxes: In a round of "Please, Enough. No, More." we challenge the way web application firewalls (WAFs) are being sold. WAFs need to be more friendly and flexible. No one believes you if you sell them as magical boxes that stop all attacks. How can you be a great customer? We turn the tables from "Ask a CISO" to "Ask a Vendor" and ask what it takes to be a great customer. Vendors would like you to ttop kicking the tires and talk about solving real problems. Plus a ten-second security tip: It may be cliche, but if security departments want to be more effective, they should be moving away from blocking to enabling.

Special thanks to Signal Sciences for sponsoring this episode. If you’re using WAFs, make sure you read “Three Ways Legacy WAFs Fail,” by their head of research, James Wickett.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Zane Lackey (@zanelackey), co-founder and CSO for Signal Sciences and author of the new book from O'Reilly, "Building a Modern Security Program."

Sponsor the Podcast

If you'd like to sponsor the podcast, contact David Spark at Spark Media Solutions.



54. BONUS: What's So Awesome About Being a CISO?
http://davidspark.libsyn.com/b... download (audio/mpeg, 6.69Mb)

Description:

This is an extra segment we recorded with Dan Glass, former CISO, American Airlines for our last episode. It didn't make it into the last episode, but I thought it was still worthwhile to release as a short bonus mini episode of only four minutes. As always, the show includes myself, David Spark, founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Enjoy.



55. Job Opportunity: Unqualified AND Underpaid
http://davidspark.libsyn.com/j... download (audio/mpeg, 43.99Mb)

Description:

We spend a good portion of this episode of the CISO/Security Vendor Relationship Podcast mocking unrealistic job listings that ask for too many unnecessary credentials and on top of it aren't willing to pay a fair market rate. Did companies forget that it's a buyers' market right now in security?

On this episode of the podcast we discuss:

The security semantics of "responsibility" vs. "accountability": Which one drives which behavior? And it is possible to try to compel one to the detriment of the other? See Chad Loder's post for more. How do you motivate employees to be concerned about security outside of hammering them with pen tests and fake phishing emails? If it hasn't happened already, those tests to see how secure your environment is may backfire. What can you do to instill secure behavior without testing employees to the point of annoyance? What do you think of this pitch? We get a split decision on a pitch of a company that's operating in a new category. Plus, advice on what never to do in a pitch. Unrealistic expectations for position descriptions: Job descriptions in the security field seem to be getting longer, with more certification requirements, and lower pay. What's going on and do companies who list these types of jobs realize they're only hurting themselves? In a buyers' market you can't just put out an unrealistic job posting to "see who will respond." It will actually damage your brand. Plus, a 10-second security tip (that's a few seconds longer): It's what you should be doing, but probably aren't doing. And a visit from the host of The Cyberwire: Dave Bittner, from The Cyberwire, joins us for a discussion about his daily security tech news show and to tell us about the launch of two more security podcasts.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Dan Glass, former CISO (as of just a couple days ago) of American Airlines.

Special thanks to SpyCloud for sponsoring this episode. Learn more about how you can protect employees and customers from account takeover with SpyCloud.

Contributions. Contributions. Contributions.

I am cranking out a ton more content for not just the podcast, but also the entire series so I am very open and receptive to story ideas, suggestions for segments of the podcast, or anything else. Just connect with me on LinkedIn.

Sponsor the podcast

If you're interested in sponsoring the podcast, contact David Spark at Spark Media Solutions.



56. How CISOs Stay Current When They're Ignoring Vendor Pitches
http://davidspark.libsyn.com/h... download (audio/mpeg, 50.73Mb)

Description:

We promise to keep your identity private while we discuss the troubles of two-factor authentication.

