CISO Series Podcast
Formerly named CISO/Security Vendor Relationship Podcast. Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.

CISO/Security Vendor Relationship Podcast and series is available at CISOSeries.com.

We're giving away private networks to everybody. Even if you think you don't need one, you want one. It's all on this week's episode of CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson. Our sponsored guest this week is Francis Dinha, CEO of OpenVPN.

Francis Dinha, CEO, OpenVPN

Thanks to this week's sponsor, OpenVPN

OpenVPN

Create an economical and secure private network for your company with OpenVPN. Used by Fortune 500 companies and IT, Access Server keeps your internal data safe with end-to-end encryption, secure remote access, and extension for your centralized unified threat management. Go to openvpn.net/ciso-series to test drive Access Server for free.

On this episode

What's a CISO to do?

A few years back I interviewed Francis Dinha about hiring talent. Dinha had the good fortune of being able to mine his own community of open source volunteers, which has become a great resource for hiring. Finding those passionate communities is key to finding talent. We discuss other possible resources and why it's critical, or maybe not critical, to hire people who've contributed to the open source community.

Why is everybody talking about this now?

Given the number of default passwords being used and connected devices with little to no security, does achieving "zero trust" have to be the InfoSec equivalent of climbing Mt. Everest? We discuss simplifying security architecture so achieving "zero trust" isn't a badge of honor but rather something everybody can easily do.

"What's Worse?!"

Another round where we debate an open source conundrum.

Please, enough. No, more.

What have we heard enough with VPNs and what would we like to hear a lot more?

Let's dig a little deeper

John Prokap, CISO of HarperCollins, said on our live NYC recording, "If you patch your systems, you will have less threats that will hurt you." I posted John's basic security advice as a meme, and it got a flurry of responses. My favorite came from Greg Van Der Gaast of CMCG, who said, "The fact that this is quote/post-worthy in 2019 boggles my mind." The issue of "why aren't you doing this" came up, and people discussed integration issues, the difficulty of keeping up, and the fact that patches can often break applications. Is this a cycle that's impossible to break?


Direct download: CISO_Vendor_2-22-2019_FINAL.mp3
Category:podcast -- posted at: 4:33pm PDT


We tip our hat to the much maligned "Department of No" for having the foresight to see that refusing service is probably the most efficient and secure response.

This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson, CISO of Lyft. Our guest this week is April Wright (@AprilWright), CEO, ArchitectSecurity.org.

Thanks to our sponsor, Endgame

Endgame makes nation-state grade protection as easy as anti-virus. Their converged endpoint security platform is transforming security programs – their people, processes and technology – with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com. Endgame will be at RSA this year in booth 1827 in the south hall.

On this episode

How CISOs are digesting the latest security news

In an effort to improve security before the 2020 Olympic games, the government of Japan will try to hack its own citizens by using default passwords on webcams, routers, and other Internet-connected devices. If they break through, they will alert the owners that their devices are susceptible to attack. How good or bad is this idea? Will it give way to easy phishing scams?

Why is everybody talking about this now?

Online, Mike brought up the subject of security rockstar culture and specifically pointed out that it comes from the security staff playing offense, as opposed to those playing defense, who really need a team behind them to be effective. We look at the difference between a healthy leading voice in security and a "look at me" security rockstar.

It’s time to play, “What’s Worse?!”

Two rounds and the first one Mike spends a lot of time debating.

Ask a CISO

Brad Green of ObserveIT asks, “Do CISOs pay attention to competitive market conditions of different vendors?”

Are you aware of what’s going on and what impact do analysts have?

What do you think of this pitch?

Two pitches to critique. Lots of insight.


Direct download: CISO_Vendor_02-17-2019_FINAL.mp3
Category:podcast -- posted at: 6:55pm PDT


Do you want a security vendor that’s good at protecting you from malware or a vendor that’s honest with you about their failure rates? Whatever happens you’ll take it on the latest episode of CISO/Security Vendor Relationship Podcast recorded live in NYC for the NY Information Security Meetup (@NYInfoSecurity). Thanks for hosting our recording!

