Tue, 27 August 2019
All images and links for this episode can be found on CISO Series (https://cisoseries.com/open-this-email-for-an-exclusive-look-at-our-clickable-web-links/)
You'll be dazzled by the clickability of our web links on this week's episode of CISO/Security Vendor Relationship Podcast.
This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week Aanchal Gupta (@nchlgpt), head of security for Calibra, Facebook.
Aanchal Gupta, Head of Security for Calibra, Facebook, Mike Johnson, Co-Host, CISO/Security Vendor Relationship Podcast, David Spark, Producer, CISO Series
Thanks to this week's podcast sponsor Expel.
Expel is flipping today’s managed security model on its head (Ouch!) for on-prem and cloud, taking a technology-driven approach that lets analysts focus on what humans do best: exercise judgment and manage relationships. The company offers 24x7 monitoring through its security operations center-as-a-service, using the security tools customers already have.
On this week's episode
Hey, You're a CISO, what's your take on this?
Last month, Brian Krebs reported a breach from the 6th-largest cloud solutions provider PCM Inc. which let intruders rifle through Office365 email/documents for a number of customers.
In response, listener Alexander Rabke, Unbound Tech, asked, "Would CISOs continue to do business with ‘security’ companies that are breached?" What's your recommendation for sales people who are at such an organization? How should they manage news like this?
Ask a CISO
We know there are plenty of pros and cons of telecommuting. I'm eager to hear from both of you how security leaders value telecommuting. What are the challenges to a CISO of managing a virtual staff?
We've got two extreme scenarios you'd never see in the real world.
Why is everybody talking about this now?
Mike, on LinkedIn you ranted about the term DevSecOps that it was a distraction and that "It's really no different (at a high level) than building security into an Agile development process, or a Waterfall process." I agree but I would argue that when DevOps was introduced it was about getting two groups working in tandem. At the time it was a mistake to omit security.
Last year at Black Hat I produced a video where I asked attendees, "Should security and DevOps be in couples counseling together?" Everyone universally said, "Yes", but I was taken aback that many of the security people responded, "that they should just listen to me." Which, if you've ever been in couples counseling knows that the technique doesn't work.
I argue that the term DevSecOps was brought about to say, "Hey everybody, you have to include us as well."
Mike recommends Kelly Shortridge and Nicole Forsgren presentation at Black Hat 2019, "The Inevitable Marriage of DevOps and Security".
Companies continue to take advantage of the economies of scale offered by multi-tenant cloud services, but complacency is dangerous. Multi-tenant cloud is often described as being like a big apartment building, but the big difference is that the walls that separate tenants from each other are not solid, but software. Software is built by humans which closes the circle: unpredictable humans in an unpredictable world.
I’m not just talking about hacking here. What about compliance? GDPR’s austere and perhaps old-world view that data on a German citizen must stay in Germany, is nonetheless the law, and carries substantial fines for transgression. This requires data centers to be run from multiple countries, but so long as they’re connected by a cable no data is ever truly isolated. Future regulations affecting health records or patents or blockchain transactions might find themselves in limbo when it comes to coming to rest in a certain section of a certain cloud.
For the moment, companies are focusing mostly on the cost-efficiencies of shacking up with other tenants in the same building, but very soon, this too might not be enough.
Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.
The great CISO challenge
Lauren Zink of Amtrust posted an article from Infosec Institute asking, "What are you to do with repeat offenders in social engineering exercises?" The article offers some helpful suggestions. In the discussion, there was some pointing fingers at security training designed to purposefully trick employees. Have either of you had to deal with repeat offenders? What did you do? What's your advice for other security leaders... and HR?