All links and images for this episode can be found on CISO Series (https://cisoseries.com/i-dont-need-anymore-advice-on-how-to-work-remotely/)

It appears everyone has tips on how to work remotely. And after the deluge the past two weeks, most people have hit their wall. We don't care. We're pushing through with even more advice, just for security professionals.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Brendan O'Connor, CEO, AppOmni.

Thanks to this week's podcast sponsor, AppOmni.

AppOmni is the leading provider of SaaS security and management platform for the enterprise. AppOmni provides unprecedented data access visibility, management and security of SaaS, enabling organizations to secure mission-critical and sensitive data. With AppOmni, organizations can automatically and continuously enforce rules for data access, data sharing and third-party applications.

On this week's episode

Why is everyone talking about this now?

Adapting a line from Wendy Nather of Duo Security, what's the security poverty line for remote work? Gabriel Friedlander of Wizer started a thread of best advice for employees working at home. And then he compiled a list of the best tips. We talk about our favorite tips and add a few of our own.

There’s got to be a better way to handle this

Mike and our sponsored guest, Brendan, are both security leaders who have been thrust into managing their entire team virtually for an extended period of time. On top of that, their teams are going to have new pressures on them (e.g., kids at home) that are going to conflict with their ability to be efficient employees. We talk about what they're doing to adapt and their greatest concerns.

What's Worse?!

How are you dealing with patch management when you've got an all-remote workforce?

Please, Enough. No, More.

Our topic security cloud or specifically SaaS apps. What have we heard enough about on this topic and what would we like to hear a lot more?

A serious confounding feature of public activities like elections and climate change discussions is the proliferation of actual fake news – stories created by bad actors and distributed by bots and which include deepfaked video and propaganda that lead audiences into a state of not knowing who to believe anymore. Security experts including the International Security Forum categorize this as a cyberthreat called Distortion, the loss of trust in the integrity of information.

As threat actors continue to hammer away at the cyber defenses however they can, it is extremely likely that Distortion attacks will be yet one more way of bringing organizations to a point of extreme vulnerability, just like ransomware and siegeware.

Though the Distortion content may be generated externally, it has the potential to be implanted in a company’s environment through phishing, MFA fraud and hacking, leading to media crises, drops in market valuation, destruction of public credibility and of internal stability.

More from our sponsor, ExtraHop.

Um… maybe you shouldn't have done that

Some really well-intentioned people are responsible for some really bad data practices. When I was in Tel Aviv I ran into a number of companies offering discovery solutions to show you where your data is, identify the sensitive data, the PII, and who has access. We learn a lot about sensitive data after it's breached, but there are also plenty of bad data practices happening internally which lend themselves to misuse or greater damage when there is a breach.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/the-department-of-no-thank-you/)

Just go to the front desk, sign in, and then the receptionist will say “no” in the most polite way possible.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Nina Wyatt, CISO, Sunflower Bank.

Thanks to this week's podcast sponsor, CyberArk.

At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.

On this week's episode

There’s got to be a better way to handle this

The hot new cybersecurity threat is the Coronavirus. Not the virus itself or the possible fake phishing emails connected to it, but our overall fear and its impact on work. According to data from Boardish, there is a 42% increase over baseline in fear of immobility, or staff not being able to operate effectively remotely. To put that number in perspective, phishing and ransomware have each seen an 8% threat increase. I read immobility's huge number to mean companies are simply not prepared for how their staff may need to operate.

What we’ve got here is failure to communicate

What's the best way to say 'no' to a vendor? This was a question that was asked of me by Eric Gauthier, CISO at Scout Exchange. He wants to say no because his cloud business has no need for certain services, and he doesn't want to be rude, but just saying no doesn't seem to work. What are the most successful techniques of saying no to a security vendor? And what different kinds of "no" are there?

"What's Worse?!"

A tough decision on a company built on acquisitions.

Walk a mile in this CISO’s shoes

For many CISOs, there is a "What's Next?" as they don't necessarily expect "CISO" to be their final resting place professionally. Gary Hayslip, a CISO for Softbank Investment Advisers and frequent guest, wrote on both LinkedIn and Peerlyst about next steps for CISOs who want to move out of the role. The recommendations were other C-level positions, going independent, and starting a new company.

