Winamp Logo
CISO Series Podcast Cover
CISO Series Podcast Profile

CISO Series Podcast

English, Technology, 1 season, 328 episodes, 1 day, 6 hours, 42 minutes
About
Formerly named CISO/Security Vendor Relationship Podcast. Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.
Episode Artwork

Who Knows What Evil Lurks in the Heart of Low Code/No Code? (LIVE in Los Angeles)

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Sasha Pereira, CISO, WASH. Joining us is Cyrus Tibbs, CISO, PennyMac. This episode was recorded live at ISSA-LA. In this episode: Building the foundation for data minimization No-code needs to be no problem Seeking alignment in a SOC career MFA is not a cybersecurity panacea  Thanks to our podcast sponsor, Nudge Security! Get a full inventory of all SaaS accounts ever created by anyone in your org, in minutes, along with automated workflows to scale SaaS security and governance. No agents, browser plug-ins or network changes required. Start today with a free 14-day trial.
10/22/202441 minutes, 52 seconds
Episode Artwork

Once the Panic Subsides You’ll Appreciate This Phishing Test (LIVE in Houston, TX)

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Jerich Beason, CISO, WM. Joining us is Teresa Tonthat, vp, associate CIO, Texas Children's Hospital. This episode was recorded live at HOU.SEC.CON. In this episode: Connecting with the business   Keep the users in mind Ground security in reality Teach, don’t shame Thanks to our podcast sponsor, Vorlon Security! Vorlon helps organizations take back control of their data by providing continuous visibility of sensitive data shared via API across third-party applications. Know what data goes where, when, and how between third-party apps with external threat intelligence. Reduce the complexity of investigating and responding to third-party security incidents with Vorlon.
10/15/202442 minutes, 54 seconds
Episode Artwork

Does Burying Your Head in the Sand Count as a Security Posture? (LIVE in Boca Raton, FL)

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Eduardo Ortiz, vp, global head of cybersecurity, Techtronic Industries. Joining us is Adam Fletcher, CSO, Blackstone. In this episode: Keeping our eyes on new risks The hiring disconnect Mental health in incident response Moving on from CrowdStrike Thanks to our podcast sponsors, Fortra, Quadrant Information Security, and Savvy Security! Fortra's Data Protection solutions protect sensitive data while keeping users productive. Our interlocking data loss prevention (DLP), data classification, and secure collaboration tools can be SaaS deployed or on-premises, and we offer managed services to extend your team and reduce risk. Visit www.fortra.com/solutions/data-security/data-protection for more information. Quadrant Security is bad news for bad dudes. Quadrant’s XDR solution combines the best people, processes, and technology — managing your security so you can manage business operations. For a limited time, our analysts will provide your organization a free dark web report, detailing the data leaving you vulnerable. Learn more: quadrantsec.com/darkweb. Despite significant investments in SSO, MFA, IGA, and PAM, organizations still face significant challenges in securing identities, particularly with SaaS apps. Savvy Security augments these tools with full app and identity visibility to discover and remediate shadow and shared accounts, misconfigured authentication, and weak, reused, or compromised credentials. Visit savvy.security/ciso-series to learn more.
10/8/202445 minutes, 54 seconds
Episode Artwork

We’re Lowering the Requirement for Entry Level to Just 8 Years of Experience

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), partner, YL Ventures. Joining us is Steve Person, CISO, Cambia Health. In this episode: The changing CISO landscape Rethinking the cybersecurity talent shortage Sharpening your CISO skills Do CISOs need to go back to school? Thanks to our podcast sponsor, Vanta! Whether you’re starting or scaling your security program, Vanta helps you automate compliance across SOC 2, ISO 27001, and more. Streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center. Over 7,000 global companies use Vanta to manage risk and prove security.
10/1/202436 minutes, 10 seconds
Episode Artwork

… And the Business Listened to the CISO and Everyone Lived Happily Ever After

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is Stephen Harrison, CISO, MGM Resorts International. In this episode: Understanding the AI attack surface Low code, low security? Chief information storytelling officer Finding the right partners Thanks to our podcast sponsor, Vectra AI! Vectra AI is the only extended detection and response (XDR) with AI-driven Attack Signal Intelligence. Vectra AI’s attack signal intelligence platform uses AI to find attacks on networks, identities, clouds and GenAI tools. Learn more at vectra.ai/showme.
9/24/202436 minutes, 45 seconds
Episode Artwork

Our Guardrails Only Fail When You Try To Go Around Them (LIVE in Seattle)

All links and images for this episode can be found on CISO Series. This week’s episode was recorded in front of a live audience in Seattle as part of the National Cybersecurity Alliance’s event Convene. Recording is hosted by me, David Spark (@dspark), producer of CISO Series and Nicole Ford, SVP and CISO, Nordstrom. Joining us is guest, Varsha Agrawal, head of information security, Prosper Marketplace. In this episode: Who guards the AI guardrails? What should security awareness training look like? The authentication point of failure Uncommon sense Thanks to our podcast sponsors, KnowBe4, Proofpoint, and Vanta! KnowBe4's PhishER Plus is a lightweight SOAR platform that streamlines threat response for high-volume, potentially malicious emails reported by users. It automatically prioritizes messages, helping InfoSec and Security Operations teams quickly address the most critical threats, reducing inbox clutter and enhancing overall security efficiency. Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber-attacks. Whether you’re starting or scaling your security program, Vanta helps you automate compliance across SOC 2, ISO 27001, and more. Streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center. Over 7,000 global companies use Vanta to manage risk and prove security.
9/17/202444 minutes, 36 seconds
Episode Artwork

Our Cybersecurity Journey Starts With a Single Overworked Staffer

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is Kush Sharma, Director Municipal Modernization & Partnerships, Municipal Information Systems Association, Ontario (MISA Ontario). In this episode: Your first security hire Moving beyond the basics with critical infrastructure Untangling the Gordian Knot of municipal cybersecurity Starting from square one Thanks to our podcast sponsor, Material Security! Material Security is a multi-layered email threat detection & response toolkit designed to stop attacks and reduce the threat surface across all of Microsoft 365 and Google Workspace. Learn more at material.security.
9/10/202441 minutes, 18 seconds
Episode Artwork

Red Flag? My Vendor Just Asked for My Mother’s Maiden Name

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is Bethany De Lude, CISO, the Carlyle Group. In this episode: CISOs as storytellers Grinding a CISO’s gears An evolving role Earning trust with vendors Thanks to our podcast sponsor, Scrut Automation! Scrut Automation allows compliance and risk teams of any size to establish enterprise-grade security programs. Our best-in-class features like process automation, AI, and 75+ native integrations reverse compliance debt and help manage risk proactively as your business grows. Visit www.scrut.io to learn more or schedule a demo.
9/3/202437 minutes, 50 seconds
Episode Artwork

Well, I Think My Relationship With the CIO Improved When I Took Their Job

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is Ty Sbano, CISO, Vercel. In this episode: Perception is the reality for insider threats Coaching rather than shaming Working to make DevOps redundant Fixing a strained relationship Thanks to our podcast sponsor, Backslash! Backslash Security is your modern AppSec solution, focusing on what truly matters—real risks. Gain clear visibility into your applications and fix only the code and open-source software that’s actually in use, making your AppSec smarter and more efficient. Learn more at https://www.backslash.security/.
8/27/202437 minutes, 21 seconds
Episode Artwork

I Said I Was Technically a CISO, Not a Technical CISO

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is Fredrick Lee (Flee), CISO, Reddit. In this episode: The case for the technical CISO Making Recall safe for business The aches and pains of cybersecurity hiring Leveling up municipal cybersecurity Thanks to our podcast sponsor, ThreatLocker! ThreatLocker® is a global leader in Zero Trust endpoint security offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com.
8/20/202442 minutes, 14 seconds
Episode Artwork

Why Are Fortune 500 Companies Swiping Right on 3-Person Startups?

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is Justin Somaini, partner, YL Ventures. In this episode: The startup balancing act Giving back is its own reward When to pen test Getting ahead with generative AI policy Thanks to our podcast sponsor, Vanta! Whether you’re starting or scaling your security program, Vanta helps you automate compliance across SOC 2, ISO 27001, and more. Streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center. Over 7,000 global companies use Vanta to manage risk and prove security.
8/13/202439 minutes, 13 seconds
Episode Artwork

We Make Threat Actors Read Our Resiliency Policy Before Attacking Us

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is Patti Titus, CISO, Booking Holdings. In this episode: Defense vs. Resilience Communication is on par with mitigation Preparing like its post-quantum The challenges and opportunities of diversity Thanks to our podcast sponsor, Cyera! Cyera’s AI-powered data security platform gives companies visibility over their sensitive data, context over the risk it represents, and actionable, prioritized remediation guidance.
 As a cloud-native, agentless platform, Cyera provides holistic data security coverage across SaaS, PaaS, IaaS and on-premise environments. Visit www.cyera.io to learn more.
8/6/202437 minutes, 39 seconds
Episode Artwork

Incident Response Is So Important We Might Try Getting Good At It

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Steve Zalewski. Joining us is our sponsored guest, Amir Khayat, CEO and co-founder, Vorlon Security. In this episode: The evolving challenges of incident response Repetition isn’t always the mother of automation Third-party APIs, first-party risk You know what they say when you assume something Thanks to our podcast sponsor, Vorlon Security! Vorlon helps organizations take back control of their data by providing continuous visibility of sensitive data shared via API across third-party applications. Know what data goes where, when, and how between third-party apps with external threat intelligence. Reduce the complexity of investigating and responding to third-party security incidents with Vorlon.
7/30/202435 minutes, 26 seconds
Episode Artwork

Everyone Has a Zero-Trust Plan Until They Get Punched in the Face

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest, Danny Jenkins, CEO, ThreatLocker. In this episode: The limits of zero-trust Pentesting for SMBs An ounce of prevention is worth a pound of response The cream of the security crop Thanks to our podcast sponsor, ThreatLocker! ThreatLocker® is a global leader in Zero Trust endpoint security offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com.
7/23/202439 minutes, 12 seconds
Episode Artwork

I Don’t Want Insider Risk. You Take It.

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our sponsored guest, Abhishek Agrawal, CEO and co-founder, Material Security. In this episode: What does defense in depth look like in the cloud? Collaborating on insider risk Email is a vector and a target Understand risk during an IPO Thanks to our podcast sponsor, Material Security! Material Security is a multi-layered email threat detection & response toolkit designed to stop attacks and reduce the threat surface across all of Microsoft 365 and Google Workspace. Learn more at material.security.
7/16/202434 minutes, 15 seconds
Episode Artwork

How to Get the Most for Yourself Through Altruism

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is Jana Moore, CISO, Belron. In this episode: SEC disclosure rules require cyber readiness Breaking up the “boys club” Building a threat intelligence ecosystem Blending InfoSec communities and careers Thanks to our podcast sponsor, Vanta! Whether you’re starting or scaling your security program, Vanta helps you automate compliance across SOC 2, ISO 27001, and more. Streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center. Over 7,000 global companies use Vanta to manage risk and prove security.
7/9/202438 minutes, 45 seconds
Episode Artwork

Who Owns AI Risk? NOT IT!

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest, Jason Clark, chief strategy officer, Cyera. In this episode: Does AI require new security measures?  Meeting the new SEC requirements Empowerment through data security Upskilling with Gen AI? Thanks to our podcast sponsor, Cyera! Cyera’s AI-powered data security platform gives companies visibility over their sensitive data, context over the risk it represents, and actionable, prioritized remediation guidance.
 As a cloud-native, agentless platform, Cyera provides holistic data security coverage across SaaS, PaaS, IaaS and On-premise environments. Visit www.cyera.io to learn more.
7/2/202438 minutes, 46 seconds
Episode Artwork

How About This? Only Attack the Endpoints We Configured

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest and winner of Season 2 of Capture the CISO, Russell Spitler, CEO and co-founder, Nudge Security. In this episode: The Gordian knot of EDR Can we keep up with patching? Making AI practical Standardization or granularity? Thanks to our podcast sponsor, ThreatLocker! ThreatLocker® is a global leader in Zero Trust endpoint security offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com.
6/25/202440 minutes, 19 seconds
Episode Artwork

The Post-it Note Clearly Says “Don’t Share” Right Under My Password

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest, Allan Alford, CISO, Eclypsium. In this episode: Evolving public-private partnerships New technology, but not a new challenge Securing the hidden layers of the supply chain Balancing usability and control Thanks to our podcast sponsor, Eclypsium Eclypsium is helping enterprises and government agencies mitigate risks to their infrastructure from complex technology supply chains. Our cloud-based and on-premises platform provides digital supply chain security for software, firmware and hardware in enterprise infrastructure. Get started today at eclypsium.com/spark.
6/18/202437 minutes, 19 seconds
Episode Artwork

Who You Gonna Call? LEGAL COUNSEL!

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Ryan Bachman, evp and global CISO, GM Financial. In this episode: A changing of the executive guard? Playing nice with cyber insurance What does leadership want out of a CISO? Who does a CISO call first? Thanks to our podcast sponsor, Vanta Whether you’re starting or scaling your security program, Vanta helps you automate compliance across SOC 2, ISO 27001, and more. Streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center. Over 7,000 global companies use Vanta to manage risk and prove security.
6/11/202437 minutes, 53 seconds
Episode Artwork

I’m Rewarding Your Successful Use of the Security Budget by Giving You Less of It

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is my guest, Aamir Niazi, executive director and CISO, SMBC Capital Markets. In this episode: Communicating security accomplishments Spotting red flags in an interview What does offensive security look like today? Where Gen AI is fitting into cybersecurity Thanks to our podcast sponsor, Cyera Cyera’s AI-powered data security platform gives companies visibility over their sensitive data, context over the risk it represents, and actionable, prioritized remediation guidance.
 As a cloud-native, agentless platform, Cyera provides holistic data security coverage across SaaS, PaaS, IaaS and On-premise environments. Visit www.cyera.io to learn more.
6/4/202437 minutes, 25 seconds
Episode Artwork

Ransomware? Why’d It Have to Be Ransomware? (Live in San Francisco)

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is Steve Zalewski, co-host, Defense in Depth. Recorded live at BSidesSF. In this episode: Are companies taking the air out of the open source balloon? What’s broken about cybersecurity hiring? Do we need minimum requirements for cybersecurity knowledge in sales? Thanks to our podcast sponsors, Devo, Eclypsium & NetSPI Devo replaces traditional SIEMs with a real-time security data platform. Devo’s integrated platform serves as the foundation of your security operations and includes data-powered SIEM, SOAR, and UEBA. AI and intelligent automation help your SOC work faster and smarter so you can make the right decisions in real-time. Eclypsium is helping enterprises and government agencies mitigate risks to their infrastructure from complex technology supply chains. Our cloud-based and on-premises platform provides digital supply chain security for software, firmware and hardware in enterprise infrastructure. Get started today at eclypsium.com/spark. NetSPI ASM continuously scans your external perimeter to identify, inventory, and reduce risk to both known and unknown assets. It blends scanning methodology with our consultants' human intelligence to identify previously undiscovered data sources and vulnerabilities so you can remediate what matters most.
5/28/202444 minutes, 3 seconds
Episode Artwork

You Can’t Leak What You Don’t Collect

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our sponsored guest, Jeremiah Roe, advisory CISO, OffSec. In this episode: What happens as data minimization in the US changes from a potential policy goal to a regulatory imperative? How does this impact the rest of the industry? How do CISOs start getting ready for compliance? Thanks to our podcast sponsor, OffSec OffSec helps companies like Cisco, Google, and Salesforce upskill cybersecurity talent through comprehensive training and resources. With programs ranging from red team and blue team training and more, your team will be ready to face real-world threats. Request a free trial for your team to explore OffSec’s learning library and cyber range.
5/21/202434 minutes, 30 seconds
Episode Artwork

Our Help Desk Plaque Reads “Over 100,000 Threat Actors Served”

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Martin Mazor, vp and CISO, onsemi. In this episode: Has the shine worn off the cybersecurity promise of MFA? Why are threat actors increasingly finding ways to get around it? Given the high profile attacks we've seen getting around MFA, how much security stock should we put into it going forward? Thanks to our podcast sponsor, Material Security Material Security is a multi-layered email threat detection & response toolkit designed to stop attacks and reduce the threat surface across all of Microsoft 365 and Google Workspace. Learn more at material.security.
5/14/202435 minutes, 48 seconds
Episode Artwork

Can’t Talk, I’m Onboarding My Kids To Their First Soccer Practice (Live in Mountain View, CA)

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is our guest, TC Niedzialkowski, CISO, Nextdoor. In this episode: Has the line between work and personal devices blurred? Why are we seeing signs that that line no longer exists for employees? What is the path of cybersecurity to keep company data secured when its continually commingling with personal devices? Thanks to our podcast sponsors, Eclypsium and Normalyze Eclypsium is helping enterprises and government agencies mitigate risks to their infrastructure from complex technology supply chains. Our cloud-based and on-premises platform provides digital supply chain security for software, firmware and hardware in enterprise infrastructure. Get started today at eclypsium.com/spark Where is my data? Is it sensitive? Who has access to the data? What are the risks? What is the cost of exposure? Am I compliant now? Enter Normalyze. Normalyze’s agentless, machine-learning scanning platform continuously discovers sensitive data, resources, and access paths in all cloud environments. Learn more.
5/7/202444 minutes, 55 seconds
Episode Artwork

I Really Shouldn’t Have Agreed to Variable Rate Technical Debt

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our sponsored guest, Aaron Shaha, CISO, CyberMaxx. In this episode: Is technical debt an inevitability in any organization? How do you go about "paying it down?" How do you decide when you need a systematic refresh and when can you kick the can down the road a little longer? Thanks to our podcast sponsor, CyberMaxx CyberMaxx offers MaxxMDR, our next-generation managed detection and response (MDR) solution that helps customers assess, monitor, and manage their cyber risks. MaxxMDR fuels defensive capabilities with insights from offensive security, DFIR, and threat hunting, on top of a technology-agnostic deployment model. We think like an adversary but defend like a guardian.
4/30/202435 minutes, 54 seconds
Episode Artwork

We’ll Invest in Resilience as Soon as the Ransom Payment Clears

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is my guest, Thom Langford, CISO, Velonetic. In this episode: Why do lots of businesses pledge to never pay ransomware demands? And why do their priorities quickly change when they need to get the business back to normal after an attack occurs? What good is a pledge like that without the infrastructure and organizational commitment to make it possible? Thanks to our podcast sponsor, CyberMaxx CyberMaxx offers MaxxMDR, our next-generation managed detection and response (MDR) solution that helps customers assess, monitor, and manage their cyber risks. MaxxMDR fuels defensive capabilities with insights from offensive security, DFIR, and threat hunting, on top of a technology-agnostic deployment model. We think like an adversary but defend like a guardian.
4/23/202435 minutes, 35 seconds
Episode Artwork

We Could Lower Risk If We Shrunk Our Business

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our sponsored guest, Matt Radolec, vp, incident response and cloud operations, Varonis. In this episode: Why is retaining cyber talent so hard? How can organizations keep an employee from going elsewhere? Why do organizations often not prioritize the factors to keep key employees? Thanks to our podcast sponsor, Varonis Ready to reduce your risk without taking any? Try Varonis’ free data risk assessment. It takes minutes to set up and in 24 hours you’ll have a clear, risk-based view of the data that matters most and a clear path to automated remediation. Get started for free today.
4/16/202438 minutes, 19 seconds
Episode Artwork

Our Benefits Include Medical, Dental, and Burnout

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Joshua Brown, vp and global CISO, H&R Block. In this episode: Why is retaining cyber talent so hard? How can organizations keep an employee from going elsewhere? Why do organizations often not prioritize the factors to keep key employees? Thanks to our podcast sponsor, CyberMaxx CyberMaxx offers MaxxMDR, our next-generation managed detection and response (MDR) solution that helps customers assess, monitor, and manage their cyber risks. MaxxMDR fuels defensive capabilities with insights from offensive security, DFIR, and threat hunting, on top of a technology-agnostic deployment model. We think like an adversary but defend like a guardian.
4/9/202443 minutes, 14 seconds
Episode Artwork

Your Biggest Threats Don’t Get a Ransom Payment, They Get a Paycheck

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Alex Green, CISO, Delta Dental. In this episode: Is it true that employees cause as many significant cybersecurity incidents as outside threat actors? Does this come down to a lack of awareness or poorly designed security implementation? And what can we do to improve this situation? Thanks to our podcast sponsor, Silk Security Silk makes it easy for security teams to resolve more critical cyber risks in a fraction of the time. Instead of toiling over spreadsheets, and watching alert backlog graphs go up, Silk helps security teams contextualize, prioritize and collaborate with stakeholders in IT to regain control over their risk posture.
4/2/202436 minutes, 21 seconds
Episode Artwork

A Stressed CISO Is a Happy CISO

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Shawn Bowen, svp and CISO, World Kinect Corporation. In this episode: Is it true that CISOs feel their jobs are harder than ever with higher levels of stress? Yet why does research also show that CISO job satisfaction increasing? How do we make sense of this contradiction? Thanks to our podcast sponsor, Silk Security Silk makes it easy for security teams to resolve more critical cyber risks in a fraction of the time. Instead of toiling over spreadsheets, and watching alert backlog graphs go up, Silk helps security teams contextualize, prioritize and collaborate with stakeholders in IT to regain control over their risk posture.
3/26/202438 minutes, 32 seconds
Episode Artwork

BREAKING: “Department of No” Upgraded to “Department of Slow”

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our sponsored guest, Nadav Lotan, product management team leader, Cisco. In this episode: How can security teams do their jobs without seeming like an impediment to developers? Why can this relationship seem oppositional? How can both sides work together to better secure software without seeming like a road block? Thanks to our podcast sponsor, Panoptica, Cisco’s Cloud Application Security Platform Panoptica, Cisco’s Cloud Application Security solution, provides end-to-end lifecycle protection for cloud native application environments. It empowers organizations to safeguard their APIs, serverless functions, containers, and Kubernetes environments. Panoptica ensures comprehensive cloud security, compliance, and monitoring at scale, offering deep visibility, contextual risk assessments, and actionable remediation insights for all your cloud assets.
3/19/202436 minutes, 47 seconds
Episode Artwork

A Threat Actor Just “Liked” My Dashboard Screenshot

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest, Jamil Farshchi, evp and CISO, Equifax. In this episode: Data leaks are hard enough to deal with when caused by threat actors, but how bad is a self-inflicted data leak? Why do these types of incidents happen? How should an organization assess the risk it introduced? Thanks to our podcast sponsor, Varonis Ready to reduce your risk without taking any? Try Varonis’ free data risk assessment. It takes minutes to set up and in 24 hours you’ll have a clear, risk-based view of the data that matters most and a clear path to automated remediation. Get started for free today.
3/12/202435 minutes, 21 seconds
Episode Artwork

We Can’t Fail at API Security If We Never Even Try

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our sponsored guest, Yoav Nathaniel, co-founder and CEO, Silk Security. In this episode: Why does it seem like securing APIs is so hard? Is it just a matter of complexity?  Why does it seem like we can’t go a week without hearing reports of a data leak caused by a failure in API security? Why do organizations struggle with API security? Thanks to our podcast sponsor, Silk Silk makes it easy for security teams to resolve more critical cyber risks in a fraction of the time. Instead of toiling over spreadsheets, and watching alert backlog graphs go up, Silk helps security teams contextualize, prioritize and collaborate with stakeholders in IT to regain control over their risk posture.
3/5/202435 minutes, 23 seconds
Episode Artwork

I’m Stuffed, I Just Couldn’t Take Another Credential

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our sponsored guest, Jay Trinckes, director of compliance, Thoropass. In this episode: Why do credential stuffing attacks put organizations in such a tricky spot? Why is blaming the victim rarely the right move? What kind of reasonable expectations can companies have about how much users will do to protect themselves? Thanks to our podcast sponsor, Thoropass Still spending time collecting evidence and worrying about breaking free of an infinite audit loop? Relax! We fixed audits. Thoropass provides complete infosec compliance management, continuous monitoring, and security audits through AI-infused software and expert guidance – allowing you to do business with confidence. Learn more at www.thoropass.com.
2/27/202438 minutes, 41 seconds
Episode Artwork

Is There a Konami Code For Cyber Talent?

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest Kelly Haydu, vp, infosec, technology, and enterprise applications, CarGurus. In this episode: What other career fields are rife with talent that could successfully transition into our industry? What kind of framework do we need to surface a more diverse array of talent? Also, what happens when a vendor goes over your head to the CEO? Thanks to our podcast sponsor, Panoptica, Cisco’s Cloud Application Security Platform Panoptica, Cisco’s Cloud Application Security solution, provides end-to-end lifecycle protection for cloud native application environments. It empowers organizations to safeguard their APIs, serverless functions, containers, and Kubernetes environments. Panoptica ensures comprehensive cloud security, compliance, and monitoring at scale, offering deep visibility, contextual risk assessments, and actionable remediation insights for all your cloud assets.
2/20/202438 minutes, 30 seconds
Episode Artwork

It’s Like a Trust Fall, But We Know You’ll Hit the Floor

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Grant Anthony, CISO, Orion Health. In this episode: Why getting buy-in to your security awareness program is so critical? Why do so many organizations get it so wrong? What framework can we apply to actually build trust with security awareness? Thanks to our podcast sponsors, Varonis Ready to reduce your risk without taking any? Try Varonis’ free data risk assessment. It takes minutes to set up and in 24 hours you’ll have a clear, risk-based view of the data that matters most and a clear path to automated remediation. Get started for free today.
2/13/202434 minutes, 42 seconds
Episode Artwork

How Can We Apply Our Shadow IT Failings to Botch Our AI Policy? (LIVE in Clearwater)

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Brett Conlon, CISO, American Century Investments. Joining me is our guest, Mical Solomon, CISO, Port Authority of NY and NJ. In this episode: Does the hype around generative AI tools make it seem like these are a totally new technological challenge for cybersecurity? Are many of the challenges with securing them the same that we've seen from the rise of SaaS and proliferation of shadow IT? What lessons from that transition can we apply to AI? Thanks to our podcast sponsors, Living Security & KnowBe4 Living Security is the global leader in human risk management. Our HRM platform Unify transforms human risk into proactive defense by quantifying human risk and engaging the workforce with relevant training and communications proven to change human behavior. Living Security is trusted by security-minded organizations, including Mastercard, Verizon, Biogen, AmerisourceBergen, and Hewlett-Packard. Learn more at www.livingsecurity.com. KnowBe4's SecurityCoach enables real-time security coaching of your users in response to risky behavior. Based on the rules in your existing security software stack, you can configure your real-time coaching campaign to determine the frequency and type of SecurityTip that is sent to users at the moment risky behavior is detected.
2/6/202442 minutes, 26 seconds
Episode Artwork

Maybe If You Worked Harder Your Burnout Wouldn’t Be Such a Liability

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest, Shyama Rose, CISO and head of IT, Affirm. In this episode: What is the impact of burnout to your security team directly? Does burnout directly play a role in how an organization can respond to security incidents.? All jobs involve dealing with stress, but what should we consider normal in cybersecurity? And when does that stress endanger your security mission? Thanks to our podcast sponsors, Panoptica, Cisco’s Cloud Application Security Platform Panoptica, Cisco’s Cloud Application Security solution, provides end-to-end lifecycle protection for cloud native application environments. It empowers organizations to safeguard their APIs, serverless functions, containers, and Kubernetes environments. Panoptica ensures comprehensive cloud security, compliance, and monitoring at scale, offering deep visibility, contextual risk assessments, and actionable remediation insights for all your cloud assets.
1/30/202433 minutes, 47 seconds
Episode Artwork

For CISOs, It’s Less of a Golden Parachute and More a Pair of Brown Pants

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Trina Ford, CISO, iHeartMedia. In this episode: Why has the landscape for CISOs seemed particularly perilous in the past year? Does there  seem to be more responsibilities with very real legal consequences attached to the role? There is a lot of guidance out there for CISO candidates negotiating for a new position, but what can a current CISO do once they are already in the role? Thanks to our podcast sponsors, Thoropass Still spending time collecting evidence and worrying about breaking free of an infinite audit loop? Relax! We fixed audits. Thoropass provides complete infosec compliance management, continuous monitoring, and security audits through AI-infused software and expert guidance – allowing you to do business with confidence. Learn more at www.thoropass.com.
1/23/202444 minutes, 48 seconds
Episode Artwork

Elvis Is Alive and He’s Reusing Your Passwords

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Bob Schuetter, CISO, Ashland. In this episode: What should a company do when their name is in the press, but they didn't actually suffer a security incident? How much difference is there in responding to a fake data breach versus a real one? How would you handle responding to a fake breach claim? Thanks to our podcast sponsors, Thoropass Still spending time collecting evidence and worrying about breaking free of an infinite audit loop? Relax! We fixed audits. Thoropass provides complete infosec compliance management, continuous monitoring, and security audits through AI-infused software and expert guidance – allowing you to do business with confidence. Learn more at www.thoropass.com.
1/16/202437 minutes, 57 seconds
Episode Artwork

SSO No You Didn't (LIVE in La Jolla, CA)

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Billy Norwood, CISO, FFF Enterprises. Joining us is our guest, Joshua Barons, head of information security at San Diego Zoo Wildlife Alliance. In this episode: Wasn't single sign-on supposed to solve all of our security woes? So why are we still seeing everything from phishing to session hijacking with SSO? Is this just growing pains for SSO or does this hint at a persistent problem? Thanks to our podcast sponsors, Praetorian Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.
1/9/202442 minutes, 36 seconds
Episode Artwork

This Security Crisis Is the Perfect Time to Tell You I Was Right

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures.  Joining me is our guest this week, Mike Kelley, CISO, EW Scrips. In this episode: Why do a lot of security professionals feel unheard? Does this frustration lead to some turning into scolds during a security incident, quick to say "I told you so"? How do you manage these security pros when they don't feel heard, both before and during a crisis? Thanks to our podcast sponsors, Praetorian Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.
1/2/202442 minutes, 42 seconds
Episode Artwork

You’re Not Leaving This House Until You Cover Up That LLM

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Richard Ford, CTO, Praetorian. In this episode: Why do many CISOs think adopting new LLM-based tools will make breaches more likely? Why the rush to throw money at them? How do you go about building a security program that doesn't depend on individuals? Thanks to our podcast sponsors, Praetorian Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.
12/12/202340 minutes, 36 seconds
Episode Artwork

We Got This Far Without Hiring a Prompt Engineer

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest, Suresh Vasudevan, CEO, Sysdig. In this episode: What will the employment landscape look like with Generative AI becoming the next big thing? Will we be hiring prompt engineers in a few years? Or will it become like putting "search engine proficiency" on your resume? Thanks to our podcast sponsors, Sysdig For businesses innovating in the cloud, every second counts. Sysdig strengthens cyber resilience by reducing the attack surface, detecting threats in real time, and accelerating incident response. Our platform correlates signals across cloud workloads, identities, and services to enable businesses to prioritize risks and act decisively. Sysdig. Secure every second.
12/5/202345 minutes, 27 seconds
Episode Artwork

Ugh, Lawyers Take All the Fun Out of Surviving a Cyberattack (LIVE in Las Vegas)

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and sponsored co-host Jason Sabin, CTO, DigiCert. Joining us is our guest, Alexandra Landegger, executive director of security, Collins Aerospace. In this episode: Are CISOs prepared for the legal surprises that can come in the aftermath of a cyberattack? What about the legal fallout that can occur afterward? How does a security team work with legal beforehand to address these issues when drawing up incident response? Thanks to our podcast sponsors, DigiCert DigiCert is a leading global provider of digital trust, the infrastructure that enables individuals and businesses to have confidence that their digital interactions are secure. DigiCert’s award-winning solutions enable organizations to establish, manage, and extend public and private trust across their digital footprint, securing users, servers, devices, software and content.
11/28/202344 minutes, 3 seconds
Episode Artwork

Dear Abby: Should I Sell to a CISO During a Cyberattack? (LIVE in Mountain View)

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest, Kurt Sauer, CISO, Docusign. We recorded in front of a live audience at Microsoft’s offices in Mountain View, CA as part of the ISSA-Silicon Valley chapter meeting. Check out all the photos from the event. In this episode: Is a high profile cyberattack the best time for salespeople to come out of the woodwork asking if the affected CISO would like to see their product, which would have helped prevent the attack? Is there any way for a vendor to positively reach out to victims after a cyberattack? Also, what could be some effective ways to invest IP with generative AI to create value for the organization? Thanks to our podcast sponsors, Veza, Sysdig, and SlashNext 75% of breaches happen because of bad permissions. The problem is that you don’t know exactly WHO has access to WHAT data in your environment. For example, roles labeled as “read-only” can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission—in every app—across your environment. For businesses innovating in the cloud, every second counts. Sysdig strengthens cyber resilience by reducing the attack surface, detecting threats in real time, and accelerating incident response. Our platform correlates signals across cloud workloads, identities, and services to enable businesses to prioritize risks and act decisively. Sysdig. Secure every second. SlashNext Complete delivers zero-hour protection for how people work today across email, mobile, and browser apps.  With SlashNext’s generative AI to defend against advanced business email compromise, smishing, spear phishing, executive impersonation, and financial fraud, your people are always protected anywhere they work.  Request a demo today.
11/21/202344 minutes, 44 seconds
Episode Artwork

We’re Not Home. Please Leave Your Company’s Data After the Beep

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Arvin Bansal, former CISO for Nissan Americas. In this episode: Why are so many companies unprepared for phone-based social engineering? Why do many orgs not give this attack surface the attention it deserves? Are we doing enough to support whistleblowers in cybersecurity? Thanks to our podcast sponsor, Palo Alto Networks As cloud attacks increase, how should AppSec respond? Hear from Daniel Krivelevich, CTO of AppSec at Palo Alto Networks, as he dives into modern application security strategies that can help teams defend their engineering ecosystems from modern attacks. Watch now to level up your AppSec program.
11/14/202343 minutes, 31 seconds
Episode Artwork

Hey, Let’s Merge Our Technical Debt With Your Understaffed Security Team! (LIVE in Miami)

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Adam Zoller, svp, CISO at Providence. Joining me is our guest Sam Jacques, vp of clinical engineering, McLaren Health Care. In this episode: When should cybersecurity be brought into the discussion when a merger is underway? Why is security always going to be an issue in a merger or acquisition? If we know it's so important, why does it always feel like we're reinventing the wheel each time? Thanks to our podcast sponsor, Claroty Claroty enables varied sectors to protect their cyber-physical systems, known as the Extended IoT. The platform integrates seamlessly, offering comprehensive controls for visibility, risk management, network protection, and more. Trusted by global leaders, Claroty operates in hundreds of organizations worldwide. Headquartered in NYC, it spans Europe, Asia-Pacific, and Latin America.
11/7/202344 minutes, 8 seconds
Episode Artwork

I Taught DeNiro Security Theater, I Can Teach You.

All links and images for this episode can be found on CISO Series. In principle, we can generally all agree that security theater is a waste of time for security teams. But the reality is that these are things that look good, so it can be hard to justify to non-technical leadership why you’re eliminating something they see as secure. So how can we positively identify actual security theater practices and how do we communicate that to the rest of the organization? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Davi Ottenheimer, vp of trust and digital ethics, Inrupt. Thanks to our podcast sponsor, Sysdig For businesses innovating in the cloud, every second counts. Sysdig strengthens cyber resilience by reducing the attack surface, detecting threats in real time, and accelerating incident response. Our platform correlates signals across cloud workloads, identities, and services to enable businesses to prioritize risks and act decisively. Sysdig. Secure every second. In this episode: Is security theater a waste of time for security teams? Why can it be hard to justify to non-technical leadership why you’re eliminating something they see as secure? How can we positively identify actual security theater practices and how do we communicate that to the rest of the organization?
10/31/202339 minutes, 12 seconds
Episode Artwork

A CEO’s Guide To Ignoring Your Security Program (LIVE in Santa Monica)

All links and images for this episode can be found on CISO Series. Usually the buck stops with the CEO. But for a CISO, what do you do when a CEO wants to exempt themselves from your security program? Whether it's granting privileged network access or just ignoring protocols, it can put a CISO in a tough spot. So how do you deal with a leader that thinks they're above the controls you have in place? Is it enough to document your disagreement or is there anything else you can do in that position?  This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and John C. Underwood, VP, information security, Big 5 Sporting Goods. Joining me is our guest, Joshua Scott, Head of Security and IT, Postman. Thanks to our podcast sponsor, Veza 75% of breaches happen because of bad permissions. The problem is that you don’t know exactly WHO has access to WHAT data in your environment. For example, roles labeled as “read-only” can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission—in every app—across your environment. In this episode: For a CISO, what do you do when a CEO wants to exempt themselves from your security program? How do you deal with a leader that thinks they're above the controls you have in place? Is it enough to document your disagreement or is there anything else you can do in that position?
10/24/202344 minutes, 9 seconds
Episode Artwork

Security Awareness Lifecycle: Turn On, Tune In, Drop Out

All links and images for this episode can be found on CISO Series. When it comes to security awareness, the advice generally doesn't change. There are a set of best practices that have proven to be effective. So we know what we want to tell people. Communicate it consistently. So how do we relay that information without sounding like a broken record? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Steve Zalewski. Joining us is our sponsored guest, Daniel Krivelevich, CTO for Appsec, Palo Alto Networks. Thanks to our podcast sponsor, Palo Alto Networks As cloud attacks increase, how should AppSec respond? Hear from Daniel Krivelevich, CTO of AppSec at Palo Alto Networks, as he dives into modern application security strategies that can help teams defend their engineering ecosystems from modern attacks. Watch now to level up your AppSec program. In this episode: What security measures have been the most successful in preventing cyberattacks? What do we need to better understand about misconfigurations to better secure the cloud? How do we relay this information without sounding like a broken record?
10/17/202338 minutes, 2 seconds
Episode Artwork

Threats In SaaS Are Closer Than They Appear

All links and images for this episode can be found on CISO Series. Organizations know that securing SaaS is vital. But polls consistently show they also know their current security isn’t cutting it. With security teams acting more as SaaS supervisors than app owners, how can we reduce the glaring gaps in our SaaS defenses? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our sponsored guest, Rohan Sathe, co-founder and CTO, Nightfall AI. Thanks to our podcast sponsor, Nightfall Nightfall is the leader in cloud data leak prevention. Integrate in minutes with cloud apps such as Slack and Jira to instantly protect data (PII, PHI, Secrets and Keys, PCI) and prevent breaches. Stay compliant with frameworks such as ISO 27001 and more — all powered by Nightfall's industry-leading ML detection. In this episode: With security teams acting more as SaaS supervisors than app owners, how can we reduce the glaring gaps in our SaaS defenses? How can we secure new technology without creating new risks? If security no longer owns SaaS security, then how can they go about closing these gaps?
10/10/202336 minutes, 53 seconds
Episode Artwork

We Can Name 50 CISOs. Let’s Give Them an Award!

All links and images for this episode can be found on CISO Series. If you search online, you'll find no dearth of lists claiming to rank the top security leaders. The question is, how do these actually get created? Most of the time, these lists include CISOs from the biggest companies, or the ones with the best name recognition. But is that any kind of objective criteria? These lists generally serve the interest of boosting the credibility of the publisher, rather than being based on any kind of rigor. Is there any way to make these lists anything but fluff? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Janet Heins, CISO, iHeartMedia. Thanks to our podcast sponsor, LimaCharlie Whether you’re looking for endpoint security, an observability pipeline, detection and response rules, or other underlying security capabilities, LimaCharlie’s SecOps Cloud Platform helps you build a flexible and scalable security program that can evolve as fast as threat actors. Move your SecOps into the modern era. Learn more at limacharlie.io. In this episode: If you search online, you'll find no dearth of lists claiming to rank the top security leaders. The question is, how do these actually get created? Is there any kind of objective criteria? Is there any way to make these lists anything but fluff?
10/3/202338 minutes, 1 second
Episode Artwork

C is for C-Suite, Except If You’re a CISO

All links and images for this episode can be found on CISO Series. CISOs are common among the Fortune 500. But it remains rare to see them listed in executive leadership. Given that every company says security is of prime importance, why aren’t CISOs named within the top company echelons? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Allan Cockriel, CISO of Shell. Joining us is our special guest, Mary Rose Martinez, CISO, Marathon Petroleum. Thanks to our podcast sponsor, Censys Censys is the leading Internet Intelligence Platform for Threat Hunting and Exposure Management. We provide the most comprehensive, accurate, and up-to-date map of the internet, which scans 45x more services than the nearest competitor across the world’s largest certificate database (>10B). Learn more at www.censys.com.  In this episode: Given that every company says security is of prime importance, why aren’t CISOs named within the top company echelons? Can you think of a security action that did work at one organization that simply wouldn't work in another because of the culture? When it comes to communicating bad news to the board and c-suite, what techniques have worked the best?
9/26/202343 minutes, 27 seconds
Episode Artwork

Part Man. Part Machine. All CISO. (Live in D.C.)

All links and images for this episode can be found on CISO Series. We’ve heard a lot of talk about the security risks with emerging AI technologies. A lot of these center around employees using large language models. But what about the potential benefits of this technology for cybersecurity? Could we eventually see a de facto AI CISO on the job? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Rob Duhart, deputy CISO, Walmart. Joining us is our special guest, Aaron Hughes, CISO, Albertsons. Thanks to our podcast sponsor, KnowBe4 In this episode: What are the potential benefits of A.I. for cybersecurity? Could we eventually see a de facto AI CISO on the job? How does neurodiversity improve awareness in your security program? Where have you taken advantage of AI for your security program? And specifically so you can do your job better as a CISO, where does AI deliver opportunities?
9/19/202342 minutes, 24 seconds
Episode Artwork

Is This Just Bad Or “Call The Feds” Bad?

All links and images for this episode can be found on CISO Series. In everyday life, it's often clear when to call in the authorities. Someone egging your house might not rise to the occasion, but a break-in gets a call to the cops. It's less clear when it comes to a cyberattack. What constitutes a significant attack and what are the regulatory requirements? Once you make the call, how do they help in your response? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our special guest, David Ring, section chief at FBI, Cyber Division. Thanks to our podcast sponsor, Hunters Hunters SOC Platform is a SIEM alternative, delivering data ingestion, built-in and always up-to-date threat detection, and automating correlation and investigation processes to reduce risk, complexity, and cost for security teams. Learn more at hunters.security. In this episode: What constitutes a significant attack and what are the regulatory requirements? Once you make the call, how do they help in your response? How do you approach "skills-and competency-based" hiring? And are there certain positions for which a 4-year degree is necessary?
9/12/202338 minutes, 33 seconds
Episode Artwork

Giving Slack Slack Will Lead Your Teams to Discord

All links and images for this episode can be found on CISO Series. Even before the pandemic, we've been increasingly living in online collaboration apps. So why are organizations still making basic security mistakes with them? Is this a case of shadow IT or do these apps present unique challenges? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest, Rich Dandliker, chief strategist, Veza. Thanks to our podcast sponsor, Veza 75% of breaches happen because of bad permissions. The problem is that you don’t know exactly WHO has access to WHAT data in your environment. For example, roles labeled as “read-only” can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission—in every app—across your environment. Learn more at Veza.com. In this episode: We've been increasingly living in online collaboration apps. So why are organizations still making basic security mistakes with them? Is this a case of shadow IT or do these apps present unique challenges? Startups are by nature a risky business, most fail. Why do they?
9/5/202337 minutes, 32 seconds
Episode Artwork

Please Take Some Pens and Our Company Data On Your Way Out

All links and images for this episode can be found on CISO Series. Every company deals with off-boarding employees. Yet it feels like many organizations make basic security mistakes in this process. Is it just a case of HR and IT being out of sync, or is this an inevitably leaky process? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our special guest Lorna Koppel, CISO, Tufts University. Thanks to our podcast sponsor, LimaCharlie Whether you’re looking for endpoint security, an observability pipeline, detection and response rules, or other underlying security capabilities, LimaCharlie’s SecOps Cloud Platform helps you build a flexible and scalable security program that can evolve as fast as threat actors. Move your SecOps into the modern era. Learn more at limacharlie.io. In this episode: What can a vendor do that will actually make a CISO want to respond to a message? What are we doing right and wrong when it comes to hardening our environments? Do you think organizations are still struggling with hardening their environments and if so, why?
8/29/202340 minutes, 12 seconds
Episode Artwork

If You Care About Security, Maybe This Guilt Tactic Will Work

All links and images for this episode can be found on CISO Series. Security vendors want to engage with CISOs. Yet many choose tactics that seem blatantly insulting. It might seem obvious that asking a CISO if they care about security does nothing to ingratiate yourself, but we still have inboxes full of these types of messages. So what can a vendor do that will actually make a CISO want to respond to a message? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our special guest, Jeff Hudesman, CISO, Pinwheel. Thanks to our podcast sponsor, Balbix Balbix is a cyber risk quantification platform that discovers and manages all your cyber assets, identifies and prioritizes vulnerabilities, and delivers a monetary assessment of cyber risk. This enables CISOs to articulate the value of risk to the board and obtain support and budgets for security programs. In this episode: What can a vendor do that will actually make a CISO want to respond to a message? What are we doing right and wrong when it comes to hardening our environments? Do you think organizations are still struggling with hardening their environments and if so, why?
8/22/202339 minutes, 27 seconds
Episode Artwork

5 Years Required to Write a Better Job Description

All links and images for this episode can be found on CISO Series. We're seeing increasing recognition that cybersecurity jobs should focus on competency rather than years of experience. But how do you create job posts to encourage that? And how do applicants even show that on a resume? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us for the episode is our special guest TC Niedzialkowski‌, CISO, Nextdoor. Thanks to our podcast sponsor, Reqfast Stop treating your various intelligence and security functions as if they are separate, unrelated activities and, instead, bring them together with Reqfast. Identify what’s needed, identify areas for improvement, and make data-driven decisions with confidence. In this episode: Are we finally seeing increasing recognition that cybersecurity jobs should focus on competency rather than years of experience? How do you create job posts to encourage that? How do applicants even show that on a resume?
8/15/202344 minutes, 59 seconds
Episode Artwork

When Do I Fix the Toilet Myself or Call the Plumber?

All links and images for this episode can be found on CISO Series. For some security problems, it can be tough to know when to try to fix the problem yourself or turn to a vendor. Deciding this shouldn't start with talking to someone that wants to sell you something. But how do you determine when it's time to call in a vendor? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us for this episode is our special guest, Katie Ledoux, CISO, Attentive. Thanks to our podcast sponsor, Palo Alto Networks As cloud attacks increase, how should AppSec respond? Hear from Daniel Krivelevich, CTO of AppSec at Palo Alto Networks, as he dives into modern application security strategies that can help teams defend their engineering ecosystems from modern attacks. Watch now to level up your AppSec program. In this episode: Why do many organizations have a problem relating quantification to something meaningful to the business? Is there a way to understand risks on a continuum that will make relating these to business a little more manageable? What are the questions security professionals should be asking themselves?
8/8/202342 minutes, 5 seconds
Episode Artwork

Cyber Advice So Generic, You’ll Assume It Came from ChatGPT

All links and images for this episode can be found on CISO Series. Shifting Left is so five years ago. Advice and best practices are great, but context is king. Is there a mixture of best practices AND doing what's right for your business that's actually practical? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Steve Zalewski. Joining us for the episode is our sponsored guest Gaurav Banga, CEO, Balbix. Thanks to our podcast sponsor, Balbix Balbix is a cyber risk quantification platform that discovers and manages all your cyber assets, identifies and prioritizes vulnerabilities, and delivers a monetary assessment of cyber risk. This enables CISOs to articulate the value of risk to the board and obtain support and budgets for security programs. In this episode: What are your most successful tactics when talking to the boardroom? Is there a mixture of best practices AND doing what's right for your business that's actually practical? What have you heard enough with automation and what would you like to hear a lot more?
8/1/202336 minutes, 4 seconds
Episode Artwork

Vendors Are From Mars. Their Security Is From Venus.

All links and images for this episode can be found on CISO Series. There are so many third party vendors we want to work with, but uggh, their security and privacy is so troublesome. Is it only the security department's job to vet these partners or should everyone have a responsibility of keeping tabs on third party security? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Our guest is Phil Beyer, former head of security, Etsy. Thanks to our podcast sponsor, Balbix Balbix is a cyber risk quantification platform that discovers and manages all your cyber assets, identifies and prioritizes vulnerabilities, and delivers a monetary assessment of cyber risk. This enables CISOs to articulate the value of risk to the board and obtain support and budgets for security programs. In this episode: There are many third party vendors that CISOs & practitioners want to work with, but why is their security and privacy so troublesome? Is it only the security department's job to vet these partners or should everyone have a responsibility of keeping tabs on third party security? What can frontline employees do to manage third-party risk?
7/25/202339 minutes, 20 seconds
Episode Artwork

We're So Special Gartner Hasn't Even Thought Of Our Category Yet

All links and images for this episode can be found on CISO Series. Do you know what security categories were created this year? I have no idea. Do you know which ones were deleted? I don't think any. Is category growth designed to make more money for the industry? Does it help customers build a better security strategy? It seems like a necessary evil that just confuses customers. The number of categories never decreases or replaces old categories. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Our sponsored guest is Maxime Lamothe-Brassard (@_maximelb), CEO and co-founder at LimaCharlie. Thanks to our podcast sponsor, LimaCharlie LimaCharlie is inviting you for the unveiling of the SecOps Cloud Platform during a two-hour LinkedIn Live event on Wednesday, July 19th, starting at 10:00am PST.  For every registrant, LimaCharlie will be donating $5 to the Internet Archive. Register for the event at limacharlie.io or on the LimaCharlie LinkedIn page. In this episode:  Do you know what security categories were created this year? Do you know which ones were deleted? Is category growth designed to make more money for the industry? Does it help customers build a better security strategy?
7/18/202341 minutes, 59 seconds
Episode Artwork

Who’s in Charge of Stopping Stupid Ideas? (LIVE in Tel Aviv)

All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Jesse Whaley, CISO, Amtrak. Our guest was Paul Branley, CISO, TSB Bank. We recorded this episode in front of a live audience in Tel Aviv as part of Team8’s CISO Summit 2023. CISO Series is honored to have been invited to record our show at the event. Thanks to our podcast sponsor, Team8 Team8 is a global venture group that builds and invests in early stage companies focused on digital transformation: cybersecurity, data, fintech and digital health. Its strong expertise in cyber is the backbone of Team8’s CISO Village - a community of hundreds of CISOs who enjoy access to thought leadership, networking events, and partner with Team8 to support its company building process. In this episode: Why should you NEVER boast about how good your security is? When upskilling your staff, how do you identify the knowledge that must be learned? Who will learn it? Who will provide it? What does this do to your current security if people are spending time teaching and learning?
7/11/202342 minutes
Episode Artwork

Password Rules Make Us Feel More Secure

All links and images for this episode can be found on CISO Series. Troy Hunt's new site, "Dumb Password Rules," demonstrates yet another slice of security theater. Rules designed to make the creator believe they're making the business more secure, but appear to do nothing more than create unnecessary roadblocks and confusion. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Our guest is Dave Hannigan (@davidhannigan), CISO, Nubank. Thanks to our podcast sponsor, Reqfast Stop treating your various intelligence and security functions as if they are separate, unrelated activities and, instead, bring them together with Reqfast. Identify what’s needed, identify areas for improvement, and make data-driven decisions with confidence. In this episode: Are dumb password rules the result of security theater or limitations of old technology? What really causes lack of sleep and burnout among IT and Security leaders? Why are we still struggling with cybersecurity hiring?
6/27/202338 minutes, 14 seconds
Episode Artwork

Make Them a Passwordless Offer They Can’t Refuse (LIVE in Denver)

This week’s episode was recorded in front of a live audience at the Colorado Convention Center in Denver as we kicked off the Rocky Mountain Information Security Conference (RMISC). See the blog post for this episode here. Joining me, David Spark (@dspark), producer of CISO Series, on stage was my guest co-host, Jay Wilson, CISO for Insurity. Our guest is Michelle Wilson, CISO, Movement Mortgage. HUGE thanks to our sponsor, Trend Micro The stakes are high for cybersecurity decision makers as the threat landscape and attack surface continue to evolve. Explore Trend Micro’s CISO Resource Center for research-driven strategic insights and best practices to help leaders better understand, communicate, and minimize cyber risk across the enterprise. Learn more.
6/20/202346 minutes, 25 seconds
Episode Artwork

After a Breach, Security and Privacy Are Very Important to Us

All links and images for this episode can be found on CISO Series. Why does it seem that the only time we hear about a company’s concern about security and privacy is after they’re compromised. It is only at that moment they feel compelled to let us know that they’re taking this situation very seriously because as we’ve ll heard before “security and privacy are very important to us.” This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Andrea Bergamini, CISO, Orbia. Thanks to our podcast sponsor, Varonis Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren’t needed – reducing your risk on a continual basis. Discover more at www.varonis.com/cisoseries. In this episode:  Why does it seem that the only time we hear about a company’s concern about security and privacy is after they’re compromised? Is it only because at that moment they feel compelled to let us know that they’re taking this situation very seriously? How do you get things going before you have a massive breach?
6/13/202340 minutes, 3 seconds
Episode Artwork

Your Lips Say “No,” But I’m Not Listening

All links and images for this episode can be found on CISO Series. There is a long history of security professionals complaining about the insecurity of new technologies. When new technologies take off, they rarely have lots of great security built in. The populace never comes around and says, "Security is right. We should stop using this thing we love." The popular technology ALWAYS wins. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Rinki Sethi (@rinkisethi), vp and CISO, BILL. Thanks to our podcast sponsor, OffSec With a Learn Enterprise plan, your employees get unlimited access to over 1,500 videos, 2,000 practical exercises, and more than 800 hands-on labs. The library is updated regularly with training content and modules defensive and offensive job role-specific content, from foundational to advanced. Google, Vmware, Microsoft all trust OffSec. In this episode: Is it a coincidence that there is a long history of security professionals complaining about the insecurity of new technologies? When new technologies take off, why do they rarely have lots of great security built in? How does a cyber aware c-suite/board make better decisions that help a CISO and the business?
6/6/202338 minutes, 8 seconds
Episode Artwork

Failure Is The Likely Option

All links and images for this episode can be found on CISO Series. When cybersecurity needs to cut budget, first move is to look where you have redundancy. That way you're not actually reducing the security effort. But after that, the CFO needs to know what are the most important areas of the business to protect. Where will they be willing to take on more risk? Because, with less security, the chances of failure increase. This show was recorded in front of a live audience in New Orleans as part of the BSidesNOLA 2023 reboot conference. The episode features me, David Spark (@dspark), host and producer of CISO Series. My guest co-host is my former co-host, Allan Alford (@allanalfordintx), CISO for Precedent and host of The Cyber Ranch Podcast. Our guest is Mike Woods, corporate CISO for GE. Thanks to our podcast sponsors: Conveyor, Nightfall AI, Rapid7 Love security questionnaires? Then you’re going to hate Conveyor: the end-to-end trust platform built to eliminate questionnaires. Infosec teams reduce the volume of questionnaires with a customer-facing trust portal and for any remaining questionnaires, our GPT-Questionnaire Eliminator response tool or white-glove questionnaire completion service will knock them off your to-do list. www.conveyor.com Nightfall is the leader in cloud data leak prevention. Integrate in minutes with cloud apps such as Slack and Jira to instantly protect data (PII, PHI, Secrets and Keys, PCI) and prevent breaches. Stay compliant with frameworks such as ISO 27001 and more — all powered by Nightfall's industry-leading ML detection. Rapid7 is the only connected, cloud to on-prem cybersecurity partner with unlimited incident response, unlimited automated workflows, unlimited vulnerability management, unlimited app security, you get the idea. Add it up – with Rapid7’s decades of practitioner-first problem solving – and there’s unlimited opportunity for you. See for yourself at Rapid7.com/ciso-series. In this episode:  We always say, “trust but verify,” but how do you actually verify? When it comes to cut budget, make sure you’re already in the mind of the CFO. What’s the difference between a good cybersecurity professional and a great one?
5/30/202345 minutes, 45 seconds
Episode Artwork

A Fireman? A Princess? How About a CISO?

