Links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ciso-series-one-year-review/) 

The CISO/Security Vendor Relationship Podcast is now more than a year old. On this episode, the hosts of both podcasts, reflect on the series and we respond to listeners critiques, raves, and opinions.

Check out this post and this post for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is the co-host of the CISO/Security Vendor Relationship Podcast, Mike Johnson.

Thanks to this week’s podcast sponsor, Trend Micro

On this episode of Defense in Depth, you'll learn:

• We provide the definitive story of how the CISO/Security Vendor Relationship Podcast started and how David, Allan, and Mike all connected.
• We've been challenging many of the sales techniques that have essentially irked CISOs. The podcast has become a validation tool for sales people to show to their management and say, "We need to change direction."
• One of the critiques we've heard is the desire to understand more of the sales process. We are actually very much in the dark as to the different levels of incentives are for sales staff. A security sale is often a long and involved process and we know the incentives are more involved than just a sales commission.
• We've actually done webinars that take a look behind the scenes of sales and we plan to do more.
• Those who feel isolated with their company enjoy hearing the different viewpoints.
• There is actually a real return on investment to listening to our show. Sales people say that they've changed their strategy based on advice on the show and it has proved to be fruitful.

Images and links for this episode can be found at CISO Series (https://cisoseries.com/worst-question-award-goes-to-how-secure-are-we/)

We've got better ways to determine the overall quality of your security posture than asking this unanswerable question. It's all coming up on CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Helen Patton (@osucisohelen), CISO, Ohio State University.

Thanks to this week's podcast sponsor Trend Micro.

On this week's episode

Why is everyone talking about this now?

Jamil Fashchi, CISO, Equifax, "In speaking with a CEO the other day, I was asked, 'As someone who isn’t technical, what questions should I ask to determine if my security team is effective?'" This caused a flurry of discussion. What's your advice, and do you agree it's a lot better question than "How secure are we?"

Hey, you're a CISO, what's your take on this?

One issue that comes up a lot in cybersecurity is the lack of diversity. We have discussed the value of diversity, in that it avoids "one think" and brings in the critical need of different viewpoints. The problem is we're often attracted to people like us, and we ask for referrals which if you hired people like you is probably going to deliver more people like you. We focus this discussion on actionable tips that CISOs can take to bring in a diverse workforce.

What's Worse?!

What's it like to work with the business and their acceptance or lack of acceptance of risk?

First 90 days of a CISO

Steve Luczynski, just became CISO of T-Rex Corporation. In the past the CIO has handled both IT and security at the company.

"Now with a CISO onboard, the struggle is figuring out who does what with the expected reluctance by the CIO to let go of certain things and trust me, the new CISO to maintain the same standards. For example, I wanted to change our password policy when I first showed up to match the new NIST guidance of not changing based on a set time period. There was disagreement and it did not change even when I showed the NIST verbiage," said Luczynski.

How should Steve deal with such disagreements?

Ask a CISO

For a while, FUD (fear, uncertainty, and doubt) worked on the average person, to get them to install basic security measures, like an anti-virus. But it appears that's all changed. The cause could be apathy. When there's so many breaches happening the average person feels powerless. Are we marketing cyber-awareness wrong to non-security people? What would get them to be true advocates?

The Pre-nup. It’s a difficult thing for most people to talk about in their personal lives, but it’s something that should always be considered when setting up a relationship with a cloud service provider. Not all business relationships last, and if your organization needs to move its data to another provider, it’s not like packing up your furniture and saying goodbye to your half of the dog. 

The images and links for this episode can be found at CISO Series (https://cisoseries.com/youre-not-going-anywhere-until-you-clean-up-that-cyber-mess/)

Our CISOs and Miss Manners have some rules you should follow when leaving your security program to someone else. It's all coming up on CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is newly free agent CISO, Gary Hayslip (@ghayslip).

Thanks to this week's podcast sponsor Trend Micro

On this week's episode

Why is everyone talking about this now?

Mike, you asked a question to the LinkedIn community about what department owns data privacy. You asserted it was a function of the security team, minus the legal aspects. The community exploded with opinions. What responses most opened your eyes to the data privacy management and responsibility issue you didn't really consider?

Hey, you're a CISO, what's your take on this?'

Someone who is writing a scene for a novel, asks this question on Quora, "How does a hacker know he or she has been caught?" Lots of good suggestions. What's your favorite scenario? And, do you want to let a hacker know he or she has been caught, or do you want to hide it? What circumstances would be appropriate for either?

What's Worse?!

Mike decides What's Worse?! and also what's good for business.

First 90 days of a CISO

Paul Hugenberg of InfoGPS Networks asks, "What fundamentals should the CISO leave for the next, as transitions are fast and frequent and many CISOs approach their role differently. Conversely, what fundamentals should the new CISO (or offered CISO) request evidence of existence before saying YES?" Mike, this is a perfect question for you. You exited and you will eventually re-enter I assume as a CISO. What did you leave and what do you expect?

Ask a CISO

Fernando Montenegro of 451 Research asks, "How do you better align security outcomes with incentives?" Should you incentivize security? Have you done it before? What works, what doesn't?