On January 2 of this year, parking meters in New York City stopped accepting credit and parking cards. At fault? Security software that had expired on the first day of 2020. Reminiscent of Y2K, this draws attention to the next two time-related bugs predicted for 2036 and 2038. The 2038 problem affects 32-bit systems that rely on timecodes that max out on January 19 of that year. A similar rollover is expected in 2036 for Network Time Protocol systems.

In all likelihood, affected systems either have been or will be replaced over the next 18 years, but the dangers still exist, in situations where vulnerable devices remain buried in a legacy system or in cases where advanced calculation of expiry dates are needed, or like New York City, where the upgrade was apparently overlooked.  It serves as a reminder that data security must look to its past while it plans for the future.

More from our sponsor ExtraHop.

Hey, you're a CISO. What's your take on this?

What's the impact of Europe's Right to Be Forgotten (RTFB)? It's been five years and Google has received ~3.2 million requests to delist URLs, from ~502,000 requesters. Forty five percent of those URLs met the criteria for delisting, according to Elie Bursztein, leader of Google's anti-abuse research team. Search engines and media sites hold the greatest responsibility, but what responsibility are companies forced to deal with and do they have the capacity to meet these requests?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/we-pick-the-best-security-awareness-programs-for-your-staff-to-ignore/)

It doesn’t matter which security awareness training program you purchase. Your staff is going to do whatever they can to either tune out or get out of this annual compulsory exercise.

This week’s episode of CISO/Security Vendor Relationship Podcast was recording in front of a live audience at athenahealth in Watertown, Massachusetts. The recording features me, David Spark (@dspark), producer of CISO Series, my guest co-host, Taylor Lehmann (@BostonCyberGuy), CISO, athenahealth, and guest Marnie Wilking, global head of security & technology risk management, Wayfair.

David Spark, producer of CISO Series, Taylor Lehmann, CISO, athenahealth, Marnie Wilking, global head of security & technology risk management, Wayfair

Check out all the photos from our recording.

Thanks to this week's podcast sponsors, Check Point and Skybox Security.

It's no secret that today's cyber attacks are targeted and sophisticated. Leaving even one point of entry vulnerable to a cyber attack endangers your entire organization. Check Point created the Secure Your Everything Resource Center to help you develop a comprehensive approach to prevent cyber attacks.

At Skybox, we remove complexities from cybersecurity management. By integrating data, delivering new insights and unifying processes, we help you control security without restricting business agility. Our comprehensive solution unites security perspectives into the big picture, minimizes risk and empowers security programs to move to the next level.

On this week's episode

Pay attention, it’s security awareness training time

Jinan Budge of Forester finished a report on security awareness training programs. She found a trend that supported both the need for compliance and the need to actually train employees to be more security aware. We discuss what actually works to get people to be more aware of cybersecurity.

What do you think of this vendor marketing tactic?

At RSA, I talked to a vendor who told me about their new solution. It was so unique that Gartner was creating a new category for their product with yet another acronym. UGGH, another category for which you have to educate the market? And now you have to convince buyers to create a new line item for this category? And now what is that going to do to your marketing budget? It didn't take much convincing for me to point out that their product was just third-party risk management.

Admittedly, cybersecurity professionals love the new and shiny, but where do we draw the line about learning something new in cybersecurity and adding confusion to the marketplace?

It's time to play, "What's Worse?!"

Two rounds, lots of debate.

Where does a CISO begin?

When we hear about digital transformation, it is being done for purposes of speed, accuracy, and business competitiveness. Scott McCool, former CIO at Polycom was on our show Defense in Depth, disputed the common notion that security serves the business. Instead, he believes that security IS the business. And if you deem that to be true, then security can no longer can take a consultative role. It must take the role of brand and value building.

This is more than just a discussion of "shifting left." What are actions that security must take to make it clear that they are part of making the business fast, innovative, and competitive?

Um... maybe you shouldn't have done that

We tell talks of the worst proof of concept (POC) efforts.

Audience question speed round

We close out the show with a series of quick answers to audience questions.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/buy-our-product-we-have-no-idea-what-were-selling/)

What do you think of our confusing non-descriptive ad copy? We think it’s brilliant.

We’re patting ourselves on the back on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in front of a live audience in NYC at the coworking space, Rise NYC. It's hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and JJ Agha, vp, head of information security at WeWork. Our guest is Mike Wilkes (@eclectiqus), CISO, ASCAP.

