CISO Series Podcast
Formerly named CISO/Security Vendor Relationship Podcast. Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.

Find all the links and images on CISO Series (https://cisoseries.com/were-gonna-run-these-pen-test-exercises-until-you-turn-purple/)

We learn to iterate our security stamina faster by bringing the attackers and defenders in the room together. We're seeing purple on this episode of CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Matt Southworth (@bronx), CISO of Priceline, who was brought to us by our sponsor, Praetorian.

Thanks to this week's sponsor, Praetorian

Praetorian

As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts.

Why is everybody talking about this now?

Senator Elizabeth Warren's proposed bill, the Corporate Executive Accountability Act, would pave the way for criminal charges of executive wrongdoing that leads to some public harm, like a public data breach. Note, there needs to be proof of wrongdoing. This isn't designed to blame victims. Regardless, the cybercommunity lit up on this topic. Warren said that too many executives were walking away free with no penalty while the community were left to suffer. Is this the bill that's needed to put a check on breaches?

Hey, you're a CISO, what's your take on this?

Priceline has been conducting purple team exercises with our sponsor Praetorian. We discuss the value in purple team efforts over all the other alternatives, like pen testing, red team/blue team exercises, and threat hunting reports. Plus, we discuss the cultural benefits of purple team exercises.

What's Worse?!

We get a consensus on a question about asset and risk management.

How to become a CISO

A question from the director of information security at a Fortune 100 company, who wants to know how to make the leap from his position to CISO.

Pay attention, it’s security awareness training time

Dan Lohrmann, CSO of Security Mentor and an upcoming guest on the live podcast we're recording on June 6th in Grand Rapids, Michigan, wrote a very interesting article on Peerlyst about avoiding the punishment angle of security training. He said his number one struggle in education is explaining how important security is at an individual level and getting individuals to understand the impact of their actions. At Priceline, Matt Southworth created a Security Champs program to extend the reach of his security team by training interested non-security coworkers about security. We discuss what this has done to improve culture and security, and to help people understand the impact of their actions.


Two-factor authentication, also called 2FA, is vital, and should be considered the default in online security, not a fancy option.

In short, 2FA means that two separate identifiers are required to gain access to an account. These identifiers should come from: 1.) something only you know, like a complex password, and 2.) something physically separate that belongs to you like a phone that can receive SMS messages, a physical token, a time or location limited message, or something biometric, like a retinal scan or fingerprint.

Currently the SMS message is the most popular "second factor," but security analysts say it is still the weakest option. A better option is to use an approved authenticator app, or to partner with a cybersecurity company that can build one for you.

Direct download: CISO_Vendor_04-24-2019_FINAL.mp3
Category:podcast -- posted at: 7:08pm PDT

This is a special episode of Defense in Depth being shared on this feed. Find the full post with links and images on the CISO Series site here (https://cisoseries.com/defense-in-depth-vulnerability-management/)

So many breaches happen through known vulnerabilities. What is the organizational vulnerability in vulnerability management?

Check out this post and discussion and this one for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is Justin Berman (@justinmberman), CISO for Zenefits.

Vulcan Cyber

Vulcan's vulnerability response automation platform allows enterprises to automate their TVM programs. Vulcan integrates with existing IT, DevOps and security tools to fuse enterprise data with proprietary intelligence, which allows them to accurately and objectively prioritize and remediate vulnerabilities, whether with a patch, a workaround or a compensating control.

On this episode of Defense in Depth, you'll learn:

  • As the CIS 20 concurs, vulnerability management is the first security measure you should take right after asset inventory.
  • Vulnerability management needs to be everyone's issue and managed by all departments.
  • Lots of discussion around vulnerability management being driven by culture which is a very hard concept to define. To get a "vulnerability management culture" look to a combination of awareness and risk management.
  • Vulnerabilities don't get patched and managed without someone taking on ownership. Without that, people are just talking and not doing.
  • Increased visibility across the life cycle of a vulnerability will allow all departments to see the associated risk.
  • Who are the risk owners? Once you can answer that question, you'll be able to assign accountability and responsibility.

Direct download: Defense_in_Depth_VM_with_intro_FINAL.mp3
Category:podcast -- posted at: 8:51pm PDT

Find the full episode of this podcast (with links and images) on the CISO Series site right here: (https://cisoseries.com/im-humbled-to-tell-you-about-my-prestigious-award/)

I'm not exactly sure what "humbling" means, but I'm going to use it to hopefully soften my braggadocio announcement.

We discuss semantics and when it's OK to boast your accomplishments on this week's episode of CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Will Lin (@WilliamLin), partner and co-founder, ForgePoint Capital.

Thanks to this week's sponsor, Praetorian


On this week's episode

How CISOs are digesting the latest security news

In many industries we see VC investments following trends: this is hot and new, let's go and invest in it. A recent story on Forbes spotlights five trends in cybersecurity, which comes off as catnip for VCs, or at least for those looking for investments in those spaces. Is trend hopping a lucrative way to succeed with cybersecurity investments?