All links and images for this episode can be found on CISO Series. As children, we don't dream of becoming a CISO, but yet we still have them. What is it a security professional can learn or even show, to demonstrate that they're getting ready for the position of a CISO? This week’s episode is hosted by me, David Spark, producer of CISO Series and Andy Ellis, operating partner, YL Ventures. Our guest is Paul Connelly, former CISO, HCA Healthcare. Thanks to our podcast sponsor, Nightfall Nightfall is the leader in cloud data leak prevention. Integrate in minutes with cloud apps such as Slack and Jira to instantly protect data (PII, PHI, Secrets and Keys, PCI) and prevent breaches. Stay compliant with frameworks such as ISO 27001 and more — all powered by Nightfall's industry-leading ML detection. In this episode: What is it a security professional can learn or even show, to demonstrate that they're getting ready for the position of a CISO? How to tell that you are NOT CISO material? What don't CISOs know about physical security that they should know before they get into big trouble?
5/23/202338 minutes, 19 seconds
Episode Artwork

I’ve Got Plenty of Risk If You Want More

All links and images for this episode can be found on CISO Series. It seems anything that's added to a business, like a new app or a third party vendor, just adds more risk. Risk definitely piles up faster than CISOs can reduce it. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Kurt Sauer (@kurtsauer), CISO, DocuSign (when we recorded the show, Kurt was the vp of security for Workday). Thanks to our podcast sponsor, Stairwell The standard cybersecurity blueprint is a roadmap for attackers to test and engineer attacks. With Inception, organizations can operate out of sight, out of band, and out of time. Collect, search, and analyze every file in your environment – from malware and supply chain vulnerabilities to unique, low-prevalence files and beyond. Learn about Inception. In this episode:  Does it seem like anything that's added to a business, like a new app or a third party vendor, just adds more risk? Does risk pile up faster than CISOs can reduce it? How do you avoid creating new risks when you add new applications, or even just update applications?
5/16/202340 minutes, 32 seconds
Episode Artwork

What Kind of Challenges Do You Foresee In Firing Me?

All links and images for this episode can be found on CISO Series. This show was recorded in front of a live audience in New York City! This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and a special guest host, Aaron Zollman, CISO & vp, platform engineering, Cedar. Our guest is Colin Ahern, chief cyber officer for the State of New York. Thanks to our podcast sponsor, OpenVPN, SlashNext & Votiro Take the cost and complexity out of secure networking with OpenVPN. Whether you choose our cloud-delivered or self-hosted solution, subscriptions are based on concurrent connections, so you pay for what you actually use. Start today with free connections, no credit card required, and scale to paid when you’re ready. SlashNext, a leader in SaaS-based Integrated Cloud Messaging Security across email, web, and mobile has the industry’s first artificial intelligence solution, HumanAI, that uses generative AI to defend against advanced business email compromise (BEC), supply chain attacks, executive impersonation, and financial fraud. Request a demo today. No matter what technology or training you provide, humans are still the greatest risk to your security. Votiro’s API-centric product sanitizes every file before it hits the endpoint, so the files that your employees open are safe. This happens in milliseconds, so the business stays safe and never slows down. In this episode: If you hired someone today, how would you know in 3 months time that they were the right fit? Do you have any other questions you've heard from candidates that you think are better? What doesn't the government currently know about cloud providers that they should know?
5/9/202346 minutes, 18 seconds
Episode Artwork

I Wouldn’t Trust Everything You Read… On My Resume

All links and images for this episode can be found on CISO Series. Turns out cybersecurity professionals lie on their resumes. They add degrees and certifications they don't have. They omit degrees for fear of looking overqualified. And sometimes, they flat out invent jobs. But given the responses as to why people do it, it's because they're trying to get by the unnecessary barriers of cybersecurity hiring. Does that make the lying justified? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is David Nolan, vp, enterprise risk & CISO, Aaron's. Thanks to our podcast sponsor, Varonis Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren’t needed – reducing your risk on a continual basis. Discover more at www.varonis.com/cisoseries. In this episode:  Do some cybersecurity professionals really lie on their resumes? Is this because they're trying to get by the unnecessary barriers of cybersecurity hiring? Does that make the lying justified?
5/2/202338 minutes, 7 seconds
Episode Artwork

Can’t You Just Pop Out of Zeus’ Head a Fully Formed Security Professional?

All links and images for this episode can be found on CISO Series. Companies want to hire security professionals who know everything. Eager professionals who want all those skills are screaming please hire me and train me. But unlike the military which can turn a teenager into a soldier in 16 weeks, corporations in dire of cybersecurity help have little to no means to train. They're just hoping they'll show up perfect and ready to fight in a digital war. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Joe Lowis, CISO, CDC. Thanks to our podcast sponsor, Cyolo Too many critical assets and systems remain exposed because traditional secure access solutions are not able to protect the high-risk access scenarios and legacy applications that keep business operations running. With its trustless zero-trust access solution, Cyolo gives organizations the visibility and access control they need to secure every connection. In this episode: Is it realistic for companies to hire security professionals who know everything? Do companies realize that there are professionals who want all those skills and are eager to learn? Why isn’t there more emphasis on providing training like how the military trains all new recruits?
4/25/202338 minutes, 20 seconds
Episode Artwork

We’d Secure Our Data If We Knew Where It Was

All links and images for this episode can be found on CISO Series. Given the ease of sharing data, our sensitive information is going more places that we want it. We have means to secure data, but you really can't do that if you don't know where your data actually is. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Brian Vecci (@BrianTheVecci), field CTO, Varonis. Thanks to our podcast sponsor, Varonis Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren’t needed – reducing your risk on a continual basis.  Discover more at www.varonis.com/cisoseries. In this episode: What exactly is “dark data”? Are we creating more problems for ourselves by holding onto dark data? What is this generated yet unused data? Is this the same as ROT data or redundant, obsolete, trivial data? How can it be discovered and classified?
4/18/202336 minutes, 40 seconds
Episode Artwork

Our Security Tool Can Do Everything But Mitigate Risk

All links and images for this episode can be found on CISO Series. No department is immune to budget cuts. When the budget cuts come in, where can security look first to save money? Mike Johnson said, "An expensive tool that doesn't mitigate risk should be at the top of the chopping block." This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Almog Apirion (@almogap), CEO and cofounder, Cyolo. Thanks to our podcast sponsor, Cyolo Too many critical assets and systems remain exposed because traditional secure access solutions are not able to protect the high-risk access scenarios and legacy applications that keep business operations running. With its trustless zero-trust access solution, Cyolo gives organizations the visibility and access control they need to secure every connection. In this episode: When the budget cuts come in, where can security look first to save money?  Where has change management gotten easier and more difficult for you over the years? And how do you engage with your team and affected users about making a change that works best for the business?
4/11/202334 minutes, 35 seconds
Episode Artwork

No Need for Chaos Engineering Since Our Architecture Is Always Failing

All links and images for this episode can be found on CISO Series. Is chaos engineering the secret sauce to creating a resilient organization? Purposefully disrupt your architecture to allow for early discovery of weak points. Can we take it even further to company environment, beyond even a tabletop exercise? How far can we test our limits while still allowing the business to operate? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Mike Wiacek, CEO, Stairwell. Thanks to our podcast sponsor, Stairwell The standard cybersecurity blueprint is a roadmap for attackers to test and engineer attacks. With Inception, organizations can operate out of sight, out of band, and out of time. Collect, search, and analyze every file in your environment – from malware and supply chain vulnerabilities to unique, low-prevalence files and beyond. Learn about Inception. In this episode: Is chaos engineering the secret sauce to creating a resilient organization?  Purposefully disrupt your architecture to allow for early discovery of weak points. Can we take it even further to company environment, beyond even a tabletop exercise? How far can we test our limits while still allowing the business to operate?
4/4/202339 minutes, 21 seconds
Episode Artwork

Why Aren’t You On Slack Where I Can Interrupt You?

All links and images for this episode can be found on CISO Series. In order to get any work done we try to shut out all possible distractions. That includes messaging apps. But those people who want to connect become annoyed that they can't reach you. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Howard Holton, CTO, GigaOm. Thanks to our podcast sponsor, Cyolo Too many critical assets and systems remain exposed because traditional secure access solutions are not able to protect the high-risk access scenarios and legacy applications that keep business operations running. With its trustless zero-trust access solution, Cyolo gives organizations the visibility and access control they need to secure every connection. In this episode: In order to get any work done, why do we try to shut out all possible distractions, including messaging apps?  What happens when those people who want to connect become annoyed that they can't reach you? Who are the true innovators in cybersecurity? Is it the attackers or the defenders?
3/28/202336 minutes, 32 seconds
Episode Artwork

Fast Track Burnout for Your Cyber Team with Layoffs

All links and images for this episode can be found on CISO Series. What happens to your team after the layoffs? Your overextended team now realizes they're going to have to pick up the slack for those who left. How do you shift responsibilities in such a situation? Does anything fall away? Because you can't still operate at the same level. How do you adjust while maintaining morale and not burning out those who are there? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Dan Walsh, CISO, VillageMD. Our guest is Nick Vigier, CISO, Talend. Thanks to our podcast sponsor, Sentra Sentra’s Data Security Posture Management Solution not only discovers and classifies cloud data, but ensures it always has the proper security posture. No matter where the data is moved or copied, Sentra can identify the type of data, who has access to it, and how it’s meant to be secured. In this episode:  What happens to your team after the layoffs? Your overextended team now realizes they're going to have to pick up the slack for those who left. How do you shift responsibilities in such a situation? How do you adjust while maintaining morale and not burning out those who are there?
3/21/202334 minutes, 29 seconds
Episode Artwork

We Look for Candidates Who Already Know Everything

All links and images for this episode can be found on CISO Series. Future cybersecurity talent is frustrated. The industry demand for cybersecurity professionals is huge, but the openings for green cyber people eager to get into the field are few. They want professional training, and they want the hiring companies to provide the training. Problem is not enough companies have training programs in place and as a result they can only hire experienced cyber talent, shutting out those who want to get in. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Matt Radolec, sr. director incident response and cloud operations, Varonis. Thanks to our podcast sponsor, Varonis Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren’t needed – reducing your risk on a continual basis. Discover more at www.varonis.com/cisoseries. In this episode:  The industry demand for cybersecurity professionals is huge, so why are the openings for green cyber people eager to get into the field so few? Should more hiring companies provide the training? Is the problem that not enough companies have training programs in place?
3/14/202338 minutes, 39 seconds
Episode Artwork

We're Experts At Telling You To Fix Your Problems

All links and images for this episode can be found on CISO Series. I don't need another vendor to find my problems. Finding my problems has not been the issue. That's the easy part. Fixing them with the staff I have is definitely "the problem." Vulnerability management must include ways to remediate, quickly. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is John C. Underwood, vp, information security, Big 5 Sporting Goods. Thanks to our podcast sponsor, Pentera Pentera is the category leader for Automated Security Validation, allowing every organization to test with ease the integrity of all cybersecurity layers including their ransomware readiness, unfolding true, current security exposures at any moment, at any scale. In this episode:  Do you need another vendor to find your problems when finding your problems has not been the issue? Or is actually fixing them with your staff "the problem"? Do you think vendors are finally moving away from offering "just" visibility and giving proactive advice and some cases automation to fix it?
3/7/202336 minutes, 55 seconds
Episode Artwork

_Saying_ “We’re 100% Secure” Is Not the Problem

All links and images for this episode can be found on CISO Series. It's pretty darn easy to just utter the words "we're 100% secure." Pulling that off seems universally impossible, but some organizations are adamant about certain types of safety so they aim for 100%. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Yoav Regev (@yoav_regev), CEO, Sentra. Thanks to our podcast sponsor, Sentra Sentra’s Data Security Posture Management Solution not only discovers and classifies cloud data, but ensures it always has the proper security posture. No matter where the data is moved or copied, Sentra can identify the type of data, who has access to it, and how it’s meant to be secured. In this episode:  What does it take to have a successful security program? What are the things to focus on when speaking with executives? How do you stay innovative as a security professional and have new fresh perspectives?
2/28/202338 minutes, 1 second
Episode Artwork

This Unwanted Cold Call Made Possible Thanks to This Month’s Sales Quota

All links and images for this episode can be found on CISO Series. A CISO calls on security vendors to stop the spamming and cold calling. Are these annoyances the direct result the way salespeople are measured? Is that what drives the desperation and bad behavior? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Dmitriy Sokolovskiy, CISO, Avid. Thanks to our podcast sponsor, Varonis Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren’t needed – reducing your risk on a continual basis. Discover more at www.varonis.com/cisoseries. In this episode: What NEW ways could salespeople be measured that would encourage good behavior with CISOs? There's still this desire to draw a linear path to sales, but how often does it cleanly play out that way? Are integrators, MSSPs, and resellers leveling the playing field for cybersecurity vendors?
2/21/202334 minutes, 29 seconds
Episode Artwork

Adversaries Beef Up Their Shiny Object Distraction Campaign

All links and images for this episode can be found on CISO Series. We are all very easily distracted, and adversaries know that. So they'll try any little trick to make us not pay attention, look away, or do what we're not supposed to do all in an effort to break our human defenses. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Shaun Marion, CISO, McDonald's. Thanks to our podcast sponsor, Sentra Sentra’s Data Security Posture Management Solution not only discovers and classifies cloud data, but ensures it always has the proper security posture. No matter where the data is moved or copied, Sentra can identify the type of data, who has access to it, and how it’s meant to be secured. In this episode: Do you have a “security hive” and what does it do for you? What are the active behaviors you're deploying to reduce the stress in your life as a CISO and how are you doing it for your team, and all staff as well? ? Could volunteering help with burnout and recruitment?
2/14/202339 minutes, 48 seconds
Episode Artwork

21 “Dark Side”-Approved Ways to Threaten Your Prospects

All links and images for this episode can be found on CISO Series. For those security practitioners who leave a job to go work for a security vendor, please stop calling it "going to the dark side." This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Jason Mar-Tang, director of sales engineering, Pentera. Thanks to our podcast sponsor, Pentera Pentera is the category leader for Automated Security Validation, allowing every organization to test with ease the integrity of all cybersecurity layers including their ransomware readiness, unfolding true, current security exposures at any moment, at any scale. In this episode: Why do we call security practitioners who leave a job to go work for a security vendor, "going to the dark side?" Do security professionals say this because once they go work for a vendor their motivation shifts from protecting to sales? Over the years what other small steps have we seen that have made improvements in the vendor/practitioner divide?
2/7/202336 minutes, 31 seconds
Episode Artwork

Let’s Pretend We’re Getting Hacked. Who Wants to Panic First?

All links and images for this episode can be found on CISO Series. Tabletop exercises are critical procedures to learn how everyone will react during an actual attack. Panic is usually the first response, so why don't we do that when we're playing our pretend game of getting our business compromised by a nefarious hacker? This week's episode of CISO Series Podcast was recorded in front of a live audience in Clearwater, Florida for the Convene conference produced by the National Cybersecurity Alliance (AKA StaySafeOnline.org). Joining me on stage for the recording was my guest co-host, Hadas Cassorla, CISO, M1 and our guest, Kathleen Mullin (@kate944032), CISO, Cancer Treatment Centers of America. Thanks to our podcast sponsors, Cofense, KnowBe4 & Terranova Cofense is the only company to combine a global network of 32 million people reporting phish with advanced AI-based automation to stop phishing attacks. Our global phishing defense centers work 24/7 to support more than 2,000 enterprise customers, providing the technology and insights needed to identify & block threats. KnowBe4 is the world’s largest integrated Security Awareness Training and Simulated Phishing platform. KnowBe4 helps organizations manage the ongoing problem of social engineering through a comprehensive new-school awareness training approach. Tens of thousands of organizations worldwide use KnowBe4’s platform to mobilize their end users as a last line of defense. Get free phishing benchmarking data to drive effective behavior change and grow your organization's security-aware culture with the latest edition of the Phishing Benchmark Global Report! Taken from this year's Gone Phishing Tournament, this report gives security and risk management leaders the insight they need to strengthen data protection. More at terranovasecurity.com. In this episode: Where do you see tabletops coming apart and being ineffective and what are the core elements that truly make them succeed? Have you ever seen a real incident play out where you can point to the tabletop as the reason you were able to handle the incident? Are people the safety net for your security controls OR should security controls the safety net for your people?
1/31/202345 minutes, 2 seconds
Episode Artwork

Today’s Agenda: When Will This Meeting End?

All links and images for this episode can be found on CISO Series. Everyone's favorite meeting is a short meeting. But does anyone want a fun or entertaining meeting? Or is that a bad idea? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Jeremy Embalabala, CISO, HUB International. Thanks to our podcast sponsor, SlashNext With today’s transition to hybrid working, phishing attacks are becoming more prevalent than ever. Mobile phishing and credential harvesting are exploding and affecting business reputations, finances and most importantly, data loss. With new methods of phishing attacks appearing year over year, enterprises need more robust phishing protection to better protect this expanding attack surface and companies’ most valuable assets. Check out the report. In this episode: Everyone's favorite meeting is a short meeting. But does anyone want a fun or entertaining meeting? Or is that a bad idea? How do we make our security teams more productive? The cost of getting and paying for cybersecurity insurance is so darn high. Would it be worth it to just self-insure?
1/24/202334 minutes, 18 seconds
Episode Artwork

Your Password Is Too Long. Please Shorten It.

All links and images for this episode can be found on CISO Series. What happens when you want to adhere to more secure behavior, but the tool you're using forces you to be less secure, solely because they didn't architect in more stringent security when they created the program. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Terrance Cooley, CISO, Air Force JADC2 R&D Center. Thanks to our podcast sponsor, Varonis Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren’t needed – reducing your risk on a continual basis. Discover more at www.varonis.com/cisoseries. In this episode: What is the worst security behavior you've seen from an IT vendor? Are you applying talent-to-value recruiting techniques to reduce corporate risk? What are your predictions for the evolution of cyber threats?
1/17/202334 minutes, 6 seconds
Episode Artwork

Stir in a Little Merger and Acquisition, and Voilà, You’re a Target

All links and images for this episode can be found on CISO Series. There is a lot unknown before, during, and after a merger and that can make employees very susceptible to phishing attacks. But, at the same time, the due diligence that goes into an M&A can often open up signs of previous or active compromise, noted Rich Mason of Critical Infrastructure. What does a proposed merger do to a security program?" This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Nicole Ford (@nicoledgray), global vp and CISO, Rockwell Automation. Thanks to our podcast sponsor, Pentera Pentera is the category leader for Automated Security Validation, allowing every organization to test with ease the integrity of all cybersecurity layers including their ransomware readiness, unfolding true, current security exposures at any moment, at any scale. In this episode: As a security leader, how does your security posture change when you know given your assets you are a specific target vs. just an opportunity? Could similar critical infrastructure agencies be grouped together and therefore share cybersecurity resources? What does a proposed merger do to a security program?
1/10/202339 minutes, 14 seconds
Episode Artwork

We’re Here. We’re Highly Unqualified. Get Used To It

All links and images for this episode can be found on CISO Series. "Does anyone else feel like the security field is attracting a lot of low-quality people and hurting our reputation," asked a redditor on the cybersecurity subreddit who remembers a time when security personnel were seen as highly experienced technologists. But now they believe people view cybersecurity as an easy tech job to break into for easy money. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Stephen Cicirelli, CISO, American Bureau of Shipping. Thanks to our podcast sponsor, Stairwell The standard cybersecurity blueprint is a roadmap for attackers to test and engineer attacks. With Inception, organizations can operate out of sight, out of band, and out of time. Collect, search, and analyze every file in your environment – from malware and supply chain vulnerabilities to unique, low-prevalence files and beyond. Learn about Inception. In this episode: Does anyone else feel like the security field is attracting a lot of low-quality people and hurting our reputation? Do people view cybersecurity as an easy tech job to break into for easy money? With all this talk of needing more cyber talent, are we attracting quality or just quantity?
1/3/202339 minutes, 58 seconds
Episode Artwork

Sound Security Advice That’s Perfect to Ignore

All links and images for this episode can be found on CISO Series. It appears our security awareness training is working, up to a point. Most people are well aware of the need for secure passwords, but they don't actually create secure passwords. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Patrick Harr, CEO, SlashNext. Thanks to our podcast sponsor, SlashNext With today’s transition to hybrid working, phishing attacks are becoming more prevalent than ever. Mobile phishing and credential harvesting are exploding and affecting business reputations, finances and most importantly, data loss. With new methods of phishing attacks appearing year over year, enterprises need more robust phishing protection to better protect this expanding attack surface and companies’ most valuable assets. Check out the report. In this episode: Why does it seem like our security awareness training is only working up to a certain point? Most people are well aware of the need for secure passwords, but why don't they actually create secure passwords? Is it true that, “people are not the weakest link, they're just the top attack vector?”
12/13/202238 minutes, 12 seconds
Episode Artwork

They’re Young, Green, and Very Hackable

All links and images for this episode can be found on CISO Series. It appears we're not providing security awareness training fast enough. That's because hackers are specifically targeting brand new employees who don't yet know the company's procedures. Illicit hackers are discovering they're far easier to phish. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Gene Spafford (@therealspaf), Professor, Purdue University. Gene's book available for pre-order Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us. 25th anniversary of CERIAS Thanks to our podcast sponsor, Lacework Lacework offers the data-driven security platform for the cloud and is the leading cloud-native application protection platform (CNAPP) solution. Only Lacework can collect, analyze, and accurately correlate data — without requiring manually written rules — across an organization’s AWS, Azure, Google Cloud, and Kubernetes environments, and narrow it down to the handful of security events that matter. Security and DevOps teams around the world trust Lacework to secure cloud-native applications across the full lifecycle from code to cloud. Get started at lacework.com/cisoseries. In this episode: Is cybersecurity awareness a long term marketing effort? Where are we making progress with the general populous when it comes to improving the human aspect of cybersecurity? How difficult and how long can it take to discover what a company's crown jewels are, and what needs to be done?
12/6/202238 minutes, 35 seconds
Episode Artwork

Entry Level Position Available. 15+ Years Experience Required.

All links and images for this episode can be found on CISO Series. That headline is not a joke. An actual job listing on LinkedIn requested just that. We're all hoping this was an error. Regardless, the community response to it was truly overwhelming, speaking much to the frustration of green and junior cybersecurity job seekers who are truly looking for entry level jobs.  This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Bryan Willett, CISO, Lexmark. Thanks to our podcast sponsor, AuditBoard CrossComply is AuditBoard’s award-winning security compliance solution that allows organizations to build trust and scale their security compliance program with a connected risk platform that unifies SOC 2, ISO 2700x, NIST, CMMC, PCI DSS, and more across your organization. In this episode: Why do some job listing seem to have unrealistic requirements for entry level job-seekers? Who needs 15+ years experience in practically anything? What is the value of security operations if you’re not detecting and dealing with incidents? What do you think cybersecurity awareness month should accomplish?
11/29/202239 minutes, 26 seconds
Episode Artwork

Get All the Stress You Want, With None of the Authority

All links and images for this episode can be found on CISO Series. CISOs and other security leaders have a lot of stress. But so do other C-level employees. Why does a CISO's stress seem that much more powerful? Is it that their job is still in constant development, or is the "C" in their name just in title, but not authority? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Aman Sirohi (@amangolf), CISO, People.ai. Thanks to our podcast sponsor, AuditBoard CrossComply is AuditBoard’s award-winning security compliance solution that allows organizations to build trust and scale their security compliance program with a connected risk platform that unifies SOC 2, ISO 2700x, NIST, CMMC, PCI DSS, and more across your organization. In this episode: Why does a CISO's stress seem that much more powerful? Is it that their job is still in constant development, or is the "C" in their name just in title, but not authority? What part of the supply chain security effort is truly building trust in your supplier and having ongoing reassurances that that trust is being maintained?
11/22/202236 minutes, 22 seconds
Episode Artwork

We Built This City on Outdated Software

All links and images for this episode can be found on CISO Series. "The biggest threat to national security is that many of the most vital systems on the planet CURRENTLY run on outdated and insecure software," said Robert Slaughter of Defense Unicorns on LinkedIn. That's at the core of the third-party security issue. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Richard Marcus, vp, InfoSec, AuditBoard. Thanks to our podcast sponsor, AuditBoard CrossComply is AuditBoard’s award-winning security compliance solution that allows organizations to build trust and scale their security compliance program with a connected risk platform that unifies SOC 2, ISO 2700x, NIST, CMMC, PCI DSS, and more across your organization. In this episode: How big of a problem is outdated software in our industry? Is insecurity just the result of a lack of efficient process? How much does a company’s transparency before, during, and after a breach tell us about their corporate character? What's the behavior after a breach you want to see that reaffirms your commitment to doing business with a vendor?
11/15/202236 minutes, 40 seconds
Episode Artwork

Wrong Answers to Revealing Interview Questions

All links and images for this episode can be found on CISO Series Security leaders will often ask challenging or potentially gotcha questions as barometers to see if you can handle a specific job. They're looking not necessarily for a specific answer, but rather a kind of answer and they're also looking to make sure you don't answer the question a specific way. Don't get caught in the trap. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Quincy Castro, CISO, Redis. Thanks to our podcast sponsor, Okta Auth0 is the leading provider of customer identity solutions. Watch Jameeka Aaaron, CISO for Auth0, explain how to balance security with friction to create a safe authentication experience without compromising on privacy. In this episode: What parts of cybersecurity can you comfortably outsource? What parts of cybersecurity do you want to outsource, but can't? One of the major arguments for outsourcing is "Finding cyber talent is really tough." Do you agree with that rationale to outsource? When building a security program for a startup, how do you establish scope and requirements?
11/8/202238 minutes, 7 seconds
Episode Artwork

Don’t Make Me Explain This, Because I Can’t

All links and images for this episode can be found on CISO Series If you know a difficult concept very well and you're incapable of explaining it simply to others who don't understand it, it's known as the "curse of knowledge." It is for this reason far too many talented cybersecurity professionals struggle to educate others. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Okey Obudulu (@okeyobudulu), CISO, Skillsoft. Thanks to our podcast sponsor, Trend Micro Trend Micro Cloud One, a security services platform for cloud builders, delivers the broadest and deepest cloud security offering in one solution, enabling you to secure your cloud infrastructure with clarity and simplicity. Discover your dynamic attack surface, assess your risk, and respond with the right security at the right time. Discover more! In this episode: How important is knowing the crown jewels in your security program? Wouldn't a "crown jewel"-focused security program be myopic? Have you been guilty of "curse of knowledge" when you tried to explain something and what did you do to improve? How often does a security leader come into a program and have the sense they're starting out at square one?
11/1/202233 minutes, 53 seconds
Episode Artwork

Where’s the “Single Pane of Glass” to My Level of Stress

All links and images for this episode can be found on CISO Series CISOs say stress and burnout are their top personal risks. Breaches, increased regulations, and the tech talent shortage are all contributors to the stress. Sure would be nice for the CISO and the rest of the team to look at a chart that showed the CISO's stress level in real time. This week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and special guest co-host Shawn Bowen (@SMbowen), CISO, World Fuel Services. Our guest is Meredith Harper (@mrhciso), svp, CISO, Synchrony. This episode was recorded in front of a live audience in Chicago at The City Hall nightclub for the opening night of Evanta's Global CISO Executive Summit. Thanks to our podcast sponsor, Cisco Cisco Secure delivers a streamlined, customer-centric approach to security that ensures it’s easy to deploy, manage, and use. We help 100 percent of the Fortune 100 companies secure work – wherever it happens – with the broadest, most integrated platform. Learn more at cisco.com/go/secure. In this episode: What do you think companies can do to alleviate this pressure and help a CISO better succeed? Why is there such a significant disconnect between companies’ increased commitment to diversity and inclusion and the day-to-day experiences of women of color? How can enterprise security maintain visibility into, and control over who and what is accessing their data?
10/25/202242 minutes, 21 seconds
Episode Artwork

Cyber Sales ABCs: Always Be Creepy

All links and images for this episode can be found on CISO Series For some reason, the ABCs of sales ("Always Be Closing") in the world of cybersecurity sales has translated into "Always Be Creepy." Eagerness to make just a connection, forget closing, has turned into extremely forward approaches that would make anyone feel uncomfortable. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and my guests will be Steve Tran, CSO, Democratic National Committee and Matt Crouse, CISO, Taco Bell. It was recorded in front of a live audience in Santa Monica as part of the ISSA-LA Information Security Summit XII. Thanks to our podcast sponsor, Ostrich Cyber-Risk Ostrich Cyber-Risk “Birdseye” is a unified qualitative and quantitative cyber risk management application that allows you to quickly assess, prioritize and quantify your organization’s financial and operational risks in real-time, in one place. Benchmarked against industry-standards (NIST, CIS, ISO), Birdseye simulates risk scenarios, continuously tracks roadmap progress, and creates shareable reports. In this episode: What do security leaders do when they can't push through security initiatives they know should be done? Is this a real concern for CISOs, and if so, how does a CISO handle their staff when best efforts get thwarted? What's your advice for new CISOs when dealing with unsolicited sales emails from security vendors? Do they just ignore it all? Should they filter it out?
10/18/202243 minutes, 10 seconds
Episode Artwork

We Take Security and Privacy Seriously… Seriously

All links and images for this episode can be found on CISO Series After every breach, you hear the same mantra from the attacked company: "We take security and privacy seriously." It's lost all its meaning. But what if you truly ARE serious about how you handle security and privacy? Should you say "seriously" twice? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Geoff Belknap (@geoffbelknap), CISO, LinkedIn and co-host of Defense in Depth. It was recorded in front of a live audience at Microsoft's Silicon Valley Campus in Mountain View, California as part of a regular ISSA-SV and ISSA-SF meeting. Check out all the fantastic photos from the event here. Thanks to our podcast sponsor, SafeBreach and Noname Security SafeBreach provides continuous security control validation powered by our breach and attack simulation (BAS) platform. We enable security leaders to proactively prioritize remediation efforts and drive ROI quickly by consolidating technology costs around what truly enhances your security posture. Real-world attacks. Real-time results. Prevent API attacks in real-time with automated AI and ML-based detection from Noname Security. Monitor API traffic for data leakage, data tampering, data policy violations, suspicious behavior, and API security attacks. Integrate with your existing IT workflow management system like Jira, ServiceNow, or Slack for seamless remediation. Learn more at nonamesecurity.com/runtime-protection In this episode: If you truly ARE serious about how you handle security and privacy, should you say "seriously" twice? Given the immense complexity not just on integration but also training, are we going to see more consolidation of point solutions into suites? When would it make sense for a company to completely dump their security team and completely outsource it? And if you were to outsource it, what the heck would that look like?
10/11/202246 minutes, 20 seconds
Episode Artwork

How to Be a Security Vendor CISOs Can’t Ignore

All links and images for this episode can be found on CISO Series There are vendors that CISOs can't look away from. Who are they and what did they do to get so much attention from CISOs? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Saša Zdjelar, svp, security assurance, Salesforce. Thanks to our podcast sponsor, Sysdig Sysdig is driving the standard for cloud and container security. With Sysdig, teams find and prioritize software vulnerabilities, detect and respond to threats, and manage cloud configurations, permissions and compliance. Customers get a single view of risk from source to run, with no blind spots, no guesswork, no black boxes. In this episode: What’s a great approach from a security vendor? What techniques do CISOs deploy to cut through the marketing noise? Can you think of vendors that were so good that you couldn't ignore them. What made them achieve that status?
10/4/202241 minutes, 15 seconds
Episode Artwork

I Pity the Fool Who Builds a Homogeneous Cyber A-Team

All links and images for this episode can be found on CISO Series If you want to build a successful cybersecurity team, you need to be diverse, mostly in thought. But that diversity in thought usually is the result of people with diverse backgrounds who have had different experiences and have solved problems differently. It's actually really hard to hire a diverse team because what you want to do is simply hire people who look, talk, and sound like you. People who come from the same background as you. While that may work for building friends, it's not necessarily the best solution when building a team to secure your company. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is George Finney (@wellawaresecure), CISO, Southern Methodist University and author of “Well Aware: The Nine Cybersecurity Habits to Protect Your Future” and "Project Zero Trust." Thanks to our podcast sponsor, Feroot Feroot secures client-side web applications so that businesses can deliver a flawless and safe digital user experience to their customers. Our automated, client-side, data protection capabilities increase web application visibility, facilitate threat analysis, and detect and protect from client-side attacks, such as Magecart, XSS, e-skimming, and other threats focused on front-end web applications. In this episode: What are the personality types you need on your staff? Can you be a vCISO if you're not a CISO first. And if you're a vCISO without ever being a CISO, are you just a cybersecurity consultant? Also, what are some creative uses of honeypots most users don't consider?
9/27/202236 minutes, 57 seconds
Episode Artwork

The Cybersecurity Hamster Wheel of Getting Nothing Done

All links and images for this episode can be found on CISO Series What are signs your team is getting burnt out? It's not an imbalance of work and family, it's feeling you're having no impact. That you're working your tail off and nothing is getting accomplished. This happens often in cybersecurity. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Sara-Michele Lazarus, vp/head of trust and security, Stavvy. Thanks to our podcast sponsor, Sysdig Sysdig is driving the standard for cloud and container security. With Sysdig, teams find and prioritize software vulnerabilities, detect and respond to threats, and manage cloud configurations, permissions and compliance. Customers get a single view of risk from source to run, with no blind spots, no guesswork, no black boxes. In this episode: What are signs your team is getting burnt out? What's the most valuable skill in a cybersecurity analyst? Why are we seeing so many zero day exploits right now?
9/20/202240 minutes, 46 seconds
Episode Artwork

Who Do You Need to Trust When You Build a Zero Trust Architecture?

All links and images for this episode can be found on CISO Series Uggh, just saying "zero trust" sends shivvers down security professionals' spines. The term is fraught with so many misnomers. The most important is who are you going to trust to actually help you build that darn zero trust program? Are you going to look at a vendor that's consolidated solutions and has built programs like this repeatedly or are you going to look for the best solutions yourself and try to figure out how best to piece it together to create that "zero trust" program? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is David Chow, global chief technology strategy officer, Trend Micro. Thanks to our podcast sponsor, Trend Micro Trend Micro Cloud One, a security services platform for cloud builders, delivers the broadest and deepest cloud security offering in one solution, enabling you to secure your cloud infrastructure with clarity and simplicity. Discover your dynamic attack surface, assess your risk, and respond with the right security at the right time. Discover more! In this episode: Why is the term “zero trust” fraught with so many misnomers? Is there such a thing as privacy anymore? Do you agree with the term “good enough”, and if so what is a "good enough" factor, what does it entail, and what should we expect from that? Where has the United States done the most to improve national cybersecurity?
9/13/202237 minutes, 18 seconds
Episode Artwork

The Best Interview Questions and the Answers You Want to Run From

All links and images for this episode can be found on CISO Series. You want an awesome job in cybersecurity, and you want to ask the right questions. What are the right answers, and which ones are red flags that should cause you to run? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Renee Guttman, former CISO, Campbell's, Coca-Cola, and Time Warner. Thanks to our podcast sponsor, Okta Auth0 is the leading provider of customer identity solutions. Watch Jameeka Aaaron, CISO for Auth0, explain how to balance security with friction to create a safe authentication experience without compromising on privacy. In this episode: When interviewing, what are the right answers, and which ones are red flags that should cause you to run? Has the cloud just created a bigger security problem that's creeped up on us?  Are legacy systems just a ticking time bomb or have you seen success in managing them?
9/6/202232 minutes, 27 seconds
Episode Artwork

But I Spent All This Money. Why Are You Still Ignoring Me?

All links and images for this episode can be found on CISO Series Are RSA and other big conferences worth it? It seems that fewer CISOs are actually walk the floor at these big trade shows. The really big meetings are happening outside of the conference. Why would CISOs attend these big conferences with airfares costing over $1000 and hotel rooms costing $500 to $800 a night? Are the customers and vendors getting priced out? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Jessica Ferguson, CISO, DocuSign. Thanks to our podcast sponsor, SlashNext SlashNext protects the modern workforce from phishing and human hacking across all digital channels. SlashNext Complete™ utilizes our patented AI SEER™ technology to detect zero-hour phishing threats by performing dynamic run-time analysis on billions of URLs a day through virtual browsers and machine learning. Take advantage of SlashNext's phishing defense services for email, browser, mobile, and API. In this episode: Are big conferences like RSA worth it? What's the value of the trade show floor at RSA? Why would CISOs attend these big conferences with airfares costing over $1000 and hotel rooms costing $500 to $800 a night? Are the customers and vendors getting priced out?
8/30/202237 minutes, 22 seconds
Episode Artwork

It’s OK to Look Like a Cyber Hero. Just Don’t Act Like One.

All links and images for this episode can be found on CISO Series Security professionals should turn in the cyber hero mentality for the "sidekick" role. Many cybersecurity leaders believe they need to save the company from all the stupid users who can't protect themselves. The reality is security professionals should lose the saviour mentality for a supporting role where they're running alongside different business units trying to find a way to make their process run smoother and more secure. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our wponsored guest Clyde Williamson, product management, innovations, Protegrity. Thanks to our podcast sponsor, Protegrity Protegrity empowers intelligence-driven organizations to use data to drive innovation with secure analytics and artificial intelligence, without fear of violating compliance or jeopardizing privacy. To make this vision a reality, we protect sensitive data anywhere and everywhere to create secure data agility that aligns with the speed of modern business. In this episode: Is it OK if users see security as heroes but security professionals shouldn't see themselves that way? What have you heard enough about when it comes to data protection, and what would you like to hear a lot more? How can we best create a cyber risk balance sheet?
8/23/202239 minutes, 38 seconds
Episode Artwork

How to Market “Zero Trust” Without Making CISOs Cringe

All links and images for this episode can be found on CISO Series Just the words "zero trust" often causes security professionals to shiver. In general, CISOs are on board with the concepts of "zero trust," we just think they're uncomfortable with how it's being used for branding and marketing efforts. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is David Cross (@mrdbcross), SVP/CISO for Oracle SaaS Cloud. Thanks to our podcast sponsor, Protegrity Protegrity empowers intelligence-driven organizations to use data to drive innovation with secure analytics and artificial intelligence, without fear of violating compliance or jeopardizing privacy. To make this vision a reality, we protect sensitive data anywhere and everywhere to create secure data agility that aligns with the speed of modern business. In this episode: Should certifications be a requirement on your job listings? Are the SIEMs failing or do the users not know how to configure them? Or is it both? Why do security professionals treat the term "zero trust" so negatively? How should vendors approach zero trust and how should the C-suite understand it?
8/16/202233 minutes, 40 seconds
Episode Artwork

When Good Decisions Go Bad

All links and images for this episode can be found on CISO Series You can make the right decision given the information you have, but everything is a risk, so there are times those good decisions are going to result in not the result you were hoping for. In essence, plenty of good decisions result in poor outcomes. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Aviv Grafi, founder and CTO, Votiro and winner of season one of Capture the CISO. In this episode: We welcome the winner of “Capture The CISO!” How did they prepare in terms of making the demo and for appearing on the show? And what advice would they give for contestants in season 2? What do employers look for or ask in an interview that would lead them to hire and promote someone into a CISO role in their company? How can cybersecurity professionals improve their decision making over time?
8/9/202240 minutes
Episode Artwork

When Does an Exaggeration Become a Lie?

All links and images for this episode can be found on CISO Series We explore the world of dishonesty in cybersecurity. Practitioners know that marketers will stretch the truth, but how far are we willing to let that go? Isn't this industry built on trust? Can cybersecurity continue to thrive if we can't trust each other? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Anna Belak (@aabelak), director of thought leadership, Sysdig. Thanks to our podcast sponsor, Sysdig Sysdig is driving the standard for cloud and container security. With Sysdig, teams find and prioritize software vulnerabilities, detect and respond to threats, and manage cloud configurations, permissions and compliance. Customers get a single view of risk from source to run, with no blind spots, no guesswork, no black boxes. In this episode: What are the questions a CISO should be able to answer? How much dishonesty do you find in cybersecurity? How does one LEAD a cloud migration? What are some lies about machine learning that everyone needs to be aware of?
8/2/202238 minutes, 32 seconds
Episode Artwork

Yuck! Now Everyone Has Touched My Data.

All links and images for this episode can be found on CISO Series What can you do when your data keeps passing through different third party applications? Your data is being accessed and manipulated by more people, more applications, and more security policies that may not be aligned with your security policies. It seems once it leaves your environment, it's out of your control. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Elliot Lewis (@ElliotDLewis), CEO, Keyavi. Thanks to our podcast sponsor, Keyavi Myth: Data can’t protect itself. Fact: Now it does! You control where your data goes in the world, who can access it and when. On any device. Anytime. Anywhere. FOREVER. Learn more at Keyavi.com. In this episode: Can the US government, through regulation, shift the tide of never-ending cybersecurity failures? Your network was just hit with ransomware. What do you do in your environment? What should we be discussing more of when it comes to protecting data in the supply chain? What's the biggest security flaw you've seen in every environment you've ever worked?  
7/26/202233 minutes, 47 seconds
Episode Artwork

“Bad” Security Practices That Really Aren’t All that Bad

All links and images for this episode can be found on CISO Series If they can find flaws, security professionals are quick to label it as bad security behavior. But often, what is marked as "bad" may have problems, but when looked at from a reducing risk perspective it's actually a very good security behavior. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Carla Sweeney, vp information security, Red Ventures. Thanks to our podcast sponsor, Protegrity Protegrity empowers intelligence-driven organizations to use data to drive innovation with secure analytics and artificial intelligence, without fear of violating compliance or jeopardizing privacy. To make this vision a reality, we protect sensitive data anywhere and everywhere to create secure data agility that aligns with the speed of modern business. In this episode: Is a CISO really an architect of choices, for themselves and the other business leaders? Why and how can controls impose friction or drag on business velocity? What are the types of questions you ask when you're referencing a resume and what are some examples of really impressive responses? What are some things that get a bad rap, but are actually quite secure?
7/19/202236 minutes, 1 second
Episode Artwork

How Many Forms of ID Do I Need to Buy This Gift Card?

All links and images for this episode can be found on CISO Series Getting someone to purchase gift cards is a popular vector for theft. Given that the gift card theft technique is so well known, many online sites have put up additional barriers to purchasing gift cards. Trying to buy them legitimately has become increasingly difficult. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Ariel Weintrab (@securitymermaid), CISO, MassMutual. Thanks to our podcast sponsor, PlexTrac PlexTrac is a powerful, yet simple, cybersecurity platform that centralizes all security assessments, pentest reports, audit findings, and vulnerabilities. PlexTrac transforms the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize analytics, and collaborate on remediation in real-time. Check out PlexTrac.com/CISOSeries to learn why PlexTrac is the perfect platform for CISOs! In this episode: What areas should we focus on improving the security user experience for non-security people? Does it get easier at the top? What factors do you think result in the workload being tougher or easier for a CISO? How can radical transparency help and where can it backfire? What can we do to avoid poisoned systems and how can we tell if our systems have been poisoned?
7/12/202231 minutes, 35 seconds
Episode Artwork

Why Does Your Privacy Matter If I’m Paying You?

All links and images for this episode can be found on CISO Series Should you monitor your staff? I mean reallymonitor them. Some bosses are installing screen grabbing and click tracking software to monitor employees and by most estimates employees hate it so much that half of them would quit if their supervisors installed monitoring software on their computers. But in some cases an employee's behavior may lend themselves to being monitored. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Ian Hassard (@ihassard), director of product management, Okta. Thanks to our podcast sponsor, Okta Auth0 is the leading provider of customer identity solutions. Watch Jameeka Aaaron, CISO for Auth0, explain how to balance security with friction to create a safe authentication experience without compromising on privacy. In this episode: What are the real world positive impacts that result on the business in terms of risk reduction, product development, and prevention? What are some alternatives to address the authentication problem? What have you heard enough about with authentication, and what would you like to hear a lot more about? To what level should you and shouldn't you monitor your staff? What cases do you feel you would have to install monitoring software?
7/5/202234 minutes, 43 seconds
Episode Artwork

It Sure Is Fun to Complain About Security Vendors

All links and images for this episode can be found on CISO Series Next time you're annoyed by a security vendor's pitch, instead of firing back at them at what an idiot they are, or complaining about it on social media, why not see if you can find a friendly manager at the vendor company and explain what happened so they can actually address the problem appropriately? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Rob Suarez, CISO, BD. Thanks to our podcast sponsor, Trend Micro Trend Micro Cloud One, a security services platform for cloud builders, delivers the broadest and deepest cloud security offering in one solution, enabling you to secure your cloud infrastructure with clarity and simplicity. Discover your dynamic attack surface, assess your risk, and respond with the right security at the right time. Discover more! In this episode: Where could we possibly draw the line of what can be known to the public, but at the same time not offering insight to the attackers? We examine what makes medical establishments an attractive target. Why are medical records valuable and outside of havoc is there any other purpose of tampering with medical devices? How do you use industry-specific threat information to make better security decisions? Why do some cybersecurity companies succeed and others fail?
6/28/202235 minutes, 4 seconds
Episode Artwork

What Does It Cost to Prove Security Is Working?

All links and images for this episode can be found on CISO Series I have no idea what I need to spend to demonstrate our security program is working. What's it going to take? Or maybe I need just others on my team to just validate that they truly do care about security. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is John McClure (@johnmcclure00), CISO, Sinclair Broadcast Group. Thanks to our podcast sponsor, Keyavi Data that protects itself?  Now it does! We made data so smart it can think for itself. Secure itself. Stay continually aware of its surroundings. Control where, when and who is allowed access. And automatically report back to its owner. This changes the entire cybersecurity paradigm. Learn how. In this episode: What’s your best indicator that your security program is actually improving? We examine certifications and separate myth from reality for those trying to get into cybersecurity and also for more seasoned professionals? What security flaw often gets overlooked? How does one go about asking for a team building budget for a remote team?
6/21/202237 minutes, 12 seconds
Episode Artwork

I Have So Little. Just Let Me Control Access to the Mail Server.

All links and images for this episode can be found on CISO Series How dangerous is it for a cybersecurity professional to pull a G-d complex with the email server just because they didn't like the way one salesperson behaved? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Jadee Hanson (@jadeehanson), CIO/CISO, Code42. Thanks to our podcast sponsor, Code42. As the Insider Risk Management leader, Code42 helps security professionals protect corporate data and reduce insider risk while fostering an open and collaborative culture for employees. For security practitioners, it means speed to detection and response. For companies, it means a collaborative workforce that is productive and a business that is secure. Visit http://Code42.com/showme to learn more. In this episode: Is it alright to block a vendor because one salesperson is persistent and annoying? How can one go about creating a cybersecurity report card? Is it just inevitable that your staff is going to eventually violate policies? How to determine a delicate balance between a complete non-tolerance policy versus complete tolerance?
6/14/202240 minutes, 17 seconds
Episode Artwork

Security as a Profit Center? You’re Kidding, Right?

All links and images for this episode can be found on CISO Series What if we could convince management that security is not a cost center, but a means to actually make and save money for the business? The concept isn't so completely outrageous. Companies are using privacy and security as differentiators, and certain security tools such as single sign on, password managers, and passwordless reduce operational costs in support tickets. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Mary Gardner, CISO, The Greenbrier Companies. Thanks to our podcast sponsor, Buchanan Technologies Short staffed and overworked IT groups can be overwhelmed by the massive scope of a comprehensive cybersecurity program. Buchanan Technologies makes the complex simple with our twenty-four by seven, customized, vetted strategies that identify risks, detect threats, implement security controls, and protect the confidentiality, availability, and integrity of your data. Discover more. In this episode: What are areas we should focus on improving the security user experience for non-security people? We ask if CISOs have it easier than their middle managers. We think about the factors that result in the workload being tougher or easier for a CISO. And we examine how we can protect our machine learning algorithms and AI from absorbing poisoned data.
6/7/202235 minutes, 11 seconds
Episode Artwork

Finding That Perfect Time to Quit Your Job

To see the blog post and read the transcript, head over to CISO Series. We don't celebrate quitting. Maybe we should. When should you do it when you don't have another offer? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Hadas Cassorla, CISO, M1. On this episode: When a "good" security control is actually bad for business. A "how to" engage with a CISO during a presentation meeting. Losing your passion for cybersecurity. What next? Building a budget for remote team building. HUGE thanks to our sponsor, Keyavi Data that protects itself?  Now it does! We made data so smart it can think for itself. Secure itself. Stay continually aware of its surroundings. Control where, when and who is allowed access. And automatically report back to its owner. This changes the entire cybersecurity paradigm. Learn how.
5/31/202239 minutes, 59 seconds
Episode Artwork

Gartner Creates Another Category for Everyone to Ignore

All links and images for this episode can be found on CISO Series I have talked to vendors who get all excited about Gartner opening up a new category for them. All I can think is uggh, something new to confuse the security marketplace. I know there's a need to label products in categories to simplify sales. But the complexity is driving buyers nuts. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is RJ Friedman, CISO, Buchanan Technologies. Thanks to our podcast sponsor, Buchanan Technologies Short staffed and overworked IT groups can be overwhelmed by the massive scope of a comprehensive cybersecurity program. Buchanan Technologies makes the complex simple with our twenty-four by seven, customized, vetted strategies that identify risks, detect threats, implement security controls, and protect the confidentiality, availability, and integrity of your data. Discover more. In this episode:  Do we need another industry-produced acronym? How can a vendor better demonstrate they can become a partner? With the list of security “minimum requirements” constantly growing, do you believe more and more organizations are falling below the security poverty line? And we ask how best to reduce the amount of false positives?
5/24/202232 minutes, 58 seconds
Episode Artwork

A Look Back at Foolish Security Policies of Past and Present

All links and images for this episode can be found on CISO Series Are bad security policies of yesteryear just because we didn't know any better at the time, or were they some bozos idea of legitimate security yet the rest of us knew it was just security theater? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Dr. Diane M Janosek (@dm_janosek), deputy director of compliance, NSA and senior legal advisor for Women in Cybersecurity. Thanks to our podcast sponsor, Code42 As the Insider Risk Management leader, Code42 helps security professionals protect corporate data and reduce insider risk while fostering an open and collaborative culture for employees. For security practitioners, it means speed to detection and response. For companies, it means a collaborative workforce that is productive and a business that is secure. Visit http://Code42.com/showme to learn more. In this episode: We highlight obsolete security policies to steer clear of. We examine security in space and how can others who are not directly involved in these industries create some type of positive impact? And we ask how we can improve inclusion by decrypting the lack of diversity in our industry.
5/17/202239 minutes, 57 seconds
Episode Artwork

Decommission Our Legacy Tech or Just Shut Down the Business?

