All images and links for this episode can be found on CISO Series (https://cisoseries.com/open-this-email-for-an-exclusive-look-at-our-clickable-web-links/)

You'll be dazzled by the clickability of our web links on this week's episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week Aanchal Gupta (@nchlgpt), head of security for Calibra, Facebook.

Aanchal Gupta, Head of Security for Calibra, Facebook, Mike Johnson, Co-Host, CISO/Security Vendor Relationship Podcast, David Spark, Producer, CISO Series

Thanks to this week's podcast sponsor Expel.

Expel is flipping today’s managed security model on its head (Ouch!) for on-prem and cloud, taking a technology-driven approach that lets analysts focus on what humans do best: exercise judgment and manage relationships. The company offers 24x7 monitoring through its security operations center-as-a-service, using the security tools customers already have.

On this week's episode

Hey, You're a CISO, what's your take on this?

Last month, Brian Krebs reported a breach from the 6th-largest cloud solutions provider PCM Inc. which let intruders rifle through Office365 email/documents for a number of customers.

In response, listener Alexander Rabke, Unbound Tech, asked, "Would CISOs continue to do business with ‘security’ companies that are breached?" What's your recommendation for sales people who are at such an organization? How should they manage news like this?

Ask a CISO

We know there are plenty of pros and cons of telecommuting. I'm eager to hear from both of you how security leaders value telecommuting. What are the challenges to a CISO of managing a virtual staff?

What's Worse?!

We've got two extreme scenarios you'd never see in the real world.

Why is everybody talking about this now?

Mike, on LinkedIn you ranted about the term DevSecOps that it was a distraction and that "It's really no different (at a high level) than building security into an Agile development process, or a Waterfall process." I agree but I would argue that when DevOps was introduced it was about getting two groups working in tandem. At the time it was a mistake to omit security.

Last year at Black Hat I produced a video where I asked attendees, "Should security and DevOps be in couples counseling together?" Everyone universally said, "Yes", but I was taken aback that many of the security people responded, "that they should just listen to me." Which, if you've ever been in couples counseling knows that the technique doesn't work.

I argue that the term DevSecOps was brought about to say, "Hey everybody, you have to include us as well."

Mike recommends Kelly Shortridge and Nicole Forsgren presentation at Black Hat 2019, "The Inevitable Marriage of DevOps and Security".

Companies continue to take advantage of the economies of scale offered by multi-tenant cloud services, but complacency is dangerous. Multi-tenant cloud is often described as being like a big apartment building, but the big difference is that the walls that separate tenants from each other are not solid, but software. Software is built by humans which closes the circle: unpredictable humans in an unpredictable world.

I’m not just talking about hacking here. What about compliance? GDPR’s austere and perhaps old-world view that data on a German citizen must stay in Germany, is nonetheless the law, and carries substantial fines for transgression. This requires data centers to be run from multiple countries, but so long as they’re connected by a cable no data is ever truly isolated. Future regulations affecting health records or patents or blockchain transactions might find themselves in limbo when it comes to coming to rest in a certain section of a certain cloud.

For the moment, companies are focusing mostly on the cost-efficiencies of shacking up with other tenants in the same building, but very soon, this too might not be enough.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

The great CISO challenge

Lauren Zink of Amtrust posted an article from Infosec Institute asking, "What are you to do with repeat offenders in social engineering exercises?" The article offers some helpful suggestions. In the discussion, there was some pointing fingers at security training designed to purposefully trick employees. Have either of you had to deal with repeat offenders? What did you do? What's your advice for other security leaders... and HR?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/like-fine-wine-our-vendor-bs-meter-gets-better-with-age/) 

The bouquet of this particular vendor BS is a mixture of FUD, unnecessary urgency, and a hint of pecan. Look to your left and grab the spittoon because we don't expect everyone to swallow what you're about to hear on this week's episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Olivia Rose, CISO for MailChimp.

Thanks to this week's podcast sponsor Remediant

Eighty one percent of cyberattacks utilize stolen administrative credentials. Yet, legacy enterprise password vaults solve only a fraction of the problem and are difficult to rollout. Remediant’s SecureONE takes a new approach to privileged access management: offering agent-less, vault-less, continuous detection and just-in-time-administration. Learn what Remediant can do in a half-day POC deployment.

On this week's episode

Why is everyone talking about this now?

