CISO Series Podcast
Formerly named CISO/Security Vendor Relationship Podcast. Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.

Security is suffering from a serious Rodney Dangerfield "I get no respect" problem. What has often been seen as the department of "no" is struggling under that brand image. That's probably because security is often seen as an inhibitor rather than an enabler. If InfoSec wants to fix that perception, it'll be their responsibility to dig themselves out.

Here's what you'll hear on the latest episode of the CISO/Security Vendor Relationship Podcast:

  • Nobody thinks security is their friend: How can security rid itself of this highly negative branding? Be problem solvers vs. problem creators.
  • Techniques to integrate AppSec into the DevOps process: It comes down to measurement, respecting an engineer's time, and learning from the success of one process and putting it into another. Read more great insight by Chris Steipp of Lyft.
  • We play "What's Worse?!" In this episode of the game we question the worst scenario of an encrypted or unencrypted laptop, but with qualifications.
  • Uggh, WAFs are NOT magical boxes: In a round of "Please, Enough. No, More." we challenge the way web application firewalls (WAFs) are being sold. WAFs need to be more friendly and flexible. No one believes you if you sell them as magical boxes that stop all attacks.
  • How can you be a great customer? We turn the tables from "Ask a CISO" to "Ask a Vendor" and ask what it takes to be a great customer. Vendors would like you to ttop kicking the tires and talk about solving real problems.
  • Plus a ten-second security tip: It may be cliche, but if security departments want to be more effective, they should be moving away from blocking to enabling.

Special thanks to Signal Sciences for sponsoring this episode. If you’re using WAFs, make sure you read “Three Ways Legacy WAFs Fail,” by their head of research, James Wickett.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Zane Lackey (@zanelackey), co-founder and CSO for Signal Sciences and author of the new book from O'Reilly, "Building a Modern Security Program."

Sponsor the Podcast

If you'd like to sponsor the podcast, contact David Spark at Spark Media Solutions.

Direct download: CISO_Vendor_8-26-18_FINAL.mp3
Category:podcast -- posted at: 2:52pm PDT

This is an extra segment we recorded with Dan Glass, former CISO, American Airlines for our last episode. It didn't make it into the last episode, but I thought it was still worthwhile to release as a short bonus mini episode of only four minutes. As always, the show includes myself, David Spark, founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Enjoy.

Direct download: CISO-Vendor_08-18-18_BONUS_FINAL.mp3
Category:podcast -- posted at: 3:02pm PDT

We spend a good portion of this episode of the CISO/Security Vendor Relationship Podcast mocking unrealistic job listings that ask for too many unnecessary credentials and on top of it aren't willing to pay a fair market rate. Did companies forget that it's a buyers' market right now in security?

On this episode of the podcast we discuss:

  • The security semantics of "responsibility" vs. "accountability": Which one drives which behavior? And it is possible to try to compel one to the detriment of the other? See Chad Loder's post for more.
  • How do you motivate employees to be concerned about security outside of hammering them with pen tests and fake phishing emails? If it hasn't happened already, those tests to see how secure your environment is may backfire. What can you do to instill secure behavior without testing employees to the point of annoyance?
  • What do you think of this pitch? We get a split decision on a pitch of a company that's operating in a new category. Plus, advice on what never to do in a pitch.
  • Unrealistic expectations for position descriptions: Job descriptions in the security field seem to be getting longer, with more certification requirements, and lower pay. What's going on and do companies who list these types of jobs realize they're only hurting themselves? In a buyers' market you can't just put out an unrealistic job posting to "see who will respond." It will actually damage your brand.
  • Plus, a 10-second security tip (that's a few seconds longer): It's what you should be doing, but probably aren't doing.
  • And a visit from the host of The Cyberwire: Dave Bittner, from The Cyberwire, joins us for a discussion about his daily security tech news show and to tell us about the launch of two more security podcasts.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Dan Glass, former CISO (as of just a couple days ago) of American Airlines.

Special thanks to SpyCloud for sponsoring this episode. Learn more about how you can protect employees and customers from account takeover with SpyCloud.

Contributions. Contributions. Contributions.

