CISO Series Podcast
Formerly named CISO/Security Vendor Relationship Podcast. Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/say-it-loud-i-didnt-read-the-privacy-policy-and-im-proud/)

If we don't understand the purpose of a privacy policy, why should we bother reading it? We're claiming the cyber ignorance defense on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Roger Hale (@haleroger), CISO in residence, YL Ventures.

Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, Roger Hale, CISO in residence, YL Ventures, David Spark, producer, CISO Series


Thanks to this week's podcast sponsor Zix.

Zix

Zix simplifies administration and reporting with a single management interface. Configuring, deploying, and monitoring email security and unified archiving services has never been easier – or faster. ZixSuite combines a cloud-based email threat protection, email encryption, and unified business communications archiving, all backed by Zix’s gold standard 24/7/365 support.

On this week's episode

How CISOs are digesting the latest security news

We're blowing it with general cybersecurity education. According to a study by the Pew Internet Research Center, most Americans don't understand or can't identify basic cybersecurity concepts such as two-factor authentication, private browsing, or the purpose of a privacy policy. We talk a lot about the importance of education, and it appears we're not doing a good job. What are some creative ways we can dramatically improve these numbers?

Hey, you're a CISO, what's your take on this?

Cai Thomas, Tessian, has an article on TechRadar on the dangers of sending corporate work via personal email accounts. He outlines the issues. As per the previous story, chances are very high people are completely unaware of the risk they're placing the company in by forwarding corporate email to personal accounts. No amount of education is going to solve this problem. What are the systems that companies can and should set up to give people a better alternative than sending emails to personal accounts?

What's Worse?!

How damaging can not having a seat on the board be?

Ask a CISO

Nick Sorensen, Whistic, asks, "What do you see the most proactive vendors doing to prepare for vendor security reviews from their customers?"

Cloud Security Tip sponsored by OpenVPN

“Your bank account has been frozen.” That’s now an old chestnut in the scamming world, but it thrives through increasingly sophisticated spoofing activities that include a bank’s real phone number and real-looking pop-up websites for password refresh requests. Even IT experts can get caught by these things occasionally, as some have even confessed on this very podcast series.

This level of relentless innovation is worth keeping front of mind when considering the amounts of data that Internet of Things devices are creating but that organizations have no plan or space for. IBM, Forrester, and others have suggested that maybe 1 percent of data generated from IoT connectivity is being used, mostly for immediate learning or predictive activities.

More available on CISO Series.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

First 90 days of a CISO

Today is Roger's first official day as a CISO in residence at YL Ventures. What the heck does that mean, and how does that differ from being an operational CISO?

Direct download: CISO_Vendor_10-29-2019_FINAL.mp3
Category:podcast -- posted at: 5:30am PDT

All links and images for this episode can be found on CISO Series (https://cisoseries.com/ill-see-your-gated-whitepaper-and-raise-you-one-fake-email-address/)

We're all in with not wanting "follow up email marketing" on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Ian Amit (@iiamit), CSO, Cimpress.

Thanks to this week's podcast sponsor Trend Micro.

Trend Micro

Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com.

On this week's episode

Why is everyone talking about this now?

To gate or not to gate. Mike posted on LinkedIn about how much he appreciated vendors who don't gate their content behind a registration wall. The post blew up on LinkedIn. The overwhelming response got some vendors willing to change their tune.

Hey, you're a CISO, what's your take on this?

Kevin Kieda of RSA Security asks, "For an initial meeting what are the things you want the sales person to know about your business that many of them don't." Kevin says he gets frustrated that he gets the sense a prospect wants them to know what tools they're using even though he knows he often can't find out that information. What is the must know, nice to know, and boy I'm impressed you know that?

Mike Johnson recommends BuiltWith.com for basic OSINT on a company site.

What's Worse?!

Whose mistakes are worse? Your own or the vendor's?

The great CISO challenge

Factor Analysis of Information Risk (FAIR) is a risk framework (often laid on top of others) that simplifies the understanding of risk by identifying the blocks that contribute to risk and their relationship to each other, and then quantifying that in terms of money. Ian, can you give me an example of how you actually do this?

