CISO Series Podcast
Formerly named CISO/Security Vendor Relationship Podcast. Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/the-people-closest-to-you-will-hurt-you/)

Insider threats. We know some are malicious, and sometimes it's the unwitting result of someone trying to do their job. Aren't you supposed to trust the people you hire?

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Dr. Deanna Caputo, chief scientist for behavioral sciences and cyber security capabilities, senior principal behavioral psychologist for MITRE.

Thanks to our sponsor, Dtex.

http://dtexsystems.com/

Traditional Employee Monitoring solutions are creepy. Capturing screenshots, recording keystrokes, monitoring web browsing and following social media activities is unnecessary and damages culture. DTEX InTERCEPT is the first and only solution that delivers the real-time workforce monitoring capabilities today’s organizations need and employees will embrace. Learn more at dtexsystems.com.

On this week’s episode

What we've got here is failure to communicate

Breaking News! The cybersecurity skills shortage is growing. The ISSA and Enterprise Strategy Group released a report claiming the reason that 70 percent of companies feel they're at risk is the increased workload for cyber professionals, unfilled open job requisitions, and poor education on the relevant technologies. This discussion appeared on the cybersecurity subreddit, and complaints ranged from entry-level jobs asking for 3+ years' experience (something we've discussed many times before) to people with many more years of experience struggling to find a job. Others who were contemplating entering cybersecurity said the discussion was turning them off from entering the field.

There's supply and demand, yet there's frustration on both ends. Why aren't they connecting? What's going on?

Are we making this situation better or worse?

What defines "usable security"? We've discussed obvious things like trying to make it invisible to the user and just basic user experience. But what's unique to cybersecurity design that many don't consider when creating usable security? For example, for phishing there are an endless number of email programs AND we have lots of security awareness training. Could we do away with the awareness training if security was more usable?

What's Worse?!

Insider threats are no fun, but which one is the worst?

Please, Enough. No, More.

Topic is Insider Threats. What have we heard enough about with insider threats, and what would we like to hear a lot more?

There’s got to be a better way to handle this

What do you do after you get the certification? What are the next steps? Mo Shami reached out to me and mentioned that he was going to announce that he passed his CISSP or Certified Information Systems Security Professional exam. He wanted to share the excitement and I said when you post to LinkedIn ask everyone else what they did right after they passed. Most people ended up just saying congratulations, but a couple suggested more certifications or just researching job openings (seems obvious). What should one do after getting the certification?

Direct download: CISO_Vendor_12-15-20_FINAL.mp3
Category:podcast -- posted at: 3:00am PDT

All links and images for this episode can be found on CISO Series (https://cisoseries.com/when-should-you-stop-trusting-your-ciso/)

How technically capable does my CISO need to be? If they lose their technical chops, should we stop trusting them? Should they even be a CISO if they had no technical chops to begin with?

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is James Dolph, CISO for Guidewire Software.

Thanks to our sponsor, Dtex.

On this week’s episode

We mentioned past guest, Kelly Shortridge's new book with Aaron Rinehart, "Security Chaos Engineering".

First 90 days of a CISO

It's time for a CISO do-over. One of the great things about being a CISO is you get a chance to actually apply everything you learned from past jobs. Our guest, James, worked in product security with Salesforce before becoming a CISO. When we recorded the episode, James wasn't yet a full 90 days into his job. Mike also came from Salesforce (they worked together), and Lyft was his first CISO job straight out of Salesforce as well. Did they both have the same viewpoints on applying product security principles to the CISO role?

How do you go about discovering new security solutions

What criteria do you use to evaluate phishing solutions? GigaOM Research released a report earlier this year on the key criteria for evaluating phishing platforms. Some of the criteria they mentioned were whether phishing solutions do or do not impede workflows, whether a security edge solution is in-band vs. out-of-band, and whether you need detonation chambers for potentially malicious emails.