All links and images for this episode can be found on CISO Series Legacy tech can often be the anchor that prevents an organization from growing. Put the issue of dealing with legacy tech long enough and the problem could get bigger than the business itself. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is TJ Mann (@teejaymann), CISO, Children's Mercy Kansas City. Thanks to our podcast sponsor, CYREBRO Ninety percent of post mortems show that the high cost of damage from a cyberattack was avoidable, but no one knew in time to stop it. CYREBRO's SOC Platform is your cybersecurity central command, integrating all your security events with 24/7 strategic monitoring, proactive threat intelligence, and rapid incident response. More from CYREBRO. In this episode: How legacy technology impedes business agility? Are we doing anything better to deal with legacy technology Is there anything that can be done at the purchase point to understand how you'll sunset equipment and technology And we ask whether or not our industry is willing to take the time and effort to hire and train the talent they so desperately want and need.
5/10/202237 minutes, 18 seconds
Episode Artwork

Life’s Certainties: Death, Taxes, and Violating Security Policies

All links and images for this episode can be found on CISO Series People violate cybersecurity policies at a rate of one out of every 20 job tasks. It's just a matter of time before all your employees are in violation. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Bruce Schneier (@schneierblog), chief of security architecture, Inrupt and fellow and lecturer and Harvard Kennedy School. Thanks to our podcast sponsor, PlexTrac PlexTrac is a powerful, yet simple, cybersecurity platform that centralizes all security assessments, pentest reports, audit findings, and vulnerabilities. PlexTrac transforms the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize analytics, and collaborate on remediation in real-time. Check out PlexTrac.com/CISOSeries to learn why PlexTrac is the perfect platform for CISOs! In this episode: Special tips for new CISOs just starting out and trying to establish their position. We examine where there are market forces fighting the most against achieving societal values in the digital space? What are signs that we're moving in the right direction of developing a digital social contract? And we ask, is "employees violating security policies" the top issue that needs to be resolved?
5/3/202233 minutes, 18 seconds
Episode Artwork

Is It a Promotion or a Red Flag Telling You To Get Out?

All links and images for this episode can be found on CISO Series A young woman is killing it in her first cybersecurity job out of college. Management is so thrilled with her that they want to give her a promotion. Problem is the promotion reveals a lot of other innerworkings that don't speak well of the company's culture. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Davi Ottenheimer (@daviottenheimer), vp trust and digital ethics, Inrupt. Thanks to our podcast sponsor, Code42 As the Insider Risk Management leader, Code42 helps security professionals protect corporate data and reduce insider risk while fostering an open and collaborative culture for employees. For security practitioners, it means speed to detection and response. For companies, it means a collaborative workforce that is productive and a business that is secure. Visit http://Code42.com/showme to learn more. In this episode: A student has some serious privacy concerns when they learn that "all data is being monitored and anonymously collected." We examine how we can break from the Internet Oligarchs who appear to be consuming, selling, and using so much of our data. How GDPR can benefit organizations to stay ahead of the competition. A young recruit facing imposter syndrome after receiving a promotion with added responsibilities.
4/26/202239 minutes, 41 seconds
Episode Artwork

It’s a Great Job, But I’m Alone and Terrified

All links and images for this episode can be found on CISO Series First job out of college and you get the cybersecurity job of your dreams... and nightmares. It's just too much, and you definitely don't have the experience to handle it all. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Rick Doten (@rick_doten), CISO, Carolina Complete Health. Check out Rick's Youtube channel with the CIS Critical Security Control videos. Thanks to our podcast sponsor, Kenna Security Kenna Security, now part of Cisco, is the pioneer of risk-based management. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. It leverages machine learning and data science to track and predict real-world exploitations, empowering security teams to focus on what matters most. In this episode: We look at the #1 job according to a U.S. News & World Report. Hint: It’s Information Security Analyst. We examine the possibility & practicality of running a security program entirely based upon free and open-source software. We break down how to help brand new recruits on the ground as they start their careers in cybersecurity.
4/19/202236 minutes, 48 seconds
Episode Artwork

Instead of Increased Cybersecurity, Could We Just Order Less Risk?

All links and images for this episode can be found on CISO Series "No business wants more security, they want less risk," said a redditor on the cybersecurity subreddit. Executives seem to not care about cybersecurity because they're not talking in those terms. They talk in terms of managing risk. It's the InfoSec professional's job to do the translation. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Tom Doughty, vp and CISO, Prudential Financial. Thanks to our podcast sponsor, CYREBRO Ninety percnet of post mortems show that the high cost of damage from a cyberattack was avoidable, but no one knew in time to stop it. CYREBRO's SOC Platform is your cybersecurity central command, integrating all your security events with 24/7 strategic monitoring, proactive threat intelligence, and rapid incident response. More from CYREBRO. In this episode: How do you discuss cybersecurity with executives who don’t care about cybersecurity? Does cybersecurity insurance help motivate better cybersecurity awareness? Why are we still struggling with cybersecurity hiring? What does a great day in information security look like?
4/12/202235 minutes, 43 seconds
Episode Artwork

Why CISOs Avoid the Dreaded “Request a Demo” Button

All links and images for this episode can be found on CISO Series A CISO hears about your company's product from some other CISOs. Eager to find more information like a video demo they could watch on their own, they visit your site. They can't find anything except a prominently placed "Request a Demo" button. Fearing the marketing and salespeople who will hound them if they fill out the information, they just bail. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Jim Routh (@jmrouth1), former CISO for MassMutual and CVS/Aetna. Thanks to our podcast sponsor, Buchanan Technologies Short staffed and overworked IT groups can be overwhelmed by the massive scope of a comprehensive cybersecurity program. Buchanan Technologies makes the complex simple with our twenty-four by seven, customized, vetted strategies that identify risks, detect threats, implement security controls, and protect the confidentiality, availability, and integrity of your data. Discover more. In this episode: Why do vendors put the product demo videos behind gated walls? Tips for improving cybersecurity awareness within a large organization. The annoying pains of the vendor ecosystem. What are some really bad cybersecurity practices that need to be corrected right away?
4/5/202239 minutes, 6 seconds
Episode Artwork

What’s Next in Cybersecurity? Look at Last Year and Expect More

All links and images for this episode can be found on CISO Series The web is awash with sites claiming they know what the security trends will be for 2022. All of them were filled with quotes from security experts at different vendors who "surprise" we're saying the big trend is what their product can fix. One publication, eWEEK, had probably the only logical set of trends and they look a lot like what happened in 2021. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Ori Arbel, CTO, CYREBRO. Thanks to our podcast sponsor, CYREBRO Ninety percent of post mortems show that the high cost of damage from a cyberattack was avoidable, but no one knew in time to stop it. CYREBRO's SOC Platform is your cybersecurity central command, integrating all your security events with 24/7 strategic monitoring, proactive threat intelligence, and rapid incident response. More from CYREBRO. In this episode: How should you be handling your security operations center (SOC)? Tips for improving your incident response planning. What are the cloud security trends of 2022?
3/29/202233 minutes, 18 seconds
Episode Artwork

Are You Attending the “What to Worry About Next” Security Conference?

All links and images for this episode can be found on CISO Series Are security conferences really helpful in advising you on making your business more secure, or are they just adding more worries to your plate that aren't actually going to be threats your business is going to have to face? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Jason Witty, CSO, USAA. Thanks to our podcast sponsor, CyCognito By understanding risks, attacks, and behaviors from attack surface management data, CyCognito visualizes the pathways attackers will take to exploit your network enabling you the ability to see, understand and eradicate the threat. CyCognito is the only cyber risk intelligence platform that visualizes the attackers paths into your network. In this episode: What is the board’s risk appetite? Is attending conferences helpful? What can security vendors do to help with board-level communications?
3/22/202235 minutes, 58 seconds
Episode Artwork

It's BAAAACK! The Return of “We Could Have Stopped That Breach”

All links and images for this episode can be found on CISO Series Our entire network launched because of the irritation CISOs had with vendors could have stopped some breach that happened to another company. Then the chest pounding subsided, and we thought we were making an impact, until Log4j appeared... This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Tim Rohrbaugh, CISO, JetBlue. Thanks to our sponsor, CyCognito By understanding risks, attacks, and behaviors from attack surface management data, CyCognito visualizes the pathways attackers will take to exploit your network enabling you the ability to see, understand and eradicate the threat. CyCognito is the only cyber risk intelligence platform that visualizes the attackers paths into your network. In this episode: Questionable vendor marketing tactics Developing your threat intelligence Valuable skills that hiring managers look for
3/15/202234 minutes, 29 seconds
Episode Artwork

How to Be So Awesome CISOs Can’t Ignore You

All links and images for this episode can be found on CISO Series The trick to getting the attention of CISOs is to create an awesome company. Focus on that and the attention will follow. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Katie Stebbins (@ktlgs), board president, Global Epic. Thanks to our podcast sponsor, Kenna Security Kenna Security, now part of Cisco, is the pioneer of risk-based management. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. It leverages machine learning and data science to track and predict real-world exploitations, empowering security teams to focus on what matters most. In this episode: So, how do you become so awesome that you can't be  ignored? What happens when you expand your view of the purpose of security metrics? Is it possible to have a Digital Geneva Convention?
3/8/202232 minutes, 36 seconds
Episode Artwork

Attract the Best Candidates with Crappy Benefits and Low Pay

All links and images for this episode can be found on CISO Series If you're up against Google, Facebook, or Apple for hiring talent, chances are pretty good that your company is not going to match their pay and benefits. So if they're the bar for salary and benefits, your business' offerings will inevitably be subpar. So how do you build your employer brand to contend in areas where you're deficient in areas you can't compete? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Dan DeCloss (@wh33lhouse), CEO, PlexTrac. Thanks to our podcast sponsor, PlexTrac In this episode: When setting up defenses against MITRE ATT&CK mappings, how much is enough? What are you doing to build your employer brand and attract cyber talent to your business? How should you review your pentest results?
3/1/202232 minutes, 32 seconds
Episode Artwork

If the Network Is Up, Somebody Is Violating Our Acceptable Use Policy

All links and images for this episode can be found on CISO Series Every organization has an Acceptable Use Policy (AUP) for their computers and network. Nobody reads it and everybody violates it. How the heck do you enforce or discipline people who violate your company's AUP? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Matt Radolec, senior director, incident response and cloud operations, Varonis. Thanks to our podcast sponsor, Varonis On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to “Zero Trust.” Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries. In this episode: Why do tabletop exercises fail? How should we deal with AUPs that do not get read? Is cyber resiliency an overused term? How valuable are visual detection techniques?
2/22/202236 minutes, 1 second
Episode Artwork

What We Lack In Security We'll Make Up in School Spirit

All links and images for this episode can be found on CISO Series Yikes, this security hole one concerned student found in the school's network is going to require one heck of a pep rally to fix. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Dave Stirling, CISO, Zions Bancorporation. Thanks to our podcast sponsor, Varonis On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to “Zero Trust.” Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries. In this episode: Should the CISO position be seen as an organization in itself? Is the current data loss prevention (DLP) model outdated? How can an MSSP show its value? What should a high school student do if they see that their school has horrible security practices?
2/15/202232 minutes, 57 seconds
Episode Artwork

What's the Least Annoying Way to Follow Up with a CISO?

All links and images for this episode can be found on CISO Series If we had such a great conversation at the conference, why don't you want to respond to my emails? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Julie Tsai (@446688), cybersecurity leader. Thanks to our podcast sponsor, Varonis What is your ransomware blast radius? The average user can access 17 million files. Varonis reduces your blast radius in days, not years. Combined with advanced detection that monitors every file touch, ransomware doesn’t stand a chance. Get a free risk assessment. In this episode: Is there a "right" management structure for cybersecurity? Are there tools you can put in place to keep your DevOps program in check? What are the questions to ask during an interview that reveal how a company handles and prioritizes cybersecurity? How can we improve CISO / vendor relations?
2/8/202234 minutes, 13 seconds
Episode Artwork

Why Ignoring Most of Your Vulnerabilities Is the Best Strategy

All links and images for this episode can be found on CISO Series Winning at vulnerability management is not a numbers game. It's a tactical exercise of what matters most in your environment. Surprisingly, experts tell us close to two thirds of your vulnerabilities can and should be ignored. Why and which ones are those? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Ed Bellis (@ebellis), co-founder and CTO, Kenna Security (now a part of Cisco). Thanks to our podcast sponsor, Kenna Security Kenna Security, now part of Cisco, is the pioneer of risk-based management. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. It leverages machine learning and data science to track and predict real-world exploitations, empowering security teams to focus on what matters most.  In this episode: What type of risk or compliance data should CISA collect for its proposed metrics? Which metrics are most valuable to determine the health of a company? Why the constant frustration with patch management? How often should you be conducting vulnerability scans?
2/1/202234 minutes, 16 seconds
Episode Artwork

Why We Quickly Reject 95% of All Applicants

 All links and images for this episode can be found on CISO Series If you're asking what certification you should go after to get the perfect cybersecurity job, you're asking the wrong question. Most hiring managers are inundated with resumes so they're looking for ways to get rid of yours. Don't be fooled thinking you're going to be seen because you have the "perfect" resume. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Mike Hanley (@_mp4h), CSO, GitHub. Thanks to our podcast sponsor, BitSight These are challenging times for security professionals. From managing third party supply chain risk, to quantifying financial exposure, to reducing the likelihood of ransomware, BitSight helps security and risk professionals create more effective cybersecurity programs with cybersecurity ratings and analytics. Learn why Moody’s, the Department of Defense, and other leading institutions partner with BitSight at www.bitsight.com In this episode: What's the formula (experience vs testimonials) for hiring managers' attention? What are the most effective techniques to building a resilient security team? What are security vendors NOT doing now that would greatly improve their visibility? Have you had to make any security exceptions just because an executive needed something?
1/25/202236 minutes, 51 seconds
Episode Artwork

Security So Good Your Users Won't Use It

All links and images for this episode can be found on CISO Series CISOs agree that multi-factor authentication is the one security control that once deployed has the greatest impact to reduce security issues. Yet with all that agreement, it’s still so darn hard to get users to actually use it. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Arvind Raman (@arvind78), CISO, Mitel. Huge thanks to our sponsor, Horizon3.ai See your enterprise through the eyes of the attacker, identify your ineffective security controls, and ensure your limited resources are spent fixing problems that can actually be exploited. More from Horizon3.ai. In this episode: If MFA is so great, why is it not more widespread? Are high valuations for cloud security startups a vote against cloud providers doing cloud security well? What is the biggest challenge in deploying zero trust on existing infrastructure? Are there universal security red flags?
1/18/202235 minutes, 35 seconds
Episode Artwork

We've Never Taken On So Much Risk

All links and images for this episode can be found on CISO Series It's all risk, all show, for the entire show. It's just the kind of risk we like to take. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Derek Vadala (@derekvadala), chief risk officer, BitSight. Thanks to our podcast sponsor, BitSight These are challenging times for security professionals. From managing third party supply chain risk, to quantifying financial exposure, to reducing the likelihood of ransomware, BitSight helps security and risk professionals create more effective cybersecurity programs with cybersecurity ratings and analytics. Learn why Moody’s, the Department of Defense, and other leading institutions partner with BitSight at www.bitsight.com In this episode: What cybersecurity risk is currently the most severe? What's important about of evaluating a startup's security protocols? What about third party risk management? Do you and your board know how resilient you are to a cyber attack?
1/11/202235 minutes, 24 seconds
Episode Artwork

The Perfect Gift for a Cyber Crook

All links and images for this episode can be found on CISO Series What do you give to the person who wants to learn how to steal everything? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest Jim Wachhaus (@imanapt), risk intelligence evangelist, CyCognito. Thanks to our podcast sponsor, CyCognito By understanding risks, attacks, and behaviors from attack surface management data, CyCognito visualizes the pathways attackers will take to exploit your network enabling you the ability to see, understand and eradicate the threat. CyCognito is the only cyber risk intelligence platform that visualizes the attackers paths into your network. In this episode: How can we shore up our cybersecurity hygiene? What have we heard enough about with risk intelligence ? Gifts to buy someone who is looking into red teaming/vulnerability  
1/4/202233 minutes, 15 seconds
Episode Artwork

"I Love Being Monitored Online," Said No Employee Ever

All links and images for this episode can be found on CISO Series What do you do if your boss gave you a corporate laptop and you fear they installed some tracking software? Should you wipe the drive or simply quit? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Purandar Das (@dasgp), co-founder and president, Sotero. Thanks to our podcast sponsor, Sotero Today’s compliance requirements require a security mindset that focuses on the data itself. We can’t truly protect sensitive data when our solutions only provide protection at the network, application or database level. The good news is that you can now protect the actual data itself. Click to learn how. In this episode: Did the pandemic lead to innovations in cybersecurity? What should a company do when an employee makes a major mistake like emailing PII? Have we all heard enough about encryption? What do we do when the boss gives us a "new" computer with monitoring tech on board?
12/21/202134 minutes, 58 seconds
Episode Artwork

If We Don't Talk About Cyber Risk, Will It Go Away?

All links and images for this episode can be found on CISO Series Risk is scary. Cyber risk is scarier. Not because it's worse, but mostly because we barely understand it. We've gone this long not understanding it. Maybe just ignoring it will allow us to wish it away. On this week's episode of CISO/Security Vendor Relationship Podcast we have our first in-studio guest (since we moved the studio). Joining me, David Spark (@dspark), producer of CISO Series and Mike Johnson is our in-studio guest TJ Lingenfelter (@tj_555), sr. program manager, information security, Taylormade Golf. Thanks to our podcast sponsor, BitSight These are challenging times for security professionals. From managing third party supply chain risk, to quantifying financial exposure, to reducing the likelihood of ransomware, BitSight helps security and risk professionals create more effective cybersecurity programs with cybersecurity ratings and analytics. Learn why Moody’s, the Department of Defense, and other leading institutions partner with BitSight at www.bitsight.com In this episode: How can competitive companies can help each other be more secure? What to do when you can't get time with your CIO to discuss plans? Are we fooling ourselves to think we can maintain privacy for ourselves and that organizations can do it for us as well? What new cybersecurity buzzwords should be put to rest?  
12/14/202135 minutes, 53 seconds
Episode Artwork

After a Breach It's Really Easy to Calculate Risk

All links and images for this episode can be found on CISO Series There's no question calculating risk is tricky. Because once you understand your risk then you can assign budget appropriately to reduce your risk. OR, you could just wait until you're breached and you'll know exactly what your risk is and how much it costs. This week's episode of CISO/Security Vendor Relationship Podcast is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Dan Walsh, CISO, VillageMD. Thanks to our podcast sponsor, deepwatch Increasing ransomware attacks and their evolving sophistication have been putting more pressure on security teams than ever before. Luckily, managed detection and response (or MDR) has emerged as a critical component for improving security operations, reducing ransomware risk, and minimizing the overall impact an attack can have. Visit deepwatch.com to see how we help to prevent breaches for our customers, by working together. In this episode: What can we learn from a 10-year cybersecurity veteran? What can state governments do to 'hire better' in cybersecurity? What can companies do to attract cybersecurity professionals to their location? What are ways to bring a clearer understanding of risk to the business without being alarmist?    
12/7/202136 minutes, 56 seconds
Episode Artwork

I’ve Got Zero Trust In My Understanding of Zero Trust

All links and images for this episode can be found on CISO Series Don't look at me to explain zero trust to you, because I'm just as confused. I've heard plenty of definitions, and they all sound good. I just don't know which one is right, or maybe they're all right. This week's episode of CISO/Security Vendor Relationship Podcast was recorded in front of a live audience at KeyConf at the City Winery in New York City. My guest co-host for this special episode is JJ Agha, CISO, Compass. Joining us on stage were a host of guests, Admiral Rogers, former NSA director and Commander US Cyber Command, Oded Hareven, CEO and co-founder, Akeyless, and Dr. Zero Trust, Chase Cunningham (@cynjaChaseC). Thanks to our podcast sponsor, Akeyless As organizations embrace automation, they must control their secrets sprawl. Security teams must enable the transition with centralized access to secrets, and consistent policies to limit risk and maintain compliance. Akeyless provides a unified, SaaS based solution for Secrets Management, Secure Remote Access, and Data Protection. More about Akeyless In this episode: Is zero trust easy for organizations to deploy and control? Are we taking zero trust too far? Does it help to have more eyes on the problem? What are the problems with secure remote access that we're still struggling with?
11/30/202146 minutes, 8 seconds
Episode Artwork

We’re Very Good at SAYING We Care About Diversity

All links and images for this episode can be found on CISO Series It's extremely easy to say you want to diversify. In fact, I'll do it right now three times. We want diversity. We're very pro diversity and it's our focus for the next year. Diversity is a very important part of our security program. Please don't ask to though look at the lack of diversity on our staff. It doesn't match our rhetoric. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Sujeet Bambawale (@sujeet), CISO, 7-11. Thanks to our podcast sponsor, Vulcan Cyber Vulnerability scanners are commoditized. Cloud service providers provide free scanners. Open source scanners are plentiful. Your team doesn’t need another scanner, but they need to get better at identifying and prioritizing the risk that is buried in that scan data. Attend the Vulcan Cyber virtual user conference and learn how to assess and mitigate risk across all of your surfaces. Go to vulcan.io and click the button at the top of the screen to register for the event. In this episode: How are you overcoming the challenges of diversity hiring? Are robocalls defeating MFA? Are you collaborative in cyber with your direct competitors? Were you sold something differently when you started in cyber?    
11/23/202138 minutes, 48 seconds
Episode Artwork

Chances Are We'll Be Attacked the Day Before Your Vacation

All links and images for this episode can be found on CISO Series Do the cybercriminals know my vacation schedule? If they’re already in our network, they probably do. Why don’t they share their vacation schedule with me. That way we can all enjoy our time off. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Patti Titus (@rusecur), CISO, Markel. Thanks to our podcast sponsor, Sotero Today’s compliance requirements require a security mindset that focuses on the data itself. We can’t truly protect sensitive data when our solutions only provide protection at the network, application or database level. The good news is that you can now protect the actual data itself. Click to learn how. In this episode: What role is the quickest to a CISO role? How can we best correlate security behavior to business actions? Are attacks more likely on Fridays, just before a long weekend or vacation? Which breaches this year caused a shift in focus of your security program?    
11/16/202137 minutes, 15 seconds
Episode Artwork

Did You Get My Last Email? This One Has a Joke In It.

All links and images for this episode can be found on CISO Series At one point a sales representative will get so desperate trying to get a reply from a prospect that they'll resort to some tepid attempt a humor. We've all seen the email that is trying to understand why we're not replying. And the salesperson tries to make it easy for the recipient to respond by just pressing a single digit. 1: You're too busy, 2: You didn't see my email, 3: You really wanted to respond but you're stuck in a well. This week's episode of CISO/Security Vendor Relationship Podcast was recorded in front of a live audience at the SF-ISACA conference in San Francisco. It features me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is my other co-host Andy Ellis (@csoandy), operating partner, YL Ventures. Huge thanks to our podcast sponsors, Code42, Sotero, and Constella Intelligence As organizations gradually and cautiously move out of adapt-or-die mode into the post-pandemic era, we can expect a second phase of digital transformation: resilience building. This presents an opportunity for security teams. An opportunity to re-imagine data security. More from Code42. Today’s compliance requirements require a security mindset that focuses on the data itself. We can’t truly protect sensitive data when our solutions only provide protection at the network, application or database level. The good news is that you can now protect the actual data itself. Click to learn how. Threat actors target key employees due to their privileged access to sensitive data which can lead to credential theft, ATO, & ransomware attacks. Find out if your key employees and company have been exposed – without any obligation. More from Constella Intelligence. In this episode: How do you go about making a business case for further investment in cyber security initiatives? Is it possible to get people to get security people change their behaviors? Using humor in cold sales. Does it ever work? ...and what happens when it backfires?  
11/9/202150 minutes, 7 seconds
Episode Artwork

Hackers of the World Unite… When We Can Agree on a Time

All links and images for this episode can be found on CISO Series "Look, you wanna be elite? You have to do a righteous hack." This entire episode we pay tribute to the movie "Hackers" with quotes all throughout the programming. This episode is hosted by me, David Spark (@dspark), producer of CISO Series, and my guest co-host Roland Cloutier (@CSORoland), CISO, TikTok. Joining us in this discussion is Steve Tran (@steveishacking), CISO, MGM Studios. Thanks to our podcast sponsor, Code42 In this episode: Is it time to start thinking about protecting data differently? What is the biggest scam in tech that is deemed acceptable? Why is the convergence of security between physical and digital still not happening? Which part of your role is science vs art?
11/2/202137 minutes, 56 seconds
Episode Artwork

Is Our CISO Doing a Good Job? Our CISO Doesn't Even Know.

All links and images for this episode can be found on CISO Series It’s extremely hard to tell if a cybersecurity leader is doing a good job. In fact, it’s tough for even them to know. Our best bet is watching for an improvement in the cybersecurity program over time. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Mark Wojtasiak (@markwojtasiak), vice president, research & strategy, Code42 and co-author of “Inside Jobs.” Thanks to this week’s podcast sponsor, Code42 As organizations gradually and cautiously move out of adapt out of adapt-or-die mode into the post-pandemic era, we can expect a second phase of digital transformation: resilience building. This presents an opportunity for security teams. An opportunity to re-imagine data security. More from Code42. In this episode: What is your business's biggest frustration when managing cybersecurity? Aaaand...what is your biggest frustration when managing cybersecurity? How do you know when a Security Leader (including yourself) is doing a good job? Would it help if Security hired a marketing manager?        
10/26/202135 minutes, 13 seconds
Episode Artwork

BONUS Episode: Innovation Spotlight

Here's an awesome bonus episode of CISO/Security Vendor Relationship Podcast featured as the closing event at Evanta's Global CISO Virtual Executive Summit. Here's what went down. The day before our recording, three representatives presented their unique and innovative security solutions to a panel of CISOs and the virtual audience in attendance. The next day, everyone came back to offer up a quick elevator pitch and to be grilled by the CISOs. That's exactly what you get to hear on this bonus episode of CISO/Security Vendor Relationship Podcast. Thanks to all our sponsors for this bonus episode of the podcast Kasada Axis Security Ordr Ten Eleven Ventures
10/22/202141 minutes, 1 second
Episode Artwork

We Want to Hire Honest People Who Think Like Criminals

All links and images for this episode can be found on CISO Series What game should we play where we can trust you to behave fairly, but at the same time see how you could take advantage of us? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Deneen DiFiore (@deneendifiore), CISO, United Airlines. Thanks to our podcast sponsor, Code42 As organizations gradually and cautiously move out of adapt out of adapt-or-die mode into the post-pandemic era, we can expect a second phase of digital transformation: resilience building. This presents an opportunity for security teams. An opportunity to re-imagine data security. More from Code42. In this episode: Does becoming a business-minded security person take time? What does a qualified, entry level candidate have to do to get noticed? Without clear ROI, how does a CISO justify their budget? What game taught you the most about thinking like a hacker?    
10/19/202135 minutes, 49 seconds
Episode Artwork

A Quick Way to Tell Which Vendors You Should Avoid

All links and images for this episode can be found on CISO Series Do you really need hundreds of questions to know if you want to work with a vendor? Won’t just two or three well-pointed questions really give you a good idea? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Nick Selby (@fuzztech), CSO, Paxos Trust Company and co-host of Tech Debt Burndown podcast. Thanks to our podcast sponsor, Kenna Security In this episode: How do you suss out security vendors to make sure they're not a risk? How do you battle a typosquatter? What types of preparations do you have in place to know you're well prepared for an incident? How should CISOs and CIOs share cybersecurity ownership?
10/12/202134 minutes, 30 seconds
Episode Artwork

The Ostrich Approach To Vulnerability Management

All links and images for this episode can be found on CISO Series OK, you showed us our vulnerability. But we really don't want to fix it now. Could we just pay you off to keep quiet, and to buy us some more time to deal with this in a "not so timely" manner? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Sameer Sait (@sameersait), CISO, Amazon - Whole Foods. Thanks to our podcast sponsor, Code42 As organizations gradually and cautiously move out of adapt out of adapt-or-die mode into the post-pandemic era, we can expect a second phase of digital transformation: resilience building. This presents an opportunity for security teams. An opportunity to re-imagine data security. More from Code42. In this episode: What if software developers used academic citations for code acquired from outside sources? What is a reported security vulnerability doesn't get fixed? Where do you go next? What if a 3rd party app developer needs access to a file/print share over the internet? What if you receive a pitch that makes a grandiose statement like "no false positives?" Follow-up or hard pass?  
10/5/202135 minutes, 12 seconds
Episode Artwork

Sorry, We’re Full. We Can’t Take Any More Market Segments

No, please not another acronym. I can't take another education cycle on another product segment. Oh, I'm sure Gartner is launching it. And I'm sure they'll make yet another Magic Quadrant to tell us which companies are in this new market segment. And we're going to have to buy this report so we understand this new category so we can create yet another line item on our budget sheet. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Ed Bellis (@ebellis), co-founder and CTO, Kenna Security (now a part of Cisco). Thanks to our podcast sponsor, Kenna Security In this episode: How do you develop unbiased knowledge about a new technology? Do you have advice on how to prepare for a SOC interview? Vulnerability management: what have we heard enough of? Do your parents know what you do for a living?  
9/28/202136 minutes, 59 seconds
Episode Artwork

What's the ROI of Nothing Happening?

You don’t want anything to happen, but you also want security to somehow to calculate ROI. Maybe the ROI could be calculated from actual sales that security allowed to actually happen. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Ryan Gurney, CISO-in-residence, YL Ventures. Thanks to our sponsor, YL Ventures YL Ventures, a global VC firm, manages over $300 million and exclusively invests in early-stage Israeli cybersecurity startups. YL Ventures accelerates the evolution of its portfolio companies via strategic advice and operational execution, leveraging a network of CISOs and industry veterans from Fortune 100 and high-growth companies. In this episode: What happens when Application Surface Management (ASM) vendors are purchased as Security assets? What do you do when your company wants to use a really insecure SaaS product? Does a startup need a CISO, or just a CISO-in-residence? Is there a better sign other than "nothing happened" that indicates you did a good job in cybersecurity today?"  
9/21/202137 minutes, 11 seconds
Episode Artwork

Could We Speak To Your CISO To Confirm He Received the Cupcakes?

All links and images for this episode can be found on CISO Series It’s imperative we speak to him. We want to make sure they landed safely. And if he has some available time, maybe we can show him our slide deck. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Branden Newman, svp, CISO, MGM Resorts. Thanks to our podcast sponsor, Grip Security Ask yourself – do I know what SaaS my company is using? How do users access them? What data is uploaded and downloaded? Enterprises today are using hundreds and thousands of different SaaS, and have lost control over it. Grip Security sees and secures every SaaS application. With simple deployment, you can have immediate visibility to the entire SaaS portfolio, and automated access and data governance at scale. This is the only way you could fight the SaaS Sprawl. In this episode: How do security vendors communicate their uniqueness and product quality? If you were to start a data security company - what gap would you fill? What's the pushiest sales tactic you've seen in InfoSec? Assessing vendor pitches on email security or human layer security  
9/14/202140 minutes, 51 seconds
Episode Artwork

Make Your Friends Jealous with Our Hand-Crafted Passwords

All links and images for this episode can be found on CISO Series I know your friends say they use excellent passwords, but they don't take the time and care we put into choosing the right combination of letters, numbers, and special characters that's unique to your personality. Once your friends and the dark web have a chance to see them, they'll want to emulate you by using your password over and over again. This week's CISO/Security Vendor Relationship Podcast was actually recorded in front of a small live audience at The Passwordless Summit in Newport, Rhode Island. The event was sponsored by HYPR, our sponsor for this episode as well. Joining me and my co-host, Andy Ellis (@csoandy), operating partner, YL Ventures, was our sponsored guest, Brian Heemsoth (@bheemsoth), head of cyber defense and monitoring, Wells Fargo. Thanks to our podcast sponsor, HYPR HYPR is the leader in Passwordless Multi-factor Authentication. We protect workforce and customer identities with the highest level of assurance while enhancing the end user’s experience. HYPR shifts the economics of attack to the enterprise’s favor by replacing password-based MFA with Passwordless MFA.  Welcome to The Passwordless Company®. It’s time to reimagine Identity Access Assurance. Learn More » In this episode: Ways to make a good impression about the quality of your security How’s passwordless access working for you? When an EULA says no to reviewing the product What does a good SOC look like to you?
9/7/202142 minutes, 37 seconds
Episode Artwork

Are You Asking "How Secure Are We?" or "How Insecure Am I?"

All links and images for this episode can be found on CISO Series We've heard the question "How secure are we?" many times, and we know what it really means. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Kevin Morrison, CISO, Alaska Air. Thanks to our podcast sponsor, Enso Enso, an Application Security Posture Management platform, helps security teams scale and gain control over their AppSec programs. Enso discovers application inventory, ownership and risk to easily build and enforce security policies and transform AppSec into an automated, systematic discipline. In this episode: Red flag-level bad security: run away or offer to help? How necessary is it to know patterns of where and how criminals are going to attack? How to manage the risk of onboarding entry level cybersecurity personnel who lack prior job experience? How do you answer the question, "Are we secure?"    
8/31/202133 minutes, 53 seconds
Episode Artwork

Tips to Finding an Incompetent Overpriced Cybersecurity Consultant

All links and images for this episode can be found on CISO Series What questions should we be asking of a consultant's referrals to see if they're really worth the money they're trying to overcharge us? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Ira Winkler (@irawinkler), CISO, Skyline Technology Solutions. Thanks to our podcast sponsor, Varonis Varonis will help you get meaningful data security results faster than you thought possible. Protect sensitive data, detect sophisticated threats and streamline privacy and compliance. Visit varonis.com/risk for a demo of Varonis’ leading data security platform. In this episode: Fujifilm refused to pay ransomware demand, restored from backup. Be like Fujifilm. What to do with people who ask for your password and sign-on – and those who comply Best techniques for interviewing cybersecurity consultant candidates The importance of securing inter-organization Slack and Teams channels
8/24/202133 minutes, 50 seconds
Episode Artwork

We Shame Others Because We're So Right About Everything

All links and images for this episode can be found on CISO Series You think it's easy carrying around the burden of being so perfect all the time? It's tough to carry that responsibility to tell others what they need to do. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Ed Contreras (@cisoedwardc), CISO, Frost Bank. Thanks to our podcast sponsor, Varonis Varonis will help you get meaningful data security results faster than you thought possible. Protect sensitive data, detect sophisticated threats and streamline privacy and compliance. Visit varonis.com/risk for a demo of Varonis’ leading data security platform. Does a quality tech stack help with recruitment and retention of talent? Should security features be free? And should those who charge be shamed? Failing phishing tests - is there a limit to how many?
8/17/202135 minutes, 46 seconds
Episode Artwork

Will You Accept "My Bad" As Our Breach Response?

All links and images for this episode can be found on CISO Series We know we've got to say something about this breach, but geez, the details are really sordid and it would just be easier if we could just wrap it up with one giant "oops." You cool with that? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Matt Radolec, senior director, incident response and cloud operations, Varonis. Thanks to our podcast sponsor, Varonis Varonis will help you get meaningful data security results faster than you thought possible. Protect sensitive data, detect sophisticated threats and streamline privacy and compliance. Visit varonis.com/risk for a demo of Varonis’ leading data security platform. In this episode: How have insider threats morphed since the onset of Covid? Should paying ransomware be illegal? What goes into a good post-breach public incident response? Should ransomware focus more on backups?
8/10/202132 minutes, 57 seconds
Episode Artwork

I'll Show You My Risk Profile If You Show Me Yours

All links and images for this episode can be found on CISO Series Managing my own risk is tough enough, but now I have to worry about my partners' risk and their partners' risk? I don't even know what's easier to manage: the risk profile of all my third parties or all the exclusions I've got to open up to let third parties into my system. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Bruce Potter (@gdead), CISO, Expel. Thanks to our podcast sponsor, Expel Expel offers companies of all shapes and sizes the capabilities of a modern Security Operations Center without the cost and headache of managing one. In this episode: What's easier to manage, 3rd party risk profiles or exclusions? Do you need a Git repository to apply for a job? What else? What's in your happy-grab-bag for hybrid work environments? Is there anything new to say about ransomware strategy?  
7/29/202134 minutes, 44 seconds
Episode Artwork

How Much Charisma Do I Need to Push My Team to the Edge?

All links and images for this episode can be found on CISO Series If I'm going to be riding my team really hard, how much charisma will I need to keep the team frightened so they stay motivated, yet don't want to leave? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Jason Fruge (@jasonfruge), CISO, Rent-a-Center. Thanks to our podcast sponsor, Expel Expel offers companies of all shapes and sizes the capabilities of a modern Security Operations Center without the cost and headache of managing one. In this episode CISO's second job: applying lessons learned from the first one Experts weigh in on what to do when a breach drops malware on you How to motivate staff to push themselves beyond initial expectations? What level of autonomy do you give your staff to make purchase decisions?
7/27/202133 minutes, 32 seconds
Episode Artwork

How Would You Like Your Cloud Misconfigured?

All links and images for this episode can be found on CISO Series Great, you just purchased the cloud. Are you a little confused as to what you're going to do with it? Not a problem. Let's get you set up right with a world class misconfiguration. That should leave you open to all kinds of breaches. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Johnathan Keith, CISO, Viacom/CBS Streaming. Thanks to our podcast sponsor, AppOmni AppOmni is building the future of SaaS security. We empower our users to enforce security standards across their SaaS applications, and enable them to remediate in confidence knowing they’re fixing the most important SaaS security issues first. Contact us at www.appomni.com to find out who - and what - has access to your SaaS data. Why do we hear so many stories about poor & misconfigured cloud services? The benefits of Infrastructure as Code (IaC) What makes a vendor meeting worth your time? What's the best way to learn about a company's culture in a job interview?    
7/20/202134 minutes, 25 seconds
Episode Artwork

It’s Only a Matter of Time Before We Lose Your Data

All links and images for this episode can be found on CISO Series We're trying really hard to keep our customers' data safe, but we all know given the number of attacks happening, our number will eventually come up, and we'll lose your data just like every other organization you trusted. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Sandy Dunn (@sub0girl), CISO, Blue Cross of Idaho. Thanks to our podcast sponsor, Expel Expel offers companies of all shapes and sizes the capabilities of a modern Security Operations Center without the cost and headache of managing one. Dissecting Allen Gwynn's "one strike" opinion piece Transitioning cybersec into a mindset for all employees Shifting the risk: buying cyberinsurance instead of tools What's the proper way to behave during a breach?
7/13/202131 minutes, 47 seconds
Episode Artwork

His Credentials Say “Yes” But His Behavior Says “No Way”

All links and images for this episode can be found on CISO Series As good as our virtual bouncers are, they often let in people with what seems to be a valid ID, and then once they're in our nightclub they cause a disruption and we have to kick them out. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Sandy Wenzel (@malwaremama), cybersecurity transformation engineer, VMware.  Sandy also recommends participating in Pro's vs. Joe's CTF. Thanks to our podcast sponsor, VMware In this episode: How we have become more agile (and how we define agile) Five skills every SOC analyst needs (and how to build them) Lateral movement by threat actors (what have we heard enough of) What are some good assignments to give a cybersecurity intern (and are there better ones?)    
7/6/202136 minutes, 22 seconds
Episode Artwork

We’re Experts at Finding Everything You’re Doing Wrong

All links and images for this episode can be found on CISO Series We're a brand new consultancy and we promise if you just let us poke around your network, we'll find something wrong. Because everyone has something wrong in their network. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Phil Huggins (@oracuk), CISO, NHS Test & Trace, Department of Health and Social Care. Thanks to our podcast sponsor, VMware In this episode: Prioritizing the security challenges around risk and compliance What to consider before starting your own security consulting business The most valuable things you should learn from peers in your network or community  
6/29/202132 minutes, 44 seconds
Episode Artwork

Hey Old Man, Go Rotate Your Own Passwords

All links and images for this episode can be found on CISO Series If you're happy with your best practice of rotating passwords, that's great for you. Just don't lay your old-timey "rules for better security" on me boomer. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Robb Reck (@robbreck), CISO on sabbatical and co-founder Colorado=Security, a podcast and Slack community. Thanks to our podcast sponsor, VMware In this episode: Who is supposed to put “security” into the shifted left SDLC? What's the scarcest resource to a CISO? Is it headcount or money? What's the hardest part about being a CISO? How to choose the “best” best practices.  
6/22/202133 minutes, 50 seconds
Episode Artwork

How CISOs Make It Worse for Other CISOs

All links and images for this episode can be found on CISO Series https://cisoseries.com/how-cisos-make-it-worse-for-other-cisos/ Are CISOs inappropriately putting pressure on themselves and is that hurting the rep of all CISOs as a result? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Andy Ellis (@csoandy), operating partner, YL Ventures. Thanks to our podcast sponsor, Orca Security Orca Security provides instant-on security and compliance for AWS, Azure, and GCP - without the gaps in coverage, alert fatigue, and operational costs of agents or sidecars. Orca detects and prioritizes risk in minutes ﹣ not months ﹣ and is trusted by global innovators, including Databricks, Lemonade, Gannett, and Robinhood. In this episode: Is the hiring process for CISOs broken? Why CISOs aren’t willing to share samples of their risk assessments Working with a vCISO through an MSSP What are the biggest misconceptions cybersecurity people have about CISOs?
6/15/202138 minutes, 35 seconds
Episode Artwork

Excuse Me, What Bribes Do You Accept?

All links and images for this episode can be found on CISO Series https://cisoseries.com/excuse-me-what-bribes-do-you-accept/ The security vendor/practitioner sales cycle would go a lot faster and smoother if CISOs would just take an "incentive" for a meeting. Just tell me what "incentive" you would like. I'm sure it'll cost me a lot less than what I'm spending on marketing and sales. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Allison Miller (@selenakyle), CISO, reddit. Allison is available on reddit at /u/UndrgrndCartographer. Thanks to our podcast sponsor, Living Security Why We're Breaking Security Awareness (And You Should Too) Attend This Free, Virtual Conference From Your Home, Office, Or Even Your Couch. Living Security is breaking the mold of security awareness to wage war on the human risk factor with evolved strategies for the way we live, work, and play today. Join cybersecurity industry thought leaders for fresh, modern perspectives designed to help you change behaviors and reduce your organization's risk in a world where life happens online. This year’s sessions will cover: Human Risk Management Social Engineering DEI In Cybersecurity Enterprise Security Awareness Remote Working Security Ransomware In this episode: Relying on the end-user to make an app secure is, in essence, shipping insecure software It's official: mandatory password changes are no longer in vogue What incentives would you accept to take a meeting with a vendor
6/8/202131 minutes, 40 seconds
Episode Artwork

Holy Crap! We’ve Been Doing This for Three Years!

All links and images for this episode can be found on CISO Series https://cisoseries.com/holy-crap-weve-been-doing-this-for-three-years/ On this day three years ago, Mike Johnson and I released the first episode of CISO Series’ CISO/Security Vendor Relationship Podcast. Our primary goal was to talk about the strained yet much needed relationship between security practitioners and vendors. With the help of our guest Dan Walsh, CISO, VillageMD and plenty of contributors we look back and ask ourselves, “What’s changed and has anything improved?” If you're interested in hearing the full story of how CISO Series started, listen to this episode of Defense in Depth with Mike Johnson and Allan Alford where we walk through the origins of what has become a rather sizable media network. Thanks to our podcast sponsor, Sonatype With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company’s Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code. In this episode: What listeners get out of the show & what has changed in the industry How communication has changed among CISOs in three years Is there more compassion for vendors now? How is the vendor landscape changing?  
6/1/202133 minutes, 2 seconds
Episode Artwork

Something Stinks In Here. I Think It’s Your Code.

All links and images for this episode can be found on CISO Series https://cisoseries.com/something-stinks-in-here-i-think-it's-your-code/ The problem isn't our users, it's you and your past due code. Something happened. It's either been tainted or expired, but whatever it is, it smells and you need to clean it up. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Brian Fox (@brian_fox), co-founder and CTO, Sonatype. Thanks to our podcast sponsor, Sonatype With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company’s Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code. In this episode: How do you know if your DevSecOps effort is going to fail? How does an analyst justify their existence? Managing malicious intruders in code libraries Managing cybersecurity hygiene in the software chain  
5/25/202135 minutes, 39 seconds
Episode Artwork

Our Top Ten List of Vendors That Aren’t You

All links and images for this episode can be found on CISO Series https://cisoseries.com/our-top-ten-list-of-vendors-that-arent-you/ You look at a top ten list is to see if you made the list. Don't bother. You're not on it. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Nancy Hunter, vp, CISO, Federal Reserve Bank of Philadelphia. Thanks to our podcast sponsor, Code42 Redefine data security standards for the hybrid workforce. Check out Code42. In this episode: Threat tracking: what’s better? Your SOC’s data or reading industry trends? Finding good security people -what’s better?: existing skills/experience, or a hunger to learn? Listing the things we like about security vendors Diversity hiring still has some challenges
5/18/202132 minutes, 25 seconds
Episode Artwork

Do We Have to Let the CISO Sit With Us?

All links and images for this episode can be found on CISO Series https://cisoseries.com/do-we-have-to-let-the-ciso-sit-with-us/ I guess because it's a pandemic, and we really need them, just this one time, we'll let the CISO hang out at the cool kids' table. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Jadee Hanson (@jadeehanson), CISO, Code42. Thanks to our podcast sponsor, Code42 Redefine data security standards for the hybrid workforce. Check out Code42. In this episode: Apparently, CIOs have become really hot commodities within the organization Do compliance checkboxes to third party surveys provide any security for the supply chain? Insider risk should look more at mistakes as well as intentional acts The real value of vendor white papers
5/7/202134 minutes, 6 seconds
Episode Artwork

Why Commute When You Can Stay Home and Be Overworked?

All links and images for this episode can be found on CISO Series https://cisoseries.com/why-commute-when-you-can-stay-home-and-be-overworked/ Work from home seemed ideal until you realized you were working at all hours with people all over the world. It would actually be a nice respite to have to commute and leave work at a reasonable hour. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Adam Glick, CISO, Rocket Software. Thanks to our podcast sponsor, Code42 Redefine data security standards for the hybrid workforce. Check out Code42. In this episode: Work-from-home – the joys and the sorrows What do we want the board and C-Suite to know about cybersecurity? Are you a cybersecurity or infosec hiring manager? What kind of interview questions do you ask? CISOs working with young cybersecurity entrepreneurs      
5/4/202134 minutes, 31 seconds
Episode Artwork

Pushing This to the Top Of Your Inbox So You Can Delete It Again

All links and images for this episode can be found on CISO Series https://cisoseries.com/pushing-this-to-the-top-of-your-inbox-so-you-can-delete-it-again/ We're following up on our previous email because we love to engage in self-defeat. We assume you don't want to hear from me again, but just to make sure, I've delivered another email for you to delete. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Rinki Sethi (@rinkisethi), CISO, Twitter. Thanks to our podcast sponsor, Sonatype With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company’s Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code. In this episode It takes a while to hire an awesome cybersecurity team. It takes even more work to keep them. Breaches are bad, but handling them badly might be worse The unique aspects of work from anywhere security that take time to discover More of "what not to do" as a vendor pitching a cybersec prospect  
4/27/202134 minutes, 55 seconds
Episode Artwork

OK, I Get It. You’re All Special Snowflakes.

All links and images for this episode can be found on CISO Series https://cisoseries.com/ok-i-get-it-youre-all-special-snowflakes/ This department manager thinks their data is the most important. But then this department manager thinks their data is the most important. Can there really be so many crown jewels in your company that are all equally important? How's a CISO supposed to prioritize? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Melody Hildebrandt (@mhil1), executive vp, consumer products and engineering, and CISO, Fox Thanks to our podcast sponsor, Herjavec Group Herjavec Group excels in complex, multi-technology environments and keeps enterprise organizations secure with best of breed products and comprehensive service offerings. With 5 global Security Operations Centers, emerging technology partners, and a dedicated team of security specialists, we are well-positioned to be your organization’s trusted advisor in cybersecurity. Let’s connect! On this week's episode Hey, you're a CISO, what's your take? Recently, we did a Friday video chat on "Hacking the Crown Jewels" where we talked about what's really important, where it resides, and who's accessing it and when. One of the questions that came up from consultant Ian Poynter was how do you handle the conflicts from the different department leaders as to what the crown jewels are? And Jakub Kaluzny of SecuRing asked, "What's harder, identifying your crown jewels, or protecting them?" Can you change Mike's mind? Our guest, Melody Hildebrandt mentioned that as of recently she was in a pro-vendor mood Only three months into the year she has taken more new vendor meetings than in all of 2020. What changed? And can she convince Mike to do the same? "What's Worse?!" As always, this will be a surprise on the show. And no one will like the options. If you haven’t made this mistake, you’re not in security Even if you've configured your email security platform correctly, you can still fail early and often as our guest Melody discovered. But she actually published her findings on Tech Insiders, along with Paul Cheesbrough. Examples she provided included email account compromises that resulted in full evasion of standard email defenses. And given that her business is often an early target for new attacks, protection through threat analysis has become essentially useless. Her solution for enterprise email is to adopt an API-based solution instead of gateways, along with deep machine learning, and continuous protection of email rather than initial scanning and approval. Let's look at how difficult this shift was and how Melody is managing it. There’s got to be a better way to handle this On Twitter I asked, "Since security people don’t get applause when nothing happens, how do you let the rest of the company know how well the security team is doing?" One mentioned a slide on reports that says "X days without a breach" others suggested showing improvements to metrics like vulnerability and mean time to response. So what do we say to the whole company, not just the board?    
4/20/202139 minutes, 29 seconds
Episode Artwork

What to Expect When You’re Expecting a Network Breach

All links and images for this episode can be found on CISO Series https://cisoseries.com/what-to-expect-when-youre-expecting-a-network-breach/ Are you expecting a little intrusion into your network any day now? You better be prepared. Are there some vulnerabilities you should have managed, but didn't? Don't worry, first time security professionals are always scared about their first incident. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Scott Kuffer, co-founder and COO, Nucleus Security Thanks to our podcast sponsor, Nucleus Security Nucleus unifies your existing security stack, integrating with over 70 scanners and external tools, creating a centralized hub to control the chaos of vulnerability analysis, triage, and remediation. Ready to make the tedious VM process simple through smart automation and workflow optimization? See for yourself at https://nucleussec.com/demo On this week's episode There’s got to be a better way to handle this We constantly hear security leaders talk about "people, process, and technology". Overwhelmingly, most security vendors are selling technology, then after a very steep drop there is the sale to managing people, and then "process" feels like a neglected stepchild. Let's talk about one process change made in the past year that had a significant impact on security posture? AND what is the "process" in security that needs the most help? Is there an opportunity in this area for security vendors or this just a combination of project management and increased automation? What do you think of this vendor marketing tactic Are security vendors eating their own dog food? The next time a security vendor pitches you, Chris Roberts of Hillbilly Hit Squad said on LinkedIn, "Ask them if they are using their own systems to protect themselves OR if they’re relying on someone else’s technology to protect their arses." An excellent question and HOW a vendor answers that question is very telling. So, is our sponsored guest using his own product to protect his business? "What's Worse?!" Jeremy Kempner, BT Americas offers up two really crappy communications options for Scott and Mike to wrestle with. Please, Enough. No, More. This week's topic: Risk-based vulnerability management, which can be defined as prioritizing your vulnerability remediation based on the risk it poses to your organization. What have we heard enough about with risk-based VM and what should we hear more about? How have you actually pulled this off? One of the key parts of a successful pentest is the reconnaissance phase where the necessary background information is generated. Let's walk through that process. How much involves planning vs. discovering? It's assumed that a lot of creativity goes into making a successful pentest. What are some of the techniques and information needed to increase success?    
4/13/202134 minutes, 23 seconds
Episode Artwork

We Recommend a “Know the Right People” Certification

All links and images for this episode can be found on CISO Series https://cisoseries.com/we-recommend-a-know-the-right-people-certification/ There are so many fantastic certifications out there for security professionals. But we've found the one certification that will really help you land the right job really quickly, is to provide proof that you know some people at our company who can vouch for you. Remember, we are a business that operates on trust, not giving people their first chances in cybersecurity. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Jesse Whaley, CISO, Amtrak Thanks to our podcast sponsor, Adaptive Shield Adaptive Shield ensures companies gain control over their SaaS app security and prevents the misconfigurations and vulnerabilities that could lead to a leak or breach. Adaptive Shield connects to any app, continuously monitors all configurations, provides a complete picture of the company's SaaS estate, and enables quick remediation of any potential threats. In this week's episode Why is everybody talking about this now? Should cybersecurity professionals fight back rather than block and tackle? former US government cyber security chief Chris Krebs, has called on law enforcement and others to fight back against ransomware attackers. Krebs, suggested posting private information of the hackers, with malicious intent, AKA doxxing. "Hacking back" is dangerous as it's hard to determine the attacker, and you're essentially taking the law into your own hands, but Chris Krebs is recommending this, seeing that ransomware is the biggest threat. Dan Lohrmann of Security Mentor shared this article from the Financial Times and it drove a lot of debate. We've heard this before, but from someone like Chris Krebs, that's astonishing. What level of fighting back should people be comfortable with? Are we having communication issues? "I push back [on vendors] because I want depth and context from first contact," said John Keenan, director of Information Security, at Memorial Hospital at Gulfport. In this post on LinkedIn he said he's annoyed with vendors' generic first outreach and when he declines their response is "Well, I had to give it a shot". If they want a real connection, include "What's In It for Me". A generic response of "I think you'll really like what we've got to show," does not qualify. Let's talk about who has ever received a first (or heck any) contact that did have depth and context and could clearly articulate the "what's in it for you" message. "What's Worse?!" This week's challenge is from Nir Rothenberg, CISO, Rapyd. How have you actually pulled this off? Hiring in cybersecurity is a bear. As we've discussed before on this show, there's actually plenty of supply and demand in cybersecurity, yet jobs are not getting filled, possibly because of unreasonable requirements. Let's talk about what percentage of all the ideal skills people are willing to accept in a new hire, and situations where someone was hired who didn't possess that must have-skill for the job. ? And also let's look at the most effective training or mentoring technique used to get employees to adopt those skills. Hey you’re a CISO. What’s your take? On Twitter, Alyssa Miller AKA @alyssaM_InfoSec asked: "You're the CISO, rank the priority of the following list from a security perspective and explain your reasons: A. A well-defined vulnerability management program B. A reliable configuration management database/Asset Inventory C. A comprehensive metrics and reporting practice. A slight majority voted BAC or asset management, vulnerability management, then metrics. But there was plenty of disagreement. Let's look at that.        
4/6/202134 minutes, 4 seconds
Episode Artwork

My Backup Plan Is Hoping My Cloud Provider Has a Backup Plan

All links and images for this episode can be found on CISO Series https://cisoseries.com/my-backup-plan-is-hoping-my-cloud-provider-has-a-backup-plan/ I think maybe I should check to see if we paid for cloud backup protection. Or maybe, we're doing it. Who knows? This episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest this week is Ty Sbano (@tysbano), chief security and trust officer, Sisense Thanks to our podcast sponsor, Adaptive Shield Adaptive Shield ensures companies gain control over their SaaS app security and prevents the misconfigurations and vulnerabilities that could lead to a leak or breach. Adaptive Shield connects to any app, continuously monitors all configurations, provides a complete picture of the company's SaaS estate, and enables quick remediation of any potential threats. On this week's episode Why is everybody talking about this now? Is your cloud service provider backing up your data, or should you be doing that? Many users of OVHcloud realized they should have been doing it because they didn't realize what they had bought. OVH suffered a fire that destroyed one of its data centers making some of the customer data unrecoverable. They had backup of some services, but no backups of other data. As of now, OVH is backing up all customer data for free, but this speaks to a big problem with trusting cloud providers, noted Enrico Signoretti of GigaOm in a post on LinkedIn. Did you pay for backups? How are they being provided? Where physically are they? And how often do you test restoring? Everyone knows they should do this, but how often is it actually being done? Someone has a question on the AskNetSec subreddit On the AskNetSec subreddit, the question was asked, "What's the advantage of reporting bugs to official sources over brokers?" Some really good pro and con discussions of both ranged from brokers usually pay more, to going straight to the source seems "the right thing to do." But there were so many variances that it wasn't that cut and dry. As a bug bounty hunter, if you find a significant bug, where should you go first?  "What's Worse?!" Rick Woodward from Gibbs & Cox asks, "which kind of dishonesty is the worst?" Hey you’re a CISO, what’s your take? Another redditor on the AskNetSec subreddit asks, what kinds of questions should the interviewee ask about a company's environment so they know they're not walking into a giant mess? There were a ton of good suggested questions in the thread. If you could only ask three, which three would you ask that would give you the most information about both the stability and challenge of the security environment? What would you advise? Ross Young asked, I want to be a board advisor, how am I going to be paid? How much effort do I want to spend on this? What compensation should I expect? What do companies expect a CISO as an advisor to do? You both are advisors, so what's your experience, advice, and what have you heard from others?  
3/30/202137 minutes, 42 seconds
Episode Artwork

Patches? Yes, We Need Stinkin' Patches!

