CISO Series Podcast
Formerly named CISO/Security Vendor Relationship Podcast. Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.

All links and images for this episode can be found on CISO Series

https://cisoseries.com/pushing-this-to-the-top-of-your-inbox-so-you-can-delete-it-again/

We're following up on our previous email because we love to engage in self-defeat. We assume you don't want to hear from me again, but just to make sure, I've delivered another email for you to delete.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Rinki Sethi (@rinkisethi), CISO, Twitter.

Thanks to our podcast sponsor, Sonatype

Sonatype

With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company’s Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code.

In this episode

  • It takes a while to hire an awesome cybersecurity team. It takes even more work to keep them.
  • Breaches are bad, but handling them badly might be worse
  • The unique aspects of work from anywhere security that take time to discover
  • More of "what not to do" as a vendor pitching a cybersec prospect


Direct download: CISO_Vendor_04-27-21_FINAL.mp3
Category:podcast -- posted at: 3:00am PDT

All links and images for this episode can be found on CISO Series

https://cisoseries.com/ok-i-get-it-youre-all-special-snowflakes/

This department manager thinks their data is the most important. But then this department manager thinks their data is the most important. Can there really be so many crown jewels in your company that are all equally important? How's a CISO supposed to prioritize?

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Melody Hildebrandt (@mhil1), executive vp, consumer products and engineering, and CISO, Fox.

Thanks to our podcast sponsor, Herjavec Group

Herjavec Group

Herjavec Group excels in complex, multi-technology environments and keeps enterprise organizations secure with best of breed products and comprehensive service offerings. With 5 global Security Operations Centers, emerging technology partners, and a dedicated team of security specialists, we are well-positioned to be your organization’s trusted advisor in cybersecurity. Let’s connect!

On this week's episode

Hey, you're a CISO, what's your take?

Recently, we did a Friday video chat on "Hacking the Crown Jewels" where we talked about what's really important, where it resides, and who's accessing it and when. One of the questions that came up from consultant Ian Poynter was how do you handle the conflicts from the different department leaders as to what the crown jewels are? And Jakub Kaluzny of SecuRing asked, "What's harder, identifying your crown jewels, or protecting them?"

Can you change Mike's mind?

Our guest, Melody Hildebrandt, mentioned that as of recently she was in a pro-vendor mood. Only three months into the year she has taken more new vendor meetings than in all of 2020. What changed? And can she convince Mike to do the same?

"What's Worse?!"

As always, this will be a surprise on the show. And no one will like the options.

If you haven’t made this mistake, you’re not in security

Even if you've configured your email security platform correctly, you can still fail early and often, as our guest Melody discovered. She actually published her findings on Tech Insiders, along with Paul Cheesbrough. Examples she provided included email account compromises that resulted in full evasion of standard email defenses. And given that her business is often an early target for new attacks, protection that depends on prior threat analysis has become essentially useless. Her solution for enterprise email is to adopt an API-based approach instead of gateways, along with deep machine learning and continuous protection of email rather than one-time scanning and approval at delivery. Let's look at how difficult this shift was and how Melody is managing it.

There’s got to be a better way to handle this

On Twitter I asked, "Since security people don’t get applause when nothing happens, how do you let the rest of the company know how well the security team is doing?" One respondent mentioned a slide in reports that says "X days without a breach"; others suggested showing improvements in metrics like vulnerability counts and mean time to respond. So what do we say to the whole company, not just the board?


Direct download: CISO_Vendor_04-20-21_FINAL.mp3
Category:podcast -- posted at: 3:00am PDT

All links and images for this episode can be found on CISO Series

https://cisoseries.com/what-to-expect-when-youre-expecting-a-network-breach/

Are you expecting a little intrusion into your network any day now? You better be prepared. Are there some vulnerabilities you should have managed, but didn't? Don't worry, first time security professionals are always scared about their first incident.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Scott Kuffer, co-founder and COO, Nucleus Security.

Thanks to our podcast sponsor, Nucleus Security

Nucleus Security

Nucleus unifies your existing security stack, integrating with over 70 scanners and external tools, creating a centralized hub to control the chaos of vulnerability analysis, triage, and remediation. Ready to make the tedious VM process simple through smart automation and workflow optimization? See for yourself at https://nucleussec.com/demo

On this week's episode

There’s got to be a better way to handle this

We constantly hear security leaders talk about "people, process, and technology". Overwhelmingly, most security vendors are selling technology; then, after a very steep drop, they are selling people; and "process" feels like a neglected stepchild. Let's talk about one process change made in the past year that had a significant impact on security posture, and about which security "process" needs the most help. Is there an opportunity in this area for security vendors, or is this just a combination of project management and increased automation?

What do you think of this vendor marketing tactic

Are security vendors eating their own dog food? The next time a security vendor pitches you, Chris Roberts of Hillbilly Hit Squad said on LinkedIn, "Ask them if they are using their own systems to protect themselves OR if they’re relying on someone else’s technology to protect their arses." An excellent question and HOW a vendor answers that question is very telling. So, is our sponsored guest using his own product to protect his business?

"What's Worse?!"

Jeremy Kempner, BT Americas offers up two really crappy communications options for Scott and Mike to wrestle with.

Please, Enough. No, More.

This week's topic: Risk-based vulnerability management, which can be defined as prioritizing your vulnerability remediation based on the risk it poses to your organization. What have we heard enough about with risk-based VM and what should we hear more about?
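To make the definition above concrete, here is a small prioritization example added for this page; it is not code from the episode, from Nucleus Security, or from any vendor product. The weights, the 1-5 asset criticality scale, the SLA tiers, and the finding labels and asset names are all assumptions constructed for illustration. The point it shows is that a severity-only queue (CVSS alone) and a risk-based queue (severity times business impact times likelihood of exploitation) order the same findings very differently.

```python
"""Risk-based vulnerability prioritization: an added illustrative example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner result enriched with business context.

    finding_id and asset are hypothetical labels constructed for this example;
    they are not real CVE identifiers or real hosts.
    """
    finding_id: str
    asset: str
    cvss_base: float        # 0.0-10.0 severity as reported by the scanner
    asset_criticality: int  # 1 (disposable) .. 5 (crown jewel); assumed scale
    internet_exposed: bool  # reachable from outside the network perimeter
    known_exploited: bool   # exploitation has been observed in the wild


# Multipliers are an assumption for illustration, not a published standard.
EXPOSURE_MULT = {True: 1.5, False: 0.6}
EXPLOIT_MULT = {True: 2.0, False: 1.0}
_MAX_RAW = 10.0 * 5 * max(EXPOSURE_MULT.values()) * max(EXPLOIT_MULT.values())

# Assumed remediation SLAs per tier, for illustration only.
TIERS = (
    (50.0, "P1: fix within 7 days"),
    (25.0, "P2: fix within 30 days"),
    (10.0, "P3: fix within 90 days"),
    (0.0, "P4: next maintenance window"),
)


def risk_score(f: Finding) -> float:
    """Severity x business impact x likelihood modifiers, normalised to 0-100."""
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError(f"CVSS out of range: {f.cvss_base}")
    if not 1 <= f.asset_criticality <= 5:
        raise ValueError(f"criticality out of range: {f.asset_criticality}")
    raw = (f.cvss_base * f.asset_criticality
           * EXPOSURE_MULT[f.internet_exposed] * EXPLOIT_MULT[f.known_exploited])
    return round(100.0 * raw / _MAX_RAW, 1)


def tier(score: float) -> str:
    """Map a 0-100 risk score onto the assumed SLA tiers."""
    for threshold, label in TIERS:
        if score >= threshold:
            return label
    return TIERS[-1][1]


def prioritize(findings):
    """Rank by risk score, highest first; ties broken by id for stable output."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.finding_id))


def cvss_only(findings):
    """The ordering a severity-only queue would produce, for comparison."""
    return sorted(findings, key=lambda f: (-f.cvss_base, f.finding_id))


# Constructed sample findings (hypothetical assets and labels).
SAMPLE = [
    Finding("F-1", "lab-build-box", 9.8, 1, False, False),
    Finding("F-2", "customer-portal", 6.5, 5, True, True),
    Finding("F-3", "partner-api-gw", 7.5, 4, True, False),
    Finding("F-4", "payroll-db", 9.8, 5, False, True),
]

if __name__ == "__main__":
    print("CVSS-only order :", [f.finding_id for f in cvss_only(SAMPLE)])
    print("Risk-based order:")
    for f in prioritize(SAMPLE):
        s = risk_score(f)
        print(f"  {f.finding_id} {f.asset:16} cvss={f.cvss_base:<4} risk={s:<5} {tier(s)}")
```

With these inputs the CVSS-only queue puts the 9.8 on an isolated lab box at the top, while the risk-based queue puts the 6.5 on the internet-facing, actively exploited customer portal first and pushes the lab box to the bottom. The exact multipliers matter far less than the discipline of feeding asset inventory (criticality, exposure) and threat intelligence (known exploitation) into the ranking instead of remediating by scanner severity alone.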

How have you actually pulled this off?

One of the key parts of a successful pentest is the reconnaissance phase, where the necessary background information is gathered. Let's walk through that process. How much of it is planning vs. discovery? It's assumed that a lot of creativity goes into making a successful pentest. What are some of the techniques and information needed to increase success?


Direct download: CISO_Vendor_04-13-21_FINAL.mp3
Category:podcast -- posted at: 3:00am PDT

All links and images for this episode can be found on CISO Series

https://cisoseries.com/we-recommend-a-know-the-right-people-certification/

There are so many fantastic certifications out there for security professionals. But we've found the one certification that will really help you land the right job really quickly, is to provide proof that you know some people at our company who can vouch for you. Remember, we are a business that operates on trust, not giving people their first chances in cybersecurity.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Jesse Whaley, CISO, Amtrak.

Thanks to our podcast sponsor, Adaptive Shield

Adaptive Shield

Adaptive Shield ensures companies gain control over their SaaS app security and prevents the misconfigurations and vulnerabilities that could lead to a leak or breach. Adaptive Shield connects to any app, continuously monitors all configurations, provides a complete picture of the company's SaaS estate, and enables quick remediation of any potential threats.

In this week's episode

Why is everybody talking about this now?

Should cybersecurity professionals fight back rather than just block and tackle? Former US government cybersecurity chief Chris Krebs has called on law enforcement and others to fight back against ransomware attackers. Krebs suggested posting the private information of the hackers with malicious intent, AKA doxxing. "Hacking back" is dangerous, as it's hard to determine who the attacker really is, and you're essentially taking the law into your own hands. Yet Chris Krebs is recommending it, seeing that ransomware is the biggest threat.

Dan Lohrmann of Security Mentor shared this article from the Financial Times and it drove a lot of debate. We've heard this before, but from someone like Chris Krebs, that's astonishing. What level of fighting back should people be comfortable with?

Are we having communication issues?

"I push back [on vendors] because I want depth and context from first contact," said John Keenan, director of Information Security, at Memorial Hospital at Gulfport. In this post on LinkedIn he said he's annoyed with vendors' generic first outreach and when he declines their response is "Well, I had to give it a shot". If they want a real connection, include "What's In It for Me". A generic response of "I think you'll really like what we've got to show," does not qualify. Let's talk about who has ever received a first (or heck any) contact that did have depth and context and could clearly articulate the "what's in it for you" message.

"What's Worse?!"

This week's challenge is from Nir Rothenberg, CISO, Rapyd.

How have you actually pulled this off?

Hiring in cybersecurity is a bear. As we've discussed before on this show, there's actually plenty of supply and demand in cybersecurity, yet jobs are not getting filled, possibly because of unreasonable requirements. Let's talk about what percentage of the ideal skill set people are willing to accept in a new hire, and about situations where someone was hired who didn't possess that must-have skill for the job. And let's also look at the most effective training or mentoring techniques used to get employees to pick up those skills.

Hey you’re a CISO. What’s your take?

On Twitter, Alyssa Miller AKA @alyssaM_InfoSec asked: "You're the CISO, rank the priority of the following list from a security perspective and explain your reasons:

A. A well-defined vulnerability management program
B. A reliable configuration management database/Asset Inventory
C. A comprehensive metrics and reporting practice.

A slight majority voted B, A, C: asset inventory first, then vulnerability management, then metrics and reporting. But there was plenty of disagreement. Let's look at that.


Direct download: CISO_Vendor_04-06-21_FINAL.mp3
Category:podcast -- posted at: 3:00am PDT