Mon, 20 May 2019
Find all images and links for this episode on CISO Series (https://cisoseries.com/we-unleash-our-military-grade-infosec-bs-detector/)
We're trying to clean up vendor pitches of unnecessary and outrageous claims so they can sail through to a CISO's inbox. It's our service to the cybersecurity community on this week's episode of the CISO/Security Vendor Relationship Podcast.
This show was recorded live in front of an audience of CISOs and security vendors at the San Francisco CISO Executive Summit, hosted by Evanta. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Aaron Peck, CISO, Shutterfly.
Thanks to our podcast sponsors, ExtraHop and Tenable.
Unlike security solutions that focus on signature- and rule-based detection, ExtraHop Reveal(x) helps you rise above the noise of alerts with complete east-west visibility and machine learning for real-time detection of known and unknown threats, plus guided investigations for rapid response. Find and address real threats faster with ExtraHop.
Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization.
On this week's episode
Why is everybody talking about this now?
Last week I was about to install a popular and approved app in the Google Play store that asked if the app could read, copy, download, and DELETE my contacts. Also last week, during Google I/O, Sundar Pichai, Google’s chief executive, touted their focus on privacy. This is not the first time we've heard this from Google or Facebook, which is going to be facing the largest privacy violation in FTC history. Getting access to our behaviors is how Facebook and Google make their money. What would we like to see, not hear, from either Google or Facebook that convinces us that yes, they are doing something significant and proactive about privacy? Maybe they've already done it.
Why is this a bad pitch?
A Twitter thread asked, "What do vendors say that immediately undermines their credibility?"
There were a lot listed, but the ones I saw repeated multiple times were military grade, next-gen, bank-level encryption, full visibility, 100% effective, and single pane of glass.
We have brought up many of these on our show. And while we understand companies are trying to find a short, pithy way to describe their technology, using terms like these can turn a great pitch into an effort to dig out of a hole.
We squeeze in two rounds of this game and our guest tries to dodge the question, but I don't let him.
You're a CISO, what's your take on this?
Brian Fricke, CISO at BBVA Compass, is eager to hear how to successfully reconcile the cloud-driven CapEx to OpEx budget shift. CFOs don't get any depreciation benefit from OpEx, and Brian believes they'd prefer to see CapEx even if it's double the cost. He's struggling. Our CISOs offer up some advice.
How to become a CISO
Jason Clark, CISO of Netskope, wrote an article on Forbes about security mentorship. Mentors are needed to create more security leaders, CISOs, increase interest in security, and teach the ability to talk to the business. All of it centered around one theme of motivating others. What are ways to teach motivation across all these areas?