All links and images for this episode can be found on CISO Series https://cisoseries.com/patches-yes-we-need-stinkin-patches/ There was a time we could trust a patch, but now our adversaries are actually looking at the patches to find even more vulnerabilities. And we keep patching those as well. Our patches' patches need patches. When does it stop?! This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Travis Hoyt (@travisehoyt), managing director, exec cybersecurity technology, TIAA Thanks to our podcast sponsor, Adaptive Shield Adaptive Shield ensures companies gain control over their SaaS app security and prevents the misconfigurations and vulnerabilities that could lead to a leak or breach. Adaptive Shield connects to any app, continuously monitors all configurations, provides a complete picture of the company's SaaS estate, and enables quick remediation of any potential threats. On this week's episode What’s the best way to handle this The vulnerability landscape is changing, according to a new report from Rapid7. One issue, as Rob Lemos of DarkReading reports, is that you can't necessarily trust patches. They're often incomplete, and attackers look at existing patches as an opportunity to find more flaws, which they do. And the threats come from different angles: they're widespread, targeted, often using a zero-day, and there are other vulnerabilities that are impending threats. It seems that the portion of the threats you know about and can defend against is shrinking, and you're battling more of the unknown. Have you seen similar, and if so how has your security program shifted as a result? That’s something I would like to avoid The NSA recently provided guidance on creating a Zero Trust security model. In the piece, the NSA says, "transitioning to a [zero trust] system requires careful planning to avoid weakening the security posture along the way." So what is the NSA talking about? What are common transitioning moves to zero trust that can make you vulnerable? "What's Worse?!" Jonathan Waldrop from Insight Global delivers a challenge specifically tailored for Mike. Please, Enough. No, More. Let's look at SaaS posture management, or just the ongoing management of potential issues that may come across SaaS platforms - and consider what we have heard enough about with regard to SaaS posture management, and what we would like to hear a lot more about. Umm is this a good idea OSINT should go beyond finding out a security practitioner's email and phone number, argued Alyssa Miller of S&P Global Ratings. Alyssa received an email pitch from a vendor offering a gift and she declined. That same vendor then followed up and called her. The vendor was pitching her something that wasn't in her department, that she had no control of, and she couldn't accept gifts because her company is in a heavily regulated market. In summary, Alyssa said if you're going to use OSINT, understand the person's business, their role, and if making such a request would be counterproductive. What types of vendor OSINT tactics work well and what types work poorly?      
3/23/202134 minutes, 21 seconds
Episode Artwork

I Think Possibly Maybe We've Solved Diversity in Cybersecurity

All links and images for this episode can be found on CISO Series https://cisoseries.com/i-think-possibly-maybe-weve-solved-diversity-in-cybersecurity/ We're tired of hearing "we're trying" when it comes to the subject of how companies are trying to inject diversity into their organizations. It's a lopsided game and diverse candidates have to make ten times the number of attempts as their non-diverse counterparts. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Jimmy Sanders (@jfireluv), cybersecurity, Netflix DVD. Our guest this week is Jerich Beason (@blanketSec), svp, CISO, Epiq. Thanks to our podcast sponsor, Living Security Traditional approaches to security communication are limited to one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely affect long-term behavioral change. This report lays out a four-step plan that CISOs should follow to manage the human risk. It provides design principles for creating transformational security awareness initiatives which will win the hearts and minds of senior executives, employees, the technology organization, and customers. On this week's episode How have you actually pulled this off? As discussed before on this show, being the next CISO at a company that was recently breached can be very lucrative. We've had guests that have very successfully negotiated huge salaries as the post-breach CISO. Are CISOs setting themselves up for far too much responsibility to be seen as a the company's digital savior? What are the responsibilities of a post breach CISO? Got a better answer than "we're trying?" Over the years we have interviewed dozens of business owners, security professionals, and hiring managers about diversity. Almost all their answers fall into the following buckets: We're trying but there's no pipeline. We're working with XXX group to improve. Diversity is needed because diversity of thought it needed to create a more secure organization. No one will admittedly say they're against diversity. Yet systemic racism, sexism, or just boys' clubism in general continues to exist. It appears most of the non-diverse business leaders are being pressured into admitting it's a problem. So they do it, and we even get token hires, but it all comes off as diversity theater and not the business actually making a shift. What is the story of diversity in cybersecurity many people don't get and need to actually be doing, not just giving lip service to? "What's Worse?!" Eugene Kogan, CSO at a confidential company sets it up: Who do you want on our side: executives or employees? And now a listener drops knowledge "Learn cybersecurity in public," suggests AJ Yawn of ByteChek who recommends joining a training program and then publishing what you've learned on a blog. As AJ explains, "Doing this will help you build relationships & prove to potential employers you’re applying your new knowledge." He concludes with the advice, "Don’t learn in silence." The community responded to AJ's advice. It's great advice, which everyone agreed to in the comments, but why then do so few people actually do it? There’s got to be a better way to handle this Zero trust is not a technology that can be purchases as a solution. It's an architecture, methodology, and framework that you have to consciously adopt, noted Stephen Lyons of F5 on a post on LinkedIn. Can solutions already in-house be rejiggered to adopt a zero trust methodology? And if so, what changes would need to be made to existing systems to have a more zero trust environment?
3/16/202131 minutes, 48 seconds
Episode Artwork

Unnecessary Research Reveals CISOs Hate Cold Calls

All links and images for this episode can be found on CISO Series https://cisoseries.com/unnecessary-research-reveals-cisos-hate-cold-calls/ In a study we never actually conducted, our fellow security leaders said unequivocally that there never has been a time they welcome a phone call from someone they don't know trying to book a demo to see a product they have no interest in. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Andy Steingruebl (@asteingruebl), CISO, Pinterest. Our guest this week is Andy Purdy (@andy_purdy), CSO, Huawei Thanks to our podcast sponsor, Living Security Traditional approaches to security communication are limited to one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely affect long-term behavioral change. This report lays out a four-step plan that CISOs should follow to manage the human risk. It provides design principles for creating transformational security awareness initiatives which will win the hearts and minds of senior executives, employees, the technology organization, and customers. On this week's episode Here’s some surprising research As compared to small and medium companies, big enterprises don't appear to trust the big telcos to execute their 5G strategy. This according to new research from Omdia as reported by Iain Morris of Light Reading. When asked, "do you trust a communications service provider, AKA big telco, to execute your security strategy," SMEs overwhelmingly supported the telcos over all other options, and big enterprises didn't. They trusted their own expertise or wanted to lean on a cloud service provider like Amazon or Google. Let's investigate this discrepancy. If you're not paranoid yet here’s your chance As if you didn't know it already, get ready for some sobering news about third-party risk: According to a survey by BlueVoyant, as reported by SC Magazine, 80 percent of those surveyed had at least one breach caused by a third party vendor within the past year. Most of those surveyed didn’t monitor third-party suppliers for cyber risk. But, even if they wanted to, it's often a point in time measurement, sometimes only yearly, and organizations have an average of 1409 vendors. UK's National Cyber Security Center puts the focus of securing against third party risk squarely on the development of the software supply chain, and the need for isolation and proven security checks throughout the development process. That may be good advice, but it still seems so overwhelming given the volume and how much you can't control. "What's Worse?!" A vulnerability response and incident detection conundrum from Jonathan Waldrop, Insight Global What’s the best way to handle this Lessons learned from a big security incident and how these will be applied to the next big security incident. What do you think of this vendor marketing tactic Very few, if any, security leaders like cold calls. Yet, even with all the expressed distaste of them, they still exist, and that's probably because they still work, and still deliver significant ROI. But when these companies calculating that ROI, are they calculating all the people they've annoyed? One vendor sales rep who said after searching their CRM for "Do Not Call" there was a slew of vitriol from CISOs screaming to never contact them again. And as we all know, CISOs talk to other CISOs. So if you've angered one CISO sufficiently to never consider you, they've probably told a few friends as well. Let's discuss getting pushed over the edge by a vendor's aggressive sales tactics and what was done to essentially shut them off, including telling others about their actions.    
3/9/202134 minutes, 55 seconds
Episode Artwork

One Day You'll Grow Up to Know Less Than You Do Now

All links and images for this episode can be found on CISO Series https://cisoseries.com/one-day-youll-grow-up-to-know-less-than-you-do-now We know so little when we're born. We're just absorbing information. But then we get older, and get the responsibility to secure the computing environment of a large company, we actually see that knowledge we absorbed start slipping away. What we thought we knew of what's in our network is so far afield from reality. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Tomás Maldonado (@tomas_mald), CISO, NFL. Thanks to our podcast sponsor, Nucleus Security Nucleus unifies your existing security stack, integrating with over 70 scanners and external tools, creating a centralized hub to control the chaos of vulnerability analysis, triage, and remediation. Ready to make the tedious VM process simple through smart automation and workflow optimization? See for yourself at https://nucleussec.com/demo It’s time to measure the risk Outside of security basics and popular controls like SSO, MFA, and password management, what are the most effective means (or security control) to reduce risk? People have been offering some great suggestions on LinkedIn such as reducing attack surface, knowing what you're protecting, education, more conversations about risk, and actually having someone in charge of security and risk. All reduce risk, but what truly gives the biggest bang for the buck in terms of risk reduction? Are we making this situation better or worse? When things break, what's the best tactic to remediation? A bigger/better version of the last thing, or critical thinking? Both actually have serious costs associated to them. The first being equipment and maintenance, and the second having the talent that's able to think of unique and innovative soluitons. In a post on LinkedIn, Greg van der Gaast of cmcg argues that bigger walls just result in continued security problems at a more expensive, yet slower rate. He argues many issues could be avoided with critical examination, especially in IT. It's time to play, "What's Worse?!" Ross Young asks how badly do you need to measure your security program. How would you handle this situation? Our guest, Tomás Maldonado, describes what's unique about being a CISO for the NFL - the specific security concerns that aren't necessarily on the radar at his previous organizations, and the security issues around huge global events like the Super Bowl. Well that didn’t work out the way we expected Perception vs. reality in security. On LinkedIn, Ross Young, CISO at Caterpillar Financial Services said, "In April 2018, McAfee published a survey asking 1,400 IT professionals to estimate the number of cloud services in use within their organization. The average response was 31, with only 2% of respondents believing that they had more than 80—yet the real average is 1,935." This supports the great need of asset inventory. There are many instances CISOs have to make an estimate of what they have given the best information. We look at examples of when the reality of a situation was far from the initial perception, and how to manage this.
3/2/202134 minutes, 59 seconds
Episode Artwork

Would You Look at that Unrealistic Licensing Deal?

All links and images for this episode can be found on CISO Series https://cisoseries.com/would-you-look-at-that-unrealistic-licensing-deal/  CISOs know that salespeople want to make the best licensing deal they can possibly get. But unpredictability in the world of cybersecurity makes one-year licensing deals tough, and three-year licensing deals impossible. This episode is hosted by David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Mark Eggleston, (@meggleston) CISO, Health Partners Plans. This recording was recorded live in front of a virtual audience at the "SecTalks - Leading with grit in security" virtual conference brought to you by our sponsor, Cobalt. Thanks to our podcast sponsor, Cobalt Cobalt offers a faster more effective pentesting solution through its Pentest as a Service (PtaaS) platform. With it, you can schedule a pentest in as little as 24 hours for all kinds of assets. The platform also connects you with a global pool of pentesters called the Cobalt Core, whose skills can match what you need. And instead of sending you a huge PDF that raises more questions you can’t answer, they engage with your team throughout the pentest. Findings can land straight into Jira and GitHub, helping you fix vulnerabilities as soon as they’re discovered. Cobalt makes pentesting easy, quick to deploy, scalable, and simple to remediate. On this week's episode Why is everybody talking about this now? A redditor is struggling and overwhelmed! The person is in school studying, working, and loving cybersecurity, but has completely and utterly failed the foundations course and is on academic probation. The person told their story to the cybersecurity subreddit community, and the support came out in droves. We've seen this before. People hit a major wall professionally and they just reach out to the anonymous masses for support. The story hits a nerve and the community is eager to show encouragement. In fact, just this past week, the New York Times had an article about the unemployment subreddit offering advice and information to those struggling. We'll take a look at this tactic of reaching out for support and guidance through discussion boards. What do you think of this vendor marketing tactic? "Pro tip to vendors: don’t claim that you can’t do a one-year licensing deal. You might end up with a zero-year license deal", said Ian Amit, CSO, Cimpress on LinkedIn. We'll look at the art of negotiating a contract with a vendor: What is it ultimately you want? What are you willing to concede on and what must you have? And what are the situations that cause this to change? It's time to play, "What's Worse?!" Jason Dance of Greenwich Associates suggests two scenarios that others believe is security, but actually isn't. If you haven’t made this mistake, you’re not in security On Twitter, the CISO of Twitter, Rinki Sethi, said, "A career mistake I made, I rolled out a phishing testing program before the company was ready for it. The HR team said it was against the company culture and if I tried a trick like that again, I would be fired. Lesson - communication is important in #cybersecurity." Rinki asked for others' stories of failure. Let's explore a few. What Is It and Why Do I Care? For this week's game, the topic is vulnerability management. We look at four pitches from four different vendors. Contestants must first answer what "vulnerability management" is in 25 words or less, and secondly must explain what's unique about their vulnerability management solution. These are based on actual pitches - company names and individual identities are hidden. The winners will be revealed at the end.  
2/23/202138 minutes
Episode Artwork

This Is the Year I'm Going to Lose Weight and Care About Security

All links and images for this episode can be found on CISO Series https://cisoseries.com/this-is-the-year-im-going-to-lose-weight-and-care-about-security/ Every year I say I'm going to do it. I'm going to get healthy and be much better about securing my digital identity and my data. But then after about two weeks I give up, use the same password across multiple accounts, and eat a pint of Häagen-Dazs. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Dan Walsh, CISO, VillageMD. Our sponsored guest this week is Drew Rose, (@livsecaware)CSO, Living Security Thanks to our podcast sponsor, Living Security Traditional approaches to security communication are limited to one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely affect long-term behavioral change. This report lays out a four-step plan that CISOs should follow to manage the human risk. It provides design principles for creating transformational security awareness initiatives which will win the hearts and minds of senior executives, employees, the technology organization, and customers. On this week's episode What would you advise? Over on the AskNetSec subreddit, a pentester wants out. The redditor is looking for exit opportunities into another job in cybersecurity. Other redditors suggested IT audit, SOC operations, incident response, forensics. What would be an ideal next step for a pentester? We don’t have much time. What’s your decision? What happens when a previous employer of yours gets hacked and your information is potentially stolen. This happened to a redditor who asked this question on the cybersecurity subreddit. If nothing has actually happened, what can they do and what can potentially happen? Is a warning of "I may be compromised" to anyone going to do anything? "What's Worse?!" Jason Dance of Greenwich Associates delivers a really annoying "What's Worse?!" scenario. Please, Enough. No, More. The topic is "Security Awareness Training". David prefaces this with a top finding from a Forrester report that said, "Unless You Capture Hearts And Minds, No Amount Of Training Will Work". So with that said, what have people heard enough about with regard to security awareness training and what would they like to hear a lot more? Pay attention. It’s security awareness training time What if security behavior was rated as a performance score, suggested Ashish Paliwal of SONY. In his LinkedIn article, he agreed you can't train yourself to better security. It requires positive reinforcement. He suggested psychometric tests and a scoring system where you would gain points for good security behavior and lose points for bad security behavior (-10 for clicking on a phish, +10 for reporting). Creative ideas that he acknowledges have lots of challenges. The focus here is changing human behavior, possible the hardest feature to implement. What user experience does change behavior? And why would or why wouldn't Ashish's suggestions work?
2/16/202133 minutes, 26 seconds
Episode Artwork

Please Accept This Not-a-Bribe Gift as an Act of Desperation

All links and images for this episode can be found on CISO Series https://cisoseries.com/please-accept-this-not-a-bribe-gift-as-an-act-of-desperation/ Offering me a gift for a meeting was definitely not Plan A. Or was this a situation that you ran out of creative ideas and it's actually more cost efficient to buy your way into meeting with me? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is John Overbaugh, (@johnoverbaugh) vp, security, CareCentrix. Thanks to our podcast sponsor, Nucleus Security Nucleus unifies your existing security stack, integrating with over 70 scanners and external tools, creating a centralized hub to control the chaos of vulnerability analysis, triage, and remediation. Ready to make the tedious VM process simple through smart automation and workflow optimization? See for yourself at https://nucleussec.com/demo. On this week's episode OK, what’s the risk? People hear all too often that risk security isn't compliant security and vice versa, but isn't compliance just another form of risk? Shouldn't it be given quantitative and qualitative ratings like any other risk, prioritized, and remediated especially in highly regulated environments? Why is everyone talking about this now? On LinkedIn, LinkedIn CISO, Geoff Belknap asked, "Tech Vendors: Please, stop offering cash or gift cards for meetings. It throws into question the entire basis for a relationship and It's not ethical." Vendors take CISOs out for lunch all the time. That is a form of a gift. One vendor said because they can't take a CISO out they send a Starbucks card in lieu of the coffee they were going to purchase. Then there are the gifts that arrive for attending an event. Edward Kiledjian at OpenText, said, "I recently had a vendor get upset with me that I wasn't willing to accept his gifts. He said others in my position accept it and he couldn't understand why I was being so 'stubborn.'" How should this situation be handled and does a CISO's opinion of the vendor change as a result? "What's Worse?!" David tried to second guess Mike and was wrong on this bad idea from Jesse Whaley, CISO, Amtrak. If you haven’t made this mistake you’re not in security When Zero Day bugs arrive, security flaws just keep perpetuating. Garrett Moreau of Augury IT posted an article from MIT Technology Review about Google's research finding that when patches are released for zero days, they're often incomplete. Hackers can actually find the vulnerability sitting on the next line of code right next to the patched line of code, making it very easy for a hacker to reignite the zero day vulnerability. How can this problem stop perpetuating itself? Someone has a question on the cybersecurity subreddit A frustrated redditor eager to learn cybersecurity is getting stuck on CTFs (Capture the Flags ) and is losing the motivation as a result. The person is worried that relying on walkthroughs will be harmful. Responses from the reddit community were that the walkthroughs are there to help people learn, and that most CTFs don't resemble real life. They're there to teach a few tricks. So, is that the case?
2/9/202136 minutes, 22 seconds
Episode Artwork

Foul! That Interview Question Is Unfair

All links and images for this episode can be found on CISO Series https://cisoseries.com/foul-that-interview-question-is-unfair/ Pick a side. You either want your employees to have a work/life balance, or you want them to be obsessed with security 24/7. You can't have both. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Arpita Biswas, (@0sn1s) senior incident response engineer, Databricks Thanks to our podcast sponsor, StackRox StackRox is the industry’s first Kubernetes-native security platform that enables organizations to securely build, deploy, and run cloud-native applications anywhere. The StackRox Kubernetes Security Platform delivers lower operational cost, reduced operational risk, and greater developer productivity through a Kubernetes-native approach that supports built-in security across the entire software development lifecycle. What would you advise? People speak a lot about the importance of integrating security and DevOps. Now it's time to learn some specifics, like how to energize developers to be more security minded in their development. What works? What hasn't worked? "What's Worse?!" You just learned something was breached. Uggh. (Thanks to Mike Toole, Censys) What’s the best way to handle this ? What questions should be asked to see if a security team is cloud incident ready? A good article over on F5 by Sara Boddy, Raymond Pompon, and Sander Vinberg, provides some suggestions such as "Can you describe our attack surface and how have you reduced it to the bare minimum?" and "How are we managing access control?" and "What do we do when systems or security controls fail?" Which of the questions is the most revealing to cloud security readiness and why? Should you ignore this security advice? On the AskNetSec subreddit someone inquired about a good hiring question. One redditor suggested asking "What do you do on your own home network with respect to security?" to which another redditor argued that the question was unfair. He left the security and networking for work. He had other hobbies and interests for home life. Another person said, yes it is unfair, but there are plenty of candidates who do breathe security 24/7 and if given a choice, the redditor would take that person. The politically correct thing to say is you want the person with the work-life balance, but wouldn't we be more impressed with the person who has security in their blood day and night? Close your eyes and visualize the perfect engagement Another question on AskNetSec subreddit asked "What are the most important skills you see missing among other coworkers or your team?" The two most common answers I saw on the thread were communications and critical thinking. Are these correct. or should something else go there? ? And if those two did improve, what would be the resulting effect to a company's security program?
2/2/202133 minutes, 41 seconds
Episode Artwork

Why Do We Fire the CISO? Tradition!

All links and images for this episode can be found on CISO Series (https://cisoseries.com/why-do-we-fire-the-ciso-tradition/) Yes, firing the CISO probably won't solve our security issues. But our community has a multi-generational heritage of relying on scapegoats to make them feel good about their decisions. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Kirsten Davies (@kirstendiva), CISO, Estee Lauder Companies. Thanks to our podcast sponsor, Kenna Security With Kenna Security, companies efficiently manage the right level of risk for their business. Our Modern Vulnerability Management model eliminates the friction between Security and IT teams about what to patch, providing clear prioritization based on real-time threat intelligence and guidance applied to each customer’s unique environment across infrastructure, applications and IoT. Why is everybody talking about this now? On the AskNetSec subreddit one redditor asked, "Why do people always get fired over a breach?" to which one responded, like many others, "it’s just tradition. Military, government, corporations. It’s an old-fashioned thing really, but a lot of people still believe a 'blood sacrifice' is required to restore faith from the public or the shareholders." How tenable is it to keep doing this with so many breaches? After a breach what are the different actions needed to appease shareholders, executives, employees, and customers? And when is blood letting warranted? How to become a CISO Over on the CISOseries subreddit, a hopefully soon-to-be-CISO asked, "What should I ask before being a CISO at a startup?" This startup is pre-IPO. 2000 employees. About $1B in valuation. The redditor is looking for advice beyond asking what's the current security strategy and what the reporting structure would look like. What would you want to ask in such a situation? "What's Worse?!" Probably the ultimate "What's Worse?!" scenario. Hey you’re a CISO. What’s your take? On LinkedIn, Kris Rides asked, "If you can only do one thing to retain your staff what would that be?" What have you done and has any of your staff let you know that certain actions you took meant a lot to them. According to research from leadership consulting firm DDI, 57 percent of employees who walk out the door, do so because they can't stand their boss. For that reason, the pressure is heavily on the CISO to make sure they're well-liked by their staff. There’s got to be a better way to handle this Can you think of a moment you had to make a significant shift in your security program? What did you do and why? Was there a specific event that triggered it?  
1/26/202134 minutes, 33 seconds
Episode Artwork

Click This Link to Fail a Phishing Test

All links and images for this episode can be found on CISO Series (https://cisoseries.com/click-this-link-to-fail-a-phishing-test/) Our phishing tests are designed to make you feel bad about yourself for clicking a link. We're starting to realize these tests are revealing how insensitive we are towards our employees. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Yaron Levi, (@0xL3v1) former CISO, Blue Cross Blue Shield of Kansas City. Thanks to this week’s podcast sponsor, Stackrox StackRox is the industry’s first Kubernetes-native security platform that enables organizations to securely build, deploy, and run cloud-native applications anywhere. The StackRox Kubernetes Security Platform delivers lower operational cost, reduced operational risk, and greater developer productivity through a Kubernetes-native approach that supports built-in security across the entire software development lifecycle. Is this a cybersecurity disinformation campaign? On reddit, an explosive discussion formed around a ComputerWeekly.com article by Saj Huq of Plexal about the importance of making disinformation a security issue. The problem though has primarily fallen into the hands of social media companies mostly because that's where disinformation spreads. While we've seen disinformation being used as a political tool, for businesses, it can tarnish your corporate brand, consumer trust, and ultimately the value of your product. It's also used in phishing campaigns. Breaches are compromising your data. Disinformation is questioning the validity and value of data without even stealing it. How do you combat that? Are we having communication issues? We're recording this episode shortly after GoDaddy sent its infamous phishing test email that promised employees a $650 bonus check. Those who clicked on the email were rewarded with additional security training. It took the entire Internet to point out how insensitive this was, GoDaddy's response was "We understand some employees were upset by the phishing attempt and felt it was insensitive, for which we have apologized." They argued that while it may be insensitive, these types of well-timed phishing emails do happen. A lot of people do not like phishing tests and Yaron has proven that if creative enough, anyone can fall for a phish. How can the company and security be more sensitive to employees, respect them, while also letting them know they may receive a malicious email just like this? "What's Worse?!" An international What's Worse conundrum. How do you go about discovering new security solutions? Julia Wool, Evolve Security said, "I just finished a Splunk course and wanted to explore other SIEM platforms and I am having a difficult time understanding how an enterprise should choose a vendor in this space. I couldn't imagine being the guy at an enterprise that has to consider all these different vendors that seem to be doing the same thing." Julia brings up a really good concern: If you were completely green, didn't have CISO connections, and were going to choose a SIEM for the first time how would you go about determining your needs and then researching and deciding? What sources would you use? And how do you limit this effort so you're not overwhelmed? There’s got to be a better way to handle this Brian Fanny, Orbita, asks, "Vendor scope can change over time within a project or the start of another and harder to control than the initial evaluations. They start off when non-critical requirements/needs eventually grow into handing assets of greater value and/or gaining access to more critical systems. How do you keep up with vendor/project scope creep from the security sidelines?"
1/19/202133 minutes, 8 seconds
Episode Artwork

Our "Hope It Doesn't Happen to Me" Security Strategy

All links and images for this episode can be found on CISO Series https://cisoseries.com/our-hope-it-doesnt-happen-to-me-security-strategy/  We're thinking it just might be possible to wish our security problems away. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Steve Giguere, (@_SteveGiguere_) director of solution architecture and community, StackRox. Thanks to this week’s podcast sponsor, Stackrox StackRox is the industry’s first Kubernetes-native security platform that enables organizations to securely build, deploy, and run cloud-native applications anywhere. The StackRox Kubernetes Security Platform delivers lower operational cost, reduced operational risk, and greater developer productivity through a Kubernetes-native approach that supports built-in security across the entire software development lifecycle. On this week's episode That’s something I would like to avoid Security theater is a security placebo. We're being told that it's effective, and we may fool ourselves into believing it is, but the reality is there's no real security medicine there. Over on Infosecurity Magazine, Danny Bradbury has identified a few key ones I want to call out. In particular, technology buzzwords - like getting a solution with AI, data collection - more data, more insights, right?, and endless security alerts - for practitioners and end users. All of these seem to be in regular practice today. Does calling out security theater result in pushback? And if so, how do you handle calling it out and how would you shift each of these security placebos into a more medicated version? There’s got to be a better way to handle this On reddit, kautica0 asks, "If a company becomes aware of a 0-day vulnerability and it impacts their production web application serving customers, what actions should be taken? Should it even be considered an incident?" Just because it's a 0-day vulnerability does that make it more threatening than any of the known vulnerabilities? There was a lot of logical advice that was akin to how we would handle any vulnerability, but the 0-day nature had the looming feeling of this could be an incident very quickly and would require an incident response plan. "What's Worse?!" A "What's Worse?!" entry from our youngest listener. Please, enough. No, more. The topic is Kubernetes Security. We discuss what we have heard enough about when it comes to Kubernetes security and what we would like to hear more. Where does a CISO begin Is being cloud first a security strategy? Over on the UK's National Cyber Security Centre, an article argues that we should not ask if the cloud is secure, but whether it is being used securely. What does that mean? And is there an argument for and against cloud first being a valid security strategy?  
1/12/202130 minutes, 28 seconds
Episode Artwork

Hey Reseller, What's the "Value" You're Adding?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/hey-reseller-whats-the-value-youre-adding/) It seems that you're offering so much more when you add the VA ("value added") in front of your title. What is that? Why am I working with you rather than buying directly from the vendor? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Doug Cahill (@dougcahill), vp, and group director, cybersecurity, Enterprise Strategy Group. Thanks to this week’s podcast sponsor, Dtex Traditional Employee Monitoring solutions are creepy. Capturing screenshots, recording keystrokes, monitoring web browsing and following social media activities is unnecessary and damages culture. DTEX InTERCEPT is the first and only solution that delivers the real-time workforce monitoring capabilities today’s organizations need and employees will embrace. Learn more at dtexsystems.com. On this week's episode How a security vendor helped me this week From Trevor Marcatte, The SCE Group, asks a question about the "value added reseller" or VAR vs. the "large account reseller" or LAR. I'm paraphrasing, but Trevor wants to know what we're seeing as the value of this middleman. Trevor said, "Being the middle man is tough and battling the big guys is tough. CDW's, SHI's of the world. The smaller guys have so much more to offer than a price. Price is dictated by the vendor anyways." What do the smaller VARs have to offer that the larger LARs can't offer? How do you go about discovering new security solutions How do we evaluate DevSecOps solutions? Mike hates the term, so I'll say how do we evaluate solutions that will improve the security of the DevOps pipeline? GigaOM Research has a report where they evaluate these solutions, but they also have another report that goes into detail on evaluation criteria. There is a lot of criteria such as seamless integration into tools, process, and dashboards, plus role-based access controls, automation driven by policy, management of secrets, and dependency analysis. What criteria do we look at? How does it change from company to company? And how do we supplement when a solution looks great, but misses a key criteria? "What's Worse?!" A question about DevSecOps. What’s the best way to handle this? Is cloud identity management going to stick? According to David Vellante over at Wikibon and The Cube, the pandemic has forced that shift for everyone and there's probably no turning back. For cloud-first companies this was business as usual before the pandemic. But what about all the new businesses that are going to the cloud and doing business with you. It's a very broad field and there are a lot of industry players, so actually skip the obvious stuff and just mention the items that have become sticking points or are still in need of development. Is this the best solution The "X" in XDR extends traditional endpoint detection and response or EDR to also include network and cloud sensors. We talked about this on our other podcast, Defense in Depth, and one of the issues came up was the disruptive nature of XDR. How much was real. David Thomas, Computacenter, said, "The aspiration to get fully integrated insights of all your tools and create the ultimate feedback loop responsive system is a worthy aim... Current vendor XDR pitches are up selling opportunities but customers have a challenge to adopt or shift to a single vendor platform due to a vast array of displace/replace challenges. It’s a great marketing story but the pragmatic reality is it’s a tough and long journey to realise the platform / single (pain) pane promise, unless you are a greenfield organisation." Is XDR a worthy goal and what is the marketing hype buyers should question?  
1/5/202136 minutes, 55 seconds
Episode Artwork

The People Closest to You Will Hurt You

All links and images for this episode can be found on CISO Series (https://cisoseries.com/the-people-closest-to-you-will-hurt-you/) Insider threats. We know some are malicious, and sometimes it's the unwitting result of someone trying to do their job. Aren't you supposed to trust the people you hire? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Dr. Deanna Caputo, chief scientist for behavioral sciences and cyber security capabilities, senior principal behavioral psychologist for MITRE. Thanks to our sponsor, Dtex. Traditional Employee Monitoring solutions are creepy. Capturing screenshots, recording keystrokes, monitoring web browsing and following social media activities is unnecessary and damages culture. DTEX InTERCEPT is the first and only solution that delivers the real-time workforce monitoring capabilities today’s organizations need and employees will embrace. Learn more at dtexsystems.com. On this week’s episode What we've got here is failure to communicate Breaking News! The cybersecurity skills shortage is growing. The ISSA and Enterprise Strategy Group released a report claiming the reason that 70 percent of companies feel that they're at risk is because of the increased workload for cyber professionals, unfilled open job requisitions, and poor education on the relevant technologies. This discussion appeared on the cybersecurity subreddit and complaints ranged from entry level jobs asking for 3+ years experience (something we've discussed many times before), and people with many more years of experience struggling to find a job. Others who were contemplating entering cybersecurity said the discussion was turning them off from entering the field. There's supply and demand, yet there's frustration on both ends. Why aren't they connecting? What's going on?" Are we making this situation better or worse? What defines "usable security". We've discussed obvious things like trying to make it invisible to the user and just basic user experience. But what's unique to cybersecurity design that many don't consider when creating usable security. For example, for phishing there are an endless number of email programs AND we have lots of security awareness training. Could we do away with the awareness training if security was more usable? What's Worse?! Insider threats are no fun, but which one is the worst? Please, Enough. No, More. Topic is Insider Threats. What have we heard enough about with insider threats, and what would we like to hear a lot more? There’s got to be a better way to handle this What do you do after you get the certification? What are the next steps? Mo Shami reached out to me and mentioned that he was going to announce that he passed his CISSP or Certified Information Systems Security Professional exam. He wanted to share the excitement and I said when you post to LinkedIn ask everyone else what they did right after they passed. Most people ended up just saying congratulations, but a couple suggested more certifications or just research job openings (seems obvious). What should one do after you get the certification?
12/15/202035 minutes, 59 seconds
Episode Artwork

When Should You Stop Trusting Your CISO?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/when-should-you-stop-trusting-your-ciso/) How technically capable does my CISO need to be? If they lose their technical chops, should we stop trusting them? Should they even be a CISO if they had no technical chops to begin with? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is James Dolph, CISO for Guidewire Software. Thanks to our sponsor, Dtex. Traditional Employee Monitoring solutions are creepy. Capturing screenshots, recording keystrokes, monitoring web browsing and following social media activities is unnecessary and damages culture. DTEX InTERCEPT is the first and only solution that delivers the real-time workforce monitoring capabilities today’s organizations need and employees will embrace. Learn more at dtexsystems.com. On this week’s episode We mentioned past guest, Kelly Shortridge's new book with Aaron Rinehart, "Security Chaos Engineering". First 90 days of a CISO It's time for a CISO do-over. One of the great things about being a CISO is you get a chance to actually apply everything you learned from past jobs. Our guest, James, worked in product security with Salesforce before becoming a CISO. When we recorded the episode, James wasn't yet a full 90 days into his job. And Mike also came from Salesforce as well (they worked together) and working at Lyft was his first CISO job directly from Salesforce as well. Did they both have the same viewpoints of applying product security principles to the CISO role? How do you go about discovering new security solutions What criteria do you use to evaluate phishing solutions? GigaOM Research released a report earlier this year of the key criteria for evaluating phishing platforms. Some of the criteria they mentioned were phishing solutions that do and do not impede workflows, a security edge solution that's in-band vs. out-of-band, and do you need detonation chambers for potentially malicious emails. What criteria do Mike and James use to evaluate, and have they seen those criteria change from company to company? What criteria are not as important? What's Worse?! Failing as a professional or being a mediocre professional? What’s a CISO to do On Defense in Depth, my co-host Allan Alford said, "I think the lack of technical skills in a CISO is expected to a certain degree. You have to have the foundation, but I don't expect my CISOs to be rolling up their sleeves and doing a lot of the hands on work." I turned that quote into a meme image and it caused a flurry of response from the community. How much of applying of security controls that your staff currently does, could a CISO do themselves today? Let’s dig a little deeper What are our passion projects that are tangentially related to cybersecurity? Are we adopting any and how is it helping us stay mentally healthy during COVID? Tony Jarvis of Check Point brought this up. He suggested that we should be sharing our passion projects. What have been our passion projects? How have they helped our mood and our work? And have we been able to keep up with them?
12/8/202033 minutes, 44 seconds
Episode Artwork

Why Is 'Pay the Ransom' In Next Year's Budget?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/why-is-pay-the-ransom-in-next-years-budget/) With 25 percent of ransomware victims paying the ransomware, have we waved the white flag to the attackers? Should we just budget for it? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Les McCollum (@doinmorewithles), managing vp, CISO, ICMA-RC. Thanks to our sponsor, BitSight. BitSight is the most widely used Security Ratings service with a mission to change the way the world addresses cyber risk. Learn how BitSight for Third-Party Risk Management helps you efficiently mitigate the growing risk across your vendor ecosystem by taking an automated, data-driven approach. On this week’s episode Why is everybody talking about this now Are culture fit and diversity mutually exclusive? Allan Alford, co-host of Defense in Depth podcast, brought up the conversation of needing diversity in all areas: age, gender, ethnicity, city vs. country, country of origin, military vs. civilian, college educated vs. self-taught, socioeconomic status, and disabilities. But at the same time, I'm thinking we NEVER see those types of groups hanging out together or getting along. So how do you create a culturally sane group among such a diverse group? People are tribal by nature and even if you're successful creating diversity on your team they're going to bond with people of similar types. Won't this introduce new problems? If you haven’t made this mistake you’re not in security At the end of the year when you look at your security budget, what are the costs you didn't expect or budget appropriately at the beginning of the year? On CSO Online, John Edwards has an article about seven overlooked cybersecurity costs that may bust your budget. He mentioned items such as staff acquisition and retention, incident response, third-party analysis, and replacement costs. What has been a surprise for you and has adjusting things for the next year helped, or is there always a surprise? Which is the one everyone should prepare for but they don't? More bad security advice Over a quarter of companies that fall victim to ransomware, pay the ransom, according to a study by Crowdstrike. In a discussion thread on reddit, user yourdigitalmind said they had a client who remarked, "WHEN we get hit, it will force us to start doing things right, but right now, it's cheaper'" So he's accepted being hit by ransomware is inevitable. That falls in line with Crowdstrike's study that found after a ransomware attack 75 percent of the victims do increase their security spend on tools and hiring. Humor for me a moment. Most of us do not want to pay the ransom, but sometimes you can't think of the greater good and you have to think of the survival of the business. Is this where I should put my marketing dollars? What types of vendor stories do you respond to? I bring this up because Mike O'Toole, president of PJA Advertising wrote a great piece about how to build a cybersecurity brand story. In the article, he offers up some really good advice such as "Position yourself against the category, not just your direct competitors," "Fear gets attention, but opportunity can drive purchase behavior," and "The strongest brand stories are about market change." Which advice most resonates with how you're pitched, and can you think of either a customer story or offering that you overheard that pushed you into exploring a vendor's solution?
12/1/202034 minutes, 19 seconds
Episode Artwork

We're 90% Confident We've Lost All Confidence

All links and images for this episode can be found on CISO Series (https://cisoseries.com/were-90-confident-weve-lost-all-confidence/) I don't think we're doing enough to protect ourselves against cyberattacks and I'm also pretty sure we're clueless as to what our third party vendors are doing. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Stephen Boyer (@swboyer), co-founder and CTO, BitSight. Thanks to our sponsor, BitSight. BitSight is the most widely used Security Ratings service with a mission to change the way the world addresses cyber risk. Learn how BitSight for Third-Party Risk Management helps you efficiently mitigate the growing risk across your vendor ecosystem by taking an automated, data-driven approach. On this week’s episode There’s got to be a better way to handle this How confident are your employees in your cybersecurity efforts? And how does employee confidence affect corporate security? Tip of the hat to Tor Swanson of Premier IT for posting this survey from Nulab. The survey found that employees felt that their company's ability to secure digital data was a major to moderate problem. That percentage jumped up dramatically for companies with less than 100 employees. In addition, employees don't feel they're being heard with their cybersecurity concerns. For companies with less than 50 employees, 44 percent felt their employers were slightly or not at all responsive. Perception is a huge part of successful cybersecurity. If you were to let these perceptions continue, how does it affect your overall security program? Question for the board Ross Young, CISO, Caterpillar Financial Services asked, "What are the cyber metrics that should be reported to the board each month or quarter? Is this standardized (example does the financial industry say we want these five metrics), and where would you go to see how you benchmark against the industry?" I'll skip to one important metric we've mentioned on this show multiple times and that's "dwell time" or the time between an incident happening, discovering it, and then remediating it. How do you go about finding benchmarks, and what other metrics tell a good story to the board so they can better wrap their heads around the security program's effectiveness? What's Worse?! Third party issues? We've got 'em. Please, Enough. No, More. Topic is third party risk management. What have we heard enough about third party risk management, and what would we like to hear a lot more? Close your eyes and visualize the perfect engagement We're all getting bombarded with virtual events. Interested to know what virtual events have you attended that you've really enjoyed. Also, what virtual events are the most engaging where you find yourself NOT multi-tasking while watching. Plus, what does a virtual event need to offer for you to take time out in your day to attend?
11/24/202035 minutes, 28 seconds
Episode Artwork

Networks Wobble But They Don't Fall Down

All links and images for this episode can be found on CISO Series (https://cisoseries.com/networks-wobble-but-they-dont-fall-down/) Eager cyberprofessional looking to really impress a CISO? Create a home network lab and show how you can handle incidents on that network without shutting it down. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Steve Zalewski, deputy CISO, Levi Strauss. Thanks to our sponsor, BitSight. BitSight is the most widely used Security Ratings service with a mission to change the way the world addresses cyber risk. Learn how BitSight for Third-Party Risk Management helps you efficiently mitigate the growing risk across your vendor ecosystem by taking an automated, data-driven approach. On this week’s episode Why is everybody talking about this now Following the horrible terrorist attack in Vienna, the EU has proposed a ban on encryption, requiring companies like WhatsApp and Signal to provide backdoor keys to decipher their end-to-end encryption. It's questionable whether this attack could have been thwarted had the data they couldn't see been read, but regardless, it appears this ban is going to be approved. As you might imagine, the cybersecurity community blew up... on reddit. This is obviously a complicated and thorny issue. What's at play here are authorities being blocked from doing their job because of technology. The loss of human life. And the loss of democratized privacy. Are there any checks and balances that can provide some benefit to any side of this equation? What would you advise? On a previous episode Mike mentioned that if you're an aspiring cybersecurity professional, one way to really impress a CISO is to setup a network and show how you can deal with incidents without taking down the network. I get Mike to talk specifics of that. What if he was in the shoes of that aspiring cyberprofessional. If he were to set one up, what would it have on it and how would he do it? "What's Worse?!" Do you need experience or communications? Close your eyes and visualize the perfect engagement On CSO Online, Jaikumar Vijayan wrote a best practices guide to negotiating SaaS contracts for risk and security. It's a good primer. He mentioned know your risks, state what's non-negotiable, insist on early breach notifications, and be clear on terms for termination. What is the most important concern when negotiating a SaaS contract, and what has been the most difficult to manage? "What Is It and Why Do I Care?" The panoply of security products is very confusing. There are so many product categories and then there are so many companies delivering solutions for all these categories. As a security vendor, how do you know if your pitch is landing with CISOs? That's why we play "What Is It and Why Do I Care?" I ask vendor listeners to submit to our game which you can find under the Participate menu option and then "Challenge Us". Today's category is penetration testing. We have four challengers. First, I will read four 25-word descriptions from four unnamed security vendors. That's our "What Is It?". Then I will read four 25-word differentiators from the same unnamed vendors. That's the "Why Do I Care?" It's up to our CISOs to pick their favorite. At the end I will announce the winners, and only the winners. Losers are not announced. YES, it's the only risk-free opportunity in cybersecurity. Ready to play? Submit your pitches to "What Is It and Why Do I Care?" I'm looking for vendors in the following categories to submit: Data loss prevention, human-layer security, MSSPs, third party vendor assessment, and managed detection and response.
11/17/202037 minutes, 25 seconds
Episode Artwork

Why Don't Cybercriminals Attack When It's Convenient for Me?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/why-dont-cybercriminals-attack-when-its-convenient-for-me/) Hey cybercrooks, I've got a really great weekend planned, so could you do us all a favor and cool it this Friday and just let all of us enjoy the weekend? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Margarita Rivera, vp of information security, LMC. Thanks to our sponsor, Netskope. The Netskope security cloud provides unrivaled visibility and real-time data and threat protection when accessing cloud services, websites, and private apps from anywhere, on any device. Only Netskope understands the cloud and takes a data-centric approach that empowers security teams with the right balance of protection and speed they need to secure their digital transformation journey. On this week’s episode Is this the best solution? Geoff Belknap, CISO, LinkedIn asks, "If you could only buy one off the shelf security tool / product. What would it be and why?" Here’s some surprising research We've discussed a lot of how COVID is changing security. Well Eli Migdal, CEO of Boardish sent me some interesting research his company conducted regarding the last six months since the start of COVID. According to Boardish's report the top three threats now are: Immobility (not being able to work remotely) Ransomware Accidental Sharing And the top 3 solutions now are: User Awareness training Remote conferencing IAM (identity access management) Solutions Does this track with your current threats and solutions? What's Worse?! Two guaranteed bad things will happen. But one will cost far more damage. Which one? Pay attention. It’s security awareness training time. Jackson Muhiwre, deputy CISO at UC Davis said his cyber team "Are now extra vigilant on Fridays or call it the new Monday for cyber folks." The reason for this increased awareness is the number of cyber incidents that happen on a Friday or just before a holiday seems to go up. Past cyber incidents seem to show that pattern said Muhiwre who believes that malicious hackers know that users have their guard down at these times and it's the easiest time to attack. Are our CISOs of similar thinking and if so how do they prepare/warn/keep staff vigilant? What can be done on top of your existing protections if your staff lets its guard down? What’s the best way to handle this? On LinkedIn, Caitlin Oriel, wrote a very emotional post about her being unemployed for six months and how the non-stop stream of rejection has become overwhelming. The community response was equally overwhelming with nearly 80,000 reactions and 7,500 comments. Caitlin works in tech, not cyber, but the post was universal. The feelings she expressed about being rejected continuously and ghosted by companies left her sobbing in her car. All of this rejection made her question if she's doing the right thing and where she belongs. I have been in this position myself, as have my friends and family. I wish I knew the right things to say to someone or how to keep them moving. What are positive ways to combat ongoing rejection and get a sense you're still heading in the right direction?
11/10/202034 minutes, 36 seconds
Episode Artwork

Archaeologists Dig Up the Remains of An Optimistic CISO

All links and images for this episode can be found on CISO Series (https://cisoseries.com/archaeologists-dig-up-the-remains-of-an-optimistic-ciso/) It it believed that in ancient times cybersecurity was successfully fought with a glass half full approach. Today's pessimistic CISOs have yet to confirm the findings. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is George Finney (@wellawaresecure), CISO, Southern Methodist University and author of "Well Aware: The Nine Cybersecurity Habits to Protect Your Future". Thanks to our sponsor, Netskope. The Netskope security cloud provides unrivaled visibility and real-time data and threat protection when accessing cloud services, websites, and private apps from anywhere, on any device. Only Netskope understands the cloud and takes a data-centric approach that empowers security teams with the right balance of protection and speed they need to secure their digital transformation journey. On this week's episode Vendors have questions our CISOs have answers Neil Saltman of Anomali runs a CISO meetup group and he asks, "A common topic is CISOs going back to platform vendors versus best of breed because they are overwhelmed. When do you buy best of breed vs. just add it to the stack from Microsoft or other large vendors… When I worked at Bromium I had a CISO tell me 'I’ll buy your product when Microsoft buys you.'" Mike Johnson leans more to best-of-breed or in some cases build it yourself. Can Mike sympathize with these other CISOs and what would his situation have to be to make a platform play? What I learned from a CISO One of the main tenets of George's new book, "Well Aware: The Nine Cybersecurity Habits to Protect Your Future" is that optimists outperform pessimists in productivity, wealth, and longevity. The "Department of No" cybersecurity people are just hurting themselves. You argue that the more positive attitude can be garnered by learning from people who have successfully protected their communities. What are examples of watching another's success, and what can you learn? What's Worse?! Both are going to cause problems. It's tough to say which one's worse. It's time for "Ask a CISO" We've got a request for career advice, from an anonymous listener. We'll call him Steve. Steve has been with his company 14 years and they were recently acquired and the new company was calling the shots. After the acquisition, the CISO and Steve were working on bringing the merged companies up to compliance standards and dealing with audits: SOC 2, Sarbanes-Oxley, PCI, etc. CISO was planning on leaving the company in 2021 and grooming Steve to replace him. Then COVID hit and the company gave the CISO a beautiful severance package leaving Steve with all the CISO's responsibilities, but not the title change or salary. Steve asked the CIO about plans to replace the CISO and the CIO said Steve could apply once the position was announced. That was 5 months ago. Steve likes his job and the people he's working with but he's frustrated with no clear vision of future plans. We offer up some advice for Steve. What’s the best way to handle this Can we opt-in to cybersecurity awareness? At one of our live shows I asked the audience, "Who has gone through security awareness training?" Every hand went up with a loud audible groan. Most of us would like to opt-out of this mandated training. What if our coworkers could be enticed to opt-in? It's the end of cybersecurity awareness month. What have you done or seen others do that's actually worked? And now the far trickier question, what has worked over a long time?
10/27/202035 minutes, 11 seconds
Episode Artwork