One of the reasons we hate hearing security buzzwords is because it doesn't help us understand what it is a vendor is trying to sell. When a vendor says we have a "zero trust" product, what does that mean?

We delve into some of the tell-tale signs that a vendor or consultant is trying to BS you.

According to Olivia Rose, if you're going to pitch a CISO, make sure you can answer the following simply and succinctly:

What does our product/service do?
What specific security problem does it solve?
How will it affect the typical strategic/business drivers for a company?

It's time for "Ask a CISO"

Fernando Montenegro, analyst for 451 Research, asked, "How can the CISO be a change agent for the security team so it can better align with the business?"

What's Worse?!

For this week's game I picked a question very apropos for our guest's current situation.

Um… maybe you shouldn't have done that

Unconscious bias towards women in professional settings is not always overt nor intentional, but it happens. We discuss some examples of unconscious bias for both women and men. And we discuss how too much of it can really push women out of the security industry.

A distributed denial of service attack is the scourge of IT security. According to Verisign, one-third of all downtime incidents are attributed to DDoS attacks, and thousands happen every day. Are they created by sophisticated black hatted evil doers from an underground lair? Of course not. Welcome to the world of cybercrime-as-a-service.

You too can silence a competitor or cause havoc for pretty much anyone for as low as $23.99 a month. Just have your credit card or Bitcoin ready.

For more, go to CISOSeries.com.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

First 90 days of a CISO

Being just six weeks in, our guest, Olivia Rose is living the first 90 days of a CISO. We asked her and Mike what it's like those first few weeks. And to no one's surprise, it's beyond overwhelming.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/if-capital-one-listened-to-our-podcast-they-still-would-have-been-breached/) 

We guarantee listening to our show would have done absolutely nothing to prevent the Capital One breach. We've consulted our lawyers and we feel confident about making that claim. It's all coming up on this week's episode of CISO/Security Vendor Relationship Podcast.

This episode was recorded in the ExtraHop booth during Black Hat 2019. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Tom Stitt (@BlinkerBilly), sr. director, product marketing - security, ExtraHop.

Thanks to this week's podcast sponsor ExtraHop

Unlike security solutions that focus on signature- and rule-based detection, ExtraHop Reveal(x) helps you rise above the noise of alerts with complete east-west visibility and machine learning for real-time detection of known and unknown threats, plus guided investigations for rapid response. Find and address real threats faster with ExtraHop.

On this week's episode

Why is everyone talking about this now?

I have noticed an either disturbing or coincidental trend. Every year, just before either RSA or Black Hat conferences, there is some massive breach. This year it was Capital One. In the past we've had Ashley Madison, Target, Marriott - all within a few months of the shows. I know I know I know that CISOs absolutely hate being sold on FUD (fear, uncertainty, and doubt), but all conferences are affected by industry relevant news. You simply can't avoid it. Capital One was brought up multiple times during the Black Hat conference. We discuss the do's and don'ts of bringing up the most recent breach at a huge trade show.

We don't have much time. What's your decision?

On LinkedIn, you asked "When your risk and threat models all agree that this feature/product/decision is of low concern but your gut tells you otherwise, what do you do?" It appears most people said go with your gut to which Richard Seiersen of Soluble pointed out that guts are models too. What happens when you're faced with such a scenario and what causes the tools and threat models to be so off your gut?

"What's Worse?!"

We've got a split decision and a really fun scenario.

Please, Enough. No, More.

Today's topic is "network behavior analysis." In the world of anomaly detection, what have Mike and Tom heard enough about and what would you like to hear a lot more?

It’s been two weeks. Time to change your password again. How many times have we all bumped up against this wall – intended to help keep us secure, but extremely annoying when you have things do do? The battle for password security has been a long and arduous one, moving and evolving, sometimes ahead of, but more often lagging behind the activities of the hackers and bad guys, whose limitless resources seek out every possible weakness.

Challenge questions and strings of letters, numbers and characters might soon be coming to the end of their functional life, as security companies start to roll out biometric and behavioral security protocols in their place. Paired with increased access to data and artificial intelligence, it will become easier for organizations to contemplate a switch from basic strings of words to something more esoteric – a retinal scan paired with an extensive ergonomic behavior database for every individual.

These things are not new to the consumer marketplace of course. Apple iPhones are one of many devices that can be unlocked by a fingerprint, and credit card companies and web applications routinely call out unusual login behaviors.