Cloud Security Tip sponsored by OpenVPN

Since its inception back in 2010, Zero Trust Architecture has been gaining traction. Much of the interest stems from the nature of work and data today – people working from anywhere on any device, and data racing around networks and to and from the cloud, means there is no single fortress where everything can exist safely. Operating on a belief that everything inside the perimeter is safe because it’s inside the perimeter is no match for today’s hacking, penetration and inside sabotage.

The establishment of new perimeter protections, including microtunnels and MFA, is best applied to new cloud deployments but must still somehow be factored into a legacy architecture without becoming more inconvenient and vulnerable than what it is trying to replace.

More on CISO Series.


Why is this a bad pitch?

What's the polite way to handle the way-too-generic vendor request? We offer two examples of non-specific pitches that are obviously just begging for a CISO's time.

Is there a polite way to decline the request and, without talking down to them, let them know that this isn't a tactic they should pursue?

Direct download: CISO_Vendor_10-22-2019_FINAL.mp3
Category:podcast -- posted at: 5:30am PDT

All links and images for this episode can be found on CISO Series (https://cisoseries.com/rated-1-in-irresponsible-security-journalism/)

No security alert is too small for us to completely misrepresent its severity. The sky is falling on the latest episode of CISO/Security Vendor Relationship Podcast.

Thanks to this week's podcast sponsor, Zix.

Zix


On this week's episode

Why is everybody talking about this now?

Two recent stories showed some fallibility in multi-factor authentication or MFA. We repeatedly recommended MFA on this show. But, the FBI announced some technical and social engineering techniques that are being used to break multi-factor authentication. In addition, Twitter admitted that email addresses and phone numbers used to set up MFA might have been sent to third party advertisers. The FBI says its news shouldn't change our trust in MFA. William Gregorian, CISO, Addepar, posted on LinkedIn that the press is claiming that MFA is broken and that's irresponsible journalism.

Let's dig a little deeper

Security professionals thrive on hearing about and learning about the latest threats. It feeds the latest security headlines and conferences. While it's often fascinating and keeps everyone interested, to what level are security concerns based on well-known, years-old threats vs. the latest threats?

"What's Worse?!"

Whose mistakes are worse? Yours or the vendors'?

Please, enough. No, more.

We've talked a lot about machine learning on this show, and the definition of it is broad. What's ML's value in threat protection? We discuss what we've heard enough about with regard to machine learning being used for threat protection, and what we would like to hear a lot more about.

Cloud Security Tips sponsored by OpenVPN

When companies in retail or enterprise remind their online visitors to change their passwords, are they doing them a favor or causing them grief? Password managers exist, of course, as do newer forms of passwordless authentication, multifactor authentication and behavioral and biometric data.

But ultimately, whose responsibility is this? Should a merchant website place the onus of personal security back on the customer? And if so, how would this protect the merchant’s own property? If this jeopardizes a sale or transaction, the cost of proactive security, at least for the short term, appears too great. And it’s obvious, from the avalanche of data breaches of recent years, that stored data of any sort becomes a permanent liability.

More available on CISO Series.


Ask a CISO

Gina Yacone, a consultant with Agio, asks, "If you’re performing a table top exercise. Who are the only three people you would want to have a seat at that table?"

Direct download: CISO_Vendor_10-15-2019_FINAL.mp3
Category:podcast -- posted at: 5:30am PDT

All links and images for this episode can be found on CISO Series (https://cisoseries.com/cybercrimes-solved-in-an-hour-or-your-next-ones-free/)

In the real world, cybercrimes just don't get solved as fast as they do on CSI. So we're offering a guarantee. If we don't catch the cyber-perpetrator in an hour (including commercial breaks) we'll make sure you're attacked again.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our sponsored guest this week is Jason Hill (@chillisec), lead researcher at CyberInt Research Lab.

Thanks to this week's podcast sponsor, Cyberint.

Cyberint

The high ROI is what makes spear phishing campaigns so attractive to threat actors. Read our breakdown of TA505’s latest series of attacks. CyberInt has been tracking various activities surrounding this and other similar attacks where legit means were used to hack international companies in the retail & financial industries.

On this week's episode

What annoys a security professional

A question on Quora asks, "What does everybody get wrong about working in the field of forensics?" There were a handful of answers, ranging from people looking to TV and film dramas to the belief that it's only a post-mortem analysis. What are the biggest misconceptions of digital forensics?

Why is everybody talking about this now?

