CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com.

We're comparing ourselves to media you already know in hopes you'll better understand our product and listen to our show. It's our first self-produced live recording of the CISO/Security Vendor Relationship Podcast from San Francisco and it came out awesome.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest for this live show is Andy Steingruebl (@asteingruebl), CSO of Pinterest.

Check out all the awesome photos from our first self-produced live recording.

Thanks to our sponsors

The Synack Crowdsourced Security platform delivers effective penetration testing at scale. Synack uses the world’s top security researchers and AI-enabled technology to find what scanners and regular testing do not. It’s used by US Dept of Defense and leading enterprises for better security. To learn more, go to synack.com.

New Context helps fortune 500s build secure and compliant data platforms. New Context created “Lean Security”, a set of best practices designed to help enterprises manage and secure data for critical infrastructure, and offers professional services and a software solution, LS/IQ, to help enterprises build a secure and compliant data platforms for their business.

 Create an economical and secure private network for your company with OpenVPN. Used by Fortune 500 companies and IT, Access Server keeps your internal data safe with end-to-end encryption, secure remote access, and extension for your centralized unified threat management. Go to openvpn.net/ciso-series to test drive Access Server for free.  

Why is everybody talking about this now?

Chris Roberts with Attivo Networks caused a flurry of discussion when he argued that using the term "security" is meaningless. He said, "There is no such thing as security. There is just a measurement of risk." He went on to say we shouldn't be talking about security risk, but only business risk. Would it be a good idea to change the terminology?

How are CISOs are digesting the latest security news?

France’s data protection regulator, CNIL, issued Google a $57 million fine for failing to comply with its GDPR obligations. Not the first GDPR fine, but it's first big tech giant. And it's not nearly as much as it could have been. But it's the biggest fine so far. Are GDPR fines starting to get real? Will this embolden even more fines?

Hey, you're a CISO, what's your take on this?

On LinkedIn Mike Johnson brought up the discussion of security vendors marketing what they're not. He claimed that this tactic is doomed to fail, and should just stop. Why is it a failed tactic?

It's time to play, "What's Worse?!"

We get a little philosophical in this round of "What's Worse?!"

Um...What do they do?

I read the copy from a vendor's website and the two CISOs try to figure out, "What do they do?"

Ask a CISO

A listener asks, "What are the signs that tell you that a vendor is serious about improving the security of their product?"

How are CISOs are digesting the latest security news?

A caustic attendee to DerbyCon brings down the entire event because the organizers didn't know how to handle his behavior. How can event producers in the security space avoid this happening in the future?

And now this...

We take questions from our audience.

Our new podcast, Defense in Depth, is part of the CISO Series network which can be found at CISOSeries.com.

This is a special episode introducing this new podcast. To get more of Defense in Depth, subscribe to the podcast.

What are the most important metrics to measure when building out your security program? One thing we learned on this episode is those metrics change, as your security program matures.

This episode of Defense in Depth is co-hosted by me, David Spark (@dspark), the creator of CISO Seriesand Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is my co-host of the other show, Mike Johnson, CISO of Lyft.

On this episode of Defense in Depth, you'll learn:

• There is no golden set of security metrics.
• Metrics you use to measure your security program this year won't necessarily be the same ones you use next year.
• Use the NIST model to determine your security program maturity.
• Unlike B2C, B2B companies can use metrics to build a closer tie between security and the business.
• Regulations and certifications is one easy way to align security with the business.

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com.

We don't have to make our software any simpler to use. You just need to get smart enough to use it. We're all attitude on the latest episode of the CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Mike Nichols (@hmikenichols), VP of product at Endgame.

Endgame makes nation-state grade protection as easy as anti-virus. Their converged endpoint security platform is transforming security programs - their people, processes and technology - with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com. Endgame will be at RSA this year in booth 1827 in the south hall.

On this episode

How CISOs are digesting the latest security news

Is this yet ANOTHER security breach? A massive document of usernames and passwords. These are all available in text files, pretty much for anyone to see. We're not sure, but this may be a collection of usernames and passwords from historical hacks, but it's not clear. Most of us have potentially more than a hundred usernames and passwords. How are we supposed to go through all our accounts and change them all? Can we slap 2FA on top of everything? What should be the best reaction to this kind of news?

Hey, you're a CISO, what's your take on this?'

In the area of user experience, B2B software seems neglected. All the wonderful usability goes to consumer apps, because everybody needs to be able to use them. But B2B software can cut corners and add extra layers for usability because heck, these people are experts, they're hired to do this job. They should know what they're doing. But that type of thinking is hurting the industry as a whole.

What's Worse?!

We've got a scenario of two CISOs with two different companies. Which one has the worst security posture?

Please, Enough. No, More.

Our topic is endpoint protection. We talk about we've heard enough about on endpoint protection, and what we'd like to hear a lot more. Endgame's machine learning engine, Ember, is open source.

What's a CISO to do?

