CISO Series Podcast
Formerly named CISO/Security Vendor Relationship Podcast. Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/rest-assured-were-confident-our-security-sucks/)

We may not have the protection you want, but what we lack in adequate security we make up in confidence. Sleep better at night after you listen to this week's episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Billy Spears (@billyjspears), CISO, loanDepot.

Thanks to this week's podcast sponsor, CyberInt.

CyberInt

The high ROI is what makes spear phishing campaigns so attractive to threat actors. Read our breakdown of TA505’s latest series of attacks. CyberInt has been tracking various activities surrounding this and other similar attacks where legit means were used to hack international companies in the retail & financial industries.

On this week’s episode

Why is everybody talking about this now?

Tip of the hat to Eduardo Ortiz for forwarding this discussion that Stuart Mitchell of Stott and May initiated on LinkedIn, asking if there should be a "golden bullet" clause in a CISO's contract. He was referring to the CISO of Capital One who had to step down and take on a consulting role after the breach. What are the arguments for and against?

Ask a CISO

Nir Rothenberg, CISO, Rapyd asks, "If you were given control of company IT, what would be the first things you would do?"

What's Worse?!

Should a CISO be closing sales or securing the company?

Hey, you're a CISO, what's your take on this?

According to Nominet's Cyber Confidence Report, 71 percent of CISOs say their organization uses the company's security posture as a selling point, even though only 17% of CISOs are confident about their security posture. There are probably many factors that contribute to this disparity. Is it a gap that will ever close, or is this just the nature of security people vs. sales?

Cloud Security Tip sponsored by OpenVPN

Bluetooth is a convenient and easy method of sharing data between devices, which, of course, qualifies it as a prime target for exploitation. A trio of researchers has discovered a vulnerability that has the potential of attacking billions of Bluetooth-enabled devices, including phones, laptops, IoT and IIoT technologies.

In short, this Key Negotiation of Bluetooth vulnerability, which has been given the acronym KNOB, exploits the pairing encryption protocol within the Bluetooth Classic wireless technology standard, which supports encryption keys with entropy between 1 and 16 bytes/octets. The attack inserts itself between the pairing devices, forcing both to agree to encryption with 1 byte (8 bits) of entropy, after which it simply brute-forces the encryption keys.

More on CISO Series.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

What do you think of this pitch?

How targeted should your pitch have to be?

 

Direct download: CISO_Vendor_11-26-2019_FINAL.mp3
Category:podcast -- posted at: 5:00am PDT

All links and images for this episode can be found on CISO Series (https://cisoseries.com/what-security-advice-will-your-family-ignore/)

This Thanksgiving we wish you lots of luck convincing your family members to use a password manager. Would getting them to switch political allegiances be easier?

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Jeff Hudesman, head of information security, DailyPay.

Thanks to this week's podcast sponsor Tenable.

Tenable

Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization.

On this week’s episode

Why is everybody talking about this now?

Rich Malewicz, CIO, Livingston County, started a thread of common threats and scams we should warn family and friends about over the holidays. Lots of great advice. We discuss our favorites, whether we turn into family tech support, and if you had one cyber holiday wish for every family member, what would it be?

Hey, you're a CISO, what's your take on this?

When is the right time and WRONG time to start red teaming? (the process of letting ethical hackers loose on your business to test your defenses, your blue team.) What exactly is it you're testing? Are you testing your network's resiliency or your business' resiliency?

"What's Worse?!"

Three options in this "What's Worse?!" scenario.

The great CISO challenge

We have repeatedly touted on the podcast the benefits of multi-factor authentication or MFA. Our guest implemented an MFA solution at his company. We talk about what the challenges, criteria, and rollout were like. And did they see any visible evidence of security improvements?

Cloud Security Tip sponsored by OpenVPN

Casey from accounting is getting frustrated, waiting for client files being held up by the firewall. Jordan is trying to join a video conference that needs a plugin, but the firewall won’t let it through. So they call the IT manager who then disables it.

This happens a lot. Maybe not in large companies, but small law firms, medical clinics, or small businesses that might use an old-school administrator who will either turn off the firewall or opt out of using one altogether, believing in the power of a cheap antivirus product to keep things safe.

What do you think of this pitch?

There is lots of disagreement over whether this pitch is any good.

Direct download: CISO_Vendor_11-19-2019_FINAL.mp3
Category:podcast -- posted at: 5:30am PDT

All links and images for this episode can be found on CISO Series (https://cisoseries.com/dos-and-donts-of-trashing-your-competition/)

We want to malign our competitors, but just don't know how mean we should be. Miss Manners steps in on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and special guest co-host, Mark Eggleston (@meggleston), CISO, Health Partners Plans, and our guest is Anahi Santiago (@AnahiSantiago), CISO, ChristianaCare Health System.

We recorded in front of a live audience at Evanta's CISO Executive Summit in Philadelphia on November 5th, 2019.

Recording CISO/Security Vendor Relationship Podcast in front of a live audience at Evanta's CISO Executive Summit in Philadelphia (11-05-19)

Thanks to this week's podcast sponsors Trend Micro, Thinkst, and Secure Controls Framework.

Trend Micro

Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com.

Secure Controls Framework

The Secure Controls Framework (SCF) is a meta-framework – a framework of frameworks. This free solution is available for companies to use to design, implement and manage their cybersecurity and privacy controls in an efficient and sustainable manner. Our approach provides a comprehensive solution to manage complex compliance needs.

