All links and images for this episode can be found on CISO Series (https://cisoseries.com/cleaning-those-tough-to-reach-digital-identity-stains/)

We're trying to erase our past and it's becoming harder and harder to clean that history.

This week’s episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our guest is Davi Ottenheimer (@daviottenheimer), vp of trust and digital ethics, Inrupt.

Thanks to this week's podcast sponsor, Reciprocity.

ZenGRC by Reciprocity is a cloud-based GRC software that automates and simplifies compliance and risk management, solving critical problems at scale while customizing to your business needs. Adhering to the majority of regulations is a snap with pre-built templates and a unified system of record. Learn more at reciprocitylabs.com.

On this week's episode

Why is everybody talking about this now?

On Quora, the question was asked, "What are some ways to protect identities on the Internet?" Mike and Davi offer their advice.

It's time for "Ask a CISO"

The Three As: Authentication, Authorization, and Auditing or Accounting. How do they interrelate? What's the order? And have we been doing it wrong?

It's time to play, "What's Worse?!"

How are you going to handle having a very well known exploit?

Close your eyes, breathe in. It's time for a little security philosophy.

On Quora, the question was asked, "What should I do to completely erase my digital identity for good?" It seems impossible, and probably is, but how what steps would one need to get rid of our online identities?

It's time to play, "What Is It and Why Do I Care?"

We're introducing a brand new game today called "What Is It and Why Do I Care?" Here's how the game is played. I have three pitches from three different vendors who are all in the same category, application security. I have asked the reps to first, in 25 words or less, just explain their category. So give me a simple explanation of application security. That's the "What Is It?" and then for the "Why Do I Care?" I asked them to explain what differentiates them or makes them unique also in 25 words or less. It is up to Mike and Davi to pick your favorite of each and explain why. I only reveal the winning contestants and their companies.

If you would like to be a contestant for "What Is It and Why Do I Care?" just go here and fill out the simple SurveyMonkey form.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/lets-just-dump-on-zooms-security-and-offer-no-solutions/)

Sure, we're all in this together, but isn't it fun just to trash a popular product's really bad security?

This week’s episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our sponsored guest is Brian Johnson, CEO and co-founder, DivvyCloud.

Thanks to this week's podcast sponsor, DivvyCloud.

DivvyCloud provides continuous security and compliance across all CSPs and containers, including AWS, GCP, Azure, Ailibaba, and Kubernetes, providing a comprehensive view of what’s in your cloud, along with the tools and automation you need to manage it today, tomorrow, and into the future as your business grows and changes.

On this week's episode

Why is everybody talking about this now?

Yaron Levi, CISO, Blue Cross Blue Shield of Kansas City a frequent and recent guest of the podcasts, had an incendiary post on LinkedIn where he challenged the long held belief in cybersecurity that "we're all in this together." Well that theory was put to the test with the outcries of Zoom's security and privacy flaws. Levi believes the security industry failed. Instead of trashing Zoom we should be offering suggestions of how they could fix a now universally used application. His challenge exploded online with over 200 comments. How could we/can we handle this situation better?

Look at this, another company breached

Oh Marriott. You blew it again. Two massive data breaches in two years. This one just gave too much access to too many customers from a branch office. Years ago this would be a front page story we'd be talking about for weeks if not months. Now they're just another breach and it doesn't seem that the affected users seem to care. How much damage are these breaches doing to companies if the customers have breach fatigue and can't see the damage immediately or even directly? And what percentage of these breaches do you believe are the result of poorly architected or implemented security programs?

It's time to play "What's Worse?!"

We get a chance to talk about Mike's favorite topic, toxic team members.

Please, Enough. No, More.

Today's topic is Identity Access Management or IAM. We discuss what we've heard enough about with IAM and what would we'd like to hear a lot more.

It’s time for “Ask a CISO”

We have a question from a listener, a college student. Here's her question:

"I'm a college student interested in majoring in cybersecurity. However I'm more of a people person and I'm afraid cybersecurity is just dealing with computers and having no people interaction. I'm just wondering what I should expect if I continue to pursue a cybersecurity major."

All links and images for this episode can be found on CISO Series (https://cisoseries.com/weve-got-a-dozen-features-only-two-work/)

If you don't focus too much on quality you'll really be impressed with the quantity of features our product has.

This week’s episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our guest is Yaron Levi (@0xL3v1), CISO, Blue Cross Blue Shield of Kansas City.

Thanks to this week's podcast sponsor, DivvyCloud.

