All links and images for this episode can be found on CISO Series (https://cisoseries.com/wait-what-good-news-in-cybersecurity/)

On this episode of CISO/Security Vendor Relationship Podcast, cybercrime fails and we brag about it.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Geoff Belknap (@geoffbelknap), CISO, LinkedIn.

Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, Geoff Belknap, CISO, LinkedIn, and David Spark, producer, CISO Series.

Thanks to this week's podcast sponsor Trend Micro.

On this week's episode

How CISOs are digesting the latest security news

We simply don't hear enough good news cybersecurity stories that make those involved proud. What are the cybersecurity stories that aren't being told publicly that should be?

First 90 Days of a CISO

Michael Farnum, Set Solutions, said, "If you come into the job and aren’t willing to critically review existing projects AND put a stop to the ones that are questionable, then you are going to cause yourself problems later. It might seem like an unwise political move when new to the company, but you have to be willing to swing the axe (or at least push the pause button) on anything that doesn’t make sense." Not so easy, but where's the line where you can actually push and say, "We're changing course"?

It's time to play, "What's Worse?!"

We've got a split decision!

Hey, you're a CISO, what's your take on this?

On a previous episode of Defense in Depth, we talked about employee hacking or getting the staff on the same page as the CISO and the security program. I quoted instructor Sarah Mancinho who said, "I am a firm believer that CISOs/CIOs should have their own dedicated IT strategic communications person(s) that report to them, and not any other office. Most comms roles I've seen...had to report to HR/PR/General Comms....none of whom really knew anything about technology/technical comms/infosec....and had little to no interaction with the IT/security team."

My co-host, Allan Alford, loved this idea, never had it, but would love to have it. What value could a dedicated PR person bring to the security team?

The devious new Android malware called Cerberus steals credentials by using a downloaded fake Adobe Flash player. That is not really innovative in itself, but what’s interesting is the way it seeks to avoid detection by using the phone’s accelerometer to confirm that the infected target is a real device and not on the screen of a security analyst. According to ESET researcher Lukas Stefanko, quoted in Forbes, the app actually counts a number of physical footsteps taken by the phone’s owner, and deploys once the required number has been reached. 

For more, check out the full tip on CISO Series.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

Why is everybody talking about this now?

What's behind the cybersecurity skills shortage? In an article on the Forbes Council, Mark Aiello, president of cybersecurity recruiting firm CyberSN, pointed out some ugly truths as to why it's so difficult to hire cybersecurity talent. He pointed to low pay, the desire to find unicorns, poor job descriptions, training and growth. Is the core issue that the cybersecurity industry just does a very poor job welcoming new entrants?

Today, what does a cybersecurity professional need walking in the door? And what are CISOs willing to accept no knowledge of, yet willing to train?

All images and links for this episode can be found on CISO Series (https://cisoseries.com/serious-hackers-wear-two-black-hoodies/)

We're doubling down and embracing the absolute worst of hacker tropes. Put on your black hoodie and then a second one. Boot up your Matrix screensaver and listen to the latest episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Bruce Potter (@gdead), CISO, Expel.

Here are the links to the items Bruce mentioned on the show:

• Expel's third-party assessment framework
• NIST CSF (and soon to be PF) self assessment tool
• Oh Noes! The incident response role playing game

Thanks to this week's podcast sponsor Expel

Expel is flipping today’s managed security model on its head (Ouch!) for on-prem and cloud, taking a technology-driven approach that lets analysts focus on what humans do best: exercise judgment and manage relationships. The company offers 24x7 monitoring through its security operations center-as-a-service, using the security tools customers already have.

On this week's episode

We’ve got listeners, and they’ve got questions

A listener, who wishes to remain anonymous asks, "I am a one person security organization, and I get frustrated reading industry news and even listening to the CISO Series (love the show). My frustration is that so very often articles, blogs and podcasts assume that you/your organization has a security TEAM... How do you thrive and not just survive as a security shop of one?" What can a one-person shop expect to do, and not do?

Let's dig a little deeper

Bruce is also the founder of the Shmoo Group and his wife is the organizer for the annual ShmooCon which is a hacker conference held in DC every year. I'm stunned that his 2200-person event sells out in less than 20 seconds. There is obviously huge demand to attend and speak at your event. This year's event he had 168 submitted talks and 41 were accepted. Bruce tells us what makes a great ShmooCon submission and what were the most memorable talks from ShmooCon.

"What's Worse?!"

Today's game probably speaks to the number one problem with every company's security program.

Hey, you're a CISO, what's your take on this?

An issue that comes up in security all the time is "how do you do more with less." Are there ways to advance your security program when you don't have more budget or more people to do so?

Study after study shows a top priority for cloud users is having visibility into application and data traffic. But most are not getting it. Nine out of ten respondents believe that access to packet data is needed for effective monitoring. So even though the cloud providers maintain the fortress, the enterprise still needs to see what’s going on. They’re ultimately responsible, after all.

Cloud needs its own approach to monitoring, more closely based on how cloud customers interact with their data. It needs its own tools and greater level of communication between them and their providers.

More on CISO Series.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

Why is everybody talking about this now?

We have talked in the past about the tired and negative image of the hacker in the black hoodie. It's pretty much all you see in stock photos. And since that's all any media outlet uses, that image just keeps getting reinforced. Poking fun and I think truly trying to find a better hacker image meme, Casey Ellis, founder of Bugcrowd, challenged others on LinkedIn to find a better "hacker stock photo" than the one he posted of hands coming out of a screen and typing on your keyboard with a cat looking on. We debate the truly worst hacker images we've seen and we propose a possible new stock image of the hacker.