But the new secret sauce in all of this is the availability of huge amounts of data in real time, which can be used to analyze a much larger set of behavioral activity, not simply an unusually timed login. This can then be managed by an Identity-as-a-service (IDaaS) company that would take over the administration, upkeep and security of its clients using the as-a-service model.

A retinal scan paired with a secure knowledge of which hand you carry your coffee in and where you bought it might very soon replace the old chestnut challenge of your mother’s maiden name. That one should stay safe with Mom.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

And now, a listener drops some serious knowledge

On LinkedIn, Ian Murphy of LMNTRIX put together an incredibly funny presentation with great graphics entitled the BS Cybersecurity Awards which included such impressive glass statuettes like the "It'll Never Happen to Us" Award and the "Cash Burner" Award. In general, they were awards for all the bad repeated behavior we see from vendors and users in cybersecurity. What are the awards that are not given out that we'd actually like to see?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/improve-security-by-hiring-people-who-know-everything/)

If you're having a hard time securing your infrastructure, then maybe you need to step up the requirements for expertise. Why not ask for everything? We're offering unreasonable advice on this week's episode of CISO/Security Vendor Relationship Podcast.

This episode was recorded in front of a live audience at ADAPT's CISO Edge conference in Sydney, Australia. This special episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Liam Connolly, CISO of Seek. Our guest is Matt Boon (@mattjboon), director of strategic research for ADAPT. Plus, we have a special sponsored guest appearance from John Karabin, vp, cybersecurity, Dimension Data.

Thanks to this episode's sponsors Dimension Data/NTT and ADAPT

By 1 October 2019, all 28 NTT companies, including Dimension Data, will be branded as NTT. Together we enable the connected future. Visit NTT at hello.global.ntt.

ADAPT’s mission is to equip IT executives with the knowledge, relationships, inspiration and tools needed to gain competitive advantage. ADAPT’s membership platform provides business leaders with fact-based insights, actionable patterns of success and the collective experience of 3,000 peers to improve strategic IT, security, and business decisions. Visit ADAPT for more.

On this week's episode

Why is everyone talking about this now?

Independent security consultant Simon Goldsmith sent this post from Stu Hirst, a security engineer at JUST EAT who posted a job listing that requested subject matter expertise on 12 different aspects of security. This highly demanding request resulted in well over 200 responses from the community. Is it laziness on the part of the company posting? Is it an attempt to just capture job seekers' search queries? Or is it simply an editorial mistake that they shouldn't have requested subject matter expertise but rather basic knowledge across 12 different aspects of security?

Ask a CISO

Mitch Renshaw, Fortinet, describes a problem that many vendors are having. He says:

"Fortinet’s broad portfolio makes it hard to give a concise yet effective overview of our value. As a result I’m worried my emails are going long.
Customers know us for our firewalls – and a full firewall refresh is hard to come by as a sales rep. So if I get more targeted in my demand generation techniques, I’m met with an 'I’m all set, I’ve got Palo/checkpoint/juniper/etc.'"

Mitch has got a conundrum. He's looking for the happy medium on how to sell a company with a wide variety of products, some of which are highly commoditized in the industry. How should he reach out to security professionals?

"What's Worse?!"

We play two rounds and the audience gets to play along as well.

Hey, you're a CISO, what's your take on this?'

My American co-host, Mike Johnson, asked this question of the LinkedIn community, and I ask you this as well. "Why do sites still **** out the password field on a login page?" It's designed to stop shoulder surfing. Is this really the main problem? What else is it helping or hurting, like password reuse? Passwords are a broken system that are easily hacked. We have solutions that add layers on top of it, like multi-factor authentication. What solutions do we have for the password process itself?

OK, what's the risk?

Ross Young of Capital One, asks this question about what risk should you be willing to take on? "What should cyber professionals do when they can’t contract or outsource services like pen testing however they struggle to acquire the talent they need. If they train folks they find them poached sooner and if they don’t they are stuck without the talent they need to survive."

Why is this a bad pitch?

We've got a pitch sent in to us from Eduardo Ortiz. It's not his pitch, but one he received. You may need to strap in when you hear this.

It’s time for the audience question speed round

Yep, it's just like it sounds. I ask the panel to ask some questions submitted from our audience.