All links and images for this episode can be found on CISO Series (https://cisoseries.com/the-department-of-no-thank-you/)

Just go to the front desk, sign in, and then the receptionist will say “no” in the most polite way possible.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Nina Wyatt, CISO, Sunflower Bank.

Thanks to this week's podcast sponsor, CyberArk.

At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.

On this week's episode

There’s got to be a better way to handle this

The hot new cybersecurity threat is the Coronavirus. Not the virus itself or the possible fake phishing emails connected to it, but our overall fear and its impact on work. According to data from Boardish, there is a 42% increase over baseline in fear of immobility, or staff not being able to operate effectively remotely. To put that number in perspective, phishing and ransomware have each seen an 8% threat increase. I read immobility's huge number to mean companies are simply not prepared for how their staff may need to operate.

What we’ve got here is failure to communicate

What's the best way to say 'no' to a vendor? This was a question that was asked of me by Eric Gauthier, CISO at Scout Exchange. He wants to say no because his cloud business has no need for certain services, and he doesn't want to be rude, but just saying no doesn't seem to work. What are the most successful techniques of saying no to a security vendor? And what different kinds of "no" are there?

"What's Worse?!"

A tough decision on a company built on acquisitions.

Walk a mile in this CISO’s shoes

For many CISOs, there is a "What's Next?" as they don't necessarily expect "CISO" to be their final resting place professionally. Gary Hayslip, a CISO for Softbank Investment Advisers and frequent guest, wrote on both LinkedIn and Peerlyst about next steps for CISOs who want to move out of the role. The recommendations were other C-level positions, going independent, and starting a new company.

On January 2 of this year, parking meters in New York City stopped accepting credit and parking cards. At fault? Security software that had expired on the first day of 2020. Reminiscent of Y2K, this draws attention to the next two time-related bugs predicted for 2036 and 2038. The 2038 problem affects 32-bit systems that rely on timecodes that max out on January 19 of that year. A similar rollover is expected in 2036 for Network Time Protocol systems.

In all likelihood, affected systems either have been or will be replaced over the next 18 years, but the dangers still exist, in situations where vulnerable devices remain buried in a legacy system or in cases where advanced calculation of expiry dates are needed, or like New York City, where the upgrade was apparently overlooked.  It serves as a reminder that data security must look to its past while it plans for the future.

More from our sponsor ExtraHop.

Hey, you're a CISO. What's your take on this?

What's the impact of Europe's Right to Be Forgotten (RTFB)? It's been five years and Google has received ~3.2 million requests to delist URLs, from ~502,000 requesters. Forty five percent of those URLs met the criteria for delisting, according to Elie Bursztein, leader of Google's anti-abuse research team. Search engines and media sites hold the greatest responsibility, but what responsibility are companies forced to deal with and do they have the capacity to meet these requests?