I am cranking out a ton more content for not just the podcast, but also the entire series so I am very open and receptive to story ideas, suggestions for segments of the podcast, or anything else. Just connect with me on LinkedIn.

Sponsor the podcast

If you're interested in sponsoring the podcast, contact David Spark at Spark Media Solutions.

Direct download: CISO_Vendor_08-19-18_FINAL.mp3
Category:podcast -- posted at: 8:12am PDT

We promise to keep your identity private while we discuss the troubles of two-factor authentication.

On this episode of the CISO/Security Vendor Relationship Podcast we discuss:

  • Why don't more people use two-factor authentication? Does the UX still suck? Why can't we agree on a common model for how to authenticate? Will U2F be the saving grace for 2FA? Story on the debate.
  • What are the signs your employees are going rogue? We debate the need to monitor employees this way. Are internal intrusions the same as external? Is monitoring the monitoring devices enough? What are the signs? Discussion on LinkedIn and a recommended book: "Nothing to Hide: The False Tradeoff between Privacy and Security."
  • We play a round of "What's Worse?!" It's the game where we determine which is the worst of two really bad practices. In this case, the CISOs have to choose between two unpleasant marketing practices.
  • How do CISOs balance compliance and security: The two aren't equal, but compliance is a means to prove that you're doing security right. Our guest hits it out of the park with a very clear explanation and also how to use compliance to better market your company.
  • How do CISOs discover new solutions: This might as well be the title of this podcast, but we delve into some unique angles that CISOs are taking as they're avoiding traditional pitches from security vendors. Discussion on LinkedIn.
  • Ten-second security tip touting the value of passphrases: See this cartoon for more.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Allan Alford (@AllanAlfordinTX), CISO, Mitel.

SentinelOne-Autonomous endpoint protection

Special thanks to our sponsor, SentinelOne, for supporting this episode and the podcast. Learn more about their autonomous endpoint protection.

Contributions. Contributions. Contributions.

I am cranking out a ton more content for not just the podcast, but also the entire series so I am very open and receptive to story ideas, suggestions for segments of the podcast, or anything else. Just connect with me on LinkedIn.

Sponsor the podcast

If you’re interested in sponsoring the podcast, contact David Spark at Spark Media Solutions.

Direct download: CISO_Vendor_08-12-2018_FINAL.mp3
Category:podcast -- posted at: 5:42am PDT

Just because you have a new salesperson, doesn't mean you have to restart the sales process. If you've been properly entering information into your CRM, you shouldn't have to.

On this episode of the podcast we discuss:

  • Are you ready for...Black Hat: Techniques to get the most value out of the conference. We've got some really good post-conference suggestions.
  • What do you think of this pitch? We have one of those follow up pitches that just rubs CISOs and security professionals the wrong way.
  • It's time to play, "What's Worse?!" Both host and guest agreed on this one. It's possibly the worst of the worst.
  • Please, Enough. No, More: We discuss account takeover. What we've heard enough on this subject, and what we'd like to hear a lot more. Make sure to read Lyft's article about fingerprinting fraudulent behavior.
  • What's a CISO to do? Beyond blocking and responding, we discuss different tactics for offense and defense against cybercriminals. Which ones are most effective and which ones are ethically and morally wrong?
  • It's time for "Ask a Vendor!" Working off the same model as "Ask a CISO," we turn the tables and security professionals ask questions of vendors. This time, we asked about the use/non-use of CRMs.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Ted Ross (@tedross), CEO, SpyCloud.

Special thanks to SpyCloud for sponsoring this episode. Learn more about how you can protect employees and customers from account takeover with SpyCloud.

Contributions. Contributions. Contributions.

I am cranking out a ton more content for not just the podcast, but also the entire series so I am very open and receptive to story ideas, suggestions for segments of the podcast, or anything else. Just connect with me on LinkedIn.

Listen and Subscribe to the CISO/Security Vendor Relationship Podcast

So many ways to connect and listen to the podcast.

Direct download: CISO_Vendor_8-5-2018_FINAL.mp3
Category:podcast -- posted at: 10:49am PDT