Can a Robot Be Concerned About Your Privacy?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/can-a-robot-be-concerned-about-your-privacy/) I want AI to be efficient, but I also want my space. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Rebecca Weekly (@rebeccalipon), senior director of hyperscale strategy and execution, senior principal engineer, Intel. Thanks to this week's podcast sponsor, Intel. Intel’s new suite of security features in the upcoming Xeon Scalable platform improves data confidentiality and integrity in a world that increasingly relies on it. Features like Intel SGX further enable confidential computing scenarios — crucial for organizations in regulated industries to meet growing security requirements and protect sensitive data. On this week's episode Why is everybody talking about this now "The lack of women in cybersecurity leaves the online world at greater risk," stated Naomi Schalit of The Conversation. Mollie Chard of Capgemini shared the article that generated a lot of conversation. Naomi hit many issues we've discussed before like diversity offers different viewpoints, which is critical for building a cybersecurity program. I would like to focus on the dynamic of the security team. I've been in testosterone-fueled environments and things change dramatically when just one woman enters the room. And it changes even more when there are more women. What is that dynamic, why is it valuable, and what's the danger of the all-male environment? Well that didn’t work out the way we expected At the end of every show I ask our guests, "Are you hiring?" And prior to COVID, almost everyone said desperately, "YES, we're hiring." That has changed dramatically for the worse since COVID started. Emma Brighton has a story on InfoSecurity Magazine about the real shortage that's happening. Problems she points to are the need to secure more communications channels, security people being offloaded to do IT support, and the competition for skilled talent. What is COVID doing to our security environment and our staff? What's Worse?! Everyone in the loop or out of the loop? Please, Enough. No, More. Today's topic is security on the chipset. We have never talked about this on the show, but now we've got someone from Intel and it seemed appropriate now would be the time to do just that. What have we heard enough about chip-level security, and what would we like to hear a lot more? Are we having communication issues Will the fight to maintain privacy always be in conflict? The people who collect data always want more information so they can get greater insights. Outside of regulations, they have no incentive to maintain privacy. As we're collecting more and more information automatically and artificial intelligence systems are making decisions for us, can AI systems be made privacy aware while still being effective at gaining insights? What would that even look like?
10/20/202034 minutes, 11 seconds
Episode Artwork

BONUS EPISODE: Innovators Spotlight

All links and images for this episode can be found on CISO Series (https://cisoseries.com/bonus-episode:-innovators-spotlight/) What makes a security solution innovative? Where do you think security desperately needs innovation? And what do you look for in a security vendor's presentation? On this very special bonus episode of CISO/Security Vendor Relationship Podcast, I invite two special guests, David Tyburski, CISO, Wynn Resorts and Matt Crouse (@mattcrouse), CISO, Taco Bell to answer that very question AND determine if any of the three competing security vendors during the Evanta 2020 Global CISO Virtual Executive Summit were in fact innovative. Our three competitors (and also sponsors) were: John Worrall (@jworrall), CEO, ZeroNorth Nick Halsey (@nickhalsey), CEO, Okera Demetrios Lazarikos, CEO and co-founder, Blue Lava Thanks to these sponsors and Evanta for their support on this episode.
10/18/202032 minutes, 16 seconds
Episode Artwork

A Phish So Insidious You Can't Help But Be Jealous

All links and images for this episode can be found on CISO Series (https://cisoseries.com/a-phish-so-insidious-you-cant-help-but-be-jealous/) Wait, that's a phish even I'd fall for. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Matt Crouse, CISO, Taco Bell. Huge thanks to our sponsor, CloudKnox. CloudKnox Security is the market leader within Gartner’s newly defined Cloud Infrastructure Entitlement Management (CIEM) segment. CloudKnox transforms how organizations implement the principle of least privilege in the cloud and empowers security teams to proactively address accidental and malicious credential misuse by continuously detecting and mitigating insider risks. On this week's episode Here’s some surprising research Here's a depressing statistic. Ninety four percent of security and business leaders say they've suffered "one or more business-impacting cyberattacks in the last year — that is, an attack resulting in a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property." This according to a Forrester Consulting study sponsored by Tenable. Do we accept the sobering fact that a business-impacting cyberattack is an annual inevitability? And if so, what percentage of a CISO's job is putting systems in place to minimize damage, and what are ways you do that? If you're not paranoid yet here’s your chance Get ready for a really nasty phishing attack. Craig Hays, bug bounty hunter particularly interested in phishing, tells a story of a wormable phish that after taking over one user's email account began to reply to legitimate email threads from that account. The phisher would actually read the thread and create a relevant response, but with a phishing link which would then compromise another user's email account in the same way. And the phisher would repeat the process from yet another account, causing this wormable phish to spread not just through the initially targeted company, but through their partners, suppliers, and their partners and suppliers. At the time Craig's company didn't have multi-factor authentication (MFA) implemented to which Craig realizes that would stop such an attack. Yet, in the end he was very impressed with this type of attack because it has so many indicators of legitimacy. Have we experienced a similar attack and/or do we have a "favorite" phishing attack in terms of its effectiveness? What's Worse?! Audit season is about to begin. What would you advise? On the Cybersecurity subreddit, GenoSecurity asks, "What types of projects would look good on a resume since I have no work experience. I am also open to projects that might not look as good but are good for beginners since I’m currently working on my Net+ cert." Close your eyes and visualize the perfect engagement Last Friday we had an online after party using a new tool called Toucan which simulates a real party in a virtual setting. We've also used a platform called Icebreaker that allows for one-on-one random meetups. And last week I participated in a table top cyberthreat exercise with Bruce Potter of Expel and Shmoocon that ran like a Dungeons and Dragons role playing game. All were fun and had their value. Since the launch of the pandemic, how have we been able to socialize and stay connected in fun and unique ways?
10/13/202033 minutes, 39 seconds
Episode Artwork

Whether It's Vulnerabilities or Children, We Like to Pick Favorites

All links and images for this episode can be found on CISO Series (https://cisoseries.com/whether-its-vulnerabilities-or-children-we-like-to-pick-favorites/) While you do have to claim all of your vulnerabilities and your children, you don't have to like all of them. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Ben Sapiro, global CISO, Great-West LifeCo. HUGE thanks to our sponsor, Kenna Security. With Kenna Security, companies efficiently manage the right level of risk for their business. Our Modern Vulnerability Management model eliminates the friction between Security and IT teams about what to patch, providing clear prioritization based on real-time threat intelligence and guidance applied to each customer’s unique environment across infrastructure, applications and IoT. On this week's episode Why is everybody talking about this now Do you have a clear overall picture of how you're protecting your environment? The Cyber Defense Matrix, an open source tool created by Sounil Yu, a former guest, offers a simple five-by-five grid with the x-axis being the five operational functions of the NIST Cybersecurity Framework and the Y-axis are the five asset classes cyber professionals are trying to secure (devices, applications, networks, data, users). The idea is you are supposed to fill in all 25 squares as best as possible to see where you might have gaps in your security program. Ross Young, CISO, Caterpillar Financial Services Corporation, and a recent guest on this show, has adapted the matrix, by changing the Y-axis to four risks of phishing, ransomware, web app attacks, third party risks. So what's a better way of building out at your security program: by the assets that you're trying to protect or the risks that you're facing? What are the pros and cons of each method? Can you change Mike's mind On a previous show Mike said he is NOT a fan of security through obscurity. Utku Sen of HackerOne argues that security through obscurity is underrated. His argument was that adding "obscurity" is often costless and it adds another layer in your defense in depth program. It is far from bulletproof, but obscurity reduces the likelihood which lowers your overall risk. Examples he included were obfuscating your code in your program, and/or using random variables in the code. Can we change Mike's mind? Is there a level of security through obscurity he has deployed and/or would consider? What's Worse?! What's better? Good and bad data or no data? Please, enough! No, more. Today's topic is vulnerability management, or specifically, vulnerability remediation. What have you heard enough of on vulnerability management, and what would you like to hear a lot more? Question for the board What misconceptions does the board have of the role of the CISO? On LinkedIn, Amar Singh of Cyber Management Alliance Limited, listed off what the CISO is and, isn't, and what inappropriate demands are made on them. He said the CISO is -NOT a super-being or a magician -NOT there to fix IT blunders -NOT the only guardian of the realm -Unable to STOP all cyber-attacks. -NOT a scapegoat/sacrificial lamb -NOT accountable but responsible We often get the sense that CISOs do play these roles as they come in and out. What can be done to temper these beliefs? "
10/6/202041 minutes, 1 second
Episode Artwork

I Want to, but... I Just Can't Trust Your Single Pane of Glass

All links and images for this episode can be found on CISO Series (https://cisoseries.com/i-want-to-but-i-just-cant-trust-your-single-pane-of-glass/) I've already got a view into my company's security. It's going to take a lot to get me to to dump it for your solution. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Joshua Scott (@joshuascott94), former CISO, Realtor.com. HUGE thanks to our sponsor, Kenna Security. With Kenna Security, companies efficiently manage the right level of risk for their business. Our Modern Vulnerability Management model eliminates the friction between Security and IT teams about what to patch, providing clear prioritization based on real-time threat intelligence and guidance applied to each customer’s unique environment across infrastructure, applications and IoT. On this week's episode First 90 days of a CISO How do you define the likelihood of impact? Yaron Levi, CISO, Blue Cross Blue Shield of Kansas City, shared an article by Brian Spanswick of Splunk who discussed this process of building out a company's security program, and that mission should be "mitigate the likelihood and potential business impact of a breach while supporting an organization's strategic goals and business objectives." Our guest was Realtor.com's first CISO. He built their cybersecurity program from scratch. We talked about how he reduced impact while staying keen to the organization's objectives. How do you go about discovering new security solutions In the last three years, where have our guests successfully innovated in cybersecurity? Why did they do it? And where do they think they need the next innovation? What's Worse?! How much battle damage do you want your CISO to have? Can you change Mike's mind Mike inspired me to ask this question on Twitter, "What would a single pane of glass need to have for you to dump your current pane of glass?" This was has major argument that each single pane of glass requires him to dump his current one. The question is what type of mountain does a security vendor need to climb for him to unload his current view of his security program. What Is It and Why Do I Care? Today's topic is threat detection and I'm a little loose on this as I got slight variations on threat detection from insider threats, to SIEM, to just threat detection. I'm lumping them all into the umbrella of threat detection, but it'll be obvious which is which. Vendors send various pitches explaining their category and also explaining what differentiates them. Mike and our guest will determine which is the best and from that and I will announce the winners, but only the winners.
9/29/202038 minutes, 5 seconds
Episode Artwork

Security Is Suffering From DevOps FOMO

All links and images for this episode can be found on CISO Series (https://cisoseries.com/security-is-suffering-from-devops-fomo/) Darn it. DevOps is having this awesome successful party and we want in! We've tried inserting ourselves in the middle (DevSecOps) and we launched a pre-party (shift left), but they still don't like us. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Dayo Adetoye (@dayoadetoye), senior manager - security architecture and engineering, Mimecast. Thanks to our sponsor, Capsule8. Capsule8 is defining modern enterprise protection by providing detection and response for Linux infrastructure in any environment. Capsule8 provides host-based detection and investigatory data for incident response with on-going support. Unlike anyone else, Capsule8 mitigates the financial, scalability and reliability limitations of protecting your Linux infrastructure. On this week’s episode Are we making the situation better or worse? What makes a successful phish? On Sophos' blog Paul Ducklin writes about their most successful phishing emails. Ducklin noted that most of the successful phishes dealt with mundane and undramatic issues that still had a sense of importance. Looking at these examples they do seem to follow a similar pattern of something looking official that is being requested from the company and could you click here to check it out. Is that the majority of what you're testing? If so, what exactly is the value in conducting phishing tests on employees? Can the testing have a negative effect in security or even morale? There’s got to be a better way to handle this What is the right approach to threat modeling? In a blog post, Chris Romeo of Security Journey opines that formal training or tools won't work. Security needs to ask questions of developers about features and then show them how a threat evolves, thus allowing them to ultimately do it themselves. Adam Shostack of Shostack and Associates advocates for formal training. He says Romeo's informal approach to threat modeling sounds attractive, but doesn't work because you're trying to scale threat modeling across developers and if you tell one developer the information it's going to be passed down like a game of telephone where each successive person tells a distorted version of what the last person said. So what's the right approach to building threat models across a DevOps environment? What's Worse?! What's the worst place to find your company assets? Close your eyes and visualize the perfect engagement Shifting Left. DevSecOps, These are the mechanisms that have been used to infuse security into the DevOps supply chain. While noble, both concepts break the philosophy and structure of DevOps which is based on automation, speed, and delivery. But, DevOps is also about delivering quality. So rather than inserting themselves, how does security participate in a way that DevOps already loves? If you haven’t made this mistake, you’re not in security On AskNetSec on reddit, Triffid-oil asked, "What was something that you spent effort learning and later realized that it was never going to be useful?" And let me add to that, it's something either someone told you or you believed for some reason it was critical for your cybersecurity education and you later realized it wasn't valuable at all.
9/22/202033 minutes, 28 seconds
Episode Artwork

Enjoying My Blissful Ignorance of Cyber Vulnerabilities

All links and images for this episode can be found on CISO Series (https://cisoseries.com/enjoying-my-blissful-ignorance-of-cyber-vulnerabilities/) What keeps me up at night? Nothing! That's because I hold onto cybersecurity myths because it makes me believe I don't have a security problem. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Dustin Wilcox, CISO, Anthem. Thanks to our sponsor, Capsule8 Capsule8 is defining modern enterprise protection by providing detection and response for Linux infrastructure in any environment. Capsule8 provides host-based detection and investigatory data for incident response with on-going support. Unlike anyone else, Capsule8 mitigates the financial, scalability and reliability limitations of protecting your Linux infrastructure. On this week’s episode Why is everybody talking about this now Kris Rides of Tiro Security asks, "When writing a job description in cybersecurity, what's your process?" What in the job description is most important that you want potential candidates to know? And do you have any universal requirements of all candidates? Is this a cyber security disinformation campaign? Stuart Mitchell of Stott and May posted an article from FoxNews on cybersecurity myths, such as I don't have anything worth protecting, I will know when something bad happens. From this list, or possibly another myth, which one do you think is the most damaging? What's Worse?! Public or government interference? There’s got to be a better way to handle this Why are InfoSec professionals still struggling to secure their cloud environments? According to a study by Dimension Research, sponsored by Tripwire, 76 percent admit to having trouble. And only 21 percent they're assessing their overall cloud security posture in real time or near real time. What are the quarter of security professionals doing who are not struggling with securing the cloud? Close your eyes and visualize the perfect engagement Do we need more cybersecurity professionals, or do we just need our general workforce to be more cybersecurity minded? Phil Venables, Board Director - Goldman Sachs Bank, makes a good argument for the latter. Mike has mentioned that when he can make cybersecurity personal, like offering employees a password manager, they start to see the value. Assuming making security personal is the best tactic, what is the ripple effect of that? How do they approach security at your business and how do the efforts of the security team change?
9/15/202035 minutes, 46 seconds
Episode Artwork

Tell Me We're Secure So I Can Go Back to Ignoring Security

All links and images for this episode can be found on CISO Series (https://cisoseries.com/tell-me-were-secure-so-i-can-go-back-to-ignoring-security/) I don't know anything about our state of security. I don't want to know either. But I do want to know you know about security and there's nothing I have to worry about. You can do that, right? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Dan Walsh, CISO, Rally Health. Thanks to our sponsor, Capsule8. Capsule8 is defining modern enterprise protection by providing detection and response for Linux infrastructure in any environment. Capsule8 provides host-based detection and investigatory data for incident response with on-going support. Unlike anyone else, Capsule8 mitigates the financial, scalability and reliability limitations of protecting your Linux infrastructure. On this week's episode Why is everybody talking about this now How do you respond to "Are we secure?" It's a loaded question that we've addressed previously. Daniel Hooper, CISO, Varo Money brought up this topic again that caused a flurry of discussion on LinkedIn. In the past Mike has mentioned that he talks about the state of his security program and where it's heading. The core of this question is anxiety about something a non-security person doesn't understand. How does a security leader break down this question into small parts, and what question should a CEO be asking if not "Are we secure?" There’s got to be a better way to handle this The engineering team at Rally Health is around 800 and our guest Dan has a security team of 30+ of which only 5 of them are application security people. Those five are definitely going to need some help if they're going to have an impact on how secure the applications are. I ask Dan Walsh what he's doing with the engineers that's turning them into application security force multipliers. What's Worse?! How damaging is a bad reputation? What do you think of this vendor marketing tactic? CISOs have ways to retalilate against aggressive sales tactics. George Finney, CISO at Southern Methodist University told a story on LinkedIn about an unsolicited sales invite that was sent to 65 people at his school. He blocked the email. He asked the community if that was too harsh. Similarly Steve Zalewski, deputy CISO of Levi's said if he sees aggressive tactics by a company, the security team has the ability to block the whole domain from their servers. Are these tactics too harsh? Have Mike and our guest taken similar tactics, and/or is there something else they do in response to extremely aggressive sales tactics? If you haven’t made this mistake, you’re not in security How prepared do you need to handle your next cyber job? A question was asked on reddit from someone who wasn't sure they should take a job because they didn't have all the skills to do the job. Most people just said, "Do it." How would Mike and our guest answer this question as an employee and a manager. What level of unpreparedness for a job is acceptable and possibly even exciting? Could too much result in imposter syndrome?
9/8/202033 minutes, 34 seconds
Episode Artwork

Request a Demo of Our Inability to Post a Demo

All links and images for this episode can be found on CISO Series (https://cisoseries.com/request-a-demo-of-our-inability-to-post-a-demo/) It's really easy to include "Request a Demo" button on our site. But potential buyers would actually like to just watch a demo on our site. Should we actually expend just a little more effort to record a demo and upload it to our site? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Ross Young, CISO, Caterpillar Financial Services Corporation. Thanks to our sponsor, Kenna Security. With Kenna Security, companies efficiently manage the right level of risk for their business. Our Modern Vulnerability Management model eliminates the friction between Security and IT teams about what to patch, providing clear prioritization based on real-time threat intelligence and guidance applied to each customer’s unique environment across infrastructure, applications and IoT. On this week's episode Why is everybody talking about this now? Our guest posted about the 10+ daily product pitches he receives and he suggested that vendors place a product demo on their site. It just so happens, I also posted about this on LinkedIn. I am astonished that not every vendor spends their first marketing dollars on creating a product demo and posting that video. If a security practitioner is interested in a company, how do they begin their research? What do they look for? Do they watch product demo videos? Do they click the "request a demo" button? First 90 Days of a CISO Our guest shared a study from PWC that points out what management thinks are the most important roles for a CISO. Eighty four percent considered the ability to educate and collaborate across the business was critical making it the top most skill they look for in a CISO. At the same time, it appears investing in a talent management program for leadership was the least important with only 22 percent responding. What I read from this is management wants you to lead, and get the whole company on board, but do it alone. Plus, they expect you to be a perfect cybersecurity leader out of the box. Is that feasible? Is this why we're having so much burnout of CISOs? It's not just the pressure of protecting, but taking on all leadership responsibilities with no ongoing support? What's Worse?! How are you advertising for new hires? There’s got to be a better way to handle this Turns out half of employees are cutting corners on security when working from home. This includes using home computers for corporate work, emailing sensitive documents from personal accounts. It's not malicious, but the distractions of work from home life and demands to deliver quickly are forcing employees to take the less secure route. Also, being away from the watchful IT and security gives them the breathing room to be less careful. Tip of the hat to Gina Yacone of Agio for posting this article from ZDnet about Tessian's work from home study. How can security leaders stay in contact with employees so they don't stray? How CISOs are digesting the latest security news What makes a security podcast valuable? What elements does a cybersecurity podcast need to have for you to say to yourself, "I'm glad I spent the time listening to that"?
9/1/202034 minutes, 33 seconds
Episode Artwork

The "Do What We Tell You" Technique Isn't Working

All links and images for this episode can be found on CISO Series (https://cisoseries.com/the-do-what-we-tell-you-technique-isnt-working/) We've yelled, we've screamed, we've complained, and we've whined. Those darn users simply don't do what they tell them to do. I guess we're going to have to give empathy a try. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Michelle Valdez (@scauzim), CISO, OneMain Financial. Thanks to this week’s podcast sponsor, PlexTrac. PlexTrac is a revolutionary, yet simple, cybersecurity platform that centralizes all security assessments, penetration test reports, audit findings, and vulnerabilities into a single location. PlexTrac vastly improves the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize important analytics, and collaborate on remediation in real-time. On this week's episode Why is everybody talking about this now Why hasn't COVID spurned more disaster recovery and business continuity planning roles? This is what Stuart Mitchell, a recruiter at Stott and May, noticed. Obviously, he's not getting that much demand. The community says it's assumed already into many roles. I have to think BCP and DR are everyone's responsibility. If that's the case, has BCP and DR planning increased during this time? Why or why not? How to become CISO Are two CISOs better than one? Our guest mentioned that her company has split the CISO role. One, the head of tech, reports to the CTO and the other, our guest's role, CISO and head of cyber risk reports to the chief risk officer. How exactly does this work? And what does our guest believe are the pros and cons of splitting the CISO role this way? What's Worse?! This time, no matter what the answer, everyone's going to get in trouble. And now for a little security philosophy Chad Loder, Habitu8, said, "Us InfoSec experts spend too much time asking 'How do we get users to care more about security?' and not enough time asking 'How do we get security to care more about users?'" So I asked my host and guest that question, and more importantly, how has that learning about users improved their security team and overall security? First 90 days of a CISO William Birchett, CIO of Required Team Gear, asked, "When you start, how much do you know of what security posture you've inherited?" We've talked about this before, but I want you to answer in reflection. What were the biggest surprises (positive or negative) between what you knew starting out and what you discovered after 90 days on the job?
8/25/202034 minutes, 38 seconds
Episode Artwork

Set It. Forget It. Reset It. Repeat.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/set-it-forget-it-reset-it-repeat/) As long as you reset it and repeat, everything in cybersecurity is "set it and forget it". This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Brett Conlon (@DecideSecurity), CISO, Edelman Financial Engines. Check out Tricia Howard's dramatic readings of cold emails. Our Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner’s control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com. On this week's episode Why is everybody talking about this now On LinkedIn and on Twitter, I asked "Is there anything in cybersecurity that's 'set it and forget it'?" There were plenty of funny answers like "Passwords" and the "Off" switch. But there were some interesting answers like whitelists from Brian Haugli of Sidechannel security and ethics from Stephen Gill of Russel Holdings. So many treat security as "set it and forget it" but we know that's a path to insecurity. Regardless, is there ANYTHING in security we can set and forget? Question for the board Our guest claims he's got an awesome board. I don't think we've ever heard that on our show. In most cases there's either fear of the board or the CISO doesn't even get direct conversation with the board. I asked our guest what is it about his board that's so awesome and what tips could he give to CISOs to move their board into that territory? What's Worse?! Who is going to handle physical assets the worst? If you haven’t made this mistake, you’re not in security Alexander Rabke, Splunk, asked, "How should sales people handle situations when, in fact, you are a security company with a security vulnerability (he also talked about a product not working) - what do you tell customers. How do you like to see this handled by the vendor?" I know a first response is to be honest, but they want to hold onto your business. What's a way salespeople could go about doing that? What do you think of this pitch? We're not talking vendor pitches in this segment. We're talking candidate pitches. Gary Hayslip, CISO, Softbank Investment Advisers and former guest on this show has an article on Peerlyst, a platform which is unfortunately going away, about finding your first job in security. Hayslip's first tip asks, "What information do you have?" Researching yourself is good advice, but I want to extend that to a question that I think puts you ahead of the pack and ask, "What's your unfair advantage?" It's a question that I heard investor Chris Sacca ask startups and I think it can also apply to individuals applying for jobs. Agree? If so, what are some good unfair advantages from candidates that have put them over the top?
8/18/202033 minutes, 10 seconds
Episode Artwork

I Need Resources to Free Up My Resources

All links and images for this episode can be found on CISO Series (https://cisoseries.com/i-need-resources-to-free-up-my-resources) Automation sounds wonderful and I'd love to have some free time, but geez, who do I need to hire to make that happen? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Aaron Ansari (@theanswar), VP, Cloud One, Trend Micro. Thanks to this week's podcast sponsor Trend Micro. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. On this week's episode There’s got to be a better way to handle this How well has the cybersecurity automation gambit played itself out? Last year, Ericka Chickowski wrote a piece on Dark Reading about the cybersecurity automation paradox. She said that "security teams find that a lack of automation expertise keeps them from getting the most out of cybersecurity automation." According to a Ponemon study, that accounts for 56% of organizations. That's the number one obstacle. It's more than legacy IT challenges, lack of budget, and interoperability issues. 40% of respondents say they'll need to hire more people to support security automation. Everyone speaks of wanting automation, but is it more of an aspiration and a marketing pitch? Has it specifically alleviated any pain over the past year. And if so, what? What annoys a CISO? For my co-host MIke Johnson, the annoyance is the "single panes of glass" that so many security vendors offer. Our guest, Aaron Ansari is ready to challenge Mike on his grand distaste for "the single pane of glass" as the window to your security status/infrastructure/whatever you like it to be. "What's Worse?!" What's worse, failure but honesty, or success and deception? Please, Enough. No, More. Topic is "cloud configuration." What have we heard enough about with cloud configuration, and what would we like to hear a lot more? Ummm. Maybe you shouldn’t have done that We're talking about vendor lock-in. It makes recurring sales for vendors super easy. But it makes exit strategies very difficult. On Quora, the question was asked, "How do huge companies like Netflix avoid vendor lock-in with a cloud computing provider?" So I ask the question to both of you, what safeguards can you setup to prevent vendor lock-in or at least make an exit from a cloud provider as painless as possible? Creative Commons photo attribution to Alden Jewell (CC BY 2.0)
8/11/202034 minutes, 31 seconds
Episode Artwork

We're Not Fooled By Your Diversity Theater

All links and images for this episode can be found on CISO Series (https://cisoseries.com/were-not-fooled-by-your-diversity-theater/) We're casting for our diversity theater program on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Matt Conner, CISO, National Geospatial Intelligence Agency. Thanks to this week's podcast sponsor, PlexTrac PlexTrac is a revolutionary, yet simple, cybersecurity platform that centralizes all security assessments, penetration test reports, audit findings, and vulnerabilities into a single location. PlexTrac vastly improves the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize important analytics, and collaborate on remediation in real-time. How CISOs are digesting the latest security news If you thought tech firms were abysmal with diversity hiring, it appears venture capital firms are even worse. In a Washington Post article by Nitasha Tiku, just 1 percent of VC dollars went to black start-up founders in 2018, and that same year and percentage reflects the number of black decision-makers at VC firms as well. With the scrutiny turned up, small minority-focused funds have spurned, and there has been some cosmetic title inflation of minority employees at VC firms, but black tech entrepreneurs are brushing it off as diversity theater. What opportunities and money are VC firms leaving on the table by not taking diversity seriously? What should VC firms do to prove that their efforts are not diversity theater? We don’t have much time. What’s your decision? Interesting question on reddit by throwawaycostam who asks, "How do you create easy to memorize, yet relatively strong passwords?" A password manager is first and foremost recommended, but there are cases where you do have to remember a few passwords, like the one to get into your password manager and desktop screen lock. If you have to memorize five really good complex passwords, what technique do you recommend to create those passwords? What's Worse?! Is clueless better than not being engaged? It’s time for “Ask a CISO” On a previous episode, CISO, Dennis Leber, now with University of Tennessee Health Science Center, but previously with a state government agency said there's no perfect pitch a vendor could make to him that would facilitate a sale. Heck, he couldn't even write the perfect pitch to himself that would work. We know the government is a different beast when it comes to procurement. What are the stumbling blocks vendors need to concern themselves when pitching a government agency? We’ve got listeners and they’ve got questions Jesse Rosenbaum of Varonis brought a job posting to my attention that showed requests for extremely specific experiences with different applications. Jesse asks, does the listing the name of products or protocols you're using expose the company to additional security risks? Isn't this the reason so many customers of security vendors are not willing to give testimonials? But if they're putting these products and protocols in job descriptions, isn't this the same darn thing?
8/4/202034 minutes, 16 seconds
Episode Artwork

How to Tell If Your CISO Sucks at Their Job

All links and images for this episode can be found on CISO Series (https://cisoseries.com/how-to-tell-if-your-ciso-sucks-at-their-job/) If your CISO wants to be a 'visionary' but they can't seem to pull off basic security functions, they probably suck at their job. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Lee Parrish (@leeparrish), CISO, Hertz. Thanks to this week's podcast sponsor, Keyavi Data. Our Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner’s control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com. On this week's episode Is this the best use of our Money On CSO Online, Terena Bell has a piece on how to cut your budget without hurting security. The suggestions are well known: Identify overlaps in technology, renogiate contracts, and use tech to lower the need for manhours. Her last tip was a warning about layoffs. Are you always looking to reduce costs or is it something you do when it's mandated? And how are you supported by the business if and when you proactively reduce costs? Or does that not ever happen because the demand is ever growing. Is this where I should put my marketing dollars? I'm not sure, but it's possible that our guest is our first CISO that has an MBA. In his role as CISO he's mentioned he uses common marketing techniques to advance your organization's cybersecurity program. He said, "Security is just an inside sales job and that marketing creates the demand that sales fulfills." Lee tells us about what he learned in his MBA training that was so critical for your growth as a CISO. What's Worse?! We have a split decision on third party risk management. How a security vendor helped me this week We haven't done this segment in a long time and we got a request from a listener to bring it back. So I ask Mike and our guest, recently, how has a security vendor helped you. And were any of those security vendors who helped not customers? We’ve got listeners and they’ve got questions A listener, who wishes to remain anonymous asks this question: "How do you convince a CISO to focus on the basics?" The listener goes on and says, "I'm not a CISO but have seen and talked to many that want to be seen as 'visionaries' so they focus on 'new hotness' things like 'zero trust' instead of the basics things that are missing like patching, asset management, etc." The listener understand this, and he's obviously talking about his own CISO, hence the anonymity, but how do you approach your CISO and get him or her to balance their own time with basics or as Yaron Levi, CISO of Blue Cross Blue Shield of Kansas City says, "fundamentals" while also having a forward looking vision of security?
7/28/202035 minutes, 37 seconds
Episode Artwork

How Will the Candidate Respond to "What's Worse?!"

All links and images for this episode can be found on CISO Series (https://cisoseries.com/how-will-the-candidate-respond-to-whats-worse/) A potential candidate's response to a "What's Worse?!" question will show how they can handle risk decisions. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Elliot Lewis (@elliotdlewis), CEO, Keyavi Data. Thanks to this week's podcast sponsor, Keyavi Data (formerly Encryptics) Now you can share data without ever losing control of it. Our advanced architecture makes data self-protecting, intelligent and self-aware – wherever it goes, no matter who has it. Our .SAFE patented multi-key technology enables data to evaluate its own safety conditions, including geo-sensing, recipient authentication, and policy changes from its owner. Contact Keyavi Data today and see for yourself. On this week's episode Why is everybody talking about this now If we could change one thing about the cybersecurity industry, what would it be? Rilhouse on reddit brought this post by Naomi Buckwalter of Energage to my attention. What you can change are processes and behavior currently in the industry. Is this the best solution? Both Mike and Elliot hire cybersecurity talent. Here's a question from bubblehack3r on reddit who asked during our AMA. "What are your different methods and tools you use to verify and test the professionally of a new hire in the cyber security domain?" "What's Worse?!" The shortest ever "What's Worse?!" question. Please, Enough. No, More. Encryption. We've had it around for decades, but people and companies still don't use it. What have you heard enough about regarding encryption and what would you like to hear a lot more? It’s time for “Ask a CISO” What have Mike and Elliot learned from a product deployment that they didn't realize until after they deployed it.
7/21/202037 minutes
Episode Artwork

"I LOVE Cold Calls", Said the CISO on Opposite Day

All links and images for this episode can be found on CISO Series (https://cisoseries.com/i-love-cold-calls-said-the-ciso-on-opposite-day/) While CISOs are not excited to receive your unexpected phone call, they are excited to listen to this week's episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Helen Patton, CISO, The Ohio State University. GitGuardian empowers organizations to secure their secrets - such as API keys and other credentials - from being exposed in compromised places or leaked publicly. GitGuardian offers a threat intelligence solution focused on detecting secrets leaked on public GitHub and an automated secrets detection solution which tightly integrates with your DevOps pipeline. On this week's episode Why is everybody talking about this now Are we making ourselves safer by calling end users "dumb"? On LinkedIn, Shaun Marion, CISO, Republic Services called out those security professionals who chose to put down the end user. As a result, security professionals in aggregate are getting a bad wrap. What do you do to change this long held belief of security professionals as putting down the end user? Rich Mason of Critical Infrastructure said, "offer something beyond training to mitigate the damage potential of that click. You can bash those who don't heed your advice on running with scissors or you can design better processes and safer scissors." How do you go about building systems and behavior of the security team with the end user in mind? Are we having communication issues? There is ENDLESS debate on cold calling. I know most CISOs despise it, but as evidenced by Ross Gustavson of Reciprocity, he met 120% of his sales quota solely on cold calling. He posted all his stats so you simply can't argue with that success rate. And Jay Jensen of Sales Evolution said the conversation of cold calling should be about how to do it effectively, and not whether it should be eradicated. And Allan Alford said he wants the conversation to be about partnering with sales staff. What is the communication you're open to having with a security vendor to which you don't currently have a relationship? What's Worse?! Those miserable team building exercises. Is there a worse way to do them? If you haven’t made this mistake, you’re not in security Eli Migdal of Boardish ran a poll on LinkedIn asking how many cyber professionals suffer from impostor syndrome. Sixty two percent believed most did, and Allan Alford, who admitted having it himself, said he was on a call with 25 other security professionals and all of them admitted to suffering at one time from impostor syndrome. Why does this come about and is it healthy or detrimental? RESOURCE: Do You Suffer From Impostor Syndrome? You Are Not Alone Is this where I should put my marketing dollars? On LinkedIn, I published an article entitled, "Formula for Creating a Successful Security Podcast." In it I just talked about my experience publishing successful and not successful shows. I'm a proponent of security vendors using their marketing dollars to produce podcasts because it's a means to create a one-to-many and many-to-many relationship with the audience. Focusing on other security and technology podcasts, what makes us excited to listen to a show and actually engage with the show or other listeners. And have we for any reason stopped listening to a show and why? NOTE: CISO Series and its parent company Spark Media Solutions is now offering consulting and production services for others, including vendors, who want to launch and maintain their own successful podcast. Please contact me, David Spark, for more information.  
7/14/202037 minutes, 46 seconds
Episode Artwork

NYTimes Critic Called Our Security Theater "Unconvincing"

All links and images for this episode can be found on CISO Series (https://cisoseries.com/nytimes-critic-called-our-security-theater-unconvincing/) We tried to pull off the Hamilton of security theater and we fell short. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Shawn Bowen (@smbowen), CISO, Restaurant Brands International which handles restaurants such as Burger King, Popeye's, Tim Hortons, and Louisiana Kitchen. Thanks to this week's podcast sponsor GitGuardian. GitGuardian empowers organizations to secure their secrets - such as API keys and other credentials - from being exposed in compromised places or leaked publicly. GitGuardian offers a threat intelligence solution focused on detecting secrets leaked on public GitHub and an automated secrets detection solution which tightly integrates with your DevOps pipeline. On this week's episode How CISOs are digesting the latest security news We recorded this episode on June 24th, just a five days after Trump's first rally in Oklahoma where purportedly TikTok fans en masse were able to register for Trump's rally and fool his entire staff into believing that 1 million people had registered and were planning to attend his rally. In the end, the arena was less than half full. We are all well aware that some cyber protests can cause serious damage, but does this one? Is this the kind of peaceful cyber protests that we should encourage or not encourage? Dan Lohrmann at Security Mentor posted this discussion and said no matter what political affiliation you're on this is a call for more cybersecurity because this will happen again. But is this the fault of Trump's cyber team or his social media team for not keeping an eye on TikTok? Why is everybody talking about this now? On AskNetSec on reddit, NoInterestingGuy, a college student starting his first internship at a security firm, posted he likes to participate in "extracurricular activities". He then asked, "If I were to get caught with a crime related to cyber security, would that impact my chances significantly of getting hired in the future for a security company?" The community almost resoundingly said, "Stop," but has Mike and our guest ever hired someone with a cybercrime past or caught an employee engaging in cybercrime? How did they handled it. Is there an "it depends" meter? We all do stupid stuff in college. What's Worse?! Is the unknowing always the worst? It's security awareness training time On CSO Online, J.M. Porup wrote a piece about five examples of security theater and how to spot them. Security theater refers to the practice having a show of implementing security where its effectiveness is in question. Some examples are purposefully complex passwords, checkbox compliance, and bad security awareness training. How do we spot security theater? Is there any value to security theater? What's the antidote? If it's in place, how do we eradicate it? What Is It and Why Do I Care? We played this game before and like the "What's Worse?!" game, the title pretty much explains it. I have three pitches from three different vendors who are all in the same category, Security Awareness Training. I have asked the reps to first, in 25 words or less, just explain their category. That’s the “What Is It?” and then for the “Why Do I Care?” I asked them to explain what differentiates their product or makes them unique also in 25 words or less. It is up to Mike and Shawn pick their favorite of each and explain why. I only reveal the winning contestants and their companies.
7/7/202035 minutes, 16 seconds
Episode Artwork

Why Am I Working Harder During This Pandemic?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/why-am-i-working-harder-during-this-pandemic/) Is it the increased work or the pandemic itself that's causing us all to work more than we've ever worked before? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Christopher Zell, vp, head of information security, The Wendy’s Company. Thanks to this week's podcast sponsor GitGuardian. GitGuardian empowers organizations to secure their secrets - such as API keys and other credentials - from being exposed in compromised places or leaked publicly. GitGuardian offers a threat intelligence solution focused on detecting secrets leaked on public GitHub and an automated secrets detection solution which tightly integrates with your DevOps pipeline. On this week's episode Why is everybody talking about this now? On TechRepublic, Scott Matteson wrote an article about cybersecurity pros working harder than ever during the pandemic. Stuart Mitchell of Stott and May posted the article to LinkedIn and asked if anyone has taken a day off since COVID-19 started, and the general consensus is no. I see a multitude of factors affecting this: increased surface area to protect, compliance is more difficult, I also have to deal with my family, and where the heck is anyone going to go for vacation? I guess I'll just work. Close your eyes and visualize the perfect engagement On LinkedIn, our guest Chris Zell asked others to be more welcoming when you see someone post "aspiring cybersecurity professional." We discussed the approach and what the community could teach us. What's Worse?! Three options of how to talk to the board. There’s got to be a better way to handle this On CSO Online, Mary Pratt has a guide for CISOs on securely laying people off. What are critical technical considerations during layoff time, and as a manager how do you manage security for those people who are still there. Have either of you made a massive security mistake during a layoff that was a great learning experience for you? What Is It and Why Do I Care? We played this game before and like the "What's Worse?!" game, the title pretty much explains it. I have three pitches from three different vendors who are all in the same category of governance, risk and compliance or GRC. I have asked the reps to first, in 25 words or less, just explain their category. That’s the “What Is It?” and then for the “Why Do I Care?” I asked them to explain what differentiates their product or makes them unique also in 25 words or less. It is up to Mike and Chris to pick their favorite of each and explain why. I only reveal the winning contestants and their companies. Ready to play?
6/30/202036 minutes, 53 seconds
Episode Artwork

I Have the Perfect Job for You (But Probably Not)

All links and images for this episode can be found on CISO Series (https://cisoseries.com/i-have-the-perfect-job-for-you-but-probably-not/) You put those qualifications on your resume, and I queried. So don't blame me for getting your hopes up. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week Brandon Greenwood, vp, security, Overstock.com. Thanks to this week's podcast sponsor Trend Micro. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. On this week's episode How CISOs are digesting the latest security news Paul Martini of iboss asks, "What network weaknesses has the current pandemic revealed?" Close your eyes and visualize the perfect engagement As evidenced by a previous episode, security recruiters have a hard time getting some respect. Let's discuss this issue from the viewpoint of the candidate. On Peerlyst, David Froud of Concept Security felt that the recruiter approach of saying I have a perfect job for you was misguided. Mike and our guest talk about their early security careers and how welcome they were to approaches from security recruiters. What's Worse?! Crappy tools or crappy team? What's worse? I tell ya, CISOs get no respect On CSO Online, Neal Weinberg has a story about hard truths security professionals have to deal with. One item was the outright lack of respect, being misunderstood and underappreciated, from the board and your coworkers. I know the generic response is communications and listen, but I want to know what are ways to command leadership so those do pay attention to you and you do get that respect. We discuss specific turning points in security leadership careers that allowed Mike and our guest to do this. Vendors have questions. Our CISOs have answers Dennis Underwood of Cyber Crucible asks if you can you be a threat hunter if you have to sign NDAs. Are NDAs the cover up so companies don't have to reveal information about their failed defenses? And are NDAs a common occurrence in bug bounties?
6/23/202036 minutes, 12 seconds
Episode Artwork

We Compensate Our Low Paying CISO Jobs with High Stress

All links and images for this episode can be found on CISO Series (https://cisoseries.com/we-compensate-our-low-paying-ciso-jobs-with-high-stress/) On this week's episode we're seeking candidates for unrealistically low-paying CISO positions. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Nir Rothenberg, CISO, Rapyd. Thanks to this week's podcast sponsor Trend Micro. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. On this week's episode Why is everyone talking about this now? On LinkedIn, Farhan Khan, a recruiter at CyberApt Recruitment, told a tale of getting a call asking if he could help his company recruit a seasoned CISO for their 300+ person company. He was excited until he found out the salary they were offering the CISO was in the range of $90-$105K. We've talked before about unrealistic CISO salaries before, but this is actually below the rate of entry level cyber positions in the Bay Area. How do CISOs or heck any cybersecurity professional handle someone's unrealistic expectations? Do you say something or just say, "No thank you"? Also, Davi Ottenheimer of Inrupt, brought this story to my attention and argued that high CISO salaries are just attracting fraudsters. Does our panel agree, and if so, what would a company have to be wary of? Mike's Confused. Let’s help him out On previous shows Mike has admitted he would not want to (not confused although that may be part of it) run the IT department. Nir mentioned that he feels that getting out of one's comfort zone is critical, no matter what department you're in. What are the pros and cons of other departments not just being security aware, but taking on cybersecurity responsibilities? And vice versa, cybersecurity taking on other department responsibilities? How far can/should it go? What's Worse?! Too much flexibility or too many restrictions? We’ve got listeners and they’ve got questions Anya Shpilman of Swiss Gulf Partners sent recorded this question: "I'm a recruiter and I specialize in cybersecurity recruitment. At the end of the show everyone says they're hiring. But I have a hard time getting traction from CISOs. So what would you like to see/hear in those initial emails or LinkedIn messages." Go here to record a question to be played on one of our shows. Umm, Is this good idea? I recently published an article on CISO Series entitled "25 API Security Tips You're Probably Not Considering”. The very first tip, from Gary Hayslip, CISO, Softbank Investment Advisers, is K.I.S.S. or Keep It Simple Stupid. I then went on to provide 24 more tips from experts which if you were to deploy them all would in no way be simple. KISS sounds great in theory, but how the heck do you pull it off in practice. Can you point to an example of how you took something that was complicated and simplified it?
6/16/202032 minutes, 2 seconds
Episode Artwork

Keep Pouring. I'll Tell You When I've Had Enough Security.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/keep-pouring-ill-tell-you-when-ive-had-enough-security/) When do we hit the diminishing returns of too much cybersecurity? How will we know? Will a bell go off? Will our cup runneth over? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Tony Sager, svp, chief evangelist, Center for Internet Security. Thanks to this week's podcast sponsor, AppOmni. AppOmni is the leading provider of SaaS security and management platform for the enterprise. AppOmni provides unprecedented data access visibility, management and security of SaaS, enabling organizations to secure mission-critical and sensitive data. With AppOmni, organizations can automatically and continuously enforce rules for data access, data sharing and third-party applications. On this week's episode Looking down the security roadmap Dean Webb of ForeScout asked this great question on Peerlyst. "What are the things that are the hardest to fix that leave organizations the most vulnerable?" These are not the quick security fixes or low hanging fruit, but rather the big projects that nobody wants that often never get finished. What are they and is there any way to make them not so painful? It’s time for “Ask a CISO” sitdownson on reddit's AskNetSec asked, "How and when did you decide to specialize?" Sultan_of_Ping answered, "For most people it's not a decision, the specialization comes to them." Do you get a taste of everything and then determine which one you're passionate about? Do you read market demands (e.g. cloud security) and go in that route? What have you seen your colleagues do? What's Worse?! A "What's Worse?!" first - FOUR scenarios. Which one is worst? Here's some surprising research We're revisiting the Verizon Data Breach Investigations Report. Tony's organization, Center for Internet Security had a hand in the report and specifically at the end where you map the CIS top 20 to the breach findings. In particular, the report notes that there are 171 safeguards that are grouped based on the resources and risks the organizations are facing. Has anything shifted significantly in this most recent report? What’s the return on investment? Tip of the hat to Norman Hunt, Deputy CISO, GEICO, who sent this article from HelpNet Security about a study on CEOs and CISOs approaches to "When is security enough security?" There seems to be a disparity with CEOs being more confident with the security that CISOs. I have to assume that mature understanding of risk is the biggest contributor, and the nature of the job of a CISO who sees more threats than the CEO, but only in a cyber context. A CEO sees all the other risks. What causes such swings in opinions?
6/9/202037 minutes, 54 seconds
Episode Artwork

Facebook Personality Quiz Asks, "What's Your Favorite Password?"

All links and images for this episode can be found on CISO Series (https://cisoseries.com/facebook-personality-quiz-asks-whats-your-favorite-password/) What's your favorite combination of letters, numbers, and symbols you like to use to log onto your favorite app or financial institution? Let us know and we'll see if it matches any of your friends! This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Lakshmi Hanspal (@lakshmihanspal), CISO, Box. Thanks to this week's podcast sponsor, CyberArk. At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls. On this week's episode Why is everybody talking about this now? On AskNetSec on reddit, user u/L7nx asks, "How do you handle alert fatigue?" Many vendors out there listening want to scream, "We've got a single pane of glass solution!" On reddit, Kamwind commented that it's not so much managing the output, but rather the input and false positives. "What are you doing to tune those rules and IOCs (indicators of compromise) to reflect your network vs accepting them from whatever vendor you're getting them from." Is alert fatigue a real thing and what can be done to manage input and output? It's security awareness training time There's a meme resurfacing that pokes fun at Facebook personality quizzes that ask seemingly innocuous questions such as "What's Your Favorite Band?" and "What's Your Favorite Teacher's Name?" In the meme, the answers to each question are just one word of the sentence, "Stop giving people your personal info to guess your passwords and security questions." We've talked about training programs that rely on fear. Humor seems rather effective here, but heck, I don't know. Does humor in security training work? Does fear? What tone have you seen actually foster behavioral change? What's Worse?! Do you likeable or useful vendors? Sometimes they're not both. Here's some surprising research The Verizon DBIR is out. Mike's favorite. There's a ton to unpack as there always is, but for this segment I just want to visit one item in this report and that's configuration errors. From a quote by Larry Dignan on ZDNet: "Errors definitely win the award for best supporting action this year. They are now equally as common as social breaches and more common than malware... hacking remains higher, and that is due to credential theft and use." I get the sense that second to black hat hackers, we're our own worst enemy. One argument for the increase in cloud breaches is because security researchers and others are discovering exposed storage in the cloud. Could it be just poor training of cloud security? Or poorly maintained cloud providers? Vendors have questions. Our CISOs have answers Landon Winkelvoss of Nisos asks, "What do your good vendors do on an ongoing basis (quarterly, monthly, weekly, etc) that make renewals easier around budget season? How often should they do it? What metrics and impacts to the business should they document and present that make this relatable to people outside of security such as the CFO?"
6/2/202034 minutes, 45 seconds
Episode Artwork

Great Security Program! Too Bad We Can't Implement It.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/great-security-program-too-bad-we-cant-implement-it/) Security theory only goes so far. If you want your security program to work, everyone has to do their part. This week’s episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our sponsored guest is Scott McCormick, CISO, Reciprocity. Thanks to this week's podcast sponsor, Reciprocity. ZenGRC by Reciprocity is a cloud-based GRC software that automates and simplifies compliance and risk management, solving critical problems at scale while customizing to your business needs. Adhering to the majority of regulations is a snap with pre-built templates and a unified system of record. Learn more at reciprocitylabs.com. On this week's episode How CISOs are digesting the latest security news The Wall Street Journal has a story about cybersecurity budgets during the COVID-19 crisis. Many companies are dealing with budget cuts across the board. One issue mentioned was that the first items to go from the cybersecurity budget would probably be big projects that require a lot of integration. So as to avoid getting left on the cutting room floor, what would be your advice to vendors on how better to situate themselves, prepare, and prove to potential buyers that they can help with the ease of that integration? Also, for those security leaders, how do they best show compassion to the rest of the business and don't just fight for their slice of the budget pie? It’s time for “Ask a CISO” On reddit, countvonruckus states and then asks, "It's great to see CISOs giving back through mentorship. As a younger professional looking to become a CISO someday, it can be difficult to get a minute of a senior leader's time even for critical work decisions. How should someone looking to find a mentor or to benefit from the mentorship of a particular leader go about asking in a respectful but effective way? Is there anything a mentee can do to provide value in exchange that will make it more worthwhile for mentors?" It's time to play, "What's Worse?!" Two "What's Worse?!" scenarios nobody likes but many have faced especially now. Please, Enough. No, More. Operationalizing GRC. What have you heard enough about operationalizing GRC, and what would you like to hear a lot more? Looking down the security roadmap On Quora, the question was asked, "Do cloud providers implement governance, risk management and compliance (GRC) well?" I didn't know how one would define "well" and what we should expect from cloud providers to help with GRC efforts. This harkens back to our last segment, because we would hope that cloud providers could actually help us operationalize GRC. What are cloud providers doing to help in GRC efforts?
5/26/202030 minutes, 54 seconds
Episode Artwork

We Promoted the Competition and Still Won

All links and images for this episode can be found on CISO Series (https://cisoseries.com/we-promoted-the-competition-and-still-won/) If you're having a problem getting people to discover your space, then maybe you have to do a better job promoting the space even when it involves the competition. This week’s episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our guest is Zohar Rozenberg, former head of cyber department in the Israel Defense Force, and current CSO of Elron Electronic Industries. Thanks to this week's podcast sponsor, Reciprocity. ZenGRC by Reciprocity is a cloud-based GRC software that automates and simplifies compliance and risk management, solving critical problems at scale while customizing to your business needs. Adhering to the majority of regulations is a snap with pre-built templates and a unified system of record. Learn more at reciprocitylabs.com. On this week's episode Why is everybody talking about this now? On this podcast we have sponsored guest episodes in which we dedicate a segment of the show for the sponsor to talk about their category. I was just given the heads up by a listener that a competitor of one of our sponsored guests, actually promoted that episode via an email marketing campaign. I asked the community why they thought that happened. Did the company know they were promoting a direct competitor's solution, or were they of the philosophy of let's promote the space. The more people who know about this problem that benefits the entire industry and in turn that helps our competitor and us. Most people on LinkedIn agreed with the latter and actually thought it was a savvy marketing move possibly demonstrating that the competitor was confident with their product. It’s time for “Ask a CISO” Tip of the hat to Sounil Yu, CISO in residence at YL Ventures for bringing up Mike's comment in a Slack channel of your frustration with cybersecurity startups who end up having an "us too" attitude towards creating the next cybersecurity solution. It seemed their only credentials was a successful exit, but not presenting a unique solution to an actual problem. You claimed a criteria that you would only meet with a founder who had a committed idea to a product. But how do you differentiate between an "also ran" and a unique solution? What's Worse?! One of our most challenging debates ever Close your eyes. Breathe in. It’s time for a little security philosophy On our CISO Series Video Chat, Bob Henderson of Intelligence Services Group asked, "Has measuring risk itself become a risk? Since risk is primarily arbitrary depending on who defines the risk wouldn’t the solutions be arbitrary and thus add complexity and uncertainty. Which are contributors to risk." Let's dig a little deeper What are the intrinsic training elements of Israel's elite 8200 that results in so many of the graduates going on to become cybersecurity entrepreneurs? What if anything can other organizations, military units or schools learn from this?
5/19/202035 minutes, 55 seconds
Episode Artwork

Three Years Experience Required for Sub-Entry Level Positions

All links and images for this episode can be found on CISO Series (https://cisoseries.com/three-years-experience-required-for-sub-entry-level-positions/) Our motto for hiring: We never give up on our unreasonable expectations. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Brandon Traffanstedt, global director of systems engineering, CyberArk. Thanks to this week's podcast sponsor, CyberArk. At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls. Are we making the situation better or worse? On LinkedIn, Gabriel Friedlander of Wizer asked, "Should we be doing home risk assessments?" Could we create bigger problems if we do that? Gabriel's post generated a debate on what actions can significantly reduce risk. Is there value in a home risk assessment and if so, what's it going to reveal? It’s time for “Ask a CISO” On reddit, crossfire14 asks, "Why are helpdesk roles requiring 2-3 years experience? I thought they were entry level friendly? Im trying to start at lower positions to work my way into infosec yet I cant seem to qualify for any helpdesk roles because of exp?" I looked and actually these entry level positions are often asking for 3-5 years experience. Is this required? If not, what IS required for an entry level help desk role and what's the best way to show that? "What's Worse?!" Two horrible company debilitating options that have happened in real life. How would you survive either one? Please, Enough. No, More Our topic is Privileged Access Management, or PAM. What have Mike and Brandon heard enough about with PAM, and what would they like to hear a lot more? The great CISO challenge Outsider attacks, insider attacks, your assets, networks, people, and controls - what DOESN'T always change in security? If we assume that consistency is synonymous with simplicity, is it always an uphill battle to try to keep security simple especially if we're expanding into new services and cloud environments? Could this be why the foundations are still a struggle for everyone?
5/12/202034 minutes, 57 seconds
Episode Artwork

LOOK! Freshmen CISOs. Get Ready to POUNCE!