Tip of the hat to Stu Hirst of Just Eat, who posted this Dilbert cartoon that got a flurry of responses. Read for yourself, but in essence, it's a boss who thought technology would solve all his problems, not realizing that people and process are also part of the equation.

All too familiar. The "I've been hearing a lot about __________" phenomenon. What causes this behavior and how do you manage it?

"What's Worse?!"

How much flexibility do you require in your security team and the business?

Please, Enough. No, More.

How far can AI go? Where does the human element need to exist? What are the claims of the far-reaching capabilities of AI? We discuss what we'd like to hear regarding the realistic capabilities and limitations of AI.

Cloud Security Tip sponsored by OpenVPN

Every year, the Fall season sees billions of dollars being spent on home-based IoT devices. The back-to-school sales are the starting point, Cyber Monday is the clubhouse turn and the year-end holiday season is the finish line.

As usual, these devices – printers, DVRs, IP cameras, smart home assistants – are relatively inexpensive and provide plug-and-play convenience to satisfy an impatient customer base.

For the rest of the cloud tip, head to CISO Series.


We don't have much time. What's your decision?

What are the best models for crowdsourcing security? There are entire businesses, such as bug bounty firms, that are dedicated to creating crowdsourced security environments. Our guest this week is passionate about investigative work. We asked him and Mike what elements they've found that inspire the community to participate in a crowdsourced security effort and make it simpler to do so.

Direct download: CISO_Vendor_10-08-2019_FINAL.mp3
Category:podcast -- posted at: 5:30am PDT

All links and images for this episode can be found on CISO Series (https://cisoseries.com/mapping-unsolvable-problems-to-unattainable-solutions/)

We're busting out the Cyber Defense Matrix to see what our security program will never be able to achieve.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Sounil Yu (@sounilyu), former chief security scientist for Bank of America and creator of the Cyber Defense Matrix.

David Spark, producer, CISO Series, Sounil Yu, creator, Cyber Defense Matrix, Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast


Thanks to this week's podcast sponsor, Zix.

Zix


On this week's episode

Why is everybody talking about this now?

Mike asked the LinkedIn community, "What's bad security advice that needs to die?" We had an entire episode of Defense in Depth on this very topic called "Bad Best Practices." The post got nearly 300 responses, so it's obviously something many people are passionate about. Is there a general theme to bad security advice?

The great CISO challenge

Sounil Yu is the creator of a very simple problem-to-solution chart for security professionals called the Cyber Defense Matrix. This simple chart allows a cyber professional to see how their tools, processes, and people are mapped to all different levels of security protection. We discuss the purpose of the matrix and all the real-world applications.

"What's Worse?!"

We have a real-world "What's Worse?!" scenario, and Mike and Sounil compete to see if they answered the way the real-world scenario actually played out.

Hey, you're a CISO, what's your take on this?

Last week on Defense in Depth we talked about a discussion initiated by Christophe Foulon of ConQuest Federal on cyber resiliency. Some people argued that it should be a security professional's primary focus because its action is in line with the interests of the business. Should a cyber professional shift their focus to resiliency over security? Would that facilitate better alignment with the business?

Cloud Security Tip sponsored by OpenVPN

Exploitable weaknesses measured in decades. Not a comforting thought. But this is a reality that exists in at least two major IT ecosystems. The first is Microsoft and the second is firmware. Teams belonging to Google’s Project Zero have found exploitable security flaws affecting all versions of Windows going back to Windows XP – which presents a logistical nightmare for admins the world over.

Sarah Zatko, Chief Scientist at the Cyber Independent Testing Lab spoke recently at Red Hat and DEF CON in Las Vegas about deficiencies in the security of firmware, including those from companies that manufacture the world’s best-known routers.

More available at CISO Series.


Ask a CISO

Thanks to Chris Castaldo, CISO at Dataminr, for this post on new research from the firm Marsh and Microsoft. According to the study, half of the respondents didn't consider cyber risk when adopting new tech. A full 11 percent did no due diligence to actually evaluate the risk a new technology may introduce.

Does it take that much effort to understand the basic risks of introducing a new technology? What are some first-level research efforts that should be done with any new tech consideration or adoption?

 

Direct download: CISO_Vendor_10-01-2019_FINAL.mp3
Category:podcast -- posted at: 5:30am PDT