CISO/Security Vendor Relationship Podcast
Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/ah-heres-the-problem-youve-got-a-leaky-ceo/)

We're waking up the C-suite to the realization that they're the prime target for cyberattacks.

This episode was recorded in front of a live audience at Evanta's CISO Executive Summit in Los Angeles. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers.

CISO/Security Vendor Relationship Podcast live at Evanta CISO Executive Summit in Los Angeles 12/11/19

PLUS, joining us live was Jewels Nation, the voice of the CISO Series. You hear her voice on all the bumpers on our podcasts.

Jewels Nation, the voice of the CISO Series podcasts, and David Spark, producer of CISO Series

Thanks to this week's podcast sponsor Evanta.

Evanta CISO Executive Summit

Evanta, a Gartner Company, creates exclusive communities of C-level executives from the world’s leading organizations. These invaluable networks are built by and for C-level executives to share innovative ideas, validate strategies and solve critical leadership challenges through peer-to-peer collaboration. Evanta’s trusted communities serve CISOs and their C-suite peers around the world.

On this week's episode

Where does a CISO begin?

Gary recently brought up an excellent discussion pointing out that executives are the backdoor into your organization. Do they understand that they're critical cogs, and are they willing to take on that responsibility? And what is the "patching process" for a leaky executive?

Walk a mile in this CISO's shoes

Gary talked a lot about the importance of work/life balance for cyber professionals. Robert Carey of RSA Security said your actions do most of the talking: "As a CISO, you're a model of work life balance. If you stay 14 hours a day, that's what is expected of employees. If you leave at 5pm they'll realize that's ok for them to do." How do our CISOs show their staff what is and isn't OK, both when everyone is in the office and when employees are remote?

What's Worse?!

You've got a new hire. Which one do you choose?

Is this the best solution?

Does the email pitch still serve a function? On a recent CISO Series video chat, we talked about how CISOs get 50-80% of their information about products from other CISOs and that yeah maybe sometimes they read an email pitch. Is there still room for the email pitch or should it just die? And if it should die, what should it be replaced with?

Security Squares: Where CISOs Put Vendors in Their Place

A brand new game that asks CISOs how well do they know the vendor landscape? This one was a nail biter.

It’s time for the audience question speed round

Our audience has questions, and our CISOs will have answers.

Direct download: CISO_Vendor_Live_12-17-2019_FINAL.mp3
Category:podcast -- posted at: 5:30am PST

All links and images for this episode can be found on CISO Series (https://cisoseries.com/trust-me-were-using-advanced-ai/)

We're looking for a good reason to trust your AI on the latest CISO/Security Vendor Relationship Podcast.

This episode was recorded in front of a live audience at Evanta's CISO Executive Summit in San Francisco. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Jimmy Sanders (@jfireluv), head of information security, Netflix DVD.

Mike Johnson, Jimmy Sanders, head of information security, Netflix DVD, and David Spark

Thanks to this week's podcast sponsors: Trend Micro, SentinelOne, and FireMon. 

Firemon

FireMon provides persistent network security for hybrid environments through a powerful fusion of real-time asset visibility, continuous compliance and automation. Since creating the first-ever network security policy management solution, FireMon has delivered command and control over complex network security infrastructures for more than 1,700 customers.

Trend Micro

Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com.

SentinelOne

Are you looking to leave legacy antivirus? Proactively protect every device in realtime with AI. Deploy SentinelOne for EPP, EDR, IoT, and container security today. Autonomous technology is the future. We deliver it now across your endpoints, servers, cloud workloads, and IoT devices.

What we’ve got here is failure to communicate

Is the privacy message getting out to the right people? I argue we need to go to the source and we're not. I was at Dreamforce, the Salesforce conference, and I got the sense I was the only person of the 100K people there that didn't want to be scanned. This crowd is obsessed with the collection of personal data given this conference is mostly about how do I create greater understanding from personal data. Are we as security people in a bubble in this privacy conversation? We need to go to the source of the people who are actually collecting the data and I'm getting the sense we're not getting through.

Are we making the situation better or worse?

We've talked a lot about AI on this show, and many vendors are selling intelligent solutions, but the factor that seems to hang up usage is trust. Cyber professionals don't think twice about trusting their AI-powered spam filter, but so many other tools are met with skepticism. What's missing from the vendor side and what trust barriers are practitioners putting up? What should the barometers be for trusting AI?

