CISO Series Podcast
Formerly named CISO/Security Vendor Relationship Podcast. Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/were-90-confident-weve-lost-all-confidence/)

I don't think we're doing enough to protect ourselves against cyberattacks and I'm also pretty sure we're clueless as to what our third party vendors are doing.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our sponsored guest is Stephen Boyer (@swboyer), co-founder and CTO, BitSight.

Thanks to our sponsor, BitSight.

BitSight

BitSight is the most widely used Security Ratings service with a mission to change the way the world addresses cyber risk. Learn how BitSight for Third-Party Risk Management helps you efficiently mitigate the growing risk across your vendor ecosystem by taking an automated, data-driven approach.

On this week’s episode

There’s got to be a better way to handle this

How confident are your employees in your cybersecurity efforts? And how does employee confidence affect corporate security? Tip of the hat to Tor Swanson of Premier IT for posting this survey from Nulab. The survey found that employees felt their company's ability to secure digital data was a major to moderate problem. That percentage jumped up dramatically for companies with fewer than 100 employees. In addition, employees don't feel they're being heard on their cybersecurity concerns. For companies with fewer than 50 employees, 44 percent felt their employers were slightly or not at all responsive.

Perception is a huge part of successful cybersecurity. If you were to let these perceptions continue, how does it affect your overall security program?

Question for the board

Ross Young, CISO, Caterpillar Financial Services asked, "What are the cyber metrics that should be reported to the board each month or quarter? Is this standardized (for example, does the financial industry say 'we want these five metrics'), and where would you go to see how you benchmark against the industry?"

I'll skip to one important metric we've mentioned on this show multiple times, and that's "dwell time": the time between an incident occurring, its discovery, and its remediation.

How do you go about finding benchmarks, and what other metrics tell a good story to the board so they can better wrap their heads around the security program's effectiveness?

What's Worse?!

Third party issues? We've got 'em.

Please, Enough. No, More.

The topic is third-party risk management. What have we heard enough about regarding third-party risk management, and what would we like to hear a lot more about?

Close your eyes and visualize the perfect engagement

We're all getting bombarded with virtual events. We're interested to know which virtual events you've attended and really enjoyed. Also, which virtual events are the most engaging, where you find yourself NOT multitasking while watching?

Plus, what does a virtual event need to offer for you to take time out in your day to attend?

Direct download: CISO_Vendor_11-24-20_FINAL.mp3
Category:podcast -- posted at: 3:00am PDT

All links and images for this episode can be found on CISO Series (https://cisoseries.com/networks-wobble-but-they-dont-fall-down/)

Eager cyber professional looking to really impress a CISO? Create a home network lab and show how you can handle incidents on that network without shutting it down.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest is Steve Zalewski, deputy CISO, Levi Strauss.

Thanks to our sponsor, BitSight.


On this week’s episode

Why is everybody talking about this now

Following the horrible terrorist attack in Vienna, the EU has proposed a ban on encryption, requiring companies like WhatsApp and Signal to provide backdoor keys to decipher their end-to-end encryption. It's questionable whether this attack could have been thwarted had authorities been able to read the data they couldn't see, but regardless, it appears this ban is going to be approved. As you might imagine, the cybersecurity community blew up... on reddit.

This is obviously a complicated and thorny issue. What's at play here: authorities being blocked from doing their job by technology, the loss of human life, and the loss of democratized privacy. Are there any checks and balances that can provide some benefit to any side of this equation?

What would you advise?

On a previous episode Mike mentioned that if you're an aspiring cybersecurity professional, one way to really impress a CISO is to set up a network and show how you can deal with incidents without taking down the network.

I get Mike to talk through the specifics. If he were in the shoes of that aspiring cyber professional and set one up himself, what would it have on it and how would he do it?

"What's Worse?!"

Do you need experience or communications?

Close your eyes and visualize the perfect engagement

On CSO Online, Jaikumar Vijayan wrote a best practices guide to negotiating SaaS contracts for risk and security. It's a good primer. He mentioned: know your risks, state what's non-negotiable, insist on early breach notifications, and be clear on terms for termination. What is the most important concern when negotiating a SaaS contract, and what has been the most difficult to manage?