All links and images for this episode can be found on CISO Series (https://cisoseries.com/look-freshmen-cisos-get-ready-to-pounce/) What could possibly be a better way to welcome newly hired CISOs to the security community than with a shiny new sales pitch? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Wayne Reynolds, CISO, Toyota Financial Savings Bank. Thanks to this week's podcast sponsor, AppOmni. AppOmni is the leading provider of SaaS security and management platform for the enterprise. AppOmni provides unprecedented data access visibility, management and security of SaaS, enabling organizations to secure mission-critical and sensitive data. With AppOmni, organizations can automatically and continuously enforce rules for data access, data sharing and third-party applications. On this week's episode Why is everyone talking about this now? Our guest, Wayne Reynolds posted the good news about his new CISO role. While he got the expected kudos, he also got lots of sales emails. In the short conversation we had in preparation for this episode, six pitches came in. He counted 731 vendor pitches in just five days. Given the situation, we have all seen an uptick in pitches, across all industries, not just cybersecurity. Vendors want to make some type of connection. If they weren't pitching, what would be a more acceptable outreach? It’s time for “Ask a CISO” What can security startups do to prepare for and prove to prospects that their solution won't slow down operations? Thanks to John Prokap, CISO, HarperCollins for pointing me to this great article on CIO.com by Yoav Leitersdorf of YL Ventures on mistakes security startups make. One concern was on the issue of startups losing this specific focus. From the article, Peter Bodine, AllegisCyber Capital said, "I cannot stress how much of a difference productivity makes to the CISOs we consult with. So, as an investor, our attention is immediately piqued when we learn that a POC took fewer resources than a regular POC, because it often means that they developed their process early enough with a customer satisfaction person. We really don't see that very often, but when we have, we've written a check almost right on the spot, just because they take so much sand out of the gears and make it so much easier for a yes decision to occur.” "What's Worse?!" Do you want to be the one to reveal the cybersecurity incident or do you want somebody else to reveal it? What's a CISO to do? In the world of DevOps I'm constantly seeing the desire for developers to be security aware. But the point of DevOps is to be aggressively competitive. That's something I often don't see security people understanding or literally being aware of. Nicolas Valcarcel of NextRoll gave me heads up on a post by Mike Sherma of Square about having dev champions on the security team to advocate for the software engineering experience and design principles. Is this a good idea, and if so how would it be rolled out and what would be the benefits? How to become a CISO Prior to the unfortunate COVID-19 crisis we at the CISO Series were planning on hosting our very own one-day event to train security leaders. That event will happen eventually, but right now it's on hold. The whole idea is we were going to have a group of CISOs training a group of wannabe CISOs to be CISOs. Wayne is a strident mentor for wannabe CISO. At any time he's got 4 or 5 security professionals you're mentoring. We discuss the core skills security professionals are lacking to become CISOs, and what mentorship does to help you get those skills.
5/5/202034 minutes, 52 seconds
Episode Artwork

Cleaning Those Tough to Reach Digital Identity Stains

All links and images for this episode can be found on CISO Series (https://cisoseries.com/cleaning-those-tough-to-reach-digital-identity-stains/) We're trying to erase our past and it's becoming harder and harder to clean that history. This week’s episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our guest is Davi Ottenheimer (@daviottenheimer), vp of trust and digital ethics, Inrupt. Thanks to this week's podcast sponsor, Reciprocity. ZenGRC by Reciprocity is a cloud-based GRC software that automates and simplifies compliance and risk management, solving critical problems at scale while customizing to your business needs. Adhering to the majority of regulations is a snap with pre-built templates and a unified system of record. Learn more at reciprocitylabs.com. On this week's episode Why is everybody talking about this now? On Quora, the question was asked, "What are some ways to protect identities on the Internet?" Mike and Davi offer their advice. It's time for "Ask a CISO" The Three As: Authentication, Authorization, and Auditing or Accounting. How do they interrelate? What's the order? And have we been doing it wrong? It's time to play, "What's Worse?!" How are you going to handle having a very well known exploit? Close your eyes, breathe in. It's time for a little security philosophy. On Quora, the question was asked, "What should I do to completely erase my digital identity for good?" It seems impossible, and probably is, but how what steps would one need to get rid of our online identities? It's time to play, "What Is It and Why Do I Care?" We're introducing a brand new game today called "What Is It and Why Do I Care?" Here's how the game is played. I have three pitches from three different vendors who are all in the same category, application security. I have asked the reps to first, in 25 words or less, just explain their category. So give me a simple explanation of application security. That's the "What Is It?" and then for the "Why Do I Care?" I asked them to explain what differentiates them or makes them unique also in 25 words or less. It is up to Mike and Davi to pick your favorite of each and explain why. I only reveal the winning contestants and their companies. If you would like to be a contestant for "What Is It and Why Do I Care?" just go here and fill out the simple SurveyMonkey form.
4/28/202039 minutes, 54 seconds
Episode Artwork

Let's Just Dump On Zoom's Security and Offer No Solutions

All links and images for this episode can be found on CISO Series (https://cisoseries.com/lets-just-dump-on-zooms-security-and-offer-no-solutions/) Sure, we're all in this together, but isn't it fun just to trash a popular product's really bad security? This week’s episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our sponsored guest is Brian Johnson, CEO and co-founder, DivvyCloud. Thanks to this week's podcast sponsor, DivvyCloud. DivvyCloud provides continuous security and compliance across all CSPs and containers, including AWS, GCP, Azure, Ailibaba, and Kubernetes, providing a comprehensive view of what’s in your cloud, along with the tools and automation you need to manage it today, tomorrow, and into the future as your business grows and changes. On this week's episode Why is everybody talking about this now? Yaron Levi, CISO, Blue Cross Blue Shield of Kansas City a frequent and recent guest of the podcasts, had an incendiary post on LinkedIn where he challenged the long held belief in cybersecurity that "we're all in this together." Well that theory was put to the test with the outcries of Zoom's security and privacy flaws. Levi believes the security industry failed. Instead of trashing Zoom we should be offering suggestions of how they could fix a now universally used application. His challenge exploded online with over 200 comments. How could we/can we handle this situation better? Look at this, another company breached Oh Marriott. You blew it again. Two massive data breaches in two years. This one just gave too much access to too many customers from a branch office. Years ago this would be a front page story we'd be talking about for weeks if not months. Now they're just another breach and it doesn't seem that the affected users seem to care. How much damage are these breaches doing to companies if the customers have breach fatigue and can't see the damage immediately or even directly? And what percentage of these breaches do you believe are the result of poorly architected or implemented security programs? It's time to play "What's Worse?!" We get a chance to talk about Mike's favorite topic, toxic team members. Please, Enough. No, More. Today's topic is Identity Access Management or IAM. We discuss what we've heard enough about with IAM and what would we'd like to hear a lot more. It’s time for “Ask a CISO” We have a question from a listener, a college student. Here's her question: "I'm a college student interested in majoring in cybersecurity. However I'm more of a people person and I'm afraid cybersecurity is just dealing with computers and having no people interaction. I'm just wondering what I should expect if I continue to pursue a cybersecurity major."
4/21/202035 minutes, 14 seconds
Episode Artwork

We've Got a Dozen Features. Only Two Work.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/weve-got-a-dozen-features-only-two-work/) If you don't focus too much on quality you'll really be impressed with the quantity of features our product has. This week’s episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our guest is Yaron Levi (@0xL3v1), CISO, Blue Cross Blue Shield of Kansas City. Thanks to this week's podcast sponsor, DivvyCloud. DivvyCloud provides continuous security and compliance across all CSPs and containers, including AWS, GCP, Azure, Ailibaba, and Kubernetes, providing a comprehensive view of what’s in your cloud, along with the tools and automation you need to manage it today, tomorrow, and into the future as your business grows and changes. On this week's episode Hey, you’re a CISO. What’s your take on this? What's the value of a vendor-derived security meter? I sat down for a vendor presentation that was chock full of dashboards with meters. Some made sense and others appeared they were derived through some mysterious black box. When do you trust a vendor-derived meter? Can you? If not you, who are they for? Is it possible to ignore the absolute numbers in a vendor-derived formula and value only the changes over time? If you don't trust a vendor-derived meter, what meters do you create for yourself that you do trust? How do you go about discovering new security solutions? Tip of the hat to John Prokap, CISO, HarperCollins for forwarding me this excellent CIO.com article by Yoav Leitersdorf of YL Ventures. How feature rich should a startup product be? In the article, Richard Rushing, CISO, Motorola Mobility talks about the need to trust a startup and the quality of each feature. “It's not enough to just focus on three out of five. All five have to be spot on because I can't miss, which means you can't miss." How does a vendor avoid the classic case of trying to be everything to everybody and really you're serving no one? What's Worse? What's better for the business, compromised security occasionally, or unnecessary overhead that grows over time? Close your eyes and visualize the perfect engagement There's a well-known paradox in the healthcare industry when it comes to working with third party vendors. Because of HIPAA regulations there's a desire to keep information private, but at the same time, what about all these wonderful third party tools. Let them have access to our data. What's the advice for vendors eager to work with a healthcare organization? How should they demonstrate their awareness of this paradox (e.g., scope of responsibilities, efficacy of controls, attestation, accountability)? Why is everyone talking about this now? We recorded this episode on March 30th as we talk about this next topic and that is should companies challenge their employees with a COVID-19 phishing test? Tip of the hat to Louisa Vogelenzang of Kroll who pointed me to this active discussion started by Grant McKechnie, Telstra, who asked this very question. There was a lot of debate. We debate both sides and offer an ultimate recommendation.
4/14/202032 minutes, 39 seconds
Episode Artwork

Let's Ask CISOs If They're Concerned About Data Security

All links and images for this episode can be found on CISO Series (https://cisoseries.com/lets-ask-cisos-if-theyre-concerned-about-data-security/) I'm just learning about cybersecurity and I just realized that data security is really important. I don't know if everybody knows this. Do CISOs know? I should email all of them and ask. This week’s episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our guest is Steve Zalewski, deputy CISO, Levi Strauss & Co. Thanks to this week's podcast sponsor, DivvyCloud. DivvyCloud provides continuous security and compliance across all CSPs and containers, including AWS, GCP, Azure, Ailibaba, and Kubernetes, providing a comprehensive view of what’s in your cloud, along with the tools and automation you need to manage it today, tomorrow, and into the future as your business grows and changes. On this week's episode Why is everyone talking about this now? On Quora, the question was asked, "What is the most common unaddressed cybersecurity risk at companies?" Looking through the list, we've talked about all of these issues: people (malicious and negligence), program maturity, data privacy, and just basic network. They're all important, but we discuss which one we believe is least addressed. There’s got to be a better way to handle this What happens when a cloud provider breaks a service level agreement or SLA? On a recent episode of Defense in Depth, Taylor Lehmann, CISO, athenahealth said that putting ultimatums in SLAs just doesn't work in reality. No one really pulls the plug just because a cloud provider fell short on providing a certain level of uptime. We walk through the steps of the SLA. What's needed? What's too much? What do you do when something is violated? How do you right the ship and maintain the relationship? What's Worse? What happens when there's a political motivation to select a vendor? What do you think of this pitch? and Why is this a bad pitch? We put a good one and a bad one back to back so you can hear the range of what comes in a CISO's inbox. Um… maybe you shouldn't have done that As a security vendor, how do you catch yourself if you're cybersplaining? Brian Haugli of Sidechannel Security offered the following definition: "When a salesperson or company representative explains in detail how a basic attack, ransomware, BEC, or other threat works to a CISO or current cybersecurity expert in order to push a sale." From what I see, it appears that cybersplaining is the norm mostly for those who are very green in cybersecurity. I'll also say I've seen the complete opposite where someone at a much higher level assumes you're already in their head and agree to the same assumptions they have about cybersecurity as well. This plays out that they'll state an issue in cybersecurity and conclude with "right?" not waiting for an answer but just assuming you're on the same page so that they can go on with their rant. What are ways to check yourself on both sides of the spectrum and what's the happy medium?
4/7/202036 minutes, 43 seconds
Episode Artwork

I Don't Need Anymore Advice On How To Work Remotely

All links and images for this episode can be found on CISO Series (https://cisoseries.com/i-dont-need-anymore-advice-on-how-to-work-remotely/) It appears everyone has tips on how to work remotely. And after the deluge the past two weeks, most people have hit their wall. We don't care. We're pushing through with even more advice, just for security professionals. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Brendan O'Connor, CEO, AppOmni. Thanks to this week's podcast sponsor, AppOmni. AppOmni is the leading provider of SaaS security and management platform for the enterprise. AppOmni provides unprecedented data access visibility, management and security of SaaS, enabling organizations to secure mission-critical and sensitive data. With AppOmni, organizations can automatically and continuously enforce rules for data access, data sharing and third-party applications. On this week's episode Why is everyone talking about this now? Adapting a line from Wendy Nather of Duo Security, what's the security poverty line for remote work? Gabriel Friedlander of Wizer started a thread of best advice for employees working at home. And then he compiled a list of the best tips. We talk about our favorite tips and add a few of our own. There’s got to be a better way to handle this Mike and our sponsored guest, Brendan, are both security leaders who have been thrust into managing their entire team virtually for an extended period of time. On top of that, their teams are going to have new pressures on them (e.g., kids at home) that are going to conflict with their ability to be efficient employees. We talk about what they're doing to adapt and their greatest concerns. What's Worse?! How are you dealing with patch management when you've got an all-remote workforce? Please, Enough. No, More. Our topic security cloud or specifically SaaS apps. What have we heard enough about on this topic and what would we like to hear a lot more? A serious confounding feature of public activities like elections and climate change discussions is the proliferation of actual fake news – stories created by bad actors and distributed by bots and which include deepfaked video and propaganda that lead audiences into a state of not knowing who to believe anymore. Security experts including the International Security Forum categorize this as a cyberthreat called Distortion, the loss of trust in the integrity of information. As threat actors continue to hammer away at the cyber defenses however they can, it is extremely likely that Distortion attacks will be yet one more way of bringing organizations to a point of extreme vulnerability, just like ransomware and siegeware. Though the Distortion content may be generated externally, it has the potential to be implanted in a company’s environment through phishing, MFA fraud and hacking, leading to media crises, drops in market valuation, destruction of public credibility and of internal stability. More from our sponsor, ExtraHop. Um… maybe you shouldn't have done that Some really well-intentioned people are responsible for some really bad data practices. When I was in Tel Aviv I ran into a number of companies offering discovery solutions to show you where your data is, identify the sensitive data, the PII, and who has access. We learn a lot about sensitive data after it's breached, but there are also plenty of bad data practices happening internally which lend themselves to misuse or greater damage when there is a breach.
3/31/202035 minutes, 21 seconds
Episode Artwork

The Department of "No, Thank You"

All links and images for this episode can be found on CISO Series (https://cisoseries.com/the-department-of-no-thank-you/) Just go to the front desk, sign in, and then the receptionist will say “no” in the most polite way possible. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Nina Wyatt, CISO, Sunflower Bank. Thanks to this week's podcast sponsor, CyberArk. At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls. On this week's episode There’s got to be a better way to handle this The hot new cybersecurity threat is the Coronavirus. Not the virus itself or the possible fake phishing emails connected to it, but our overall fear and its impact on work. According to data from Boardish, there is a 42% increase over baseline in fear of immobility, or staff not being able to operate effectively remotely. To put that number in perspective, phishing and ransomware have each seen an 8% threat increase. I read immobility's huge number to mean companies are simply not prepared for how their staff may need to operate. What we’ve got here is failure to communicate What's the best way to say 'no' to a vendor? This was a question that was asked of me by Eric Gauthier, CISO at Scout Exchange. He wants to say no because his cloud business has no need for certain services, and he doesn't want to be rude, but just saying no doesn't seem to work. What are the most successful techniques of saying no to a security vendor? And what different kinds of "no" are there? "What's Worse?!" A tough decision on a company built on acquisitions. Walk a mile in this CISO’s shoes For many CISOs, there is a "What's Next?" as they don't necessarily expect "CISO" to be their final resting place professionally. Gary Hayslip, a CISO for Softbank Investment Advisers and frequent guest, wrote on both LinkedIn and Peerlyst about next steps for CISOs who want to move out of the role. The recommendations were other C-level positions, going independent, and starting a new company. On January 2 of this year, parking meters in New York City stopped accepting credit and parking cards. At fault? Security software that had expired on the first day of 2020. Reminiscent of Y2K, this draws attention to the next two time-related bugs predicted for 2036 and 2038. The 2038 problem affects 32-bit systems that rely on timecodes that max out on January 19 of that year. A similar rollover is expected in 2036 for Network Time Protocol systems. In all likelihood, affected systems either have been or will be replaced over the next 18 years, but the dangers still exist, in situations where vulnerable devices remain buried in a legacy system or in cases where advanced calculation of expiry dates are needed, or like New York City, where the upgrade was apparently overlooked.  It serves as a reminder that data security must look to its past while it plans for the future. More from our sponsor ExtraHop. Hey, you're a CISO. What's your take on this? What's the impact of Europe's Right to Be Forgotten (RTFB)? It's been five years and Google has received ~3.2 million requests to delist URLs, from ~502,000 requesters. Forty five percent of those URLs met the criteria for delisting, according to Elie Bursztein, leader of Google's anti-abuse research team. Search engines and media sites hold the greatest responsibility, but what responsibility are companies forced to deal with and do they have the capacity to meet these requests?  
3/24/202035 minutes, 17 seconds
Episode Artwork

We Pick the Best Security Awareness Programs for Your Staff to Ignore

All links and images for this episode can be found on CISO Series (https://cisoseries.com/we-pick-the-best-security-awareness-programs-for-your-staff-to-ignore/) It doesn’t matter which security awareness training program you purchase. Your staff is going to do whatever they can to either tune out or get out of this annual compulsory exercise. This week’s episode of CISO/Security Vendor Relationship Podcast was recording in front of a live audience at athenahealth in Watertown, Massachusetts. The recording features me, David Spark (@dspark), producer of CISO Series, my guest co-host, Taylor Lehmann (@BostonCyberGuy), CISO, athenahealth, and guest Marnie Wilking, global head of security & technology risk management, Wayfair. David Spark, producer of CISO Series, Taylor Lehmann, CISO, athenahealth, Marnie Wilking, global head of security & technology risk management, Wayfair Check out all the photos from our recording. Thanks to this week's podcast sponsors, Check Point and Skybox Security. It's no secret that today's cyber attacks are targeted and sophisticated. Leaving even one point of entry vulnerable to a cyber attack endangers your entire organization. Check Point created the Secure Your Everything Resource Center to help you develop a comprehensive approach to prevent cyber attacks. At Skybox, we remove complexities from cybersecurity management. By integrating data, delivering new insights and unifying processes, we help you control security without restricting business agility. Our comprehensive solution unites security perspectives into the big picture, minimizes risk and empowers security programs to move to the next level. On this week's episode Pay attention, it’s security awareness training time Jinan Budge of Forester finished a report on security awareness training programs. She found a trend that supported both the need for compliance and the need to actually train employees to be more security aware. We discuss what actually works to get people to be more aware of cybersecurity. What do you think of this vendor marketing tactic? At RSA, I talked to a vendor who told me about their new solution. It was so unique that Gartner was creating a new category for their product with yet another acronym. UGGH, another category for which you have to educate the market? And now you have to convince buyers to create a new line item for this category? And now what is that going to do to your marketing budget? It didn't take much convincing for me to point out that their product was just third-party risk management. Admittedly, cybersecurity professionals love the new and shiny, but where do we draw the line about learning something new in cybersecurity and adding confusion to the marketplace? It's time to play, "What's Worse?!" Two rounds, lots of debate. Where does a CISO begin? When we hear about digital transformation, it is being done for purposes of speed, accuracy, and business competitiveness. Scott McCool, former CIO at Polycom was on our show Defense in Depth, disputed the common notion that security serves the business. Instead, he believes that security IS the business. And if you deem that to be true, then security can no longer can take a consultative role. It must take the role of brand and value building. This is more than just a discussion of "shifting left." What are actions that security must take to make it clear that they are part of making the business fast, innovative, and competitive? Um... maybe you shouldn't have done that We tell talks of the worst proof of concept (POC) efforts. Audience question speed round We close out the show with a series of quick answers to audience questions.
3/17/202043 minutes, 25 seconds
Episode Artwork

Buy Our Product. We Have No Idea What We're Selling.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/buy-our-product-we-have-no-idea-what-were-selling/) What do you think of our confusing non-descriptive ad copy? We think it’s brilliant. We’re patting ourselves on the back on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in front of a live audience in NYC at the coworking space, Rise NYC. It's hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and JJ Agha, vp, head of information security at WeWork. Our guest is Mike Wilkes (@eclectiqus), CISO, ASCAP. David Spark, producer, CISO Series, JJ Agha, vp, head of information security, WeWork, and Mike Wilkes, CISO, ASCAP Thanks to this week's podcast sponsor, Check Point It's no secret that today's cyber attacks are targeted and sophisticated. Leaving even one point of entry vulnerable to a cyber attack endangers your entire organization. Check Point created the Secure Your Everything Resource Center to help you develop a comprehensive approach to prevent cyber attacks. On this week's episode There’s got to be a better way to handle this How well are you configuring your controls today and tomorrow? At RSA, I chatted with Adam Glick, CISO, Rocket Software. He said what he'd like is a tool to test the maturity of his deployed controls. How are his controls optimized over time? What does it looks like today vs. a year from now? How are we currently trying to solve that problem and what could be done to improve it? Hey, you're a CISO, what's your take on this? "Which cybersecurity certification should I get?" It's a question I see repeated often, especially on Quora and Peerlyst. Your best bet would probably be the one that most employers are looking for. And according to job board searches, conducted by Business News Daily, CISSP is the overwhelming favorite. Do our CISOs prefer certain certifications over others? Is it a requirement for hiring? And what does a security professional with certifications vs. experience tell us about that person? What’s Worse?! Split decisions on both and the audience plays along as well. Is this the best use of my money? "One of the common complaints I repeatedly hear is that cybersecurity vendors are not solving real problems. They're just looking to make money. I think that's a rather unfair blanket statement, but regardless, I hear it a lot. I think why I hear that so often is that we're all in the cybersecurity fight together and we need to help each other. Helping each other is often done by participating in the open source community. Why is it critical to contribute to the open source community? Um... What do they do? I read copy that appeared on various booths at RSA 2020. Most are confusing and non-descriptive and don’t appear to assume a pre-existing understanding of cybersecurity. The expo hall at RSA is filled with security professionals who are already security minded. I honestly don't know exactly the reaction they're looking to get or what type of information these vendors are trying to convey. Audience question speed round We close out the show with a series of quick answers to audience questions.
3/10/202044 minutes, 28 seconds
Episode Artwork

We're Market Leaders in Customer Confusion

All links and images for this episode can be found on CISO Series (https://cisoseries.com/were-market-leaders-in-customer-confusion/) We could offer a simpler explanation of our technology, but if we confuse you we can charge a lot more. This episode was recorded in front of a live audience at BsidesSF 2020 in San Francisco. It's hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Olivia Rose, former CISO, Mailchimp. Look at that screen! We were in a movie theater. Those small people in the lower right are David Spark, producer, CISO Series, Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, and Olivia Rose, former CISO, Mailchimp. Photo credit to @ash1warya. Thanks to this week's podcast sponsors, Vulcan Cyber and CyberArk. Vulcan is a vulnerability management platform built for remediation. By orchestrating the entire remediation process, Vulcan ensures that vulnerabilities aren’t just found, they’re fixed. Pioneering a remediation orchestration approach, the platform enables security, operational and business teams to effectively remediate cyber risks at scale. At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls. On this week's episode How to become a CISO What is some actionable "let's start today" advice. What could an individual do right now to develop the skills to be a cyber leader and make it clear to management, that's what they're gunning for? What we’ve got here is failure to communicate If all vendors stopped sending cold emails, which is what we constantly hear CISOs say they should do, how should they spend their time and money instead to greatly improve their success? If a CISO played the role of a vendor, which happens often, what should you do, to get to you? What's Worse?! We play TWO rounds. What do you think of this vendor marketing tactic? According to a recent study by Valimail, CISOs are very suspect of security vendors' claims. In general, the numbers are horrible for vendor credibility. Close to half of security professionals claim the following: Vendors' tech and explanation are confusing Practitioners have a hard time seeing and measuring value Practitioners don't know how a vendor's product will stay valid on their security roadmap.   What could cybersecurity vendors do to make their claims more believable? Close your eyes and visualize the perfect engagement Rafal Los, Armor Cloud Security asked, "If you could implement one thing in your organization that would receive universal adoption without push-back, what would it be?" The question, which seems reasonable, but in the security world often feels impossible, generated a ton of responses on both LinkedIn and Twitter. Many wanted company-wide adoption of one solution, such as MFA or vulnerability management. Others wanted widespread and ongoing security education. Our CISOs debate the one pushback-free solution that would yield the greatest results.
3/3/202041 minutes, 34 seconds
Episode Artwork

Last Chance to Vote for "Most Stressed-Out CISO"

All links and images for this episode can be found on CISO Series (https://cisoseries.com/last-chance-to-vote-for-most-stressed-out-ciso/) Think you or your CISO has what it take to shoulder all the tension, risk, and security issues of your organization? You may be a perfect candidate for "Most Stressed Out CISO". This episode was recorded in person at Zenefits' offices in San Francisco. It's hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Keith McCartney (@kmflgator), CISO, Zenefits. Keith McCartney, CISO, Zenefits and Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast Thanks to this week's podcast sponsor, CyberArk At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls. On this week's episode There’s got to be a better way to handle this CISO Stress. We've talked about it before on the show, and now Nominet just released a new study that claims stress levels are increasing. 8% of CISOs said work stress has had a detrimental impact on their mental health, almost twice as high as last year (27%). 31% of CISOs said that stress had affected their ability to do their job. Almost all surveyed CISOs (90%) said they’d take a pay cut if it improved their work-life balance. How could a CISO negotiate better work/life balance upfront and have either of our CISOs done it? Hey, you're a CISO. What's your take on this? Gary Hayslip shared this Peerlyst article by Ian Barwise of Morgan Computer Services about the incredible array of OSINT tools. What OSINT tools do our CISOs find most valuable and for what purposes. What's Worse?! A little too much agreement on this week's "What's Worse?!" Here's some surprising research Why are cloud security positions so much harder to fill? Robert Herjavec of the Herjavec Group posted a number of disturbing hiring statistics. Most notably was one from Cyber Seek that stated jobs requesting public cloud security skills remain open 79 days on average — longer than almost any other IT skills. Why isn't supply meeting demand? Why is it such a difficult security skill to find? And how easy and quickly can you train for it? EKANS is the backward spelling of SNAKE. It is also the name of new ransomware code that targets the industrial control systems in oil refineries and power grids. Not only does it extort a ransom, it also has the ability to destroy software components that do things like monitor the status of a pipeline, or similar critical functions in a power grid or utility. A recently documented attack on Bahrain’s national oil company reveals the architecture and deployment of EKANS not to be the work of a hostile nation-state, but of cybercriminals. The chilling message behind that, of course, is that penetrating and sabotaging critical components of a country’s infrastructure is no longer exclusive to sophisticated national intelligence agencies. Lower level criminal agencies may have motives that are far less predictable and trackable, and when combined with the complexities of an industrial control system, these may have cascading effects beyond the wildest dreams of the instigators themselves. More from our sponsor ExtraHop. What do you think of this pitch? We get a pitch with some suggestions on how best to improve the pitch. We want more pitches!  
2/25/202036 minutes, 26 seconds
Episode Artwork

Let's Blow Our Entire Marketing Budget at RSA

All links and images for this episode can be found on CISO Series (https://cisoseries.com/lets-blow-our-entire-marketing-budget-at-rsa/) Security professionals only think about security one week out of the year, right? So let's drop every single dollar we have budgeted for marketing on the last week of February. Whaddya say? This episode was recorded in person at Intel's offices in Santa Clara, California. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Tom Garrison (@tommgarrison), vp and gm of client security strategy at Intel (@IntelNews). David Spark, CISO Series, Tom Garrison, Intel, and Mike Johnson, CISO/Security Vendor Relationship Podcast. Thanks to this week's podcast sponsor, Intel. The globalization of technology has created an environment of complicated supply chains with limited transparency. Intel’s Compute Lifecycle Assurance (CLA) initiative solves this through a range and tools and solutions that deliver assurances of integrity throughout the entire lifetime of a platform --from build to retire. On this week's episode There’s got to be a better way to handle this Next week is RSA and by podcast law we're required to talk about it. We offer up tips on maximizing the following: education, engagement, and follow up. What’s the return on investment? On Peerlyst, John Mueller, a security architect with the US Navy, suggested ways to use incident response metrics to help determine whether your cybersecurity program is improving. But as Mueller points out, it's not easy as you could fool yourself into believing you're doing well if you don't valuable discovery tools. We discuss methods to measure improvements in security programs. What's Worse?! A really tough one that delivers a split decision. Please, enough. No, more. Our topic is trust and hardware manufactures. We discuss what we've heard enough about with trusting hardware manufacturers of tech products, and then we discuss what we'd like to hear a lot more. The fable of Walt Disney having been cryogenically frozen to be revived in an age where the science to do so existed is just that – a fable. But there is still something to be taken from that when it comes to documents archived on the cloud or consigned to data landfills. Just because encrypted data cannot be easily decrypted by hackers using today’s tools, that doesn’t mean tomorrow’s tools can’t do the job and revive the information stored inside. When threat actors take it upon themselves to steal data, through hacking, ransomware, or AI, they might, of course be searching for material that is immediately exploitable, such personal data, or data that has immediate value in being returned or unlocked as in the case of ransomware. But other players are in it for the long game, counting on the fact that the inexorable momentum of progress will lead to a decryption solution in time for stolen archived data to still be of use for future crimes, frauds and deep fakery. More from our sponsor ExtraHop. Close your eyes. Breathe in. It’s time for a little security philosophy. I got back from Tel Aviv where cybersecurity professionals find themselves innovating out of necessity. They're often short on resources. We discuss the kinds of exercises we've tried to help ourselves and our team to think creatively about cybersecurity. One suggestion is the interrogation technique of "Five Whys" to get at the root reason of why we make our choices.
2/18/202035 minutes, 20 seconds
Episode Artwork

Empowered! Working Together to Pile on the Cyber Guilt

All links and images for this episode can be found on CISO Series (https://cisoseries.com/empowered-working-together-to-pile-on-the-cyber-guilt/) We can all be more secure if we work together as a team to shame those who don't agree with how we approach security. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Chris Hatter, CISO, Nielsen. On this week's episode Mike's confused. Let's help him out. Mike inspired this brand new segment with his question to the LinkedIn community, asking what's the big deal with 5G security? The story I heard about 5G is just sheer volume over unsecured networks. But Mike said, we've been dealing with unsecured networks since 2G and 3G and we dealt with them using Transport Layer Security or TLS, and implementing other services such as multi-factor authentication or MFA. Mike called out to the community to clue him in as to why we should be more concerned with 5G. Does shaming improve security? Thanks to Mark Eggleston, CISO, Health Partners Plans for alerting me to Chris Castaldo, CISO of Dataminr, and his post about Rob Chahin's "Single Sign-On or SSO Wall of Shame". Chahin, who is the head of security at Eero, purports that SSO should be a standard feature in applications and websites that allow for secure sign on through third party identity services, such as Google and Okta. Single sign-on is a significant boon for security and management simplicity and Chahin argues that many companies force users to pay dearly to enable SSO. What's Worse?! A grand financial decision in this scenario. Is this the best solution? According to a recent article in the Wall Street Journal, there is an ever slight trend of CISOs moving away from reporting to the CIO, opting instead to report directly to the CEO. Why is this trend happening? What are the benefits and disadvantages?   With hacks and breaches becoming all too commonplace and even encrypted data still vulnerable to hackers who can read and copy it, focus is now being placed on Quantum Communication as a potential next option. This is a technique that encodes data into photons of light, each of which can carry multiple copies of ones and zeroes simultaneously, but which collapses into a single one-and-zero if tampered with. Basically, the scrambling of data to an unusable format. Although Quantum communication has been development for a few years, researchers in China have apparently already outfitted a fleet of drones that will soon be able to communicate upwards to its already launched Quantum satellites and downwards to ground stations while remaining stable in flight. This paves the way for the field of quantum teleportation, a glamorous term whose uses and actual development are no longer just the realm of science fiction. For data at least. More from our sponsor ExtraHop. Close your eyes. Breathe in. It’s time for a little security philosophy. Simon Goldsmith, adidas, said, "I’ve been having some success in replacing risk with uncertainty. By which I mean not having a threat, vulnerability or impact made tangible creates uncertainty which is next to impossible to factor into any modern decision making process. If I make it tangible, it becomes a risk and I can help you make a better decision. Puts value on turning uncertainty to risk and fights FUD."
2/11/202032 minutes, 15 seconds
Episode Artwork

You're Mistaken. I'm Not Annoying. It's Chutzpah.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/youre-mistaken-im-not-annoying-its-chutzpah/) We're pushing just to the edge of irritation on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in front of a live audience in Tel Aviv on the eve of the 2020 Cybertech conference. Special thanks to Glilot Capital for hosting this event. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and my special guest co-host, Bobby Ford, global CISO for Unilever. Our guest is John Meakin, veteran financial CISO, and currently CISO for Equiniti. David Spark, producer, CISO Series, Bobby Ford, CISO, Unilver, and John Meakin, CISO, Equiniti. Thanks to this week's podcast sponsors, Polyrize and Intsights. As newly adopted SaaS and IaaS services add an additional layer of risk for security teams, Polyrize provides a cloud-centric approach to simplifying the task of protecting user identities and their access across the public cloud by right-sizing their privileges and continuously protecting them through a unified authorization model. IntSights is revolutionizing cybersecurity operations with the industry’s only all-in-one external threat protection platform designed to neutralize cyberattacks outside the wire. Our unique cyber reconnaissance capabilities enable continuous monitoring of an enterprise’s external digital profile across the clear, deep, and dark web to identify emerging threats and orchestrate proactive response. To learn more, visit intsights.com. On this week's episode How do you go about discovering new security solutions? In an article on LinkedIn entitled, "Why do CISOs take a vendor meeting?" Dutch Schwartz, of AWS said that they take meetings per a recommendation of their staff, their peers, or they have an explicit problem that they've already researched, or they have known unknowns. Are those the reasons to take a meeting with a security vendor? We discuss what meetings CISOs take, and which ones are the most attractive. It's time for "Ask a CISO" Israel is known for a thriving startup community. But what I always see is cross pollination between Israel and Silicon Valley when it comes to startups. We discuss what Israeli startups can learn from Silicon Valley and vice versa. What's Worse?! We've got two rounds. One agreement and one split vote. It’s time to measure the risk Five years ago I wrote an article for CIO.com about the greatest myths of cloud security, The first myth was the cloud is inherently insecure. And the other 19 are ones I'm still hearing today. My conclusion for the whole article was if you can overcome these myths about cloud security, you can reduce risk. In this segment we dispel cloud security myths and explain how the cloud helps reduce risk possibly in ways many of us are not aware. Close your eyes. Breathe in. It’s time for a little security philosophy. On this podcast we talk a lot about CISOs needing to understand the business. In a thought-provoking post on Peerlyst, Eh-den Biber, a student of information security at Royal Holloway, University of London, noted that the job of cybsecurity is more than that. It's about understanding the flow of business and being present in the individuals' lives and their stories. We discuss the importance of being present in your users' lives. It's time for the audience question speed round The audience has questions and our CISOs have answers. We get through a lot really quickly.  
2/4/202041 minutes, 2 seconds
Episode Artwork

Revisiting a Whole Career of Cyber Screw Ups

All links and images for this episode can be found on CISO Series (https://cisoseries.com/revisiting-a-whole-career-of-cyber-screw-ups/) This episode was recorded in front of a live audience at Malwarebytes' offices in Santa Clara, California for the Silicon Valley ISSA chapter meeting. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Peter Liebert, former CISO, state of California. Peter is now an independent consultant and commander of cyber operations for California State Guard. (left to right) David Spark, producer, CISO Series, Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, and Peter Liebert, commander, cyber operations, California State Guard Thanks to this week's podcast sponsor, Malwarebytes. Malwarebytes secures endpoints, making workplaces resilient. Our adaptive cyber protection predicts and detects attacks with multi-layer detection across the kill chain. We enable active threat response with machine learning that is actionable and automated, allowing for full recovery when a compromise occurs. We empower enterprise endpoint orchestration across siloed IT and Security organizations, simplifying security management and making responses effective. Malwarebytes makes endpoints resilient so workplaces can protect and remediate, and employees can regain control of their digital lives. On this week's episode Why is everybody talking about this now? Chris Roberts of Attivo Networks posted about his video game addiction as he admitted one certain game ate up 475 hours of his life. He really struck a chord with the community as he got hundreds of comments of people admitting to the same but also recognizing that video games are great stress relievers and that the problem solving in games actually helps keep your mind sharp. There is the obvious need for a break, but is there a correlation between how gaming in any form can help someone with their job in cybersecurity? Hey, you're a CISO, what's your take on this?' Are we doing a good job defining the available jobs in cybersecurity? The brand that we see out there is the image of the hacker and the hoodie. In a post on Peerlyst, Nathan Chung lists off eleven other cybersecurity jobs that don't fall under that well known cybersecurity trope. Jobs such as data privacy lawyers, data scientists developing AI and machine learning algorithms, law enforcement, auditors who work on compliance, and even project managers. We discuss some of the concrete ways to explain the other lesser known opportunities in cybersecurity. What's Worse?! We play two rounds with the CISOs. Um… maybe you shouldn't have done that In an article on Peerlyst, cybersecurity writer Kim Crawley, asked her followers on Twitter, "What mistakes have you made over the course of your career that you would recommend newbies avoid?" There was some great advice in here. We discuss our favorite pieces of advice from the list and our CISO admit what is the mistake they've made in their cybersecurity career that they specifically recommend newbies avoid. We’ve got listeners, and they’ve got questions Chris Hill of Check Point Software, asked, "How can non-technical people working their way up in the security industry improve their knowledge and abilities from a CISO perspective." Chris is a newbie and he wants advice on being a “trusted advisor” and he's trying to figure out the best/most efficient way to get there. It's time for the audience question speed round We go through a ton of questions the audience has for our CISOs
1/28/202045 minutes, 19 seconds
Episode Artwork

Debunking the Misused "Chased By Bear" Cybersecurity Metaphor

All links and images for this episode can be found on CISO Series (https://cisoseries.com/debunking-the-misused-chased-by-bear-cybersecurity-metaphor/) We don't want anyone to be caught by the bear on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in person in San Francisco. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Elliot Lewis (@ElliotDLewis), CEO, Encryptics. Thanks to this week's podcast sponsor, Encryptics. Now you can share data without ever losing control of it. Our advanced architecture makes data self-protecting, intelligent and self-aware – wherever it goes, no matter who has it. Our .SAFE patented multi-key technology enables data to evaluate its own safety conditions, including geo-sensing, recipient authentication, and policy changes from its owner. Contact Encryptics today and see for yourself. On this week's episode Is this the best solution? On LinkedIn, Rich Malewicz of Wizer opened up a discussion of security is really just about making the lives difficult for attackers, or more difficult than another target. Rui Santos summed Rich's theory succinctly, "you don't have to be Fort Knox, just make it not worth the effort of hacking your organization." Let's dive into the specifics of this. Provide some examples of how you architect a security program that makes it too difficult or too costly for an attacker. Obviously, this would change given the asset you're trying to protect. The great CISO challenge Brad Green, Palo Alto Networks, asks, "What are the most important functions of the SOC (security operations center), and what are the most important activities that support them? What's Worse?! As always, both options stink, but one is worse. Please, Enough. No, More. Today's topic is data security. What have you heard enough about with data security, and what would you like to hear a lot more? Mike? Communicating cyberthreats to the general public has always been a challenge for cybersecurity specialists, especially when it comes to eliciting cooperation in areas like cyberhygiene. Sometimes it helps to give people an awareness that the need for proactive security doesn’t exist only on screens, but everywhere. One fascinating example of this can be seen in the research of Dina Katabi of MIT, who has shown how WiFi signals can be monitored – not for their content, but as a form of radar that can see through walls, and which can accurately observe people physically moving around, or even detecting heartbeats and sleep patterns. Remote espionage opens up all kinds of opportunities for bad actors to build ergonomic profiles of anyone and then deploy AI and ML enabled analysis to influence and impersonate them. Showing people just how many different dimensions can be used in cybercrime may one day shift public perception of cybersecurity into the center spotlight where it belongs. More from our sponsor ExtraHop. There’s got to be a better way to handle this For years security professionals have talked about trying to secure the exponentially expanding surface area. One way to simplify, that we've all heard before, is driving security to the data level. Could we let networks run wild, within reason, and just have a data-security first approach? How is that different from zero trust, if at all? To what extent does this work/not work? We've all been having conversations about encryption for decades. It's not a new story. But it's still not universally used. There are billions of user accounts available in open text. After decades, why has the encryption story still not been getting through? What's holding back universal usage?
1/21/202036 minutes, 33 seconds
Episode Artwork

We Put the FUN in InFunSec

All links and images for this episode can be found on CISO Series (https://cisoseries.com/we-put-the-fun-in-infunsec/) We're cranking up the entertainment value on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in person in San Francisco. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Adrian Ludwig, CISO, Atlassian. Thanks to this week's podcast sponsor, Encryptics. Now you can share data without ever losing control of it. Our advanced architecture makes data self-protecting, intelligent and self-aware – wherever it goes, no matter who has it. Our .SAFE patented multi-key technology enables data to evaluate its own safety conditions, including geo-sensing, recipient authentication, and policy changes from its owner. Contact Encryptics today and see for yourself. On this week's episode Close your eyes and visualize the perfect engagement What should a CISO's relationship with the board be and how much should a CISO be involved in business decisions? According to a Kaspersky survey, 58% of CISOs say they're adequately involved in business decision making. 34% say they're summoned by the board for data/security related manners. 74% of CISOs are not part of the board and of that group, Of that group, 25% think they should be. What are the pros and cons of a CISO being heavily involved in the business? The great CISO challenge On Dark Reading, Joan Goodchild asked CISOs what were their New Year's resolution. Most said obvious stuff about visibility, being a business enabler, work on human element, and privacy. But I was most intrigued by Jason Haward Grau, CISO of PAS Global, who said he wanted to make security a little more fun. Keeping it fun and interesting is my obsession with this show. If you want to attract, and more importantly retain, security talent, a little bit of fun is critical. So what is currently fun about cybersecurity and what can CISOs do to make it more fun? What's Worse?! First time Mike Johnson admits to being wrong! Looking down the security roadmap On LinkedIn, Mike recommended that security professionals line up tools with their comparable threat models, and then compare that list with their company's actual threat models. Mike admittedly offered the advice but never actually had done itself until he wrote the post and then he started. We delve into what actually happened and how one could actually do it. The Cyber Defense Matrix is a handy, yet easy to use grid plan that helps IT and cybersecurity professionals formulate a plan of proactive defense and effective response. Devised by security specialist Sounil Yu and discussed in detail on the October 17, 2019 episode of Defense in Depth, the matrix continues to gain ground as a vital tool for not only understanding the required spread of technologies, people and process, but also in performing gap analysis and crisis planning. The matrix creates a logical construct across two axes, creating a five by five fill-in grid. Although some experts debate whether it is sufficiently broad in scope, cybersecurity organizations such as OWASP tend to agree that its role in organizing a jumble of concepts products and terminologies into a coherent inventory helps cybersecurity specialists measure their security coverage, discover gaps in their IT strategy, and create a better project plan. More from our sponsor ExtraHop. And now, a listener drops some serious knowledge "Sandor Slijderink (SLY-DUR-INK), CISO at undisclosed company, offered a quick tip on a new phishing scam. Type in some text that looks like a foreign language, then create a hyperlink that reads: ""See translation"" We discuss some attack vectors that we think others may not be fully aware of but need to pay attention.
1/14/202031 minutes, 59 seconds
Episode Artwork

We Lower the Security and Pass the Savings on to You

All links and images for this episode can be found on CISO Series (https://cisoseries.com/we-lower-the-security-and-pass-the-savings-on-to-you/) We're racing to the bottom in terms of price and security on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in person in San Francisco. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Seth Rosenblatt (@sethr), editor-in-chief, The Parallax. Thanks to this week's podcast sponsor, Encryptics. Now you can share data without ever losing control of it. Our advanced architecture makes data self-protecting, intelligent and self-aware – wherever it goes, no matter who has it. Our .SAFE patented multi-key technology enables data to evaluate its own safety conditions, including geo-sensing, recipient authentication, and policy changes from its owner. Contact Encryptics today and see for yourself. On this week's episode Are we making the situation better or worse? Are big Internet giants' privacy violations thwarting startup innovation? That's been presidential candidate Elizabeth Warren's argument, and it's why she wants to break up companies like Facebook and Google for what she sees as anti-competitive practices. According to Seth Roseblatt's article, it appears all of a sudden Facebook and Google are very concerned about privacy. Nine years ago, I remember seeing Eric Schmidt, then CEO of Google, proudly admit that they tracked people's movements so thoroughly that they can accurately predict where you're going to go next. Nobody blinked about the privacy implications. But today, users are upset but they don't seem to be leaving these services at all. Is it all talk on both sides? Have you seen any movement to improve privacy by these companies and would regulation be the only answer? And heck, what would be regulated? Here's some surprising research Over the past 15 years, home WiFi routers have been manufactured to be less secure. Seth reported on this study by the Cyber Independent Testing Lab, which we also discussed on an episode of Defense in Depth. The most notorious weakening is the use of default passwords, but there's a host of other firmware features that don't get updated. Is there any rationale to why this happens? And has this study done anything to turn things around? Is this a cybersecurity disinformation campaign? Fighting "fake news" like it's malware. In Seth's story, he noted there are structural and distribution similarities. I envision there are some similarities between fake news and adware which isn't necessarily designed for negative intent. Fake news appears to be an abuse of our constitutional acceptance of free speech. How are security tactics being used to thwart fake news and how successful is it? When you set up your new home assistant, try not to position it close to a window, because someone across the street might be preparing to send voice commands, such as “open the garage door” by way of a laser beam. Researchers from the University of Michigan and The University of Electro-Communications in Tokyo have successfully used laser light to inject malicious commands into smart speakers, tablets, and phones across large distances and through glass windows. They use standard wake commands modulated from audio signals and pair them with brute forcing of PINS where necessary. They have also been successful in eavesdropping, and in unlocking and starting cars. Their research shows how easy it is and will be to use lasers to not only penetrate connected devices but to deploy acoustic injection attacks that overwhelm motion detectors and other sensors. More information including access to the white paper is available at lightcommands.com. More from our sponsor ExtraHop. Look at this, another company got breached Tip of the hat to Malcolm Harkins at Cymatic for posting this story on Forbes by Tony Bradley of Alert Logic who offers a rather pessimistic view of the cybersecurity industry. It's broken, argues Bradley. We spend fortunes on tools and yet still get hacked year over year using the same tools. The article quotes Matt Moynahan, CEO, Forcepoint, who said we wrongly think of security as an "us" vs. "them" theory or "keeping people out" when in actuality most hacks are because someone got access to legitimate user credentials, or a user within our organization did something unintentional or potentially malicious. Are we wrongheaded about how we envision cybersecurity, and if so, is there a new overarching philosophy we should be embracing?
1/7/202036 minutes, 42 seconds
Episode Artwork

Ah, Here's The Problem. You've Got a Leaky CEO.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/ah-heres-the-problem-youve-got-a-leaky-ceo/) We're waking up the C-suite to the realization that they're the prime target for cyberattacks. This episode was recorded in front of a live audience at Evanta's CISO Executive Summit in Los Angeles. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers. CISO/Security Vendor Relationship Podcast live at Evanta CISO Executive Summit in Los Angeles 12/11/19 PLUS, joining us live was Jewels Nation, the voice of the CISO Series. You hear her voice on all the bumpers on our podcasts. Jewels Nation, the voice of the CISO Series podcasts, and David Spark, producer of CISO Series Thanks to this week's podcast sponsor Evanta. Evanta, a Gartner Company, creates exclusive communities of C-level executives from the world’s leading organizations. These invaluable networks are built by and for C-level executives to share innovative ideas, validate strategies and solve critical leadership challenges through peer-to-peer collaboration. Evanta’s trusted communities serve CISOs and their C-suite peers around the world. On this week's episode Where does a CISO begin? Gary recently brought up an excellent discussion pointing out that executives are the backdoor into your organization. Do they understand that they're critical cogs? Do they and are they willing to take on responsibility? What is the patching process? Walk a mile in this CISO's shoes Gary, talked a lot about the importance of work/life balance with cyber professionals. Robert Carey of RSA Security said your actions do most of the talking, "As a CISO, you're a model of work life balance. If you stay 14 hours a day, that's what is expected of employees. If you leave at 5pm they'll realize that's ok for them to do." How do our CISOs handle presenting to their staff what is and isn't OK, when they're in the office or when their employees are remote? What's Worse?! You've got a new hire. Which one do you choose? Is this the best solution? Does the email pitch still serve a function? On a recent CISO Series video chat, we talked about how CISOs get 50-80% of their information about products from other CISOs and that yeah maybe sometimes they read an email pitch. Is there still room for the email pitch or should it just die? And if it should die, what should it be replaced with? Security Squares: Where CISOs Put Vendors in Their Place A brand new game that asks CISOs how well do they know the vendor landscape? This one was a nail biter. It’s time for the audience question speed round Our audience has questions, and our CISOs will have answers.
12/17/201942 minutes, 30 seconds
Episode Artwork

Trust Me, We're Using "Advanced" AI

All links and images for this episode can be found on CISO Series (https://cisoseries.com/trust-me-were-using-advanced-ai/) We're looking for a good reason to trust your AI on the latest CISO/Security Vendor Relationship Podcast. This episode was recorded in front of a live audience at Evanta's CISO Executive Summit in San Francisco. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week, is Jimmy Sanders (@jfireluv), head of information security, Netflix DVD. Mike Johnson, Jimmy Sanders, head of information security, Netflix DVD, and David Spark Thanks to this week's podcast sponsors: Trend Micro, SentinelOne, and FireMon.  FireMon provides persistent network security for hybrid environments through a powerful fusion of real-time asset visibility, continuous compliance and automation. Since creating the first-ever network security policy management solution, FireMon has delivered command and control over complex network security infrastructures for more than 1,700 customers. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. Are you looking to leave legacy antivirus? Proactively protect every device in realtime with AI. Deploy SentinelOne for EPP, EDR, IoT, and container security today. Autonomous technology is the future. We deliver it now across your endpoints, servers, cloud workloads, and IoT devices. What we’ve got here is failure to communicate Is the privacy message getting out to the right people? I argue we need to go to the source and we're not. I was at Dreamforce, the Salesforce conference, and I got the sense I was the only person of the 100K people there that didn't want to be scanned. This crowd is obsessed with the collection of personal data given this conference is mostly about how do I create greater understanding from personal data. Are we as security people in a bubble in this privacy conversation? We need to go to the source of the people who are actually collecting the data and I'm getting the sense we're not getting through. Are we making the situation better or worse? We've talked a lot about AI on this show, and many vendors are selling intelligent solutions, but the factor that seems to hang up usage is trust. Cyber professionals don't think twice about trusting their AI-powered spam filter, but so many other tools are met with skepticism. What's missing from the vendor side and what trust barriers are practitioners putting up? What should the barometers be for trusting AI? What's Worse?! Two bad types of people wanting to do you harm. Which one is worse? Is this the best solution? Should you hire staff from companies that have fallen victim to cybercrime? According to a study by Symantec and Goldsmiths, University of London, as reported by ZDNet, more than half of respondents said they don't discuss breaches or attacks with peers. And more than a third said they fear that sharing breach information on their organization would negatively impact their future career prospects. I would think that asking a prospect, "Have you lived through a breach and how did you handle it?" would be very revealing. Mike? Security Squares: Where CISOs Put Vendors in Their Place A brand new game that asks CISOs how well do they know the vendor landscape? It’s time for the audience question speed round Our audience has questions, and our CISOs will have answers.  
12/10/201944 minutes, 43 seconds
Episode Artwork