DivvyCloud provides continuous security and compliance across all CSPs and containers, including AWS, GCP, Azure, Ailibaba, and Kubernetes, providing a comprehensive view of what’s in your cloud, along with the tools and automation you need to manage it today, tomorrow, and into the future as your business grows and changes.

On this week's episode

Hey, you’re a CISO. What’s your take on this?

What's the value of a vendor-derived security meter? I sat down for a vendor presentation that was chock full of dashboards with meters. Some made sense and others appeared they were derived through some mysterious black box.

1. When do you trust a vendor-derived meter? Can you? If not you, who are they for?
2. Is it possible to ignore the absolute numbers in a vendor-derived formula and value only the changes over time?
3. If you don't trust a vendor-derived meter, what meters do you create for yourself that you do trust?

How do you go about discovering new security solutions?

Tip of the hat to John Prokap, CISO, HarperCollins for forwarding me this excellent CIO.com article by Yoav Leitersdorf of YL Ventures.

How feature rich should a startup product be? In the article, Richard Rushing, CISO, Motorola Mobility talks about the need to trust a startup and the quality of each feature. “It's not enough to just focus on three out of five. All five have to be spot on because I can't miss, which means you can't miss."

How does a vendor avoid the classic case of trying to be everything to everybody and really you're serving no one?

What's Worse?

What's better for the business, compromised security occasionally, or unnecessary overhead that grows over time?

Close your eyes and visualize the perfect engagement

There's a well-known paradox in the healthcare industry when it comes to working with third party vendors. Because of HIPAA regulations there's a desire to keep information private, but at the same time, what about all these wonderful third party tools. Let them have access to our data.

What's the advice for vendors eager to work with a healthcare organization? How should they demonstrate their awareness of this paradox (e.g., scope of responsibilities, efficacy of controls, attestation, accountability)?

Why is everyone talking about this now?

We recorded this episode on March 30th as we talk about this next topic and that is should companies challenge their employees with a COVID-19 phishing test? Tip of the hat to Louisa Vogelenzang of Kroll who pointed me to this active discussion started by Grant McKechnie, Telstra, who asked this very question. There was a lot of debate. We debate both sides and offer an ultimate recommendation.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/lets-ask-cisos-if-theyre-concerned-about-data-security/)

I'm just learning about cybersecurity and I just realized that data security is really important. I don't know if everybody knows this. Do CISOs know? I should email all of them and ask.

This week’s episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our guest is Steve Zalewski, deputy CISO, Levi Strauss & Co.

Thanks to this week's podcast sponsor, DivvyCloud.

DivvyCloud provides continuous security and compliance across all CSPs and containers, including AWS, GCP, Azure, Ailibaba, and Kubernetes, providing a comprehensive view of what’s in your cloud, along with the tools and automation you need to manage it today, tomorrow, and into the future as your business grows and changes.

On this week's episode

Why is everyone talking about this now?

On Quora, the question was asked, "What is the most common unaddressed cybersecurity risk at companies?" Looking through the list, we've talked about all of these issues: people (malicious and negligence), program maturity, data privacy, and just basic network. They're all important, but we discuss which one we believe is least addressed.

There’s got to be a better way to handle this

What happens when a cloud provider breaks a service level agreement or SLA? On a recent episode of Defense in Depth, Taylor Lehmann, CISO, athenahealth said that putting ultimatums in SLAs just doesn't work in reality. No one really pulls the plug just because a cloud provider fell short on providing a certain level of uptime. We walk through the steps of the SLA. What's needed? What's too much? What do you do when something is violated? How do you right the ship and maintain the relationship?

What's Worse?

What happens when there's a political motivation to select a vendor?

What do you think of this pitch? and Why is this a bad pitch?

We put a good one and a bad one back to back so you can hear the range of what comes in a CISO's inbox.

Um… maybe you shouldn't have done that

As a security vendor, how do you catch yourself if you're cybersplaining?

Brian Haugli of Sidechannel Security offered the following definition: "When a salesperson or company representative explains in detail how a basic attack, ransomware, BEC, or other threat works to a CISO or current cybersecurity expert in order to push a sale."

From what I see, it appears that cybersplaining is the norm mostly for those who are very green in cybersecurity. I'll also say I've seen the complete opposite where someone at a much higher level assumes you're already in their head and agree to the same assumptions they have about cybersecurity as well. This plays out that they'll state an issue in cybersecurity and conclude with "right?" not waiting for an answer but just assuming you're on the same page so that they can go on with their rant.

What are ways to check yourself on both sides of the spectrum and what's the happy medium?