Mon, 6 May 2019
Check out all links and images for this episode on CISO Series (https://cisoseries.com/our-what-not-to-do-security-selling-secret/)
We're not always clear on what vendors should do when selling security products, but when we get a really bad email pitch, we're very clear on what they should not do. We're bedazzled with bad pitch disbelief on this episode of CISO/Security Vendor Relationship Podcast.
Thanks to this week's sponsor, Women in Security and Privacy (WISP)
Women in Security and Privacy works to advance women in security and privacy. We accomplish this through practical and technical workshops, TANDEM mentorship programs, leadership training, job board postings, Equal Respect speakers bureau, and conference and training scholarships.
On this week's episode
Why is everybody talking about this now?
Facebook is expected to pay somewhere between $3 to $5 billion in FTC fines for violating the 2011 consent decree. They violated user's privacy without giving clear notice or getting clear consent. But, all this financial and reputational damage doesn't seem to do a darn thing to dissuade individuals or investors from Facebook. The site has 2.38 billion active users. It's growing 8% year over year. And after their earnings announcement which mentioned the multi-billion dollar fine, their stock jumped 7%. This doesn't appear to get people to care about security and privacy, So what will?
Hey, you're a CISO, what's your take on this?'
The NSA has announced that no zero day attacks were used in any high profile breach in the last 24 months. Most of the attacks were simple intrusion where they went after users through techniques like phishing or water holing. We talk endlessly on this show about good cyber hygiene, but we have an event coming up, Black Hat, that thrives on showing security professionals the latest attack techniques, which I know are not zero days. But how can security professionals NOT gravitate towards the newest and coolest?
Who needs to control the problem? Security or the business unit?
How to become a CISO
Gary Hayslip, CISO of Webroot, and a former guest on Defense in Depth. He wrote an article to his younger self of what he wish he had known when he started in cybersecurity and then becoming a CISO. I'll ask the two of you to do the same exercise. What is something that you now know that there's no way you would have known starting out but would have made your life a lot easier as you took the climb to become a CISO.
Why is this a bad pitch?
We've got a one-two punch on a bad pitch email that uses self-deprecating humor plus an assumption of business relationship. Ouch.
The importance of developing consistent data protection policies across multiple cloud services
In general, cloud vendors do not take responsibility for the security of your data. So, your policy must take full responsibility for endpoints, networks and cloud environments. Just a few of the must-haves on this list include limiting user’s permissions to only what they absolutely need, strong security practices including multi-factor authentication and password management, enforcing a uniform set of data loss prevention policies, and building a dynamic inventory of applications by the types of data stored, compliance requirements, and potential threats. Policies should be assigned to groups or roles rather than individual people.
In-house IT people are already busy. Their attention and energies might be best served by working with senior management to establish and maintain Multicloud and data loss prevention policies, while leaving the heavy lifting and day-to-day proactive maintenance to a completely reputable as-a-service cloud security vendor.