Imagine how hard it would be to live in a house that is constantly under attack from burglars, vandals, fire ants, drones, wall-piercing radar and virulent bacteria. Most of us are used to putting a lock on the door, cleaning the various surfaces and keeping a can of Raid on hand for anything that moves in the corner. But could you imagine keeping a staff of specialists around 24/7 to do nothing but attack your house in order to find and exploit every weakness?

All pictures and links for this episode can be found on CISO Series (https://cisoseries.com/we-take-privacy-not-our-ciso-seriously/)

We're looking for the one company brave enough to say they don't care about privacy on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode was recorded live on June 6th at The B.O.B. in Grand Rapids, Michigan at the 2019 West Michigan IT Summit, hosted by C3 Technology Advisors. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Allan Alford (@allanalfordinTX), principal consultant at Side Channel Security. Our guest for this special live recording is the former CISO/CSO/CTO of the state of Michigan, Dan Lohrmann (@govcso).

David Spark and Allan Alford, co-hosts of Defense in Depth on the CISO Series network, and Dan Lohrmann, former CISO/CSO/CTO for the State of Michigan.

Thanks to this week's podcast sponsors C3 Technology Advisors, Fuze, and Assured Data Protection.

C3 Technology Advisors is a technology consulting firm that helps midsize to enterprise organizations make better technology buying decisions. With technology quickly changing, let C3 help you shift through all the disruption, noise, and sales pitches to allow you to make better technology buying decisions for your organization.

Fuze is the #1 cloud communications and collaboration platform for the enterprise, combining calling, meeting, chatting, and sharing into a single, easy-to-use application. Designed for the way people work, Fuze allows the modern, mobile workforce to seamlessly communicate anytime, anywhere, across any device.

Assured Data Protection provides backup and disaster recovery solutions utilizing Rubrik ‘as a Service’. They offer 24/7 global support, with expertise that truly sets them apart from other back up and DR service providers.

On this week's episode

Should you ignore this security advice?

Yaron Levi, CISO of Blue Cross Blue Shield of Kansas City posed an interesting question, "Many people in security follow best practice without questioning them but in fact there are many BAD security best practices." Levi asks the LinkedIn community and I also ask our guests, "What do you consider a 'Bad Best Practice?'"

How to become a CISO

Aaron Weinberg, Kirlin Group, asks, "What would a CIO need to do to switch career tracks to being a CISO?" I'll add why would you want to do that?

What's Worse?!

We've got two rounds of questions and conflict on at least one of them.

I tell ya, CISOs get no respect

Brian Krebs of Krebs Security asked, "Why aren't CISOs often not listed on the executive page of a company website?" Krebs looked at the top 100 global companies and only found 5 that had a CISO listed. Of the NASDAQ 50, there were only three listed with a security title. But plenty had chief of human resources or chief marketing officers listed. One argument for the lack of front page visibility for CISOs is that companies value revenue centers over cost centers. Another argument is the reporting structure. That CISOs often report to CIOs. Is that why it's happening, or is it something else?

Close your eyes. Breathe in. It’s time for a little security philosophy.

A question on Quora asks you to participate in this little thought exercise, "If you knew all computers would be erased tomorrow by a worldwide virus, what steps would you take to protect yourself?" It's a little more involved than just unpluging your computer from the Internet.

Why is this a bad pitch?

I read a cringeworthy bad pitch and our CISOs respond. Listen to the end as I reveal something surprising about this very bad pitch.

And now this…

I burn through a stack of questions from the audience as we go into a cybersecurity speed round.

Full episode with images and links available at CISO Series (https://cisoseries.com/do-these-jeans-make-my-vulnerabilities-look-too-big/)

We're starting to get a little self-conscious that our vulnerabilities are starting to show. People we don't even know are telling us we have them on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Fredrick Lee (AKA "Flee") (@fredrickl), CSO of Gusto.

Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization.

What's a CISO to do?

Chris Romeo, CEO of Security Journey, wrote a post where he asked, "What if I had to develop an application security program with a budget of zero dollars?" What he presented was a means to lean on the OWASP open source community and tools to build an application security program.

You're a CISO, what's your take on this?

I was chatting with a pentester, Benjamin McEwan, from Scotland, who reaches out to CISOs trying to responsibly disclose, not expose, a credible security vulnerability. It's his effort to get recognized. He's frustrated though in his ability to find permanent work because those hiring only see him as an independent researcher. Is his exercise the right approach? What can a talented security person in his position do to make himself more attractive to CISOs?

What's Worse?!

We've got a couple of scenarios that shocked our guest at the sheer InfoSec horror.

Breathe In, It's Time for a Little Security Philosophy

On Quora, a question right out of the Matthew Broderick movie WarGames asks, "If a student hacked into university computers and changed his grade in cyber security to an A, does he actually deserve the A?" Except for one person, everyone said, "No," but for different reasons. Mike, are you saying no, and if so, what reason?

What do you think of this pitch?

We've got two pitches from vendors this week. One came directly to me.

Cloud Security Tip, by Steve Prentice - Sponsored by OpenVPN.

The idea behind an Advanced Persistent Threat is both intriguing and a little distracting. It sounds like the title of a Tom Clancy novel – maybe a sequel to Clear and Present Danger.

Designed to penetrate a network, operate while hidden for a long time, all the while receiving commands from an outside agent, an APT is more sophisticated than everyday malware and tends to be deployed against large targets.