Links and images for this episode can be found on CISO Series (https://cisoseries.com/ciso-confessions-its-not-you-its-me-/)

Vendors are trying to understand why CISOs are ghosting them and sometimes, it really isn't their fault. CISOs accept the blame on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and joining me is special guest co-host Betsy Bevilacqua (@HEALTHeSECURITY), CISO, Butterfly Network. Our guest will be Matt Southworth (@bronx), CISO of Priceline.

This episode was recorded live in WeWork's Times Square location on September 5th, 2019. Here are all the photos.

Enormous thanks to WeWork for hosting this event. They're hiring! Contact JJ Agha, vp of information security at WeWork.

Also, huge thanks to David Raviv and the NY Information Security Meetup group for partnering with us on this event.

Thanks to this week's podcast sponsor Tehama, Tenable, and Devo.

Tehama provides secure and compliant virtual desktops on the cloud, and all the IT infrastructure needed for enterprises to connect and grow global and remote teams. Tehama's built-in SOC 2 Type II controls reduce the risk of malware intrusion from endpoint devices, data breaches, and other vulnerabilities.  Learn more at tehama.io.

Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization.

SOC teams have been struggling with many of the same issues for years – lack of visibility, too much noise – all while the threat landscape grows more complex. Devo Security Operations is a next-gen cloud SIEM that enables you to gain complete visibility, reduce noise, and focus on the threats that matter most to the business.

On this week's episode

How are CISOs digesting the latest security news?

An article on Bloomberg and an ensuing discussion on LinkedIn pointed out that costs after a breach go beyond fines and lost reputation. It also includes the cost to keep top cybersecurity talent. Salaries for a CISO post-breach can range from $2.5-$6.5 million, that includes stock. What could a security professional show and demonstrate in this time of crisis that they are the one to hire to garner such a salary?

Hey, you're a CISO, what's your take on this?

Michael Mortensen of Risk Based Security asks a question about when there's considerable dialogue with a prospect, and they go cold. Michael wants to know what causes this? He has theories on sales people being impatient or wrong set of expectations, but he's interested in the CISO's viewpoint. Assuming you have had conversations with a vendor, have you gone cold on their outreach? If so, what was the reason?

It's time to play, "What's Worse?!"

Two rounds lots of agreement, but plenty of struggle.

Why is everybody talking about this now?

Cryptography firm Crown Sterling has sued Black Hat for breaching its sponsorship agreement and also suing 10 individuals for orchestrating a disruption of the company's sponsored talk at the conference in which the CEO presented a finding on discovering prime numbers which are key to public-key encryption. The crowd didn't like it and they booed him. You can see a video of one individual yelling, "Get off the stage, you shouldn't be here." Crown Sterling argued that Black Hat was in violation of their sponsorship agreement because they didn't do enough to stop it.

At Black Hat and related parties I saw many printed signs about codes of conduct. It doesn't appear anyone had a plan to enforce those rules.
What has happened in the security community that some security professionals feel they have the right to shout down a speaker like this?
If one of these 10 disruptors was your employee, how would you respond?

What's a CISO to do?

So much of a job of a CISO is to change behavior. How do CISOs change behavior to a more secure posture? Where should a CISO start? What's the low hanging fruit?

It’s time for the audience question speed round

Our audience has questions, and our CISOs tried to come up with as many answers as possible. Our closing question put my guest co-host in the hot seat.

Links and images for this episode can be found on CISO Series (https://cisoseries.com/getting-over-our-security-%e2%89%a0-compliance-obsession/)

We repeat "Security ≠ Compliance" so often it's become our mantra. Does anyone pay attention to it anymore? We're unpacking our compulsion to keep saying it on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Chris Hymes (@secwrks), head of information security, enterprise IT, and data protection officer, Riot Games, makers of League of Legends.

Thanks to this week's podcast sponsor Expel

Expel is flipping today’s managed security model on its head (Ouch!) for on-prem and cloud, taking a technology-driven approach that lets analysts focus on what humans do best: exercise judgment and manage relationships. The company offers 24x7 monitoring through its security operations center-as-a-service, using the security tools customers already have.

On this week's episode

Why is everyone talking about this now?

On LinkedIn, Omar Khawaja, CISO, Highmark Health, argued that every time a security person repeats the "Security does not equal compliance" trope, it translates to a belief that compliance is useless. This caused a flurry of discussion. Is compliance useless? If not, Omar asks what should "Security does not equal compliance" be replaced with? Essentially, how should compliance be viewed in an overall security program?

Ask a CISO

Scott Holt, sales engineer, cmd, asked our CISOs how they're balancing keeping their information and infrastructure private while at the same time working with vendors to fill security needs?

"What's Worse?!"

We've got a question based on the build vs. buy debate.

Hey, You're a CISO, what's your take on this?

Paul Makowski, Polyswarm, asks a question that's very relevant to their business. He said, "Enterprises often subscribe to multiple feeds [of threat intelligence]. They learn their strengths and weaknesses and develop weighting algorithms to divine highest quality intelligence in the context of what's being analyzed. How can the industry close the feedback loop with threat intelligence providers, providing them with an opportunity to improve coverage and efficacy (false positive / false negative rates)?"

The Shared Responsibility Model for cloud is, as Amazon and others describe it, the difference between the “security OF the cloud” and “security IN the cloud,” with cloud service providers taking care of the OF, and clients taking care of the IN. “In the cloud” means the data, the access – especially guest access, and the usage.

More on CISO Series.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

Close your eyes. Breathe in. It’s time for a little security philosophy.

Steven Trippier, Group CISO, Anglian Water Services, asked, "What are the right metrics to use to illustrate the success / performance of the security team?" We've asked this question before and one of the most popular answers was "mean time to identify and remediate." But here's the philosophical question that Steven asks, "How does this change in an environment where breaches/malware outbreaks are uncommon and stats such as mean time to identify and mean time to contain are not relevant?"