Thinkst Canary

Most companies find out way too late that they’ve been breached. Thinkst Canary changes this. Find out why the Thinkst Canary is one of the most loved products in the business and why the smartest security teams in the world run Canary. Visit https://canary.tools.

On this week’s episode

Why is everyone talking about this now?

Greg van der Gaast, former guest who runs security at The University of Salford, initiated a popular LinkedIn discussion on the topic of human error. According to his colleague Matthew Trump of the University of Sussex, in critical industries, such as aerospace, oil & gas, and medical, “human error” is not an acceptable answer. You simply have to prevent the incident. If not, a mistake can be both a regulatory violation and lethal.

But people are a part of the security equation. It’s unavoidable.

We know zero errors is impossible, but can you accept “human error” as a fail point?

Hey, you’re a CISO, what’s your take on this?

Listener David said, “One thing I have experienced at my last two jobs is integrating with a ‘global’ security team whose security program is effectively and functionally inferior to our own. In these occasions, the global security team wanted us to remove current safeguards, processes/procedures and tooling that reduced the preparedness and effectiveness of our security program and introduced risk(s) that we have not been exposed to in years. All of these changes were always touted as a ‘one team’ initiative but never once was due diligence on security posture taken into account.

“What is the best way to go about a consolidation like this? Do you not mess with a good thing and ask the ‘better’ security program to report up incidents, conform to compliance check boxes etc. or as a CISO do you sign off on a risk acceptance knowing that the operating company is now in a worse state of security.”

“What’s Worse?!”

We’ve got two rounds of really bad scenarios.

What annoys a security professional

Geoff Belknap, former guest and CISO of LinkedIn, appreciates a vendor’s desire to “bring like minds” together around food or drink, but the invite is not welcome on a weekend. Belknap feels that the weekend intrudes into a CISO’s personal/family space. There was a lot of debate and disagreements on this, but there were some solutions. One mentioned a vendor invite that included round trip Lyft rides and childcare.

Oh, they did something stupid on social media again

Jason Hoenich, CEO of Habitu8, posted on LinkedIn that he didn’t appreciate Fortinet writing about security training for CSO Online, something Jason’s business does and for which he believes Fortinet does not have any expertise. It appears this was a sponsored article, but Jason didn’t point to the article, nor did he isolate specifically what he felt was wrong with Fortinet’s advice.

Here at the CISO Series, we like Jason and Habitu8. They’ve been strong contributors to the community. But complaining and not pointing to any concrete evidence is not the best way to convince an audience. Earlier this year we saw something similar with the CEO of Crowdstrike going after the CEO of Cybereason, claiming an underhanded sales tactic that was not specified, and no one at Cybereason knew what he was talking about.

Is it OK to go after your competition in a public forum? If so, what’s the most professional and respectful way to handle it?

It’s time for the audience question speed round

Our Philadelphia audience has questions and our CISOs had some answers. We rattle off a quick series of questions and answers to close the show.

Direct download: CISO_Vendor_11-12-2019_FINAL.mp3
Category:podcast -- posted at: 5:30am PDT

All links and images for this post can be found on CISO Series (https://cisoseries.com/get-out-the-fud-is-coming-from-the-inside/)

On this week's CISO/Security Vendor Relationship Podcast, we're pointing fingers at practitioners, not vendors, for promoting the FUD (fear, uncertainty, and doubt) scare-a-thon.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Eddie Contreras (@CISOEdwardC), CISO, Frost Bank.

Thanks to this week's podcast sponsor Trend Micro.

On this week's episode

Why is everyone talking about this now?

On LinkedIn, Ron C. of CoreSolutions Software said, "Cybersecurity is no longer just a technical problem. It’s now more of a people problem! So why aren’t businesses prioritizing security awareness training for their staff?" There was a massive response and mixed agreement. Regardless, are we falling short on security awareness training? Is it not effective? Is it too complicated to pull off? Is the cost not justified? More importantly, has security awareness training had any impact?

Hey, you're a CISO, what's your take on this?

accidentalciso on our Reddit channel, r/cisoseries, asks how a security professional knows if "CISO truly is the right career goal for them? I don’t think the reality of the role is consistent with what one might think early on in their career." What is it about the CISO role that makes a security professional want to pursue it, and how does that previous perception of what a CISO does counter or align with what is really experienced?

It's time to play, "What's Worse?!"

Is there a worst type of attack?

Ask a CISO

James Dobra, Bromium, asks, "Are security organizations guilty of using FUD internally, e.g. with the board and with users, while complaining that vendors use it too much?" Does FUD happen internally? Do security teams do it to get the money they want and/or shame users into submission?

Cloud Security Tip sponsored by OpenVPN

On August 30, 2019, white hat hacker Tavis Ormandy discovered a vulnerability in a LastPass browser extension. This was a vulnerability, not a breach and was very quickly remedied without damage. But it still causes chills when the last bastion of password security reveals its Achilles heel. It’s like seeing your family doctor contract a terminal disease.

But for CISOs, this might be a good thing. Password complacency and sloppy security hygiene are the scourge of security specialists everywhere. A SaaS-based password manager that uses hashes and salts to remove the existence of physical passwords in its own vaults is still a highly proactive solution.

First 90 Days of a CISO

Both Mike and our guest, Ed, are second-time CISOs in their first 90 days in the role. We review what mistakes they made the first time as a CISO that they're actively avoiding this time. Are there any hurdles that are simply unavoidable and that they're just going to have to face like any new CISO would?

 

Direct download: CISO_Vendor_11-05-2019_FINAL.mp3
Category:podcast -- posted at: 5:30am PDT