Isn't That Adorable? Our Little CISO Has An Opinion.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/isnt-that-adorable-our-little-ciso-has-an-opinion/) We're spoon-feeding "respect" to the CISO on this week's CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week, thanks to Trend Micro, is Jim Shilts, founder, North American DevOps Group. Thanks to this week's podcast sponsor Trend Micro. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. On this week's episode Why is everyone talking about this now? Gary Hayslip, CISO, Softbank Investment Advisers and regular guest, posted an article about a growing trend of CISO frustration and why they don't last at an organization. This article addresses many issues around burnout, but I want to focus on this one stat from an ISC(2) study which states, "Sixty three percent of respondents said they wanted to work at an organization where their opinions on the existing security posture were taken seriously." Hard to keep any security staff in place if they're not respected. We talk a lot about being able to talk to the board, but the communications has to be two way. How clear are executives in understanding that respect and listening to their cyberstaff is in their best interest? What annoys a security professional Deidre Diamond of CyberSN, asks this very pointed question, "We are short 500k cyber professionals in the US and 89% of our current cyber professionals are open to new opportunities; why are jobs taking on average 4-9 months to fill?" That last stat is CyberSN's data estimates. She's arguing there is plenty of supply. Why is this taking so darn long? Nobody's happy. What's Worse?! We've got a question tailored for our DevOps guest this week. Please, enough. No, more. DevOps and security. This is a topic that has grown over time, evolved in branding, and Mike has spoken out about how much he don't like the term DevSecOps. As we regularly do in this segment, what have you heard enough of on the DevOps and security debate and what would you like to hear a lot more? Two factor authentication is a smart step towards more secure password management but what happens the moment after you have convinced the employees of your company to adopt 2FA, when you then say, “Oh yes, don’t forget your SIM PIN.” 2FA might stop hackers from using easily searchable information like someone’s mother’s maiden name, but these bad actors have already discovered the weak link in this particular chain. They call the phone provider, pretend to be that specific victim and ask to swap the victim’s SIM account information to a new SIM card – one that is in their possession. That way, everything the victim did with their phone – texting, banking, and receiving 2FA passcodes – all goes to this new phone. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Hey, you're a CISO, what's your take on this? Nigel Hedges, CISO, CPA Australia, asked, "Should security operations exist in infrastructure/operations teams?" Nigel asked this questions to colleagues and got mixed results. One CISO said it was doomed to fail, others said its up to leadership and a CISO doesn't need to own secops. "Other people were adamant that the focus required to manage secops, and streamlined incident response cant work within infra because the primary objectives of infra are towards service availability and infra projects," said Nigel who went on to ask, "Is this important prior to considering using a security vendor to provided managed security operations? Is it important to 'get the house in order' prior to using managed secops vendors? And is it easier to get the house in order when secops is not in infra?"
12/3/201933 minutes, 42 seconds
Episode Artwork

Rest Assured, We're Confident Our Security Sucks

All links and images for this episode can be found on CISO Series (https://cisoseries.com/rest-assured-were-confident-our-security-sucks/) We may not have the protection you want, but what we lack in adequate security we make up in confidence. Sleep better at night after you listen to this week's episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Billy Spears (@billyjspears), CISO, loanDepot. Thanks to this week's podcast sponsor, CyberInt. The high ROI is what makes spear phishing campaigns so attractive to threat actors. Read our breakdown of TA505’s latest series of attacks. CyberInt has been tracking various activities surrounding this and other similar attacks where legit means were used to hack international companies in the retail & financial industries. On this week’s episode Why is everybody talking about this now? Tip of the hat to Eduardo Ortiz for forwarding this discussion Stuart Mitchell of Stott and May initiated on LinkedIn asking if there should be a "golden bullet" clause in a CISO's contract. He was referring to the CISO of Capital One who had to step down and take on a consulting role after the breach. What are arguments for and against? Ask a CISO Nir Rothenberg, CISO, Rapyd asks, "If you were given control of company IT, what would be the first things you would do?" What's Worse?! Should a CISO be closing sales or securing the company? Hey, you're a CISO, what's your take on this? According to Nominet's Cyber Confidence Report, 71 percent of CISOs say their organization uses the company's security posture as a selling point, even though only 17% of CISOs are confident about their security posture. There are probably many factors that contribute to this disparity. Is it a gap that will ever close, or is this just the nature of security people vs. sales? Bluetooth is a convenient and easy method of sharing data between devices, which, of course, qualifies it as a prime target for exploitation. A trio of researchers has discovered a vulnerability that has the potential of attacking billions of Bluetooth-enabled devices, including phones, laptops, IoT and IIoT technologies. In short, this Key Negotiation of Bluetooth vulnerability, which has been given the acronym KNOB, exploits the pairing encryption protocol within the Bluetooth Classic wireless technology standard, which supports encryption keys with entropy between 1 and 16 bytes/octets. It inserts between the pairing devices forcing both to agree to encryption with 1 byte or 8 bits of entropy, after which it simply brute-forces the encryption keys. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. What do you think of this pitch? How targeted should your pitch have to be?  
11/26/201937 minutes, 19 seconds
Episode Artwork

What Security Advice Will Your Family Ignore?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/what-security-advice-will-your-family-ignore/) This Thanksgiving we wish you lots of luck convincing your family members to use a password manager. Would getting them to switch political allegiances be easier? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Jeff Hudesman, head of information security, DailyPay. Thanks to this week's podcast sponsor Tenable. Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization. On this week’s episode Why is everybody talking about this now? Rich Malewicz, CIO, Livingston County, started a thread of common threats and scams we should warn family and friends about over the holidays. Lots of great advice. We discuss our favorites, whether we turn into family tech support, and if you had one cyber holiday wish for every family member, what would it be? Hey, you're a CISO, what's your take on this? When is the right time and WRONG time to start red teaming? (the process of letting ethical hackers loose on your business to test your defenses, your blue team.) What exactly is it you're testing? Are you testing your network's resiliency or your business' resiliency? "What's Worse?!" Three options in this "What's Worse?!" scenario. The great CISO challenge We have repeatedly touted on the podcast the benefits of multi-factor authentication or MFA. Our guest implemented an MFA solution at his company. We talk about the challenges, criteria, and roll out like? And did they see any visible evidence of security improvements? Casey from accounting is getting frustrated, waiting for client files being held up by the firewall. Jordan is trying to join a video conference that needs a plugin, but the firewall won’t let it through. So they call the IT manager who then disables it. This happens a lot. Maybe not in large companies, but small law firms, medical clinics, or small businesses that might use an old-school administrator who will either turn off the firewall or opt out of using one altogether, believing in the power of a cheap antivirus product to keep things safe. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. What do you think of this pitch? There is lots of disagreement over whether this pitch is any good.
11/19/201933 minutes, 35 seconds
Episode Artwork

Do's And Don'ts of Trashing Your Competition

All links and images for this episode can be found on CISO Series (https://cisoseries.com/dos-and-donts-of-trashing-your-competition/) We want to malign our competitors, but just don't know how mean we should be. Miss Manners steps in on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and special guest co-host, Mark Eggleston (@meggleston), CISO, Health Partners Plans, and our guest is Anahi Santiago (@AnahiSantiago), CISO, ChristianaCare Health System. We recorded in front of a live audience at Evanta's CISO Executive Summit in Philadelphia on November 5th, 2019. Recording CISO/Security Vendor Relationship Podcast in front of a live audience at Evanta's CISO Executive Summit in Philadelphia (11-05-19) Thanks to this week's podcast sponsors Trend Micro, Thinkst, and Secure Controls Framework. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. The Secure Controls Framework (SCF) is a meta-framework – a framework of frameworks. This free solution is available for companies to use to design, implement and manage their cybersecurity and privacy controls in an efficient and sustainable manner. Our approach provides a comprehensive solution to manage complex compliance needs. Most companies find out way too late that they’ve been breached. Thinkst Canary changes this. Find out why the Thinkst Canary is one of the most loved products in the business and why the smartest security teams in the world run Canary. Visit https://canary.tools. On this week’s episode Why is everyone talking about this now? Greg van der Gaast, former guest who runs security at The University of Salford, initiated a popular LinkedIn discussion on the topic of human error. According to his colleague Matthew Trump of the University of Sussex, in critical industries, such as aerospace, oil & gas, and medical, “human error” is not an acceptable answer. You simply have to prevent the incident. If not, a mistake can be both a regulatory violation and lethal. But people are a part of the security equation. It’s unavoidable. We know zero erros is impossible, but can you accept “human error” as a fail point? Hey, you’re a CISO, what’s your take on this? Listener David said, “One thing I have experienced at my last two jobs is integrating with a ‘global’ security team whose security program is effectively and functionally inferior to our own. In these occasions, the global security team wanted us to remove current safeguards, processes/procedures and tooling that reduced the preparedness and effectiveness of our security program and introduced risk(s) that we have not been exposed to in years. All of these changes were always touted as a ‘one team’ initiative but never once was due diligence on security posture taken into account. “What is the best way to go about a consolidation like this? Do you not mess with a good thing and ask the ‘better’ security program to report up incidents, conform to compliance check boxes etc. or as a CISO do you sign off on a risk acceptance knowing that the operating company is now in a worse state of security.” “What’s Worse?!” We’ve got two rounds of really bad scenarios. What annoys a security professional Geoff Belknap, former guest and CISO of LinkedIn, appreciates a vendor’s desire to “bring like minds” together around food or drink, but the invite is not welcome on a weekend. Belknap feels that the weekend intrudes into a CISO’s personal/family space. There was a lot of debate and disagreements on this, but there were some solutions. One mentioned a vendor invite that included round trip Lyft rides and childcare. Oh, they did something stupid on social media again Jason Hoenich, CEO of Habitu8 posted on LinkedIn that he didn’t appreciate Fortinet writing about security training for CSO Online, something for which Jason’s business does and for which he believes Fortinet does not have any expertise. It appears this was a sponsored article, but Jason didn’t point to the article nor did he isolate specifically what he felt was wrong with Fortinet’s advice. Here at the CISO Series, we like Jason and Habitu8. They’ve been strong contributors to the community. But complaining and not pointing to any concrete evidence is not the best way to convince an audience. Earlier this year we saw something similar with the CEO of Crowdstrike going after the CEO of Cybereason claiming an underhanded sales tactic that was not specified nor anyone at Cybereason knew what he was talking about. Is it OK to go after your competition in a public forum? If so, what’s the most professional and respectful way to handle it? It’s time for the audience question speed round Our Philadelphia audience has questions and our CISOs had some answers. We rattle off a quick series of questions and answers to close the show.
11/12/201942 minutes, 55 seconds
Episode Artwork

Get Out! The FUD Is Coming from the Inside

All links and images for this post can be found on CISO Series (https://cisoseries.com/get-out-the-fud-is-coming-from-the-inside/) On this week's CISO/Security Vendor Relationship Podcast, we're pointing fingers at practitioners, not vendors, for promoting the FUD (fear, uncertainty, and doubt) scare-a-thon. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Eddie Contreras (@CISOEdwardC), CISO, Frost Bank. Thanks to this week's podcast sponsor Trend Micro. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. On this week's episode Why is everyone talking about this now? On LinkedIn, Ron C. of CoreSolutions Software said, "Cybersecurity is no longer just a technical problem. It’s now more of a people problem! So why aren’t businesses prioritizing security awareness training for their staff?" There was a massive response and mixed agreement. Regardless, are we falling short on security awareness training? Is it not effective? Is it too complicated to pull off? Is the cost not justified? More importantly, has security awareness training had any impact? Hey, you're a CISO, what's your take on this? accidentalciso on our reddit channel, r/cisoseries, asks, How does a security professional know if "CISO truly is the right career goal for them? I don’t think the reality of the role is consistent with what one might think early on in their career." What was it about the CISO role that makes a security professional want to pursue it and how does that previous perception of what a CISO did counter or align with what was really experienced? It's time to play, "What's Worse?!" Is there a worst type of attack? Ask a CISO James Dobra, Bromium, asks, "Are security organizations guilty of using FUD internally, e.g. with the board and with users, while complaining that vendors use it too much?" Does FUD happen internally? Do security teams do it to get the money they want and/or shame users into submission? On August 30, 2019, white hat hacker Tavis Ormandy discovered a vulnerability in a LastPass browser extension. This was a vulnerability, not a breach and was very quickly remedied without damage. But it still causes chills when the last bastion of password security reveals its Achilles heel. It’s like seeing your family doctor contract a terminal disease. But for CISOs, this might be a good thing. Password complacency and sloppy security hygiene are the scourge of security specialists everywhere. A SaaS-based password manager that uses hashes and salts to remove the existence of physical passwords in their own vaults, is still a highly proactive solution. More found on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. First 90 Days of a CISO Both Mike and our guest, Ed, are second time CISOs in their first 90 days at the role. We review what mistakes they made the first time as a CISO that they're actively avoiding this time. Are there any hurdles that are simply unavoidable and they're just going to have to face it like any new CISO would.  
11/5/201935 minutes, 15 seconds
Episode Artwork

Say It Loud! I Didn't Read the Privacy Policy and I'm Proud!

All links and images for this episode can be found on CISO Series (https://cisoseries.com/say-it-loud-i-didnt-read-the-privacy-policy-and-im-proud/) If we don't understand the purpose of a privacy policy, why should we bother reading it? We're claiming the cyber ignorance defense on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Roger Hale (@haleroger), CISO in residence, YL Ventures. Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, Roger Hale, CISO in residence, YL Ventures, David Spark, producer, CISO Series. Thanks to this week's podcast sponsor Zix. Zix simplifies administration and reporting with a single management interface. Configuring, deploying, and monitoring email security and unified archiving services has never been easier – or faster. ZixSuite combines a cloud-based email threat protection, email encryption, and unified business communications archiving, all backed by Zix’s gold standard 24/7/365 support. On this week's episode How CISOs are digesting the latest security news We're blowing it with general cybersecurity education. According to a study by the Pew Internet Research Center, most Americans don't understand or can't identify basic cybersecurity concepts such as two-factor authentication, private browsing, or the purpose of a privacy policy. We talk a lot about the important of education and it appears we're not doing a good job. What are some creative ways we can dramatically improve these numbers? Hey, you're a CISO, what's your take on this? Cai Thomas, Tessian, has an article on TechRadar on the dangers of sending corporate work via personal email accounts. He outlines the issues. As per the previous story, chances are very high people are completely unaware of the risk their placing the company in by forwarding corporate email to personal accounts. No amount of education is going to solve this problem. What are the systems that companies can and should setup to give people a better alternative than sending emails to personal accounts? What's Worse?! How damaging can not having a seat on the board be? Ask a CISO Nick Sorensen, Whistic, asks, "What do you see the most proactive vendors doing to prepare for vendor security reviews from their customers?" “Your bank account has been frozen.” That’s now an old chestnut in the scamming world, but it thrives through increasingly sophisticated spoofing activities that include a banks’ real phone number and real-looking pop-up websites for password refresh requests. Even IT experts can get caught by these things occasionally, as some have even confessed on this very podcast series. This level of relentless innovation is worth keeping front of mind when considering the amounts of data that Internet of Things devices are creating but that organizations have no plan or space for. IBM, Forrester, and others have suggested that maybe 1 percent of data generated from IoT connectivity is being used, mostly for immediate learning or predictive activities. More available on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. First 90 days of a CISO Today is Roger's first official day as a CISO in residence at YL Ventures. What the heck does that mean, and how does that differ from being an operational CISO?
10/29/201932 minutes, 57 seconds
Episode Artwork

I'll See Your Gated Whitepaper and Raise You One Fake Email Address

All links and images for this episode can be found on CISO Series (https://cisoseries.com/ill-see-your-gated-whitepaper-and-raise-you-one-fake-email-address/) We're all in with not wanting "follow up email marketing" on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Ian Amit (@iiamit), CSO, Cimpress. Thanks to this week's podcast sponsor Trend Micro. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. On this week's episode Why is everyone talking about this now? To gate or not to gate. Mike posted on LinkedIn about how much he appreciated vendors who don't gate their content behind a registration wall. The post blew up on LinkedIn. The overwhelming response got some vendors willing to change their tune. Hey, you're a CISO, what's your take on this? Kevin Kieda of RSA Security asks, "For an initial meeting what are the things you want the sales person to know about your business that many of them don't." Kevin says he gets frustrated that he gets the sense a prospect wants them to know what tools they're using even though he knows he often can't find out that information. What is the must know, nice to know, and boy I'm impressed you know that? Mike Johnson recommends BuiltWith.com for basic OSINT on a company site. What's Worse?! Whose mistakes are worse? Your own or the vendor's? The great CISO challenge Factor Analysis of Information Risk (FAIR) is a risk framework (often laid ontop of others) that simplifies the understanding of risk by identifying the blocks that contribute to risk and their relationship to each other and then quantifying that in terms of money. Ian, can you give me an example of how you actually do this? Since its inception back in 2010, Zero Trust Architecture has been gaining traction. Much of the interest stems from the nature of work and data today – people working from anywhere on any device, and data racing around networks and to and from the cloud means there is no single fortress where everything can exist safely. Operating on a belief that everything inside the perimeter is safe because it’s inside the perimeter is no match to today’s hacking, penetration and inside sabotage. The establishment of new perimeter protections, including microtunnels and MFA is best applied to new cloud deployments but must still somehow be factored into a legacy architecture without becoming more inconvenient and vulnerable than what it is trying to replace. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Why is this a bad pitch? What's the polite way to hande the way too generic vendor request. We offer two examples of non-specific pitches that are obviously just begging for a CISO's time. Is there a polite way to refute the request and let them know without talking down to them and letting them know that this isn't a tactic they should pursue?
10/22/201934 minutes, 20 seconds
Episode Artwork

Rated #1 in Irresponsible Security Journalism

All links and images for this episode can be found on CISO Series (https://cisoseries.com/rated-1-in-irresponsible-security-journalism/) No security alert is too small for us to completely misrepresent its severity. The sky is falling on the latest episode of CISO/Security Vendor Relationship Podcast. Thanks to this week's podcast sponsor, Zix. Zix simplifies administration and reporting with a single management interface. Configuring, deploying, and monitoring email security and unified archiving services has never been easier – or faster. ZixSuite combines a cloud-based email threat protection, email encryption, and unified business communications archiving, all backed by Zix’s gold standard 24/7/365 support. On this week's episode Why is everybody talking about this now? Two recent stories showed some fallibility in multi-factor authentication or MFA. We repeatedly recommended MFA on this show. But, the FBI announced some technical and social engineering techniques that are being used to break multi-factor authentication. In addition, Twitter admitted that email addresses and phone numbers used to set up MFA might have been sent to third party advertisers. The FBI says its news shouldn't change our trust in MFA. William Gregorian, CISO, Addepar, posted on LinkedIn that the press is claiming that MFA is broken and that's irresponsible journalism. Let's dig a little deeper Security professionals thrive on hearing about and learning about the latest threats. It feeds the latest security headlines and conferences. While it's often fascinating and keeps everyone interested, to what level are security concerns based on well-known years old threats vs. the latest threats? "What's Worse?!" Whose mistakes are worse? Yours or the vendors'? Please, enough. No, more. We've talked a lot about machine learning on this show and the definition of it is broad. What's ML's value in threat protection. We discuss what we've heard enough about with regard to machine learning being used for threat protection And what would we like to hear a lot more. When companies in retail or enterprise remind their online visitors to change their passwords, are they doing them a favor or causing them grief? Password managers exist, of course, as do newer forms of passwordless authentication, multifactor authentication and behavioral and biometric data. But ultimately, whose responsibility is this? Should a merchant website place the onus of personal security back on the customer? And if so, how would this protect the merchant’s own property? If this jeopardizes a sale or transaction, the cost of proactive security, at least for the short term appears too great. And it’s obvious, from the avalanche of data breaches of recent years that stored data of any sort becomes a permanent liability. More available on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Ask a CISO Gina Yacone, a consultant with Agio, asks, "If you’re performing a table top exercise. Who are the only three people you would want to have a seat at that table?"
10/15/201934 minutes, 2 seconds
Episode Artwork

Cybercrimes Solved in an Hour or Your Next One's Free

All links and images for this episode can be found on CISO Series (https://cisoseries.com/cybercrimes-solved-in-an-hour-or-your-next-ones-free/) In the real world, cybercrimes just don't get solved as fast as they do on CSI. So we're offering a guarantee. If we don't catch the cyber-perpetrator in an hour (including commercial breaks) we'll make sure you're attacked again. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Jason Hill (@chillisec), lead researcher at CyberInt Research Lab. Thanks to this week's podcast sponsor, Cyberint. The high ROI is what makes spear phishing campaigns so attractive to threat actors. Read our breakdown of TA505’s latest series of attacks. CyberInt has been tracking various activities surrounding this and other similar attacks where legit means were used to hack international companies in the retail & financial industries. On this week's episode What annoys a security professional Question on Quora asks, "What does everybody get wrong about working in the field of forensics?" There were a handful of answers from looking to TV and film dramas to that it's only a post mortem analysis. What are the biggest misconception of digital forensics? Why is everybody talking about this now? Tip of the hat to Stu Hirst of Just Eat who posted this Dilbert cartoon that got a flurry of response. Read for yourself, but in essence, it's a boss that thought technology would solve all his problems. Not realizing that people and process are also part of the equation. All too familiar. The "I've been hearing a lot about __________" phenomenon. What causes this behavior and how do you manage it? "What's Worse?!" How much flexibility to you require in your security team and the business? Please, Enough. No, More. How far can AI go? Where does the human element need to exist? What are the claims of the far reaching capabilities of AI? We discuss what we'd like to hear regarding the realistic capabilities and limitations of AI. Every year, the Fall season sees billions of dollars being spent on home-based IoT devices. The back-to-school sales are the starting point, Cyber Monday is the clubhouse turn and the year-end holiday season is the finish line. As usual, these devices – printers, DVRs, IP cameras, smart home assistants, are relatively inexpensive and provide plug and play convenience, to satisfy an impatient customer base. For the rest of the cloud tip, head to CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. We don't have much time. What's your decision? What are the best models for crowdsourcing security? There are entire businesses, such as bug bounty firms, that are dedicated to creating crowdsourced security environments. Our guest this week is passionate about investigative work. We asked him and Mike what elements they've found that inspire and simplify the community to participate in a crowdsourced security effort.
10/8/201931 minutes, 14 seconds
Episode Artwork

Mapping Unsolvable Problems to Unattainable Solutions

All links and images for this episode can be found on CISO Series (https://cisoseries.com/mapping-unsolvable-problems-to-unattainable-solutions/) We're busting out the Cyber Defense Matrix to see what our security program we'll never be able to achieve. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week Sounil Yu (@sounilyu), former chief security scientist for Bank of America and creator of the Cyber Defense Matrix. David Spark, producer, CISO Series, Sounil Yu, creator, Cyber Defense Matrix, Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast Thanks to this week's podcast sponsor, Zix. Zix simplifies administration and reporting with a single management interface. Configuring, deploying, and monitoring email security and unified archiving services has never been easier – or faster. ZixSuite combines a cloud-based email threat protection, email encryption, and unified business communications archiving, all backed by Zix’s gold standard 24/7/365 support. On this week's episode Why is everybody talking about this now? Mike asked the LinkedIn community, "What's bad security advice that needs to die?" We had an entire episode of Defense in Depth on this very topic called "Bad Best Practices." The post got nearly 300 responses, so it's obviously something many people are passionate about. Is there a general theme to bad security advice? The great CISO challenge Sounil Yu is the creator of a very simple problem-to-solution chart for security professionals called the Cyber Defense Matrix. This simple chart allows a cyber professional to see how their tools, processes, and people are mapped to all different levels of security protection. We discuss the purpose of the matrix and all the real world applications. "What's Worse?!" We have a real world "What's Worse?!" scenario and Mike and Sounil compete to see if they answered the way the real world scenario actually played out. Hey, you're a CISO, what's your take on this? Last week on Defense in Depth we talked about a discussion initiated by Christophe Foulon of ConQuest Federal on cyber resiliency. Some people argued that it should be a security professional's primary focus because its action is in line with the interests of the business. Should a cyber professional shift their focus to resiliency over security? Would that facilitate better alignment with the business? Exploitable weaknesses measured in decades. Not a comforting thought. But this is a reality that exists in at least two major IT ecosystems. The first is Microsoft and the second is firmware. Teams belonging to Google’s Project Zero have found exploitable security flaws affecting all versions of Windows going back to Windows XP – which presents a logistical nightmare for admins the world over. Sarah Zatko, Chief Scientist at the Cyber Independent Testing Lab spoke recently at Red Hat and DEF CON in Las Vegas about deficiencies in the security of firmware, including those from companies that manufacture the world’s best-known routers. More available at CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Ask a CISO Thanks to Chris Castaldo, CISO at Dataminr, for this post on new research from the firm Marsh and Microsoft. According to the study, half of the respondents didn't consider cyber risk when adopting new tech. A full 11 percent did no due diligence to actually evaluate the risk a new technology may introduce. Does it take that much effort to understand the basic risks of introducing a new technology? What are some first level research efforts that should be done with any new tech consideration or adoption?  
10/1/201935 minutes, 3 seconds
Episode Artwork

Wait… What? Good News in Cybersecurity?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/wait-what-good-news-in-cybersecurity/) On this episode of CISO/Security Vendor Relationship Podcast, cybercrime fails and we brag about it. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, Geoff Belknap, CISO, LinkedIn, and David Spark, producer, CISO Series. Thanks to this week's podcast sponsor Trend Micro. On this week's episode How CISOs are digesting the latest security news We simply don't hear enough good news cybersecurity stories that make those involved proud. What are the cybersecurity stories that aren't being told publicly that should be? First 90 Days of a CISO Michael Farnum, Set Solutions, said, "If you come into the job and aren’t willing to critically review existing projects AND put a stop to the ones that are questionable, then you are going to cause yourself problems later. It might seem like an unwise political move when new to the company, but you have to be willing to swing the axe (or at least push the pause button) on anything that doesn’t make sense." Not so easy, but where's the line where you can actually push and say, "We're changing course"? It's time to play, "What's Worse?!" We've got a split decision! Hey, you're a CISO, what's your take on this? On a previous episode of Defense in Depth, we talked about employee hacking or getting the staff on the same page as the CISO and the security program. I quoted instructor Sarah Mancinho who said, "I am a firm believer that CISOs/CIOs should have their own dedicated IT strategic communications person(s) that report to them, and not any other office. Most comms roles I've seen...had to report to HR/PR/General Comms....none of whom really knew anything about technology/technical comms/infosec....and had little to no interaction with the IT/security team." My co-host, Allan Alford, loved this idea, never had it, but would love to have it. What value could a dedicated PR person bring to the security team? The devious new Android malware called Cerberus steals credentials by using a downloaded fake Adobe Flash player. That is not really innovative in itself, but what’s interesting is the way it seeks to avoid detection by using the phone’s accelerometer to confirm that the infected target is a real device and not on the screen of a security analyst. According to ESET researcher Lukas Stefanko, quoted in Forbes, the app actually counts a number of physical footsteps taken by the phone’s owner, and deploys once the required number has been reached.  For more, check out the full tip on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Why is everybody talking about this now? What's behind the cybersecurity skills shortage? In an article on the Forbes Council, Mark Aiello, president of cybersecurity recruiting firm CyberSN, pointed out some ugly truths as to why it's so difficult to hire cybersecurity talent. He pointed to low pay, the desire to find unicorns, poor job descriptions, training and growth. Is the core issue that the cybersecurity industry just does a very poor job welcoming new entrants? Today, what does a cybersecurity professional need walking in the door? And what are CISOs willing to accept no knowledge of, yet willing to train?
9/24/201938 minutes, 28 seconds
Episode Artwork

Serious Hackers Wear TWO Black Hoodies

All images and links for this episode can be found on CISO Series (https://cisoseries.com/serious-hackers-wear-two-black-hoodies/) We're doubling down and embracing the absolute worst of hacker tropes. Put on your black hoodie and then a second one. Boot up your Matrix screensaver and listen to the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Bruce Potter (@gdead), CISO, Expel. Here are the links to the items Bruce mentioned on the show: Expel's third-party assessment framework NIST CSF (and soon to be PF) self assessment tool Oh Noes! The incident response role playing game Thanks to this week's podcast sponsor Expel Expel is flipping today’s managed security model on its head (Ouch!) for on-prem and cloud, taking a technology-driven approach that lets analysts focus on what humans do best: exercise judgment and manage relationships. The company offers 24x7 monitoring through its security operations center-as-a-service, using the security tools customers already have. On this week's episode We’ve got listeners, and they’ve got questions A listener, who wishes to remain anonymous asks, "I am a one person security organization, and I get frustrated reading industry news and even listening to the CISO Series (love the show). My frustration is that so very often articles, blogs and podcasts assume that you/your organization has a security TEAM... How do you thrive and not just survive as a security shop of one?" What can a one-person shop expect to do, and not do? Let's dig a little deeper Bruce is also the founder of the Shmoo Group and his wife is the organizer for the annual ShmooCon which is a hacker conference held in DC every year. I'm stunned that his 2200-person event sells out in less than 20 seconds. There is obviously huge demand to attend and speak at your event. This year's event he had 168 submitted talks and 41 were accepted. Bruce tells us what makes a great ShmooCon submission and what were the most memorable talks from ShmooCon. "What's Worse?!" Today's game probably speaks to the number one problem with every company's security program. Hey, you're a CISO, what's your take on this? An issue that comes up in security all the time is "how do you do more with less." Are there ways to advance your security program when you don't have more budget or more people to do so? Study after study shows a top priority for cloud users is having visibility into application and data traffic. But most are not getting it. Nine out of ten respondents believe that access to packet data is needed for effective monitoring. So even though the cloud providers maintain the fortress, the enterprise still needs to see what’s going on. They’re ultimately responsible, after all. Cloud needs its own approach to monitoring, more closely based on how cloud customers interact with their data. It needs its own tools and greater level of communication between them and their providers. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Why is everybody talking about this now? We have talked in the past about the tired and negative image of the hacker in the black hoodie. It's pretty much all you see in stock photos. And since that's all any media outlet uses, that image just keeps getting reinforced. Poking fun and I think truly trying to find a better hacker image meme, Casey Ellis, founder of Bugcrowd, challenged others on LinkedIn to find a better "hacker stock photo" than the one he posted of hands coming out of a screen and typing on your keyboard with a cat looking on. We debate the truly worst hacker images we've seen and we propose a possible new stock image of the hacker.
9/17/201938 minutes, 4 seconds
Episode Artwork

CISO Confessions: "It's Not You. It's Me."

Links and images for this episode can be found on CISO Series (https://cisoseries.com/ciso-confessions-its-not-you-its-me-/) Vendors are trying to understand why CISOs are ghosting them and sometimes, it really isn't their fault. CISOs accept the blame on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and joining me is special guest co-host Betsy Bevilacqua (@HEALTHeSECURITY), CISO, Butterfly Network. Our guest will be Matt Southworth (@bronx), CISO of Priceline. This episode was recorded live in WeWork's Times Square location on September 5th, 2019. Here are all the photos. Enormous thanks to WeWork for hosting this event. They're hiring! Contact JJ Agha, vp of information security at WeWork. Also, huge thanks to David Raviv and the NY Information Security Meetup group for partnering with us on this event. Thanks to this week's podcast sponsor Tehama, Tenable, and Devo. Tehama provides secure and compliant virtual desktops on the cloud, and all the IT infrastructure needed for enterprises to connect and grow global and remote teams. Tehama's built-in SOC 2 Type II controls reduce the risk of malware intrusion from endpoint devices, data breaches, and other vulnerabilities.  Learn more at tehama.io. Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization. SOC teams have been struggling with many of the same issues for years – lack of visibility, too much noise – all while the threat landscape grows more complex. Devo Security Operations is a next-gen cloud SIEM that enables you to gain complete visibility, reduce noise, and focus on the threats that matter most to the business. On this week's episode How are CISOs digesting the latest security news? An article on Bloomberg and an ensuing discussion on LinkedIn pointed out that costs after a breach go beyond fines and lost reputation. It also includes the cost to keep top cybersecurity talent. Salaries for a CISO post-breach can range from $2.5-$6.5 million, that includes stock. What could a security professional show and demonstrate in this time of crisis that they are the one to hire to garner such a salary? Hey, you're a CISO, what's your take on this? Michael Mortensen of Risk Based Security asks a question about when there's considerable dialogue with a prospect, and they go cold. Michael wants to know what causes this? He has theories on sales people being impatient or wrong set of expectations, but he's interested in the CISO's viewpoint. Assuming you have had conversations with a vendor, have you gone cold on their outreach? If so, what was the reason? It's time to play, "What's Worse?!" Two rounds lots of agreement, but plenty of struggle. Why is everybody talking about this now? Cryptography firm Crown Sterling has sued Black Hat for breaching its sponsorship agreement and also suing 10 individuals for orchestrating a disruption of the company's sponsored talk at the conference in which the CEO presented a finding on discovering prime numbers which are key to public-key encryption. The crowd didn't like it and they booed him. You can see a video of one individual yelling, "Get off the stage, you shouldn't be here." Crown Sterling argued that Black Hat was in violation of their sponsorship agreement because they didn't do enough to stop it. At Black Hat and related parties I saw many printed signs about codes of conduct. It doesn't appear anyone had a plan to enforce those rules. What has happened in the security community that some security professionals feel they have the right to shout down a speaker like this? If one of these 10 disruptors was your employee, how would you respond? What's a CISO to do? So much of a job of a CISO is to change behavior. How do CISOs change behavior to a more secure posture? Where should a CISO start? What's the low hanging fruit? It’s time for the audience question speed round Our audience has questions, and our CISOs tried to come up with as many answers as possible. Our closing question put my guest co-host in the hot seat.
9/10/201941 minutes, 26 seconds
Episode Artwork

Getting Over Our "Security ≠ Compliance" Obsession

Links and images for this episode can be found on CISO Series (https://cisoseries.com/getting-over-our-security-%e2%89%a0-compliance-obsession/) We repeat "Security ≠ Compliance" so often it's become our mantra. Does anyone pay attention to it anymore? We're unpacking our compulsion to keep saying it on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Chris Hymes (@secwrks), head of information security, enterprise IT, and data protection officer, Riot Games, makers of League of Legends. Thanks to this week's podcast sponsor Expel Expel is flipping today’s managed security model on its head (Ouch!) for on-prem and cloud, taking a technology-driven approach that lets analysts focus on what humans do best: exercise judgment and manage relationships. The company offers 24x7 monitoring through its security operations center-as-a-service, using the security tools customers already have. On this week's episode Why is everyone talking about this now? On LinkedIn, Omar Khawaja, CISO, Highmark Health, argued that every time a security person repeats the "Security does not equal compliance" trope, it translates to a belief that compliance is useless. This caused a flurry of discussion. Is compliance useless? If not, Omar asks what should "Security does not equal compliance" be replaced with? Essentially, how should compliance be viewed in an overall security program? Ask a CISO Scott Holt, sales engineer, cmd, asked our CISOs how they're balancing keeping their information and infrastructure private while at the same time working with vendors to fill security needs? "What's Worse?!" We've got a question based on the build vs. buy debate. Hey, You're a CISO, what's your take on this? Paul Makowski, Polyswarm, asks a question that's very relevant to their business. He said, "Enterprises often subscribe to multiple feeds [of threat intelligence]. They learn their strengths and weaknesses and develop weighting algorithms to divine highest quality intelligence in the context of what's being analyzed. How can the industry close the feedback loop with threat intelligence providers, providing them with an opportunity to improve coverage and efficacy (false positive / false negative rates)?" The Shared Responsibility Model for cloud is, as Amazon and others describe it, the difference between the “security OF the cloud” and “security IN the cloud,” with cloud service providers taking care of the OF, and clients taking care of the IN. “In the cloud” means the data, the access – especially guest access, and the usage. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Close your eyes. Breathe in. It’s time for a little security philosophy. Steven Trippier, Group CISO, Anglian Water Services, asked, "What are the right metrics to use to illustrate the success / performance of the security team?" We've asked this question before and one of the most popular answers was "mean time to identify and remediate." But here's the philosophical question that Steven asks, "How does this change in an environment where breaches/malware outbreaks are uncommon and stats such as mean time to identify and mean time to contain are not relevant?"
9/3/201931 minutes, 12 seconds
Episode Artwork

Open this Email for an Exclusive Look at Our Clickable Web Links

All images and links for this episode can be found on CISO Series (https://cisoseries.com/open-this-email-for-an-exclusive-look-at-our-clickable-web-links/) You'll be dazzled by the clickability of our web links on this week's episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week Aanchal Gupta (@nchlgpt), head of security for Calibra, Facebook. Aanchal Gupta, Head of Security for Calibra, Facebook, Mike Johnson, Co-Host, CISO/Security Vendor Relationship Podcast, David Spark, Producer, CISO Series Thanks to this week's podcast sponsor Expel. Expel is flipping today’s managed security model on its head (Ouch!) for on-prem and cloud, taking a technology-driven approach that lets analysts focus on what humans do best: exercise judgment and manage relationships. The company offers 24x7 monitoring through its security operations center-as-a-service, using the security tools customers already have. On this week's episode Hey, You're a CISO, what's your take on this? Last month, Brian Krebs reported a breach from the 6th-largest cloud solutions provider PCM Inc. which let intruders rifle through Office365 email/documents for a number of customers. In response, listener Alexander Rabke, Unbound Tech, asked, "Would CISOs continue to do business with ‘security’ companies that are breached?" What's your recommendation for sales people who are at such an organization? How should they manage news like this? Ask a CISO We know there are plenty of pros and cons of telecommuting. I'm eager to hear from both of you how security leaders value telecommuting. What are the challenges to a CISO of managing a virtual staff? What's Worse?! We've got two extreme scenarios you'd never see in the real world. Why is everybody talking about this now? Mike, on LinkedIn you ranted about the term DevSecOps that it was a distraction and that "It's really no different (at a high level) than building security into an Agile development process, or a Waterfall process." I agree but I would argue that when DevOps was introduced it was about getting two groups working in tandem. At the time it was a mistake to omit security. Last year at Black Hat I produced a video where I asked attendees, "Should security and DevOps be in couples counseling together?" Everyone universally said, "Yes", but I was taken aback that many of the security people responded, "that they should just listen to me." Which, if you've ever been in couples counseling knows that the technique doesn't work. I argue that the term DevSecOps was brought about to say, "Hey everybody, you have to include us as well." Mike recommends Kelly Shortridge and Nicole Forsgren presentation at Black Hat 2019, "The Inevitable Marriage of DevOps and Security". Companies continue to take advantage of the economies of scale offered by multi-tenant cloud services, but complacency is dangerous. Multi-tenant cloud is often described as being like a big apartment building, but the big difference is that the walls that separate tenants from each other are not solid, but software. Software is built by humans which closes the circle: unpredictable humans in an unpredictable world. I’m not just talking about hacking here. What about compliance? GDPR’s austere and perhaps old-world view that data on a German citizen must stay in Germany, is nonetheless the law, and carries substantial fines for transgression. This requires data centers to be run from multiple countries, but so long as they’re connected by a cable no data is ever truly isolated. Future regulations affecting health records or patents or blockchain transactions might find themselves in limbo when it comes to coming to rest in a certain section of a certain cloud. For the moment, companies are focusing mostly on the cost-efficiencies of shacking up with other tenants in the same building, but very soon, this too might not be enough. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. The great CISO challenge Lauren Zink of Amtrust posted an article from Infosec Institute asking, "What are you to do with repeat offenders in social engineering exercises?" The article offers some helpful suggestions. In the discussion, there was some pointing fingers at security training designed to purposefully trick employees. Have either of you had to deal with repeat offenders? What did you do? What's your advice for other security leaders... and HR?  
8/27/201937 minutes, 30 seconds
Episode Artwork

Like Fine Wine Our Vendor BS Meter Gets Better with Age

All links and images for this episode can be found on CISO Series (https://cisoseries.com/like-fine-wine-our-vendor-bs-meter-gets-better-with-age/)  The bouquet of this particular vendor BS is a mixture of FUD, unnecessary urgency, and a hint of pecan. Look to your left and grab the spittoon because we don't expect everyone to swallow what you're about to hear on this week's episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Olivia Rose, CISO for MailChimp. Thanks to this week's podcast sponsor Remediant Eighty one percent of cyberattacks utilize stolen administrative credentials. Yet, legacy enterprise password vaults solve only a fraction of the problem and are difficult to rollout. Remediant’s SecureONE takes a new approach to privileged access management: offering agent-less, vault-less, continuous detection and just-in-time-administration. Learn what Remediant can do in a half-day POC deployment. On this week's episode Why is everyone talking about this now? One of the reasons we hate hearing security buzzwords is because it doesn't help us understand what it is a vendor is trying to sell. When a vendor says we have a "zero trust" product, what does that mean? We delve into some of the tell-tale signs that a vendor or consultant is trying to BS you. According to Olivia Rose, if you're going to pitch a CISO, make sure you can answer the following simply and succinctly: What does our product/service do? What specific security problem does it solve? How will it affect the typical strategic/business drivers for a company? It's time for "Ask a CISO" Fernando Montenegro, analyst for 451 Research, asked, "How can the CISO be a change agent for the security team so it can better align with the business?" What's Worse?! For this week's game I picked a question very apropos for our guest's current situation. Um… maybe you shouldn't have done that Unconscious bias towards women in professional settings is not always overt nor intentional, but it happens. We discuss some examples of unconscious bias for both women and men. And we discuss how too much of it can really push women out of the security industry. A distributed denial of service attack is the scourge of IT security. According to Verisign, one-third of all downtime incidents are attributed to DDoS attacks, and thousands happen every day. Are they created by sophisticated black hatted evil doers from an underground lair? Of course not. Welcome to the world of cybercrime-as-a-service. You too can silence a competitor or cause havoc for pretty much anyone for as low as $23.99 a month. Just have your credit card or Bitcoin ready. For more, go to CISOSeries.com. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. First 90 days of a CISO Being just six weeks in, our guest, Olivia Rose is living the first 90 days of a CISO. We asked her and Mike what it's like those first few weeks. And to no one's surprise, it's beyond overwhelming.
8/20/201939 minutes, 7 seconds
Episode Artwork

If Capital One Listened to Our Podcast They Still Would Have Been Breached

All links and images for this episode can be found on CISO Series (https://cisoseries.com/if-capital-one-listened-to-our-podcast-they-still-would-have-been-breached/)  We guarantee listening to our show would have done absolutely nothing to prevent the Capital One breach. We've consulted our lawyers and we feel confident about making that claim. It's all coming up on this week's episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in the ExtraHop booth during Black Hat 2019. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Tom Stitt (@BlinkerBilly), sr. director, product marketing - security, ExtraHop. Thanks to this week's podcast sponsor ExtraHop Unlike security solutions that focus on signature- and rule-based detection, ExtraHop Reveal(x) helps you rise above the noise of alerts with complete east-west visibility and machine learning for real-time detection of known and unknown threats, plus guided investigations for rapid response. Find and address real threats faster with ExtraHop. On this week's episode Why is everyone talking about this now? I have noticed an either disturbing or coincidental trend. Every year, just before either RSA or Black Hat conferences, there is some massive breach. This year it was Capital One. In the past we've had Ashley Madison, Target, Marriott - all within a few months of the shows. I know I know I know that CISOs absolutely hate being sold on FUD (fear, uncertainty, and doubt), but all conferences are affected by industry relevant news. You simply can't avoid it. Capital One was brought up multiple times during the Black Hat conference. We discuss the do's and don'ts of bringing up the most recent breach at a huge trade show. We don't have much time. What's your decision? On LinkedIn, you asked "When your risk and threat models all agree that this feature/product/decision is of low concern but your gut tells you otherwise, what do you do?" It appears most people said go with your gut to which Richard Seiersen of Soluble pointed out that guts are models too. What happens when you're faced with such a scenario and what causes the tools and threat models to be so off your gut? "What's Worse?!" We've got a split decision and a really fun scenario. Please, Enough. No, More. Today's topic is "network behavior analysis." In the world of anomaly detection, what have Mike and Tom heard enough about and what would you like to hear a lot more? It’s been two weeks. Time to change your password again. How many times have we all bumped up against this wall – intended to help keep us secure, but extremely annoying when you have things do do? The battle for password security has been a long and arduous one, moving and evolving, sometimes ahead of, but more often lagging behind the activities of the hackers and bad guys, whose limitless resources seek out every possible weakness. Challenge questions and strings of letters, numbers and characters might soon be coming to the end of their functional life, as security companies start to roll out biometric and behavioral security protocols in their place. Paired with increased access to data and artificial intelligence, it will become easier for organizations to contemplate a switch from basic strings of words to something more esoteric – a retinal scan paired with an extensive ergonomic behavior database for every individual. These things are not new to the consumer marketplace of course. Apple iPhones are one of many devices that can be unlocked by a fingerprint, and credit card companies and web applications routinely call out unusual login behaviors. But the new secret sauce in all of this is the availability of huge amounts of data in real time, which can be used to analyze a much larger set of behavioral activity, not simply an unusually timed login. This can then be managed by an Identity-as-a-service (IDaaS) company that would take over the administration, upkeep and security of its clients using the as-a-service model. A retinal scan paired with a secure knowledge of which hand you carry your coffee in and where you bought it might very soon replace the old chestnut challenge of your mother’s maiden name. That one should stay safe with Mom. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. And now, a listener drops some serious knowledge On LinkedIn, Ian Murphy of LMNTRIX put together an incredibly funny presentation with great graphics entitled the BS Cybersecurity Awards which included such impressive glass statuettes like the "It'll Never Happen to Us" Award and the "Cash Burner" Award. In general, they were awards for all the bad repeated behavior we see from vendors and users in cybersecurity. What are the awards that are not given out that we'd actually like to see?
8/13/201932 minutes, 4 seconds
Episode Artwork

Improve Security By Hiring People Who Know Everything

All links and images for this episode can be found on CISO Series (https://cisoseries.com/improve-security-by-hiring-people-who-know-everything/) If you're having a hard time securing your infrastructure, then maybe you need to step up the requirements for expertise. Why not ask for everything? We're offering unreasonable advice on this week's episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in front of a live audience at ADAPT's CISO Edge conference in Sydney, Australia. This special episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Liam Connolly, CISO of Seek. Our guest is Matt Boon (@mattjboon), director of strategic research for ADAPT. Plus, we have a special sponsored guest appearance from John Karabin, vp, cybersecurity, Dimension Data. Thanks to this episode's sponsors Dimension Data/NTT and ADAPT By 1 October 2019, all 28 NTT companies, including Dimension Data, will be branded as NTT. Together we enable the connected future. Visit NTT at hello.global.ntt. ADAPT’s mission is to equip IT executives with the knowledge, relationships, inspiration and tools needed to gain competitive advantage. ADAPT’s membership platform provides business leaders with fact-based insights, actionable patterns of success and the collective experience of 3,000 peers to improve strategic IT, security, and business decisions. Visit ADAPT for more. On this week's episode Why is everyone talking about this now? Independent security consultant Simon Goldsmith sent this post from Stu Hirst, a security engineer at JUST EAT who posted a job listing that requested subject matter expertise on 12 different aspects of security. This highly demanding request resulted in well over 200 responses from the community. Is it laziness on the part of the company posting? Is it an attempt to just capture job seekers' search queries? Or is it simply an editorial mistake that they shouldn't have requested subject matter expertise but rather basic knowledge across 12 different aspects of security? Ask a CISO Mitch Renshaw, Fortinet, describes a problem that many vendors are having. He says: "Fortinet’s broad portfolio makes it hard to give a concise yet effective overview of our value. As a result I’m worried my emails are going long. Customers know us for our firewalls – and a full firewall refresh is hard to come by as a sales rep. So if I get more targeted in my demand generation techniques, I’m met with an 'I’m all set, I’ve got Palo/checkpoint/juniper/etc.'" Mitch has got a conundrum. He's looking for the happy medium on how to sell a company with a wide variety of products, some of which are highly commoditized in the industry. How should he reach out to security professionals? "What's Worse?!" We play two rounds and the audience gets to play along as well. Hey, you're a CISO, what's your take on this?' My American co-host, Mike Johnson, asked this question of the LinkedIn community, and I ask you this as well. "Why do sites still **** out the password field on a login page?" It's designed to stop shoulder surfing. Is this really the main problem? What else is it helping or hurting, like password reuse? Passwords are a broken system that are easily hacked. We have solutions that add layers on top of it, like multi-factor authentication. What solutions do we have for the password process itself? OK, what's the risk? Ross Young of Capital One, asks this question about what risk should you be willing to take on? "What should cyber professionals do when they can’t contract or outsource services like pen testing however they struggle to acquire the talent they need. If they train folks they find them poached sooner and if they don’t they are stuck without the talent they need to survive." Why is this a bad pitch? We've got a pitch sent in to us from Eduardo Ortiz. It's not his pitch, but one he received. You may need to strap in when you hear this. It’s time for the audience question speed round Yep, it's just like it sounds. I ask the panel to ask some questions submitted from our audience.    
8/6/201943 minutes, 31 seconds
Episode Artwork

Just Click "Accept" As We Explain Informed Consent

Find all images and links for this episode on CISO Series (https://cisoseries.com/just-click-accept-as-we-explain-informed-consent/) Even if you do give "informed" consent, do you really understand what we're doing with your data? Heck, we don't know what we're going to do with it yet, but we sure know we want a lot of it. It's all coming up on this week's episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Francesco Cipollone (@FrankSEC42), head of security architecture and strategy, HSBC Global Banking and Markets. Thanks to this week's podcast sponsor ExtraHop Unlike security solutions that focus on signature- and rule-based detection, ExtraHop Reveal(x) helps you rise above the noise of alerts with complete east-west visibility and machine learning for real-time detection of known and unknown threats, plus guided investigations for rapid response. Find and address real threats faster with ExtraHop. On this week's episode Should you ignore this security advice? This is advice you should not ignore. It comes from an article by Jonathan Jaffe, director of information security at People.ai where he offered up a great recipe for startup security. We discussed standout tips and were there any disagreements or omissions? Close your eyes. Breathe in. It's time for a little security philosophy. Phil Huggins, GoCardless, said, "If we don't know what value is in our data until it has been enriched and analysed can we give informed consent as to its use?" What's Worse?! We're concerned with the state of data in this game. Ask a CISO Mike Baier, Takeda Pharmaceuticals, asks, "When faced with the scenario of the vendor providing a recent SOC 2 Type 2 report, and then tells you that their internal policies/procedures are considered 'highly confidential' and cannot be shared, what tips would you provide for language that could help cause the vendor to provide the required documentation?" The 1979 movie When a Stranger Calls gave us that unforgettable horror moment when the police informed Jill that the calls from the stalker were coming from inside the house. Nineteen years earlier, Hitchcock’s Psycho did a similar type of thing with the shower scene. We humans have a real problem when danger pops up in the place we feel safest – our homes. A similar problem happens in corporate IT security. We place a great deal of attention on watching for external hackers, as well as those that seek to dupe our overstressed employees into clicking that spearfishing link. What was it that Edward Hermann’s character, the vampire, said in the Lost Boys? “You have to invite us in.” But what about internal bad actors? There are those who see great opportunity in accessing, stealing and selling company resources – data – like social security numbers, credit card numbers and medical files. More on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. OK, what's the risk? A question from Robert Samuel, CISO, Government of Nova Scotia that I edited somewhat. It's commonly said that the business has the authority for risk-trade off decisions and that security is there just to provide information about the risk and measurement of the risk. I'm going to push this a little. Is this always the case? Do you sometimes disagree with the business or is it your attitude of "I communicated the risk, it's time for me to tap out."
7/30/201935 minutes, 2 seconds
Episode Artwork

Who Are the Perfect Targets for Ransomware?