Why is it so difficult to hire InfoSec professionals? Is there not enough skills, not enough people interested, tough to hire diversity, way too competitive environment, or is it the nature of the recruiting industry itself?

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com.

Be afraid. Be very afraid of the latest episode of the CISO/Security Vendor Relationship Podcast where it's possible that 90 percent of your security breaches are coming from within your own company.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Leon Ravenna, CISO, KAR Auction Services.

Synack provides crowdsourced security testing that provides more than older style penetration testing. Instead of using a few researchers who output a final report, Synack uses a globally-sourced crowd of researchers backed by a purpose-built hacking platform. This gives organizations access to security talent that is not available from any one company, and data and insights into the testing process. All Synack security testing is recorded, measured, and analyzed to not only output results like new vulnerabilities and compliance checks, but displays attack patterns and quantities in real-time. By using bug bounties as incentives, researchers are rewarded for the great finds that Synack verifies and shares with its customers. To find out more about the Hacker-Powered Security used by the Internal Revenue Service and many other organizations, go to synack.com.

On this episode

How CISOs are digesting the latest security news

According to a new report from Kroll, "Human Error, Not Hackers, to Blame for Vast Majority of Data Breaches." They report that 2,124 incidents could be attributed to human error, compared to just 292 that were deliberate cyber incidents, They say that's a 75% increase over the past two years but that could be because reporting breaches wasn't mandatory before GDPR. One user commented, these numbers seem to conflict with what the Verizon Breach report says. According to this data it appears a security leader should be spending close to 90 percent of their budget and effort trying to prevent inside data leakage. How would your security plan change if that was your charge?

Hey, you're a CISO, what's your take on this?'

An article and video published last week on this site written and featuring Elliot Lewis, CEO of Encryptics, talks about the need to get cozy with your legal team because when a breach occurs, you're going to need to have possession, custody, and control of your data. If you can't answer those questions you're putting your legal team in a bind. Mike and our guest talk about being able to answer these questions and building relations with the legal team.

It's time to play, "Um... What Do They Do?"

It's a brand new game where I read copy from a vendor's website, and Mike and our guest try to guess, "What do they do?"

What's a CISO to do?

Kip Boyle, past guest, friend of the show, and author of a new book, "Fire Doesn't Innovate," which comes out today asks this question, "Could good cyber risk management be the basis for a competitive differentiator for your business? How?"

Kip's book is available at firedoesntinnovate.com and for the first week it's out it's only $.99 via Kindle.

Ask a CISO

Thomas Torgerson of Blue Cross/Blue Shield of Alabama asks, "How do CISO's feel about presenting webinars or speaking at other events regarding products that they use in their environment?" Are there incentives promoting a vendor solution? Or is it too risky to let threat actors know your security toolsets? 

No matter how much money we shove into security, it never seems to fill up. That's good for vendors. Not so good for buyers of security who don't have a bottomless pit of money to fill the bottomless pit of security.

This week's episode is sponsored by Red Canary. Red Canary is a security operations ally to organizations of all sizes. They arm customers with outcome-focused solutions that can be deployed in minutes to quickly identify and shut down adversaries. Follow their blog for access to educational tools and other resources that can help you improve your security program.

Got feedback? Join the conversation on LinkedIn

On this episode

How CISOs are digesting the latest security news

Wayne Rash of eWEEK wrote a piece on what to expect in cybersecurity in 2019. Most of the stuff is more of the same, such as nation state attacks, ransomware, phishing, and assume you're going to get attacked. But, he did bring up some issues that don't get nearly as much discussion. One was cryptomining which is hijacking your cloud instances, encrypting ALL data, moving away from usernames/passwords, and getting a third-party audit. So what's on CISOs' radar in 2019

Why is everybody talking about this now?

Dutch Schwartz of Forcepoint brought up the issue of collaboration. This is not a new topic and we all know that if we don't share information the attackers who do share information will always have leverage. There are obvious privacy and competitive reasons why companies don't share information, but I proposed that if the industry believes collaboration is so important, then it should be a requirement (think GDPR) or we should build incentives (think energy incentives) with a time limit. Is this the right approach? Is the collaboration we're doing already enough?

What's Worse?!

We play yet another round on an issue that really annoys my co-host.

What's a CISO to do?

Thom Langford, CISO of Publicis Groupe, said that cybersecurity should be seen as a long term campaign. And if you keep at it, you will see results. Think anti-smoking or seat belt campaigns. Yet we see more and more companies treating security as a one-off project and not looking at dealing with it in the long term. Could this be more a problem of how we view security in the media?

Ask a CISO

Brijesh Singh, Inspector General of Police, Cyber at Government of Maharashtra said, "A young student asked me a very basic question, isn’t Cybersecurity just a branch of IT? Why should it be treated separately?" It's an awesome question that resulted in a flurry of responses. Is there a difference?

Got feedback? Join the conversation on LinkedIn