What's Worse?!

Two bad types of people wanting to do you harm. Which one is worse?

Is this the best solution?

Should you hire staff from companies that have fallen victim to cybercrime? According to a study by Symantec and Goldsmiths, University of London, as reported by ZDNet, more than half of respondents said they don't discuss breaches or attacks with peers. And more than a third said they fear that sharing breach information on their organization would negatively impact their future career prospects. I would think that asking a prospect, "Have you lived through a breach and how did you handle it?" would be very revealing. Mike?

Security Squares: Where CISOs Put Vendors in Their Place

A brand new game that asks CISOs how well do they know the vendor landscape?

It’s time for the audience question speed round

Our audience has questions, and our CISOs will have answers.


Direct download: CISO_Vendor_Live_12-10-2019_FINAL.mp3
Category:podcast -- posted at: 5:17am PST

All links and images for this episode can be found on CISO Series (https://cisoseries.com/isnt-that-adorable-our-little-ciso-has-an-opinion/)

We're spoon-feeding "respect" to the CISO on this week's CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week, thanks to Trend Micro, is Jim Shilts, founder, North American DevOps Group.

Thanks to this week's podcast sponsor Trend Micro.

Trend Micro

Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com.

On this week's episode

Why is everyone talking about this now?

Gary Hayslip, CISO, Softbank Investment Advisers and regular guest, posted an article about a growing trend of CISO frustration and why they don't last at an organization. The article addresses many issues around burnout, but I want to focus on one stat from an ISC(2) study: "Sixty three percent of respondents said they wanted to work at an organization where their opinions on the existing security posture were taken seriously." It's hard to keep any security staff in place if they're not respected. We talk a lot about being able to talk to the board, but the communication has to be two-way. How clearly do executives understand that respecting and listening to their cyber staff is in their best interest?

What annoys a security professional

Deidre Diamond of CyberSN asks this very pointed question: "We are short 500k cyber professionals in the US and 89% of our current cyber professionals are open to new opportunities; why are jobs taking on average 4-9 months to fill?" That last figure is CyberSN's own estimate. She's arguing there is plenty of supply. Why is hiring taking so darn long? Nobody's happy.

What's Worse?!

We've got a question tailored for our DevOps guest this week.

Please, enough. No, more.

DevOps and security. This is a topic that has grown over time, evolved in branding, and Mike has spoken out about how much he doesn't like the term DevSecOps. As we regularly do in this segment, what have you heard enough of in the DevOps and security debate, and what would you like to hear a lot more about?

Cloud Security Tip sponsored by OpenVPN

Two-factor authentication is a smart step toward more secure password management, but what happens the moment after you have convinced your company's employees to adopt 2FA, when you then say, "Oh yes, don't forget your SIM PIN."

2FA might stop attackers from getting in with easily searchable information like someone's mother's maiden name, but when the second factor is a code sent by SMS, bad actors have already found the weak link in this particular chain. They call the phone provider, pretend to be the victim, and ask to move the victim's number to a new SIM card, one that is in the attacker's possession. From then on, everything the victim did with their phone (texting, banking, and receiving 2FA passcodes) goes to the attacker's handset. Note that the PIN that matters here is the account or port-out PIN set with the carrier, not the PIN that locks the SIM card in the handset; the swap happens at the carrier, so a card PIN does nothing to stop it. The stronger fix is a second factor that is never delivered over SMS, such as an authenticator app or a hardware security key.

More on CISO Series.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

Hey, you're a CISO, what's your take on this?

Nigel Hedges, CISO, CPA Australia, asked, "Should security operations exist in infrastructure/operations teams?"

Nigel asked this question of colleagues and got mixed results. One CISO said it was doomed to fail; others said it's up to leadership and a CISO doesn't need to own secops.

"Other people were adamant that the focus required to manage secops, and streamlined incident response, can't work within infra because the primary objectives of infra are towards service availability and infra projects," said Nigel, who went on to ask, "Is this important prior to considering using a security vendor to provide managed security operations? Is it important to 'get the house in order' prior to using managed secops vendors? And is it easier to get the house in order when secops is not in infra?"

Direct download: CISO_Vendor_12-03-2019_FINAL.mp3
Category:podcast -- posted at: 5:30am PST