On this episode of the CISO/Security Vendor Relationship Podcast we discuss:

Why don't more people use two-factor authentication? Does the UX still suck? Why can't we agree on a common model for how to authenticate? Will U2F be the saving grace for 2FA? Story on the debate. What are the signs your employees are going rogue? We debate the need to monitor employees this way. Are internal intrusions the same as external? Is monitoring the monitoring devices enough? What are the signs? Discussion on LinkedIn and a recommended book: "Nothing to Hide: The False Tradeoff between Privacy and Security." We play a round of "What's Worse?!" It's the game where we determine which is the worst of two really bad practices. In this case, the CISOs have to choose between two unpleasant marketing practices. How do CISOs balance compliance and security: The two aren't equal, but compliance is a means to prove that you're doing security right. Our guest hits it out of the park with a very clear explanation and also how to use compliance to better market your company. How do CISOs discover new solutions: This might as well be the title of this podcast, but we delve into some unique angles that CISOs are taking as they're avoiding traditional pitches from security vendors. Discussion on LinkedIn. Ten-second security tip touting the value of passphrases: See this cartoon for more.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Allan Alford (@AllanAlfordinTX), CISO, Mitel.

Special thanks to our sponsor, SentinelOne, for supporting this episode and the podcast. Learn more about their autonomous endpoint protection.

Contributions. Contributions. Contributions.

I am cranking out a ton more content for not just the podcast, but also the entire series so I am very open and receptive to story ideas, suggestions for segments of the podcast, or anything else. Just connect with me on LinkedIn.

Sponsor the podcast

If you’re interested in sponsoring the podcast, contact David Spark at Spark Media Solutions.



57. Use Your CRM. CISOs Are Tired of Repeating Themselves.
http://davidspark.libsyn.com/u... download (audio/mpeg, 41.30Mb)

Description:

Just because you have a new salesperson, doesn't mean you have to restart the sales process. If you've been properly entering information into your CRM, you shouldn't have to.

On this episode of the podcast we discuss:

Are you ready for...Black Hat: Techniques to get the most value out of the conference. We've got some really good post-conference suggestions. What do you think of this pitch? We have one of those follow up pitches that just rubs CISOs and security professionals the wrong way. It's time to play, "What's Worse?!" Both host and guest agreed on this one. It's possibly the worst of the worst. Please, Enough. No, More: We discuss account takeover. What we've heard enough on this subject, and what we'd like to hear a lot more. Make sure to read Lyft's article about fingerprinting fraudulent behavior. What's a CISO to do? Beyond blocking and responding, we discuss different tactics for offense and defense against cybercriminals. Which ones are most effective and which ones are ethically and morally wrong? It's time for "Ask a Vendor!" Working off the same model as "Ask a CISO," we turn the tables and security professionals ask questions of vendors. This time, we asked about the use/non-use of CRMs.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Ted Ross (@tedross), CEO, SpyCloud.

Special thanks to SpyCloud for sponsoring this episode. Learn more about how you can protect employees and customers from account takeover with SpyCloud.

Contributions. Contributions. Contributions.

I am cranking out a ton more content for not just the podcast, but also the entire series so I am very open and receptive to story ideas, suggestions for segments of the podcast, or anything else. Just connect with me on LinkedIn.

Listen and Subscribe to the CISO/Security Vendor Relationship Podcast

So many ways to connect and listen to the podcast.

iTunes Google Play Stitcher RSS Feed

58. Ultra Enhanced Deluxe AI with a Drop of Retsyn
http://davidspark.libsyn.com/u... download (audio/mpeg, 41.73Mb)

Description:

Just like so many security products are infused with artificial intelligence, we've also got plenty of meaningless modifiers to describe this podcast.

On this episode we've got:

First 90 Days of a CISO. How do you assess talent already there, and how do you prioritize the new hires you need? Please, Enough! No, More! We delve into the overexposure of AI (artificial intelligence) and machine learning. Are they the same thing? And what do CISOs actually want to hear more about on both of these topics? "What's Worse?!" This is a brand new game where I ask the CISOs to determine which of two really bad security practices is worse. What Do You Think of This Pitch? We've got another vendor pitch that the CISOs critique. Ask a CISO. How are CISOs involved in purchase decisions that are not security related (e.g., cloud, networking, infrastructure).

Special thanks to Signal Sciences for sponsoring this episode. If you're using web application firewalls (WAFs), make sure you read "Three Ways Legacy WAFs Fail" by their head of research, James Wickett.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Dennis Leber (@dennisleber), CISO, Cabinet for Health and Family Services, Commonwealth of Kentucky and the self proclaimed "Most Interesting Man in Information Security."