Why is everybody talking about this now?

Peter Cohen, director at Countercept, remarked on the hypocrisy of posting a photo of yourself on stage and referring to it as "humbling". People say this with zero idea of the definition. Being humbled means that at one time you thought you were superior and now you realize you are not, because essentially someone defeated you and put you in your place. I don't get the sense that's what people mean when they refer to an experience as "humbling." But do a search for the term on LinkedIn and you will see people use it ALL THE TIME. Some of the most popular posts on LinkedIn are achievement announcements. Where's the line between saying you're proud of something and inviting others to celebrate it with you, and coming off like a jackass?

What's Worse?!

We have two scenarios this week in honor of our VC guest.

Hey, you're a CISO, what's your take on this?

In a special VC edition of "Hey, you're a CISO, what's your take on this?"

Much of what we talk about on this show is what we like and don't like about how security companies market themselves. In the news, the only role we hear VCs playing is financial. But given that VCs see the inner workings of a startup, they can probably see firsthand why a company succeeds or fails. Given what VCs are privy to that the rest of us are not, how can VCs help shape the way vendors market themselves?

Ask a CISO

Fernando Montenegro of 451 Research brought to my attention a tweet from Soldier of Fortran that caused a flurry of discussion. The tweet pointed out that many sites say they offer pricing, but when you go to the page it's just a lot of verbiage with a link to request a quote. Haroon Meer of Thinkst, producers of Canary deception devices and a former guest on this show, said they have pricing on their site even though experienced salesmen told them not to do it. Kyle Hanslovan of Huntress Labs asked how he could provide transparent pricing when half of his clients are direct and the other half are distributors. Is there a happy medium here, or is obfuscation the way to succeed with security selling?

Direct download: CISO_Vendor_4-16-2019_FINAL.mp3
Category:podcast -- posted at: 9:20pm PDT

Episode available on CISO Series blog (https://cisoseries.com/no-shirt-no-security-no-merger/)

Sure, we'd like to merge with your company but geez, have you looked at your security posture lately? Uggh. I don't know if I could be seen in public with your kind let alone acquire your type.

We're wary as to who wants to enter our digital home on this week's episode of CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Mark Eggleston (@meggleston), VP, chief information security and privacy officer, Health Partners Plans.

Thanks to this week's sponsor, Praetorian


On this week's episode

How CISOs are digesting the latest security news

Good cybersecurity hygiene is critical not just to mitigate breaches but also to the valuation of a company, especially during a merger or acquisition. Itzik Kotler, co-founder and CTO of SafeBreach, notes that back in 2016 the Verizon acquisition price of Yahoo was lowered by nearly $350 million after Yahoo disclosed data breaches that had happened up to two years earlier. Kotler said, "The problem is cybersecurity risk from mergers and acquisitions perspective should not be about what has happened, but about what vulnerabilities are being introduced and what could happen as a result."

Why is everybody talking about this now?

An interesting question on Quora asked, "Do you regret working in cybersecurity?" Do our CISOs ever regret? Why do people regret?

What's Worse?!

We have a challenge that pits securing old technology against securing new technology.

Ask a CISO

Eric Rindo just graduated with his MS in Cybersecurity. He has a certification, but zero experience. He's looking for his first InfoSec opportunity. For a CISO, what's attractive about a candidate like Eric?

What do you think of this pitch?

What happens when you pitch something CISOs already have?

Direct download: CISO_Vendor_04-14-2019_FINAL.mp3
Category:podcast -- posted at: 5:48pm PDT

Full post for this episode (https://cisoseries.com/defense-in-depth-machine-learning-failures/)

NOTE: You're seeing this special episode of Defense in Depth, because we think our CISO/Security Vendor Relationship Podcast listeners should hear it. 

Is garbage in, garbage out the reason for machine learning failures? Or is there more to the equation?

Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Davi Ottenheimer (@daviottenheimer), product security for MongoDB.

Thanks to this week’s podcast sponsor, Remediant

Remediant - Privileged Access Management (PAM)

81% of cyberattacks utilize stolen administrative credentials. Yet legacy enterprise password vaults solve only a fraction of the problem and are difficult to roll out. Remediant's SecureONE takes a new approach to privileged access management, offering agent-less, vault-less, continuous detection and just-in-time administration. Learn what Remediant can do in a half-day POC deployment.

On this episode of Defense in Depth, you'll learn:

  • Don't fall victim to believing that the success or failure of machine learning comes down to just garbage in, garbage out. It's far more nuanced than that. Some human actually has to determine what is considered garbage and what is not.
  • It only takes a very small amount of bad data to completely corrupt and ruin a machine learning data set.
  • Such a small infection can spread and corrupt all of the data, and there are people with political and economic motivations to do just that.
  • We have failures in human intervention. Machine learning can just magnify them at rapid rates.
  • While there are many warning signs that machine learning can fail, and we have the examples to back it up, many argue that competitive environments don't allow us to ignore it. We're in a use-it-or-lose-it scenario. Even when you're aware of the pitfalls, you may have no choice but to utilize machine learning to accelerate development and/or innovation.