This super-sized special episode features drop-in co-host, John Prokap (@JProkap), CISO of HarperCollins Publishers, and our guest Johna Till Johnson (@JohnaTillJohnso), CEO of Nemertes Research.

Check out all the awesome photos from the event.

Context Information Security

Context Information Security is a leading technical cyber security consultancy, with over 20 years of experience and offices worldwide. Through advanced adversary simulation and penetration testing, we help you answer the question – how effective is my current cyber security strategy against real world attacks?

On this episode

How CISOs are digesting the latest security news

To Facebook, our data in aggregate is very valuable. But each individual views their own data as essentially worthless, happily giving it away to Facebook for $20/month. I don't see this ever changing. Does an employee's carelessness with their own privacy affect your corporation's privacy?

Why is everybody talking about this now?

Rich Mason, former CISO at Honeywell, posted about the need to change the way we grade malware protection. He noted that touting 99 percent blocking of malware, which allows for one percent failure and network infection, is actually a 100 percent failure. It's the classic lying-with-statistics model. How should we be measuring the effectiveness of malware defenses?

What's Worse?!

We play two rounds trying to determine the worst of bad security behavior.

What's a CISO to do?

A CISO can determine their budget by:

1: Meeting compliance issues or minimum security requirements
2: Being reactionary
3: Reducing business risk
4: Enabling the business

Far too often, vendors have preyed on reactionary and compliance buyers. But the growing trend from most CISOs is the reduction of business risk. How does this change a CISO's budgeting?

Let's dig a little deeper

We bring up "do the basics" repeatedly on this show because it is often the basics, not the APTs, that are the cause of a breach or security failure. Why are the basics so darn hard and why are people failing at them?

What do you think of this pitch?

We've got two pitches for my co-host and guest to critique.

And now this...

We wrap up our live show with lots of questions from the audience.

Direct download: CISO_Vendor_02-05-19_Live_NYC_FINAL.mp3
Category:podcast -- posted at: 9:32pm PDT


We've got so much data we've got to liquidate. Whatever private information you want - location, purchase history, private messages - we've got it! Call us now before our users realize what we're doing.

Your privacy, unleashed, on the latest episode of CISO/Security Vendor Relationship Podcast.

OpenVPN

Create an economical and secure private network for your company with OpenVPN. Used by Fortune 500 companies and IT, Access Server keeps your internal data safe with end-to-end encryption, secure remote access, and extension for your centralized unified threat management. Go to openvpn.net/ciso-series to test drive Access Server for free.


On this episode

Why is everybody talking about this now?

Oh Facebook, not again. It appears they were paying teenagers for the right to snoop on their phones. The most telling part of this story is that the app was activated by clicking a button that said "Trust." How does Facebook's untrustworthy behavior affect a CISO's ability to maintain trust with their audience?

How are CISOs digesting the latest security news?

From the UK, the Cyber Skills Impact Fund will receive a nice boost of £500,000 to attract more people to cybersecurity, but specifically a diverse workforce. We have talked at great length about the need to have a diverse security staff, and Mike has said on a previous show that not having diversity actually makes you less secure because you fall into "one think." How does a diverse staff change the thinking dynamic of your security team?

It's time to play "What's Worse?!"

We play two rounds of the game. One round is far more challenging than the other.

Ask a CISO

Tip of the hat to Schaefer Marks of ProtectWise for his suggestion about RSA pitching. I'm starting to get RSA meeting requests. They all follow the same format: assuming we're getting ready for the show, and asking if we would like a meeting with a VP, CEO, or some expert. We discuss what pre-event pitching we like and don't like.

What do you think of this pitch?

We have two pitches, one that's pretty good, and one that's disastrous.


Direct download: CISO_Vendor_02-03-2019_FINAL.mp3
Category:podcast -- posted at: 6:16pm PDT