We Want More of "What's Worse?!"

In this episode, I introduced a new segment, a game called "What's Worse?!" where I introduce two comparably bad security practices and ask the CISOs to debate on which is worse, and why. Fortunately in this episode the CISOs disagreed on both comparisons posed. I'm eager to challenge CISOs with more "What's Worse?!" questions. So if you've got a good one, please contact me here or on LinkedIn.

I'm also interested in:

“Ask a CISO” questions. A vendor pitch you want us to critique. A hot security discussion (please provide a link). A quick security tip. A big industry story and what it means to security professionals.

In all cases, we can mention you and your company name or keep you anonymous. Just let me know which you prefer.

Listen and Subscribe to the CISO/Security Vendor Relationship Podcast

So many ways to connect and listen to the podcast.

iTunes Google Play Stitcher RSS Feed Sponsor the Podcast

If your company would like to sponsor this podcast, please contact David Spark at Spark Media Solutions.



59. How to Choose a Bad Security Product
http://davidspark.libsyn.com/h... download (audio/mpeg, 44.89Mb)

Description:

If I knew more about your current security needs, I'd probably be able to tell you what security product to buy. But that would require me to spend time understanding your needs and this podcast is only 30 minutes long. Instead, we decided to uncover the universal truths of what security product you shouldn't buy.

In this episode of the CISO/Security Vendor Relationship podcast, we uncover failed CISO product purchases plus:

Do temporary dips in hacker attacks change your security posture? What CISOs LOVE to see in their inbox. For this week, we're talking about their favorite reports. What metrics are CISOs following? And what are the metrics CISOs use to determine those metrics? Oh, and are there any metrics CISOs should ignore? Our CISOs digest a vendor pitch. And for "Ask a CISO," we question the value of case studies in print or video form. And as always, we launch the show with a 10-second security tip!

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Randall (Fritz) Frietzsche (@frietzche), CISO, Denver Health, Denver ISSA distinguished fellow, and teaches at Harvard University.

We Want Your Input and Critiques

For every episode we want input from listeners!

Please contact me here or on LinkedIn and send me the following:

“Ask a CISO” question. A vendor pitch you want us to critique. A hot security discussion (please provide a link). A quick security tip. A big industry story and what it means to security professionals.

In all cases, we can or can’t mention you and your company name or keep you anonymous. Just let me know what you want.

Listen and Subscribe to the CISO/Security Vendor Relationship Podcast

So many ways to connect and listen to the podcast.

iTunes Google Play Stitcher RSS Feed

Sponsor the Podcast

If your company would like to sponsor this podcast, please contact David Spark at Spark Media Solutions.

 



60. We Have the Silver Bullet for BS Detection
http://davidspark.libsyn.com/w... download (audio/mpeg, 46.83Mb)

Description:

We're fed up with vendors who think they can detect any breach, but we're not fed up with breach detection.

On this week's episode:

Are millennials excited or not excited about working in security? Supposedly, nine percent of all millennials are interested in a job of security. Is that good news/bad news/misrepresented news? (Read the story) Haroon Meer's amazingly open story of the money Thinkst spent at RSA 2018. Was it worth it? Great advice for anyone else sponsoring a big tech conference. (Read the story) Are you sponsoring Black Hat or another big tech conference? Pick up my book, Three Feet from Seven Figures: One-on-One Engagement Techniques to Qualify More Leads at Trade Shows. We talk about breach detection and the use of deception devices. When a breach happens, should you or shouldn't you blame the victim? How should security sales managers pump up their team for sales? Is letting people know that they're the only ones to fix their customers' problems the right tactic?

This episode is sponsored by Thinkst, makers of Canary deception devices. Read how much their customers love their product here.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Haroon Meer (@haroonmeer), founder and researcher of Thinkst.

We Want Your Input and Critiques

For every episode we want input from listeners!

Please contact me here or on LinkedIn and send me the following:

“Ask a CISO” question. A vendor pitch you want us to critique. A hot security discussion (please provide a link). A quick security tip. A big industry story and what it means to security professionals.

