Tue, 1 October 2019
All links and images for this episode can be found on CISO Series (https://cisoseries.com/mapping-unsolvable-problems-to-unattainable-solutions/)
We're busting out the Cyber Defense Matrix to see what our security program we'll never be able to achieve.
This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week Sounil Yu (@sounilyu), former chief security scientist for Bank of America and creator of the Cyber Defense Matrix.
David Spark, producer, CISO Series, Sounil Yu, creator, Cyber Defense Matrix, Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast
Thanks to this week's podcast sponsor, Zix.
Zix simplifies administration and reporting with a single management interface. Configuring, deploying, and monitoring email security and unified archiving services has never been easier – or faster. ZixSuite combines a cloud-based email threat protection, email encryption, and unified business communications archiving, all backed by Zix’s gold standard 24/7/365 support.
On this week's episode
Why is everybody talking about this now?
Mike asked the LinkedIn community, "What's bad security advice that needs to die?" We had an entire episode of Defense in Depth on this very topic called "Bad Best Practices." The post got nearly 300 responses, so it's obviously something many people are passionate about. Is there a general theme to bad security advice?
The great CISO challenge
Sounil Yu is the creator of a very simple problem-to-solution chart for security professionals called the Cyber Defense Matrix. This simple chart allows a cyber professional to see how their tools, processes, and people are mapped to all different levels of security protection. We discuss the purpose of the matrix and all the real world applications.
We have a real world "What's Worse?!" scenario and Mike and Sounil compete to see if they answered the way the real world scenario actually played out.
Hey, you're a CISO, what's your take on this?
Last week on Defense in Depth we talked about a discussion initiated by Christophe Foulon of ConQuest Federal on cyber resiliency. Some people argued that it should be a security professional's primary focus because its action is in line with the interests of the business. Should a cyber professional shift their focus to resiliency over security? Would that facilitate better alignment with the business?
Exploitable weaknesses measured in decades. Not a comforting thought. But this is a reality that exists in at least two major IT ecosystems. The first is Microsoft and the second is firmware. Teams belonging to Google’s Project Zero have found exploitable security flaws affecting all versions of Windows going back to Windows XP – which presents a logistical nightmare for admins the world over.
Sarah Zatko, Chief Scientist at the Cyber Independent Testing Lab spoke recently at Red Hat and DEF CON in Las Vegas about deficiencies in the security of firmware, including those from companies that manufacture the world’s best-known routers.
More available at CISO Series.
Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.
Ask a CISO
Thanks to Chris Castaldo, CISO at Dataminr, for this post on new research from the firm Marsh and Microsoft. According to the study, half of the respondents didn't consider cyber risk when adopting new tech. A full 11 percent did no due diligence to actually evaluate the risk a new technology may introduce.
Does it take that much effort to understand the basic risks of introducing a new technology? What are some first level research efforts that should be done with any new tech consideration or adoption?