David Spark, producer, CISO Series, JJ Agha, vp, head of information security, WeWork, and Mike Wilkes, CISO, ASCAP

Thanks to this week's podcast sponsor, Check Point

It's no secret that today's cyber attacks are targeted and sophisticated. Leaving even one point of entry vulnerable to a cyber attack endangers your entire organization. Check Point created the Secure Your Everything Resource Center to help you develop a comprehensive approach to prevent cyber attacks.

On this week's episode

There’s got to be a better way to handle this

How well are you configuring your controls today and tomorrow? At RSA, I chatted with Adam Glick, CISO, Rocket Software. He said what he'd like is a tool to test the maturity of his deployed controls. How are his controls optimized over time? What does it looks like today vs. a year from now? How are we currently trying to solve that problem and what could be done to improve it?

Hey, you're a CISO, what's your take on this?

"Which cybersecurity certification should I get?" It's a question I see repeated often, especially on Quora and Peerlyst. Your best bet would probably be the one that most employers are looking for. And according to job board searches, conducted by Business News Daily, CISSP is the overwhelming favorite. Do our CISOs prefer certain certifications over others? Is it a requirement for hiring? And what does a security professional with certifications vs. experience tell us about that person?

What’s Worse?!

Split decisions on both and the audience plays along as well.

Is this the best use of my money?

"One of the common complaints I repeatedly hear is that cybersecurity vendors are not solving real problems. They're just looking to make money. I think that's a rather unfair blanket statement, but regardless, I hear it a lot.

I think why I hear that so often is that we're all in the cybersecurity fight together and we need to help each other. Helping each other is often done by participating in the open source community.

Why is it critical to contribute to the open source community?

Um... What do they do?

I read copy that appeared on various booths at RSA 2020. Most are confusing and non-descriptive and don’t appear to assume a pre-existing understanding of cybersecurity.

The expo hall at RSA is filled with security professionals who are already security minded. I honestly don't know exactly the reaction they're looking to get or what type of information these vendors are trying to convey.

Audience question speed round

We close out the show with a series of quick answers to audience questions.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/were-market-leaders-in-customer-confusion/)

We could offer a simpler explanation of our technology, but if we confuse you we can charge a lot more.

This episode was recorded in front of a live audience at BsidesSF 2020 in San Francisco. It's hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Olivia Rose, former CISO, Mailchimp.

Look at that screen! We were in a movie theater. Those small people in the lower right are David Spark, producer, CISO Series, Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, and Olivia Rose, former CISO, Mailchimp. Photo credit to @ash1warya.

Thanks to this week's podcast sponsors, Vulcan Cyber and CyberArk.

Vulcan is a vulnerability management platform built for remediation. By orchestrating the entire remediation process, Vulcan ensures that vulnerabilities aren’t just found, they’re fixed. Pioneering a remediation orchestration approach, the platform enables security, operational and business teams to effectively remediate cyber risks at scale.

At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.

On this week's episode

How to become a CISO

What is some actionable "let's start today" advice. What could an individual do right now to develop the skills to be a cyber leader and make it clear to management, that's what they're gunning for?

What we’ve got here is failure to communicate

If all vendors stopped sending cold emails, which is what we constantly hear CISOs say they should do, how should they spend their time and money instead to greatly improve their success? If a CISO played the role of a vendor, which happens often, what should you do, to get to you?

What's Worse?!

We play TWO rounds.

What do you think of this vendor marketing tactic?

According to a recent study by Valimail, CISOs are very suspect of security vendors' claims. In general, the numbers are horrible for vendor credibility. Close to half of security professionals claim the following:

• Vendors' tech and explanation are confusing
• Practitioners have a hard time seeing and measuring value
• Practitioners don't know how a vendor's product will stay valid on their security roadmap.
•  

What could cybersecurity vendors do to make their claims more believable?

Close your eyes and visualize the perfect engagement

Rafal Los, Armor Cloud Security asked, "If you could implement one thing in your organization that would receive universal adoption without push-back, what would it be?" The question, which seems reasonable, but in the security world often feels impossible, generated a ton of responses on both LinkedIn and Twitter. Many wanted company-wide adoption of one solution, such as MFA or vulnerability management. Others wanted widespread and ongoing security education. Our CISOs debate the one pushback-free solution that would yield the greatest results.