"What Is It and Why Do I Care?"

The panoply of security products is very confusing. There are so many product categories and then there are so many companies delivering solutions for all these categories. As a security vendor, how do you know if your pitch is landing with CISOs? That's why we play "What Is It and Why Do I Care?" I ask vendor listeners to submit to our game which you can find under the Participate menu option and then "Challenge Us".

Today's category is penetration testing. We have four challengers. First, I will read four 25-word descriptions from four unnamed security vendors. That's our "What Is It?". Then I will read four 25-word differentiators from the same unnamed vendors. That's the "Why Do I Care?" It's up to our CISOs to pick their favorite. At the end I will announce the winners, and only the winners. Losers are not announced. YES, it's the only risk-free opportunity in cybersecurity. Ready to play?

Submit your pitches to "What Is It and Why Do I Care?" I'm looking for vendors in the following categories to submit: Data loss prevention, human-layer security, MSSPs, third party vendor assessment, and managed detection and response.

Direct download: CISO_Vendor_11-17-2020_FINAL.mp3
Category:podcast -- posted at: 3:00am PDT

All links and images for this episode can be found on CISO Series (https://cisoseries.com/why-dont-cybercriminals-attack-when-its-convenient-for-me/)

Hey cybercrooks, I've got a really great weekend planned, so could you do us all a favor and cool it this Friday and just let all of us enjoy the weekend?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest is Margarita Rivera, VP of information security, LMC.

Thanks to our sponsor, Netskope.

https://www.netskope.com/proveit

The Netskope security cloud provides unrivaled visibility and real-time data and threat protection when accessing cloud services, websites, and private apps from anywhere, on any device. Only Netskope understands the cloud and takes a data-centric approach that empowers security teams with the right balance of protection and speed they need to secure their digital transformation journey.

On this week’s episode

Is this the best solution?

Geoff Belknap, CISO, LinkedIn asks, "If you could only buy one off-the-shelf security tool/product, what would it be and why?"

Here’s some surprising research

We've discussed a lot of how COVID is changing security. Well, Eli Migdal, CEO of Boardish, sent me some interesting research his company conducted covering the six months since the start of COVID. According to Boardish's report, the top three threats now are:

Immobility (not being able to work remotely)
Ransomware
Accidental Sharing

And the top 3 solutions now are:

User Awareness training
Remote conferencing
IAM (identity access management) Solutions

Does this track with your current threats and solutions?

What's Worse?!

Two guaranteed bad things will happen. But one will cause far more damage. Which one?

Pay attention. It’s security awareness training time.

Jackson Muhiwre, deputy CISO at UC Davis, said his cyber team "Are now extra vigilant on Fridays or call it the new Monday for cyber folks." The reason for this increased awareness is that the number of cyber incidents that happen on a Friday or just before a holiday seems to go up. Past cyber incidents seem to show that pattern, said Muhiwre, who believes that malicious hackers know users have their guard down at these times and that it's the easiest time to attack.

Are our CISOs of similar thinking, and if so, how do they prepare, warn, and keep staff vigilant? What can be done on top of your existing protections if your staff lets its guard down?

What’s the best way to handle this?

On LinkedIn, Caitlin Oriel wrote a very emotional post about being unemployed for six months and how the non-stop stream of rejection has become overwhelming. The community response was equally overwhelming, with nearly 80,000 reactions and 7,500 comments. Caitlin works in tech, not cyber, but the post was universal. The feelings she expressed about being continuously rejected and ghosted by companies left her sobbing in her car. All of this rejection made her question whether she's doing the right thing and where she belongs. I have been in this position myself, as have my friends and family. I wish I knew the right things to say to someone or how to keep them moving. What are positive ways to combat ongoing rejection and get a sense you're still heading in the right direction?

Direct download: CISO_Vendor_11-10-20_FINAL.mp3
Category:podcast -- posted at: 3:00am PDT