What criteria do Mike and James use to evaluate, and have they seen those criteria change from company to company? What criteria are not as important?

What's Worse?!

Failing as a professional or being a mediocre professional?

What’s a CISO to do

On Defense in Depth, my co-host Allan Alford said, "I think the lack of technical skills in a CISO is expected to a certain degree. You have to have the foundation, but I don't expect my CISOs to be rolling up their sleeves and doing a lot of the hands on work." I turned that quote into a meme image and it caused a flurry of response from the community. How much of the application of security controls that your staff currently does could a CISO do themselves today?

Let’s dig a little deeper

What are our passion projects that are tangentially related to cybersecurity? Are we adopting any and how is it helping us stay mentally healthy during COVID? Tony Jarvis of Check Point brought this up. He suggested that we should be sharing our passion projects. What have been our passion projects? How have they helped our mood and our work? And have we been able to keep up with them?

Direct download: CISO_Vendor_12-08-20_FINAL.mp3
Category:podcast -- posted at: 3:00am PDT

All links and images for this episode can be found on CISO Series (https://cisoseries.com/why-is-pay-the-ransom-in-next-years-budget/)

With 25 percent of ransomware victims paying the ransom, have we waved the white flag to the attackers? Should we just budget for it?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest is Les McCollum (@doinmorewithles), managing VP, CISO, ICMA-RC.

Thanks to our sponsor, BitSight.

BitSight is the most widely used Security Ratings service with a mission to change the way the world addresses cyber risk. Learn how BitSight for Third-Party Risk Management helps you efficiently mitigate the growing risk across your vendor ecosystem by taking an automated, data-driven approach.

On this week’s episode

Why is everybody talking about this now

Are culture fit and diversity mutually exclusive? Allan Alford, co-host of Defense in Depth podcast, brought up the conversation of needing diversity in all areas: age, gender, ethnicity, city vs. country, country of origin, military vs. civilian, college educated vs. self-taught, socioeconomic status, and disabilities. But at the same time, I'm thinking we NEVER see those types of groups hanging out together or getting along. So how do you create a culturally sane group among such a diverse group? People are tribal by nature and even if you're successful creating diversity on your team they're going to bond with people of similar types. Won't this introduce new problems?

If you haven’t made this mistake you’re not in security

At the end of the year when you look at your security budget, what are the costs you didn't expect or budget appropriately at the beginning of the year? On CSO Online, John Edwards has an article about seven overlooked cybersecurity costs that may bust your budget. He mentioned items such as staff acquisition and retention, incident response, third-party analysis, and replacement costs. What has been a surprise for you and has adjusting things for the next year helped, or is there always a surprise? Which is the one everyone should prepare for but they don't?

More bad security advice

Over a quarter of companies that fall victim to ransomware pay the ransom, according to a study by Crowdstrike. In a discussion thread on reddit, user yourdigitalmind said they had a client who remarked, "WHEN we get hit, it will force us to start doing things right, but right now, it's cheaper." So he's accepted that being hit by ransomware is inevitable. That falls in line with Crowdstrike's study, which found that after a ransomware attack 75 percent of the victims do increase their security spend on tools and hiring. Humor me for a moment. Most of us do not want to pay the ransom, but sometimes you can't think of the greater good and you have to think of the survival of the business.

Is this where I should put my marketing dollars?

What types of vendor stories do you respond to?

I bring this up because Mike O'Toole, president of PJA Advertising wrote a great piece about how to build a cybersecurity brand story. In the article, he offers up some really good advice such as "Position yourself against the category, not just your direct competitors," "Fear gets attention, but opportunity can drive purchase behavior," and "The strongest brand stories are about market change."

Which advice most resonates with how you're pitched, and can you think of either a customer story or offering that you overheard that pushed you into exploring a vendor's solution?

Direct download: CISO_Vendor_12-01-20_FINAL.mp3
Category:podcast -- posted at: 3:00am PDT