In all cases, we can or can’t mention you and your company name or keep you anonymous. Just let me know what you want.

Listen and Subscribe to the CISO/Security Vendor Relationship Podcast

So many ways to connect and listen to the podcast.

iTunes Google Play Stitcher RSS Feed Sponsor the Podcast

If your company would like to sponsor this podcast, please contact David Spark at Spark Media Solutions.



61. Is Password2 More Secure Than Password1?
http://davidspark.libsyn.com/i... download (audio/mpeg, 42.96Mb)

Description:

Are you managing your passwords the same today as you did five years ago? On this episode of the CISO/Security Vendor Relationship podcast, we discuss the changing landscape of what we once thought were best practices, but aren't anymore.

On this episode:

Which CEOs are more fatalistic about inevitability of cyber attacks Explaining cyber risks to the board Reappropriating the word "hacker." My cartoon that spurned a debate and Rick McElroy of Carbon Black's discussion on LinkedIn. What we're no longer advising you do with your passwords. Do cold calls and emails ever work? What are CISO's biggest organizational roadblocks? All that and a ten-second security tip.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Maxime Rousseau (@maxrousseau), CISO, Personal Capital.

We Want Your Input and Critiques

For every episode we want input from listeners!

Please contact me here or on LinkedIn and send me the following:

“Ask a CISO” question. A vendor pitch you want us to critique. A hot security discussion (please provide a link). A quick security tip. A big industry story and what it means to security professionals.

In all cases, we can or can’t mention you and your company name or keep you anonymous. Just let me know what you want.

Listen and Subscribe to the CISO/Security Vendor Relationship Podcast

So many ways to connect and listen to the podcast.

iTunes Google Play Stitcher RSS Feed Sponsor the Podcast

If your company would like to sponsor this podcast, please contact David Spark at Spark Media Solutions.



62. Stop Asking CISOs if They Care about Security
http://davidspark.libsyn.com/s... download (audio/mpeg, 38.32Mb)

Description:

Want to get under a CISO's skin? Ask them if they have a concern for security in their environment. It's like asking a chef if they're concerned about preparing food. In this week's episode of the CISO/Security Vendor Relationship Podcast we learn how the following:

Dumbest mistakes you can make as a CISO What to do on day 1 when you're a CISO Why is everyone talking about this now? Questioning a CISO's job interests. Please, Enough. No, More on GDPR. We critique a vendor pitch. And "Ask a CISO."

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Richard Greenberg (@ragreenberg), CISO, LA County Department of Health Services as well as chapter presidents of ISSA and OWASP in Los Angeles.

This episode is sponsored by Signal Sciences. We thank them for their support.

We Want Your Input and Critiques

For every episode we want input from listeners!

Please contact me here or on LinkedIn and send me the following:

“Ask a CISO” question. A vendor pitch you want us to critique. A hot security discussion (please provide a link). A quick security tip. A big industry story and what it means to security professionals.

In all cases, we can or can’t mention you and your company name or keep you anonymous. Just let me know what you want.

Listen and Subscribe to the CISO/Security Vendor Relationship Podcast

So many ways to connect and listen to the podcast.

iTunes Google Play Stitcher RSS Feed Sponsor the Podcast

If your company would like to sponsor this podcast, please contact David Spark at http://www.sparkmediasolutions.com/contact/Spark Media Solutions.



63. Katy Perry Recommends Two-Factor Authentication
http://davidspark.libsyn.com/k... download (audio/mpeg, 40.86Mb)

Description:

Did Katy Perry provide sound security advice, or didn’t she? You’ll have to listen to the latest episode of the CISO/Security Vendor Relationship Podcast to find out. In this episode:

A Third of UK Organizations Have Sacked Employees for Data Breach Negligence Younger Employees Identified as ‘Main Culprits’ of Security Breaches Who has your CEO’s credentials? – by Robert Herjavec, one of the sharks on “Shark Tank” NEW Segment: Please, Enough. No, More. This week we talk about identity management What do you think of this pitch? A pitch from Cobalt Ask a CISO. How many tools in your suite? Are you worried about integration?