Direct download: Defense_in_Depth_ML_Failures_FINAL.mp3
Category:podcast -- posted at: 3:59pm PDT

The direct link to this episode (https://cisoseries.com/all-aboard-the-5g-paranoia-train/)

We're getting excited and stressed out about the impending 5G network that appears poised to control our lives and all our cities. Will it be as exciting, productive, and lacking in security protocols as we expect? We discuss that and more on this week's episode of CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Bruce Schneier (@schneiersblog), book author, lecturer at Harvard Kennedy School, and prolific blogger at Schneier on Security.

Thanks to this week's sponsor, Chronicle, makers of Backstory

Chronicle Backstory

Chronicle’s Backstory is a global security telemetry platform for investigation and threat hunting within your enterprise network. Backstory makes security analytics instant, easy, and cost-effective. Backstory is a specialized, cloud-native security analytics system, built on the core infrastructure that powers Google itself.

On this week's episode

How CISOs are digesting the latest security news

Marsh, an insurance broker, is working with other cyber insurers to identify products and services that will reduce your cyber risk. With their Cyber Catalyst program, they're offering what appears to be some type of Better Business Bureau stamp of approval on solutions that meet their cyber risk standards. What gets us excited and what sets off red flags when we see such an offering?

Why is everybody talking about this now?

Are you scared of 5G yet? You should be. Well, according to our government, we need to be wary of China and Huawei with their rollout of 5G because owning the next-gen network will conceivably own all of commerce, transportation, and heck anything else. In Schneier's new book, Click Here to Kill Everybody, he speaks to how to survive with all our hyper-connected devices. How aggressively is 5G going to exacerbate the issue of cyber-survival?

What's Worse?!

We have a split decision on a scenario that involves a time limit.

Hey, you're a CISO, what's your take on this?

On Schneier's blog, he shared a study that examined whether freelance programmers hired online would write secure code, whether prompted to do so or not. The coders were paid a small pittance, it was unclear if they knew anything about security, and, surprise, in the end they didn't write secure code. While there are questions about the validity of this study, it does bring up an interesting question: using a marketplace like Upwork or Freelance.com, how does one go about hiring a freelance coder who can write secure code?

Ask a CISO

Mark Toney of CrowdStrike asked: after the purchase and use of a security tool, does a CISO or CTO do a post-mortem to see if they got what they paid for? Mark wants to know whether you are looking at what was improved, where it was improved, and by how much it was improved.

Direct download: CISO_Vendor_04-02-2019_FINAL.mp3
Category:podcast -- posted at: 9:20pm PDT

Direct link for episode on blog (https://cisoseries.com/do-you-know-the-secret-cybersecurity-handshake/)

We get the feeling that as we're adding more solutions and requiring more certifications, we're just making the problem of security harder and harder. Has the shortage of talent become a problem that we created? We discuss that and more on this week's episode of CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Taylor Lehmann (@BostonCyberGuy), CISO, Wellforce.

Thanks to this week's sponsor, Chronicle, makers of Backstory


On this week's episode

How CISOs are digesting the latest security news

The Hill reports, "A Democrat on the House Intelligence Committee introduced a bill on Wednesday that would require publicly traded companies to disclose to investors whether any members of their board of directors have cybersecurity expertise."

The Cybersecurity Disclosure Act of 2019 would require the SEC to issue a new set of rules requiring U.S. companies to tell their investors whether they have someone with cyber expertise on their board. If they don't, they must explain to their investors why this is the case.

Will such a measure pass, and if not, what is the best action here to ensure some level of cybersecurity confidence?

Why is everybody talking about this now?

On a recent episode of the podcast we talked about swapping out the word "security" for "safety." Chris Roberts of Attivo Networks brought this topic up and he says if we change the conversation more people will care. How does the viewpoint of security change when you're talking about safety? How does behavior change?

What's Worse?!

I can't believe it's taken me this long to ask this question.

Hey, you're a CISO, what's your take on this?

Once you connect a device to the Internet and trade information, it becomes a potential attack vector. And if your device is critical for maintaining life, like automobiles and medical devices, vulnerabilities are no longer a case of losing data, but of losing lives. Medical device manufacturers are rarely experts at software development, let alone cybersecurity. Vulnerabilities happen all the time. What is and isn't working with the reporting, alerting, and fixing of device vulnerabilities?

Ask a CISO

"Could the talent gap be a self-fulfilling prophecy or at the very least an avoidable consequence of security's red hot growth?" asked Sam Curry, CSO at Cybereason, on Forbes. "What started as an esoteric field is becoming even more arcane as we grow." Curry offered some suggestions on where to improve things in order to reduce the complexity of security. Is fixing these issues harder than fixing security?

Direct download: CISO_Vendor_3-27-2019_FINAL.mp3
Category:podcast -- posted at: 6:00pm PDT