  As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Richard Rushing (@secrich), CISO, Motorola Mobility. The written content for this podcast was first published on Security Boulevard.



64. Your ‘Go-To Source’ for Unnecessary Cyber Terror Alerts
http://davidspark.libsyn.com/y... download (audio/mpeg, 27.49Mb)

Description:

On this week’s episode of the CISO/Security Vendor Relationship podcast we ask, “What good is a security alert if there’s no actionable item?” As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Wendy Nather (@wendynather), director, advisory CISOs, Duo Security.   On this episode, you’ll learn:

Flex your incident response muscles. Does your cybersecurity policy change around high-profile events? What’s the definition of cybersecurity and why do so many people care? How a security vendor helped me a long time ago, but Mike thought about them this week. A couple of vendors submit their pitches for a critique. One is confusing and one is almost perfect. And a couple of “Ask a CISO” questions.

  The written content for this podcast was first published on Security Boulevard.



65. CISOs Don’t Care About Your Funny Sales Pitch
http://davidspark.libsyn.com/c... download (audio/mpeg, 29.30Mb)

Description:

Don’t bother trying to craft a potentially clever, funny and adorable email that you hope will tickle a security practitioner; it’s simply not going to work. When it comes to security pitches, practitioners just want the facts. While humor is appreciated, a cold email pitch is not the time to showcase your creative writing skills. As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions  and Mike Johnson, CISO, Lyft. Our guest this week is Jeremiah Grossman (@jeremiahg), CEO, Bit Discovery.   On this week’s CISO/Security Vendor Relationship podcast, You’ll discover that InfoSec truism and:

10-second security tip (do you have these security controls in place?). The correct pronunciation of CISO (and whether anyone cares). Consumers and activists issuing lawsuits in the name of GDPR and why that’s a good thing for the future of GDPR. The increasing cost of breaches. A new method to get a security practitioner’s time (Is the idea so crazy it will work? Or do we just need more crazy ideas?). How a security vendor helped me this week.

  The written content for this podcast was first published on Security Boulevard.



66. Security Vendors Buy Their First Pack of Condoms
http://davidspark.libsyn.com/s... download (audio/mpeg, 26.50Mb)

Description:

After tackling some dodgy audio issues, we have released the second episode of the CISO/Security Vendor Relationship podcast with our guest Kip Boyle (@KipBoyle), CEO of Cyber Risk Opportunities. Subscribe to Kip’s podcast. As always, the show is hosted by myself, David Spark (@dspark), Founder, Spark Media Solutions and Mike Johnson, CISO, Lyft.   In this episode, “Security Vendors Buy Their First Pack of Condoms”:

10-second security tip. Amazon Alexa hacked or just a failure of the technology? Does rebooting your router help or is it just security theater? Will automation replace entry-level SOC jobs and if so, how do we bring in new security talent? How security vendors helped me this week. Security vendors padding their pitches. Mitigating new risks or getting back to security basics?

  The written content for this podcast was first published on Security Boulevard. Creative Commons photo attribution to Peter Rivera.



67. A Privacy Policy Written in English (Introducing the CISO/Security Vendor Relationship Podcast with Mike Johnson and David Spark)
http://traffic.libsyn.com/davi... download (audio/mpeg, 42.38Mb)

Description:

I’m proud and excited to announce the launch of the CISO/Security Vendor Relationship Podcast based on the series of articles and videos I produced that examine the relationship between security buyers and sellers. That series was heavily inspired by the writings, posts and insane engagement that Mike Johnson, CISO of Lyft, continues to drive on LinkedIn. And what’s even more awesome, Mike agreed to be my co-host! For our first episode, Mike and I invite Dwayne Melançon (@ThatDwayne), CTO, Innovyze.   In this episode we have:

10-second security tips. Tidal claims “breach” when they’re accused of faking streaming numbers Google Chrome switches its “secured” website alert to one of “not secured” Juro introduces a privacy policy that anyone can read. How security vendors helped me this week How to improve your pitch And ASK a CISO

The written content for this podcast was first published on Security Boulevard.