All images and links for this episode can be found on CISO Series (https://cisoseries.com/who-are-the-perfect-targets-for-ransomware/) If you've got lots of critical data, a massive insurance policy, and poor security infrastructure, you might be a perfect candidate to be hit with ransomware. This week and this week only, it's an extortion-free episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Sean Walls (@sean_walls2000), vp, cybersecurity, Eurofins. Thanks to this week's podcast sponsor Core Security Assigning and managing entitlements rapidly to get employees the access they need is critical, but it can come at the cost of accuracy and security. Core Security’s identity governance and administration (IGA) solutions provide the intelligent, visual context needed to efficiently manage identity related security risks across any enterprise. On this week's episode How CISOs are digesting the latest security news An article in the NYTimes points to a new trend in ransomware that is specifically attacking small governments with weak computer protections and strong insurance policies. Payments from $400-$600K. Lake City, Florida, population 12K paid $460K to extortionists. They got some of their information back but they have been set back years of what will require rescanning of paper documents. Mike, I know your standard philosophy is to not pay the ransom, but after a ransomware attack against the city of Atlanta, the mayor refused to pay $51,000 in extortion demands, and so far it's cost the city $7.2 million. Probably more. These payments by the small cities must be incentivizing more attacks. Does this information change the way you're willing to approach ransomware. What can a small city with zero cybersecurity staff do to create a program to reduce their risk to such a ransomware attack? Ask a CISO Bindu Sundaresan, AT&T Consulting Solutions, asks a very simple question, "How is each security initiative supporting the right business outcome?" Do you find yourself selling security into the business this way? If not, would you be more successful selling security to the business if you did do this? What's Worse?! We've got a split decision on what information we prefer after a breach. Listen up, it’s security awareness training time Jon Sanders, Elevate Security, said, "Security awareness involves A LOT of selling… there’s no cookie cutter approach in security awareness or sales!" Is the reason security training is so tough because so many security people are not born salespeople? I've interviewed many and there's a lot of "just listen to me attitude," which really doesn't work in sales. Cloud Security Tip, sponsored by OpenVPN We talk a lot about penetration testing here, given that it remains a staple of proactive IT security. But not everyone feels it’s all it’s cracked up to be. Or should that be, all it’s hacked up to be?” More than one cybersecurity organization points out there are a few flaws in the pen testing concept that make it worth a second look. Pen testing often consists of a small collection of attacks performed within a set time period against a small sample of situations. Some experts doubt the efficacy of testing against a limited field of known vulnerabilities, without knowing what other weaknesses exist in plain sight, or merely invisible to jaded eyes. More on CISO Series... What do you think of this pitch? We have a pitch from Technium in which our CISOs question what exactly are they selling?
7/23/201934 minutes, 55 seconds
Episode Artwork

Passwords So Good You Can't Help But Reuse Them

All links and images for this episode can be found on CISO Series (https://cisoseries.com/passwords-so-good-you-cant-help-but-reuse-them/) We've just fallen in love with our passwords we just want to use them again and again and again. Unfortunately, some companies more interested in security aren't letting us do that. We discuss on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is William Gregorian (@WillGregorian), CISO, Addepar. Thanks to this week's podcast sponsor Cyberint The high ROI is what makes spear phishing campaigns so attractive to threat actors. Read our breakdown of TA505's latest series of attacks. CyberInt has been tracking various activities surrounding this and other similar attacks where legit means were used to hack international companies in the retail & financial industries. How CISOs are digesting the latest security news Chris Castaldo of 2U and a former guest on the show posted this great story of TripAdvisor invalidating user credentials if a member's email and password were found in publicly leaked data breach databases. Is this a great or bad move by TripAdvisor? Ask a CISO On LinkedIn, Chad Loder, CEO, Habitu8 posted an issue about the easy deployment and ubiquity of cloud applications. He argues it's no longer Shadow IT. It's just IT. And securing these cloud tools you don't manage nor know about requires a lot of education. Is Shadow IT inevitable. Should we lose the name? And is education the primary means of securing these services? It's time to play, "What's Worse?!" One of the toughest rounds of "What's Worse?!" we've ever had. Close your eyes. Breathe in. It's time for a little security philosophy. Mike posed a "What's Worse?!" scenario to the LinkedIn community and got a flurry of response. The question was "Would you rather have amazing, quality cybersecurity incident response in 24 hours or spotty, unreliable response in one hour?" I wanted to know what was Mike's initial response and did anyone say anything in the comments to make him change his mind? For quite a while, IT security experts have been touting the value of two factor authentication (2FA) as a better way to keep data safe than simply using passwords alone. We have even spoken about it here. In its most popular form, 2FA sends a confirmation code to your phone, which you must then enter into the appropriate log-in confirmation window within a short amount of time. This is like having a second key to the safe, like many bank vaults used to have. (more on the site) It’s time to measure the risk Chelsea Musante of Akamai asks, "What would you say to someone who thinks their risk for credential abuse / account takeover has decreased because they've implemented MFA (multi-factor authentication)?"
7/16/201937 minutes, 20 seconds
Episode Artwork

Please Don't Investigate Our Impeccable Risk Predictions

All links and images for this episode can be found at CISO Series (https://cisoseries.com/please-dont-investigate-our-impeccable-risk-predictions/) It's easy to calculate risk if no one ever checks the accuracy of those predictions after the fact. It's all coming up on CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Bob Huber (@bonesrh), CSO, Tenable. Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization. On this week's episode What's the ROI? Do we analyze how good we are at predicting risk? Phil Huggins, GoCardless said, "We conduct detailed rigorous risk assessments to support security transformation business cases and identify a series of mitigation actions and then declare success if those actions are completed on time and on budget... We never revisit our risk assessments a year later and see how good we were at predicting risk occurrence. I worry that the avoidance of feedback contributes to the underperformance of security." Are we looking back and seeing how good we are at analyzing risk? Close your eyes. Breathe in. It's time for a little security philosophy. We have evolved from an unchecked "Cloud first" model to a more thoughtful "cloud smart" strategy. Are these just PR slogans apparently implemented by the last two administrations, or is there something to them? Looking ten years ago vs. today, have we really become smarter about implementing cloud technologies? In what way have we made the greatest strides? How are we falling short and where would you like us to be smarter? What's Worse?! What would you sacrifice to get all the training you could get? Please, Enough. No, More. Our topic is DevSecOps. It's a big one. Mike, what have you heard enough of on the topic of DevSecOps, what would you like to hear a lot more? What do you think of this pitch? Shazeb Jiwani of Dialpad forwarded me this pitch from Spanning Cloud Apps. He asks, "how they feel about vendors using an availability issue from a partner (not even a competitor) as a sales pitch." Parkinson’s Law states that “work expands to fill the time available,” and any IT specialist knows this applies equally to data and can be stated as “Data expands to fill the storage available.”  As cloud service providers – and the cloud itself both continue to expand, the opportunity to transport and store all of your data seems to be a great convenience. But data management requires oversight, control and governance. The more data – and daily data flow –one has, the greater the potential for misuse, redundancy, errors, and costly maintenance.  More at https://openvpn.net/latest/security-tips/
7/1/201933 minutes, 49 seconds
Episode Artwork

CISO Series One Year Review

Links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ciso-series-one-year-review/)  The CISO/Security Vendor Relationship Podcast is now more than a year old. On this episode, the hosts of both podcasts, reflect on the series and we respond to listeners critiques, raves, and opinions. Check out this post and this post for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is the co-host of the CISO/Security Vendor Relationship Podcast, Mike Johnson. Thanks to this week’s podcast sponsor, Trend Micro On this episode of Defense in Depth, you'll learn: We provide the definitive story of how the CISO/Security Vendor Relationship Podcast started and how David, Allan, and Mike all connected. We've been challenging many of the sales techniques that have essentially irked CISOs. The podcast has become a validation tool for sales people to show to their management and say, "We need to change direction." One of the critiques we've heard is the desire to understand more of the sales process. We are actually very much in the dark as to the different levels of incentives are for sales staff. A security sale is often a long and involved process and we know the incentives are more involved than just a sales commission. We've actually done webinars that take a look behind the scenes of sales and we plan to do more. Those who feel isolated with their company enjoy hearing the different viewpoints. There is actually a real return on investment to listening to our show. Sales people say that they've changed their strategy based on advice on the show and it has proved to be fruitful.
6/25/201928 minutes, 37 seconds
Episode Artwork

Worst Question Award Goes to "How Secure Are We?"

Images and links for this episode can be found at CISO Series (https://cisoseries.com/worst-question-award-goes-to-how-secure-are-we/) We've got better ways to determine the overall quality of your security posture than asking this unanswerable question. It's all coming up on CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Helen Patton (@osucisohelen), CISO, Ohio State University. Thanks to this week's podcast sponsor Trend Micro. On this week's episode Why is everyone talking about this now? Jamil Fashchi, CISO, Equifax, "In speaking with a CEO the other day, I was asked, 'As someone who isn’t technical, what questions should I ask to determine if my security team is effective?'" This caused a flurry of discussion. What's your advice, and do you agree it's a lot better question than "How secure are we?" Hey, you're a CISO, what's your take on this? One issue that comes up a lot in cybersecurity is the lack of diversity. We have discussed the value of diversity, in that it avoids "one think" and brings in the critical need of different viewpoints. The problem is we're often attracted to people like us, and we ask for referrals which if you hired people like you is probably going to deliver more people like you. We focus this discussion on actionable tips that CISOs can take to bring in a diverse workforce. What's Worse?! What's it like to work with the business and their acceptance or lack of acceptance of risk? First 90 days of a CISO Steve Luczynski, just became CISO of T-Rex Corporation. In the past the CIO has handled both IT and security at the company. "Now with a CISO onboard, the struggle is figuring out who does what with the expected reluctance by the CIO to let go of certain things and trust me, the new CISO to maintain the same standards. For example, I wanted to change our password policy when I first showed up to match the new NIST guidance of not changing based on a set time period. There was disagreement and it did not change even when I showed the NIST verbiage," said Luczynski. How should Steve deal with such disagreements? Ask a CISO For a while, FUD (fear, uncertainty, and doubt) worked on the average person, to get them to install basic security measures, like an anti-virus. But it appears that's all changed. The cause could be apathy. When there's so many breaches happening the average person feels powerless. Are we marketing cyber-awareness wrong to non-security people? What would get them to be true advocates? The Pre-nup. It’s a difficult thing for most people to talk about in their personal lives, but it’s something that should always be considered when setting up a relationship with a cloud service provider. Not all business relationships last, and if your organization needs to move its data to another provider, it’s not like packing up your furniture and saying goodbye to your half of the dog. 
6/20/201932 minutes, 34 seconds
Episode Artwork

You're Not Going Anywhere Until You Clean Up That Cyber Mess

The images and links for this episode can be found at CISO Series (https://cisoseries.com/youre-not-going-anywhere-until-you-clean-up-that-cyber-mess/) Our CISOs and Miss Manners have some rules you should follow when leaving your security program to someone else. It's all coming up on CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is newly free agent CISO, Gary Hayslip (@ghayslip). Thanks to this week's podcast sponsor Trend Micro On this week's episode Why is everyone talking about this now? Mike, you asked a question to the LinkedIn community about what department owns data privacy. You asserted it was a function of the security team, minus the legal aspects. The community exploded with opinions. What responses most opened your eyes to the data privacy management and responsibility issue you didn't really consider? Hey, you're a CISO, what's your take on this?' Someone who is writing a scene for a novel, asks this question on Quora, "How does a hacker know he or she has been caught?" Lots of good suggestions. What's your favorite scenario? And, do you want to let a hacker know he or she has been caught, or do you want to hide it? What circumstances would be appropriate for either? What's Worse?! Mike decides What's Worse?! and also what's good for business. First 90 days of a CISO Paul Hugenberg of InfoGPS Networks asks, "What fundamentals should the CISO leave for the next, as transitions are fast and frequent and many CISOs approach their role differently. Conversely, what fundamentals should the new CISO (or offered CISO) request evidence of existence before saying YES?" Mike, this is a perfect question for you. You exited and you will eventually re-enter I assume as a CISO. What did you leave and what do you expect? Ask a CISO Fernando Montenegro of 451 Research asks, "How do you better align security outcomes with incentives?" Should you incentivize security? Have you done it before? What works, what doesn't? Imagine how hard it would be to live in a house that is constantly under attack from burglars, vandals, fire ants, drones, wall-piercing radar and virulent bacteria. Most of us are used to putting a lock on the door, cleaning the various surfaces and keeping a can of Raid on hand for anything that moves in the corner. But could you imagine keeping a staff of specialists around 24/7 to do nothing but attack your house in order to find and exploit every weakness?
6/18/201933 minutes, 19 seconds
Episode Artwork

We Take Privacy, Not Our CISO, Seriously

All pictures and links for this episode can be found on CISO Series (https://cisoseries.com/we-take-privacy-not-our-ciso-seriously/) We're looking for the one company brave enough to say they don't care about privacy on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded live on June 6th at The B.O.B. in Grand Rapids, Michigan at the 2019 West Michigan IT Summit, hosted by C3 Technology Advisors. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Allan Alford (@allanalfordinTX), principal consultant at Side Channel Security. Our guest for this special live recording is the former CISO/CSO/CTO of the state of Michigan, Dan Lohrmann (@govcso). David Spark and Allan Alford, co-hosts of Defense in Depth on the CISO Series network, and Dan Lohrmann, former CISO/CSO/CTO for the State of Michigan. Thanks to this week's podcast sponsors C3 Technology Advisors, Fuze, and Assured Data Protection. C3 Technology Advisors is a technology consulting firm that helps midsize to enterprise organizations make better technology buying decisions. With technology quickly changing, let C3 help you shift through all the disruption, noise, and sales pitches to allow you to make better technology buying decisions for your organization. Fuze is the #1 cloud communications and collaboration platform for the enterprise, combining calling, meeting, chatting, and sharing into a single, easy-to-use application. Designed for the way people work, Fuze allows the modern, mobile workforce to seamlessly communicate anytime, anywhere, across any device. Assured Data Protection provides backup and disaster recovery solutions utilizing Rubrik ‘as a Service’. They offer 24/7 global support, with expertise that truly sets them apart from other back up and DR service providers. On this week's episode Should you ignore this security advice? Yaron Levi, CISO of Blue Cross Blue Shield of Kansas City posed an interesting question, "Many people in security follow best practice without questioning them but in fact there are many BAD security best practices." Levi asks the LinkedIn community and I also ask our guests, "What do you consider a 'Bad Best Practice?'" How to become a CISO Aaron Weinberg, Kirlin Group, asks, "What would a CIO need to do to switch career tracks to being a CISO?" I'll add why would you want to do that? What's Worse?! We've got two rounds of questions and conflict on at least one of them. I tell ya, CISOs get no respect Brian Krebs of Krebs Security asked, "Why aren't CISOs often not listed on the executive page of a company website?" Krebs looked at the top 100 global companies and only found 5 that had a CISO listed. Of the NASDAQ 50, there were only three listed with a security title. But plenty had chief of human resources or chief marketing officers listed. One argument for the lack of front page visibility for CISOs is that companies value revenue centers over cost centers. Another argument is the reporting structure. That CISOs often report to CIOs. Is that why it's happening, or is it something else? Close your eyes. Breathe in. It’s time for a little security philosophy. A question on Quora asks you to participate in this little thought exercise, "If you knew all computers would be erased tomorrow by a worldwide virus, what steps would you take to protect yourself?" It's a little more involved than just unpluging your computer from the Internet. Why is this a bad pitch? I read a cringeworthy bad pitch and our CISOs respond. Listen to the end as I reveal something surprising about this very bad pitch. And now this… I burn through a stack of questions from the audience as we go into a cybersecurity speed round.
6/11/201946 minutes, 12 seconds
Episode Artwork

Do These Jeans Make My Vulnerabilities Look Too Big?

Full episode with images and links available at CISO Series (https://cisoseries.com/do-these-jeans-make-my-vulnerabilities-look-too-big/) We're starting to get a little self-conscious that our vulnerabilities are starting to show. People we don't even know are telling us we have them on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Fredrick Lee (AKA "Flee") (@fredrickl), CSO of Gusto. Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization. What's a CISO to do? Chris Romeo, CEO of Security Journey, wrote a post where he asked, "What if I had to develop an application security program with a budget of zero dollars?" What he presented was a means to lean on the OWASP open source community and tools to build an application security program. You're a CISO, what's your take on this? I was chatting with a pentester, Benjamin McEwan, from Scotland, who reaches out to CISOs trying to responsibly disclose, not expose, a credible security vulnerability. It's his effort to get recognized. He's frustrated though in his ability to find permanent work because those hiring only see him as an independent researcher. Is his exercise the right approach? What can a talented security person in his position do to make himself more attractive to CISOs? What's Worse?! We've got a couple of scenarios that shocked our guest at the sheer InfoSec horror. Breathe In, It's Time for a Little Security Philosophy On Quora, a question right out of the Matthew Broderick movie WarGames asks, "If a student hacked into university computers and changed his grade in cyber security to an A, does he actually deserve the A?" Except for one person, everyone said, "No," but for different reasons. Mike, are you saying no, and if so, what reason? What do you think of this pitch? We've got two pitches from vendors this week. One came directly to me. Cloud Security Tip, by Steve Prentice - Sponsored by OpenVPN. The idea behind an Advanced Persistent Threat is both intriguing and a little distracting. It sounds like the title of a Tom Clancy novel – maybe a sequel to Clear and Present Danger. Designed to penetrate a network, operate while hidden for a long time, all the while receiving commands from an outside agent, an APT is more sophisticated than everyday malware and tends to be deployed against large targets.
6/3/201932 minutes, 6 seconds
Episode Artwork

Great Demo! Let's Schedule a Time to Ignore Your Follow Up

All links and images for this episode can be found on CISO Series (https://cisoseries.com/great-demo-lets-schedule-a-time-to-ignore-your-follow-up/) We're playing hard to get on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Al Ghous, head of cloud security at GE Digital. Thanks to this week's podcast sponsor Carbon Black Carbon Black (NASDAQ: CBLK) is a leader in endpoint security dedicated to keeping the world safe from cyberattacks. The company’s big data and analytics platform, the CB Predictive Security Cloud (PSC), consolidates endpoint security and IT operations into an extensible cloud platform that prevents advanced threats, provides actionable insight and enables businesses of all sizes to simplify operations. On this week's episode Why is everybody talking about this now? On LinkedIn, Marcus Capone, Partner at Onyx, a physical and cybersecurity firm said, "I laugh when clients balk at prices. They expect champagne but want to pay for Coors Light…" This caused a flurry of discussion of price/value in security. There was an attitude across the board that we're the absolute best and we should be paid that. But as Allan Alford said on Defense in Depth, there's a market for a slightly worse, but way cheaper version of Splunk. Do CISOs want beer-level security solutions? It’s time to measure the risk How can startups and large companies get along better? Enterprises are jealous of startup's agility, and startups are eager to get at an enterprises' assets. But startups can be a security nightmare and it's a non-starter if they can't pass the third-party risk management process. With all this frustration, is there any middle ground? What's Worse?! We have a common real-world scenario in this week's game. You're a CISO, what's your take on this? We have talked in the past about how the term "AI" can mean a lot of things. It can be a simple script or it can be an algorithm that actually learns by itself. Both will do something for you automatically, but the expectations are vastly different. When security vendors tout AI, what would CISOs like to hear so your expectations can be set appropriately? Understanding security sales The frustration of the vendor follow up process after a demo. An anonymous listener asks, "We are usually told some sort of next step or asked to follow up in a few weeks." The challenge is they're often left chasing the potential client getting no response. This can go on for months. "Is there a way to make this more productive for all involved?" Should the prospect be blamed? What can be done to improve the process? Application Programming Interfaces (API’s) are wonderful for customizing and enhancing the cloud experience, but as a common front door, they pose a significant security risk. Regardless how secure a cloud service provider is, their primary role as an interface means APIs will always pose a weakness that can be exploited by hackers.  
5/28/201930 minutes, 45 seconds
Episode Artwork

We Unleash Our Military Grade InfoSec BS Detector

Find all images and links for this episode on CISO Series (https://cisoseries.com/we-unleash-our-military-grade-infosec-bs-detector/) We're trying to clean up vendor pitches of unnecessary and outrageous claims so they can sail through to a CISO's inbox. It's our service to cybersecurity community on this week's episode of CISO/Security Vendor Relationship Podcast. This show was recorded live in front of an audience of CISOs and security vendors at the San Francisco CISO Executive Summit, hosted by Evanta. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Aaron Peck, CISO, Shutterfly. Thanks to our podcast sponsors ExtraHop and Tenable Unlike security solutions that focus on signature- and rule-based detection, ExtraHop Reveal(x) helps you rise above the noise of alerts with complete east-west visibility and machine learning for real-time detection of known and unknown threats, plus guided investigations for rapid response. Find and address real threats faster with ExtraHop. Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization. On this week's episode Why is everybody talking about this now? Last week I was about to install a popular and approved app in the Google Play store that asked if the app could read, copy, download, and DELETE my contacts. Also last week during Google I/O, Sundar Pichai, Google’s chief executive touted their focus on privacy. This is not the first time we've heard this from Google or Facebook who is going to be facing the largest privacy violation in FTC history. Getting access to our behaviors is how Facebook and Google make their money. What would we like to see, not hear, from either Google or Facebook that convinces us that yes, they are doing something significant and proactive about privacy. Maybe they've already done it. Why is this a bad pitch? A Twitter thread asked, "What do vendors say that immediately undermines their credibility?" There were a lot listed, but the ones I saw repeated multiple times were military grade, next-gen, bank-level encryption, full visibility, 100% effective, and single pane of glass. We have brought up many of these on our show. And while we understand companies are trying to find a short pithy way to describe their technology, using terms like these can turn a great pitch into an effort to dig out of a hole. What's Worse?! We squeeze in two rounds of this game and our guest tries to dodge the question, but I don't let him. You're a CISO, what's your take on this? Brian Fricke, CISO at BBVA Compass is eager to hear how to successfully reconcile the cloud-driven CapEx to OpEx budget shift. CFOs don't get any depreciation benefit from OpEx, and Brian believes they'd prefer to see CapEx even if it's double the cost. He's struggling. Our CISOs offer up some advice. How to become a CISO Jason Clark, CISO of Netskope, wrote an article on Forbes about security mentorship. Mentors are needed to create more security leaders, CISOs, increase interest in security, and teach the ability to talk to the business. All of it centered around one theme of motivating others. What are ways to teach motivation across all these areas?    
5/21/201928 minutes, 6 seconds
Episode Artwork

What's Worse?! "Culture of No" or No Culture?

See all links and images for this episode on CISO Series (https://cisoseries.com/whats-worse-culture-of-no-or-no-culture/) We want to put an end to InfoSec negativity, but not at the sacrifice of the soul of the company. We're weighing our options on this week's episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Sean Catlett, CISO of Reddit. Thanks to this week's sponsor, Perimeter 81 Perimeter 81 is a Zero Trust Network as a Service designed to simplify secure network, cloud and application access for the modern and mobile workforce. We allow cybersecurity professionals to easily build, manage and secure their organization’s networks in one unified, multi-tenant, cloud-native platform. Learn more at www.perimeter81.com. On this week's episode Why is everybody talking about this now? Helen Patton, CISO at Ohio State University, asked the security community, "What cultural/behavioral influences on Security would you like to see changed?" First 90 Days of a CISO Matt McManus who works in InfoSec at WeWord asks, "What's the ideal information security team make-up and structure?" Sean, you came into Reddit recently as a new CISO. How did you go about determining what you needed for a team? What's Worse?! What needs to be protected? The endpoints or the network? You're a CISO, what's your take on this? Last year I was chatting with a CEO, and he mentioned one common frustration with a scenario that keeps repeating itself. He will have a truly fantastic meeting with a potential buyer. Absolutely everything goes right, but the moment he asks to engage in a PoC, Proof of Concept, the conversation does an about face and everything falls apart. And vendors have unrealistic expectations of the time it will take a potential buyer to conduct a PoC. Ask a CISO With the recent release of the Verizon Data Breach Investigation Report, or DBIR, we brought up a question from Kip Boyle, author of Fire Doesn't Innovate. He asks, "What role do vendors and the media play in determining and prioritizing your cyber risks?" Whether your data is in transit or at rest, it’s vital to remember that neither state is secure. Data must be protected in both states, and encryption plays a major role in this. In addition to encryption standards for in-transit data such as TLS for email, HTTPS and SSL for websites and the use of a VPN when connecting from public Wi-Fi hotspots (even those that say they are secure), there is symmetric and asymmetric encryption, part of the Advanced Encryption Standard. Symmetric encryption happens when the sender and receiver of a message use a single shared key to encrypt and decrypt the message, which is something most internet traffic uses. Asymmetric encryption uses more CPU power and is harder to encrypt, and is used for secure online exchanges via the Secure Sockets Layer. But encryption isn’t the end of the story. There must be network security controls to help protect data in transit as well as securing the transmission networks themselves. Proactivity is key here, which means identifying at-risk data, establishing user prompting regulations and automatic encryption for things like files attached to an email message, and taking stock of, and categorizing all types of data to ensure the right level of security is applied to each. On a human level, Role-Based Access Control (RBAC) ensures different levels of security and permissions, multi factor authentication helps make data a more difficult target, and of course, each company should take ownership of this challenge and not rely on their cloud supplier to do it for them.  
5/11/201933 minutes, 5 seconds
Episode Artwork

Our "What Not to Do" Security Selling Secret

Check out all links and images for this episode on CISO Series (https://cisoseries.com/our-what-not-to-do-security-selling-secret/) We're not always clear on what vendors should do when selling security products, but when we get a really bad email pitch, we're very clear on what they should not do. We're bedazzled with bad pitch disbelief on this episode of CISO/Security Vendor Relationship Podcast. Thanks to this week's sponsor, Women in Security and Privacy (WISP) Women in Security and Privacy works to advance women in security and privacy. We accomplish this through practical and technical workshops, TANDEM mentorship programs, leadership training, job board postings, Equal Respect speakers bureau, and conference and training scholarships. On this week's episode Why is everybody talking about this now? Facebook is expected to pay somewhere between $3 to $5 billion in FTC fines for violating the 2011 consent decree. They violated user's privacy without giving clear notice or getting clear consent. But, all this financial and reputational damage doesn't seem to do a darn thing to dissuade individuals or investors from Facebook. The site has 2.38 billion active users. It's growing 8% year over year. And after their earnings announcement which mentioned the multi-billion dollar fine, their stock jumped 7%. This doesn't appear to get people to care about security and privacy, So what will? Hey, you're a CISO, what's your take on this?' The NSA has announced that no zero day attacks were used in any high profile breach in the last 24 months. Most of the attacks were simple intrusion where they went after users through techniques like phishing or water holing. We talk endlessly on this show about good cyber hygiene, but we have an event coming up, Black Hat, that thrives on showing security professionals the latest attack techniques, which I know are not zero days. But how can security professionals NOT gravitate towards the newest and coolest? What's Worse?! Who needs to control the problem? Security or the business unit? How to become a CISO Gary Hayslip, CISO of Webroot, and a former guest on Defense in Depth. He wrote an article to his younger self of what he wish he had known when he started in cybersecurity and then becoming a CISO. I'll ask the two of you to do the same exercise. What is something that you now know that there's no way you would have known starting out but would have made your life a lot easier as you took the climb to become a CISO. Why is this a bad pitch? We've got a one-two punch on a bad pitch email that uses self-deprecating humor plus an assumption of business relationship. Ouch. The importance of developing consistent data protection policies across multiple cloud services Many IT departments manage multiple clouds to ensure redundancy and avoid vendor lock-in. But diversifying brings along a new set of risks that demand a consistent and constantly reviewed data governance solution. In general, cloud vendors do not take responsibility for the security of your data. So, your policy must take full responsibility for endpoints, networks and cloud environments. Just a few of the must-haves on this list include limiting user’s permissions to only what they absolutely need, strong security practices including multi-factor authentication and password management, enforcing a uniform set of data loss prevention policies, and building a dynamic inventory of applications by the types of data stored, compliance requirements, and potential threats. Policies should be assigned to groups or roles rather than individual people. In-house IT people are already busy. Their attention and energies might be best served by working with senior management to establish and maintain Multicloud and data loss prevention policies, while leaving the heavy lifting and day-to-day proactive maintenance to a completely reputable as-a-service cloud security vendor. 
5/6/201932 minutes, 21 seconds
Episode Artwork

We're Gonna Run These Pen Test Exercises Until You Turn Purple

Find all the links and images on CISO Series (https://cisoseries.com/were-gonna-run-these-pen-test-exercises-until-you-turn-purple/) We learn to iterate our security stamina faster by bringing the attackers and defenders in the room together. We're seeing purple on this episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Matt Southworth (@bronx), CISO of Priceline, who was brought to us by our sponsor, Praetorian. Thanks to this week's sponsor, Praetorian As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts. Why is everybody talking about this now? Senator Elizabeth Warren's proposed bill, the Corporate Executive Accountability Act, would pave the way for criminal charges of executive wrongdoing that leads to some public harm, like a public data breach. Note, there needs to be proof of wrongdoing. This isn't designed to blame victims. Regardless, the cybercommunity lit up on this topic. Warren said that too many executives were walking away free with no penalty while the community were left to suffer. Is this the bill that's needed to put a check on breaches? Hey, you're a CISO, what's your take on this?' Priceline has been conducting purple team exercises with our sponsor Praetorian. We discuss the value in purple team efforts over all the other alternatives, like pen testing, red team/blue team exercises, and threat hunting reports. Plus, we discuss the cultural benefits of purple team exercises. What's Worse?! We get a consensus on a question about asset and risk management. How to become a CISO Question from the director of information security at a Fortune 100 company wants to know how to make the leap from his position to CISO. Pay attention, it’s security awareness training time Dan Lohrmann, CSO of Security Mentor and an upcoming guest on our live podcast we're going to be recording on June 6th in Grand Rapids, Michigan had a very interesting article on Peerlyst about avoiding the punishment angle of security training. He said his number one struggle in education is explaining how important security is at an individual level and that individuals understand the impact of their actions. At Priceline, Matt Southworth created a Security Champs program to extend the reach of his security team by training interested non-security coworkers about security. We discuss what this has done to improve culture, security, and help people understand the impact of their actions. Two-factor authentication, also called 2FA, is vital, and should be considered the default in online security, not a fancy option. In short, 2FA means that two separate identifiers are required to gain access to an account. These identifiers should come from: 1.) something only you know, like a complex password, and 2.) something physically separate that belongs to you like a phone that can receive SMS messages, a physical token, a time or location limited message, or something biometric, like a retinal scan or fingerprint. Currently the SMS message is the most popular “second factor,” but security analysts say this is still the weakest option. A better option is to use an approved app, or to partner with a cybersecurity company who can build one for you.
4/30/201932 minutes, 13 seconds
Episode Artwork

Vulnerability Management

This is a special episode of Defense in Depth being shared on this feed. Find the full post with links and images on the CISO Series site here (https://cisoseries.com/defense-in-depth-vulnerability-management/) So many breaches happen through ports of known vulnerabilities. What is the organizational vulnerability in vulnerability management? Check out this post and discussion and this one for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is Justin Berman (@justinmberman), CISO for Zenefits. Vulcan’s vulnerability response automation platform allows enterprises to automate their TVM programs. Vulcan integrates to existing IT DevOps and security tools to fuse enterprise data with propriety intelligence which allows to accurately and subjectively priorities and remediate vulnerabilities - either using a patch workaround or compensating control. On this episode of Defense in Depth, you'll learn: As the CIS 20 concurs, vulnerability management is the first security measure you should take right after asset inventory. Vulnerability management needs to be everyone's issue and managed by all departments. Lots of discussion around vulnerability management being driven by culture which is a very hard concept to define. To get a "vulnerability management culture" look to a combination of awareness and risk management. Vulnerabilities don't get patched and managed without someone taking on ownership. Without that, people are just talking and not doing. Increased visibility across the life cycle of a vulnerability will allow all departments to see the associated risk. Who are the risk owners? Once you can answer that questions you'll be able to assign accountability and responsibility.
4/25/201921 minutes, 55 seconds
Episode Artwork

I'm Humbled to Tell You About My Prestigious Award

Find the full episode of this podcast (with links and images) on the CISO Series site right here: (https://cisoseries.com/im-humbled-to-tell-you-about-my-prestigious-award/) I'm not exactly sure what "humbling" means, but I'm going to use it to hopefully soften my braggadocio announcement. We discuss semantics and when it's OK to boast your accomplishments on this week's episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Will Lin (@WilliamLin), partner and co-founder, ForgePoint Capital. Thanks to this week's sponsor, Praetorian As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts. On this week's episode How CISOs are digesting the latest security news In many industries we see VC investments following trends. This is hot and new, let's go and invest in it. A recent story on Forbes spotlights five trends in cybersecurity which comes off as catnip for VCs or at least those in those spaces looking for investments. Is trend hopping a lucrative way to succeed with cybersecurity investments? Why is everybody talking about this now? Peter Cohen, director at Countercept remarked on the hypocrisy of posting a photo of yourself on stage and referring to it as "humbling". People say this with zero idea of the definition. The use of humbled or humbling as a verb means that at one time you thought you were superior and now you realize you are not because essentially someone defeated you and put you in your place. I don't get the sense that's what people mean when they refer to an experience as "humbling." But do a search for the term on LinkedIn and you will see people use it ALL THE TIME. Some of the most popular posts on LinkedIn are achievement announcements. Where's the line between saying you're proud of something and would you honor it with me and coming off like a jackass? What's Worse?! We have two scenarios this week in honor of our VC guest. Hey, you're a CISO, what's your take on this? In a special VC edition of "Hey, you're a CISO, what's your take on this?" Much of what we talk about on this show is what we like and don't like about how security companies market themselves. In the news, the only role we hear VCs playing is financial. But given that VCs are seeing the inner workings of a startup, they can probably see firsthand why a company succeeds or fails. Given what VCs are privvy to that others of us are not, how can VCs help shape the way vendors market themselves? Ask a CISO Fernando Montenegro of 451 Research brought to my attention this tweet from Soldier of Fortran that caused a flurry of discussion. The tweet pointed out that many sites say they offer pricing, but when you go to the page it's just a lot of verbiage with a link to request a quote. Haroon Meer of Thinkst, producers of Canary deception devices and a former guest on this show, said they have pricing on their site even when experienced salesmen told them not to do it. Kyle Hanslovan of Huntress Labs, asked how he could provide transparent pricing when half of his clients are direct and the other half are distributors. Is there a happy medium here or is obfuscation the way to succeed with security selling?
4/23/201931 minutes, 29 seconds
Episode Artwork

No Shirt. No Security. No Merger.

Episode available on CISO Series blog (https://cisoseries.com/no-shirt-no-security-no-merger/) Sure, we'd like to merge with your company but geez, have you looked at your security posture lately? Uggh. I don't know if I could be seen in public with your kind let alone acquire your type. We're wary as to who wants to enter our digital home on this week's episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Mark Eggleston (@meggleston), vp, chief information security and privacy officer, Health Partners Plans. Thanks to this week's sponsor, Praetorian As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts. On this week's episode How CISOs are digesting the latest security news Good cybersecurity hygiene is critical not just to mitigate breaches but also the valuation of a company, especially during a merger or acquisition. Itzik Kotler, co-founder and CTO of Safe Breach, notes that back in 2016 the Verizon acquisition price of Yahoo was lowered nearly $350 million after Yahoo disclosed data breaches that had happened up to two years earlier. Kotler said, "The problem is cybersecurity risk from mergers and acquisitions perspective should not be about what has happened, but about what vulnerabilities are being introduced and what could happen as a result." Why is everybody talking about this now? An interesting question on Quora asked, "Do you regret working in cybersecurity?" Do our CISOs ever regret? Why do people regret? "What's Worse?!" We have a challenge that pits securing old and new technology. Ask a CISO Eric Rindo just graduated with his MS in Cybersecurity. He has a certification, but zero experience. He's looking for his first InfoSec opportunity. For a CISO, what's attractive about a candidate like Eric? What do you think of this pitch? What happens when you pitch something CISOs already have?
4/16/201935 minutes, 28 seconds
Episode Artwork

Machine Learning Failures

Full post for this episode (https://cisoseries.com/defense-in-depth-machine-learning-failures/) NOTE: You're seeing this special episode of Defense in Depth, because we think our CISO/Security Vendor Relationship Podcast listeners should hear it.  Is garbage in, garbage out the reason for machine learning failures? Or is there more to the equation? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Davi Ottenheimer (@daviottenheimer), product security for MongoDB. Thanks to this week’s podcast sponsor, Remediant 81% of cyberattacks utilize stolen administrative credentials. Yet, legacy enterprise password vaults solve only a fraction of the problem and are difficult to rollout. Remediant's SecureONE takes a new approach to privileged access management: offering agent-less, vault-less, continuous detection and just-in-time-administration. Learn what Remediant can do in a half-day POC deployment. On this episode of Defense in Depth, you'll learn: Don't fall victim to believing that success and failure of machine learning is isolated to just garbage in/garbage out. It's far more nuanced than that. Some human actually has to determine what is considered garbage in and what is not. It only takes a very small amount of data to completely corrupt and ruin machine learning data. This knowledge of small infection can spread and corrupt all of the data and can have political and economic motivations to do just that. We have failures in human intervention. Machine learning can just magnify that at rapid rates. While there are many warning signs that machine learning can fail, and we have the examples to back it up, many argue that competitive environments don't allow us to ignore it. We're in a use it or lose it scenario. Even when you're aware of the pitfalls, you may have no choice but to utilize machine learning to accelerate development and/or innovation.
4/10/201931 minutes, 43 seconds
Episode Artwork

All Aboard the 5G Paranoia Train

The direct link to this episode (https://cisoseries.com/all-aboard-the-5g-paranoia-train/) We're getting excited and stressed out about the impending 5G network that appears will control our lives and all our cities. Will it be as exciting, productive, and lacking of security protocols as we expect? We discuss that and more on this week's episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Bruce Schneier (@schneiersblog), book author, lecturer at Harvard Kennedy School, and prolific blogger at Schneider on Security. Thanks to this week's sponsor, Chronicle, makers of Backstory Chronicle’s Backstory is a global security telemetry platform for investigation and threat hunting within your enterprise network. Backstory makes security analytics instant, easy, and cost-effective. Backstory is a specialized, cloud-native security analytics system, built on the core infrastructure that powers Google itself. On this week's episode How CISOs are digesting the latest security news Marsh, an insurance broker, is working with other cyber insurers to identify products and services that will reduce your cyber risk. With their Cyber Catalyst program, they're offering what appears to be some type of Better Business Bureau stamp of approval on solutions that meet their cyber risk standards. What gets us excited and what sets off red flags when we see such an offering? Why is everybody talking about this now? Are you scared of 5G yet? You should be. Well, according to our government, we need to be wary of China and Huawei with their rollout of 5G because owning the next-gen network will conceivably own all of commerce, transportation, and heck anything else. In Schneier's new book, Click Here to Kill Everybody, he speaks to how to survive with all our hyper-connected devices. How aggressively is 5G going to exacerbate the issue of cyber-survival? What's Worse!? We have a split decision on a scenario that involves a time limit. Hey, you're a CISO, what's your take on this? On Schneier's blog, he shared a study that examined whether freelance programmers hired online would write secure code, whether prompted to do it or not. The coders were paid a small pittance and it was unclear if they knew anything about security and surprise. In the end they didn't write secure code. While there are questions about the validity of this study, this does bring up an interesting question: Using a marketplace like Upwork or Freelance.com, how does one go about hiring a freelance coder that can write secure code? Ask a CISO Mark Toney of CrowdStrike asked, after the purchase and use of a security tool, does a CISO or CTO do a post-mortem to see if they got what they paid for? Mark wants to know are you looking at what was improved, where it was improved, and by how much it was improved?  
4/9/201930 minutes, 42 seconds
Episode Artwork

Do You Know the Secret Cybersecurity Handshake?

Direct link for episode on blog (https://cisoseries.com/do-you-know-the-secret-cybersecurity-handshake/) We get the feeling that as we're adding more solutions and requiring more certificates, we're just making the problem of security harder and harder. Has the problem of not enough talent become an issue that we created? We discuss that and more on this week's episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Taylor Lehmann (@BostonCyberGuy), CISO, Wellforce. Thanks to this week's sponsor, Chronicle, makers of Backstory Chronicle’s Backstory is a global security telemetry platform for investigation and threat hunting within your enterprise network. Backstory makes security analytics instant, easy, and cost-effective. Backstory is a specialized, cloud-native security analytics system, built on the core infrastructure that powers Google itself. On this week's episode How CISOs are digesting the latest security news The Hill reports, "A Democrat on the House Intelligence Committee introduced a bill on Wednesday that would require publicly traded companies to disclose to investors whether any members of their board of directors have cybersecurity expertise." The Cybersecurity Disclosure Act of 2019, would require the SEC to issue a new set of rules requiring U.S. companies to tell their investors whether they have someone who has cyber expertise on their board. If they don't, they must explain to their investors why this is the case." Will such a measure pass and if not, what is the best action here to insure some level of cybersecurity confidence? Why is everybody talking about this now? On a recent episode of the podcast we talked about swapping out the word "security" for "safety." Chris Roberts of Attivo Networks brought this topic up and he says if we change the conversation more people will care. How does the viewpoint of security change when you're talking about safety? How does behavior change? What's Worse?! I can't believe it's taken me this long to ask this question. Hey, you're a CISO, what's your take on this? Once you connect a device to the Internet and trade information, you're now a potential attack vector. And if your device is critical for maintaining life, like automobiles and medical devices, vulnerabilities no longer become a case of losing data, but of losing lives. Medical device manufacturers are rarely experts at software development, let alone cybersecurity. Vulnerabilities happen all the time. What is and isn't working with the reporting, alerting, and fixing of device vulnerabilities? Ask a CISO Could the talent gap be a self-fulfilling prophecy or at the very least an avoidable consequence of security’s red hot growth," asked Sam Curry, CSO at Cybereason, on Forbes. "What started as an esoteric field is becoming even more arcane as we grow." Curry offered some suggestions on where to improve situations to improve the complexity of security. Are fixing these issues harder than fixing security?  
4/2/201933 minutes, 53 seconds
Episode Artwork

If At First You Don't Succeed, There's Always Blackmail

Direct link for episode on blog (https://cisoseries.com/if-at-first-you-dont-succeed-theres-always-blackmail/) We note that blackmail has become an option even in cybersecurity sales. It appears some vendors have become so desperate that they've resorted to borderline criminal activity. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Branden Newman, CISO for Adidas. Thanks to this week's sponsor, Logicgate LogicGate is an agile GRC process automation platform that combines powerful functionality with an intuitive design to enhance enterprise governance, risk, and compliance programs. With our prebuilt process templates, organizations quickly and efficiently operationalize their GRC activities without requiring support from consultants or corporate IT. On this week's episode How CISOs are digesting the latest security news CNBC published a piece about security vendors being so desperate for meetings with CISOs that they've resorted to blackmail. They see a breach, even if it's not holding any critical or personal data, and they threaten to take it to the press if the CISO doesn't meet with them and/or let them fix it. Has this happened to our CISOs and if so, what did they do? Why is everybody talking about this now? We talk about the basics a lot on this show, but I'm getting the sense that the industry is finally taking it seriously. We saw evidence at RSA with 60% of the content being focused on fundamentals. And CISOs at major companies not touting the latest threats, but getting back to basics. We've talked a lot about this issue on the show. How else can the industry turn the focus about getting back to basics? What's Worse?! I challenge the CISOs once again on what is probably the shortest What's Worse?! question. Hey, you're a CISO, what's your take on this?' The horror of the badge scanner. Chad Loder, CEO of Habitu8, posted that he never uses badge scanners because "There's nothing worse than talking to someone only to have them ask, 'Mind if I scan you?' - it reinforces the idea that the goal of this human interaction is to ensure you're added to a list." The goals of attendees (learning and valuable conversations) are not coinciding with the goals of vendors (more scans for follow up cold calls and marketing). What is the ideal booth experience for a security professional? BTW, I wrote a book on how to engage at a trade show entitled Three Feet from Seven Figures: One-on-One Engagement Techniques to Qualify More Leads at Trade Shows. Check it out at http://threefeetbook.com Ask a CISO Jeremiah Grossman, CEO of Bit Discovery, and a former guest, asked this question on Twiter which caused a flurry of discussion: "In InfoSec we often hear, 'Why don’t organizations just do or fix … X?' As a thought exercise, ask the opposite. 'Why should businesses do or fix… X?,' and do so in dollars and cents terms.It’s often surprisingly difficult." Is it possible to calculate this formula?
3/26/201928 minutes, 53 seconds
Episode Artwork

When Abusing Our Privacy, Does Size Matter?

Do the biggest tech companies abuse our privacy because they have no competitive incentive to protect it? That debate and more on the latest episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Emilio Escobar (@eaescob), head of information security for Hulu. Endgame makes military-grade protection as easy as anti-virus. Their converged endpoint security platform is transforming security programs – their people, processes and technology – with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com. On this episode Why is everybody talking about this now? Why can't security vendors get CRM right? One week after RSA I have received cold phone calls and emails from companies for which I"m already engaging with multiple people at said company, some I've actually interviewed their CEOs, actually worked for the company, and/or they've sponsored this very podcast. Other industries use their CRM. Why does it appear en masse the cybersecurity industry is failing at basic CRM? How CISOs are digesting the latest security news Massachusetts Senator Elizabeth Warren wrote an opinion piece on Medium saying that if elected President her administration would seek to breakup Amazon, Facebook, and Google. She cited them as monopolies squashing innovation and competition and damaging our privacy for their profit. She said, "With fewer competitors entering the market, the big tech companies do not have to compete as aggressively in key areas like protecting our privacy." What's Worse!? What's the best kind of CISO to have? What's a CISO to do? Last year at Black Hat I produced a video where I asked attendees, "Should DevOps and security be in couples counseling?" Everyone said yes. Are security leaders taking on the role of couples counselor as they try to get security and DevOps working together? What do you think of this pitch? We've got two pitches for the show and the second one has a response that veers into insulting.  
3/18/201934 minutes, 6 seconds
Episode Artwork

We’re Releasing Security Studies of Made Up Numbers

Since no one ever checks a research study's methodology, why not just make up all the numbers? You're in the risk analysis business, right? Chances are very good they'll never check and research studies are a great way to get free press. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Melody Hildebrandt (@mhil1), CISO of FOX. Thanks to this week's sponsors, Axonius and New Context. New Context helps fortune 500s build secure and compliant data platforms. New Context created “Lean Security”, a set of best practices designed to help enterprises manage and secure data for critical infrastructure, and offers professional services and a software solution, LS/IQ, to help enterprises build a secure and compliant data platforms for their business. Huge congrats to Axonius for their two big wins at RSA this year. They were named Rookie Security Company of the Year by SC Media and they also won top prize at RSA’s Innovation Sandbox. They’ve been touted as the company trying to solve the least sexy part of cybersecurity, asset management. Go to Axonius’ site to learn more. On this episode Ask a CISO It’s been reported many times, that the average life of a CISO is 18 months and Mike Johnson lasted 18 months at Lyft. At the time of Mike’s departure so many people were forwarding me articles regarding the stress level of CISOs, most notably around Nominet’s study that claimed that about 1 in 5 CISOs turn to alcohol or self-medicating. With two CISOs on the panel we discuss if this was the most high-pressured job they had and would you be eager and willing to jump back into the CISO role again. Why is everybody talking about this now? Couple weeks ago I wrote an article entitled “30 Security Behaviors that Set Off a CISO’s BS Detector.” There was quite a response from the community to this. Now that we’ve just finished RSA, did our CISOs see or hear anything that set off their BS detectors. What’s Worse?! We play two rounds of “What’s Worse?!” Both rounds are cases of employees putting security in very compromising positions. What’s a CISO to do? When we talk about security we’re often talking about protecting customer and employee data. While all companies have intellectual property they need to protect, at FOX, Melody Hildebrandt is having to deal with some very high profile individual assets that are of interest to many hackers. What are the factors a CISO must consider, that most security people probably aren’t thinking about, when you’re trying to secure a single media asset that’s worth hundreds of millions of dollars? What do you think of this pitch? After you hear this pitch, every security professional may be out of a job. Tip of the hat to Christopher Stealey of Barclays for providing this pitch he received. You’re a CISO, what’s your take on this? Ameer Shihadeh of Varonis asks a question of trying to overcome the objection from a security professional that they don’t have any security initiatives or projects. And now this… We field questions from our audience for the CISOs.
3/12/201942 minutes, 1 second
Episode Artwork

A Pesticide-Free Podcast Made with 'All Natural' Intelligence

We eschew those cybersecurity firms touting claims of artificial intelligence for our organic conversation-based approach to podcasting. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Mike Wiacek (@Mikewiacek), co-founder and CSO for Chronicle. Thanks to this week's sponsor, Chronicle Chronicle’s Backstory is a global security telemetry platform for investigation and threat hunting within your enterprise network. Backstory makes security analytics instant, easy, and cost-effective. Backstory is a specialized, cloud-native security analytics system, built on the core infrastructure that powers Google itself. On this episode What's a CISO to do? As we brace for RSA this week, we expect most companies on the floor will be touting some form of artificial intelligence or machine learning. CISOs are no longer even slightly moved by those terms. What should vendors be saying? And what should a savvy security shopper demand to know about a company's AI or ML? Why is everybody talking about this now? Allan Alford, CISO of Mitel, and my co-host on the other CISO Series podcast, Defense in Depth, created a very funny "Cybersecurity Startup Name & Mission Generator!" chart that got a lot of response. We've seen a lot of these name generators, but this one seemed creepily too real. We discuss InfoSec company names and how not to let your eyes glaze over as you walk the trade show floor. What's Worse?! How do you feel when big security companies acquire smaller security companies? Please, enough. No, more. This week's topic is "threat hunting." We talk about what we've heard enough of on "threat hunting," and what we'd like to hear a lot more. What's a CISO to do? A great challenge question from an anonymous source: "My users learned security from the evening news. Now I can't see their traffic due to their VPN tunnel and they are using programs that delete evidence to be more secure." What's a CISO to do?
3/3/201929 minutes, 28 seconds
Episode Artwork

You Get a Private Network! You Get a Private Network!

CISO/Security Vendor Relationship Podcast and series is available at CISOSeries.com. We're giving away private networks to everybody. Even if you think you don't need one, you want one. It's all on this week's episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Francis Dinha, CEO of OpenVPN. Thanks to this week's sponsor, OpenVPN Create an economical and secure private network for your company with OpenVPN. Used by Fortune 500 companies and IT, Access Server keeps your internal data safe with end-to-end encryption, secure remote access, and extension for your centralized unified threat management. Go to openvpn.net/ciso-series to test drive Access Server for free. On this episode What's a CISO to do? A few years back I interviewed Francis Dinha about hiring talent. Dinha had the fortune to be able to mine his own community of people of open source volunteers. It's become a great resource for hiring talent. Finding those passionate communities are key for finding talent. We discuss other possible resources and why it's critical or maybe not critical to hire people who've contributed to the open source community. Why is everybody talking about this now? Given the number of default passwords being used and connected devices with little to no security, does achieving "zero trust" have to be the InfoSec equivalent of climbing Mt. Everest? We discuss simplifying security architecture so achieving "zero trust" isn't a badge of honor but rather something everybody can easily do. "What's Worse?!" Another round where we debate an open source conundrum. Please, enough. No, more. What have we heard enough with VPNs and what would we like to hear a lot more? Let's dig a little deeper John Prokap, CISO of HarperCollins, said on our live NYC recording, "If you patch your systems, you will have less threats that will hurt you." I posted John's basic security advice as a meme, and it got a flurry of response. My favorite came from Greg Van Der Gaast of CMCG who said, "The fact that this is quote/post-worthy in 2019 boggles my mind." The issue of "why aren't you doing this" came up and people discussed integration issues, hard to keep up, and the fact that patches can often break applications. Is this a cycle that's impossible to break?  
2/26/201932 minutes, 40 seconds
Episode Artwork

Productivity Tip! Get More Done By Refusing To Do Anything

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. We tip our hat to the much maligned "Department of No" for having the foresight to see that refusing service is probably the most efficient and secure response. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is April Wright (@AprilWright), CEO, ArchitectSecurity.org. Thanks to our sponsor, Endgame Endgame makes nation-state grade protection as easy as anti-virus. Their converged endpoint security platform is transforming security programs – their people, processes and technology – with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com. Endgame will be at RSA this year in booth 1827 in the south hall. On this episode How CISOs are digesting the latest security news In an effort to improve security before the 2020 Olympic games, the government of Japan will try to hack its own citizens by using default passwords on webcams, routers, and other Internet connected devices. If they break through they will alert the people that their devices are susceptible to attacks. How good or bad is this idea? Will this give way to easy phishing scams? Why is everybody talking about this now? Online, Mike brought up the subject of security rockstar culture and specifically pointed this comes from the security staff playing offense vs. the ones playing defense who really need a team behind them to be effective. We look at the difference between a healthy leading voice in security vs. “a look at me” security rockstar. It’s time to play, “What’s Worse?!” Two rounds and the first one Mike spends a lot of time debating. Ask a CISO Brad Green of ObserveIT asks, “Do CISOs pay attention to competitive market conditions of different vendors?” Are you aware of what’s going on and what impact do analysts have? What do you think of this pitch? Two pitches to critique. Lots of insight.  
2/19/201934 minutes, 3 seconds
Episode Artwork

We’re 99% Sure Our Malware Protection Will Fail 1% of the Time

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. Do you want a security vendor that’s good at protecting you from malware or a vendor that’s honest with you about their failure rates? Whatever happens you’ll take it on the latest episode of CISO/Security Vendor Relationship Podcast recorded live in NYC for the NY Information Security Meetup (@NYInfoSecurity). Thanks for hosting our recording! This super-sized special episode features drop-in co-host, John Prokap (@JProkap), CISO of HarperCollins Publishers, and our guest Johna Till Johnson (@JohnaTillJohnso), CEO of Nemertes Research. Check out all the awesome photos from the event. Context Information Security is a leading technical cyber security consultancy, with over 20 years of experience and offices worldwide. Through advanced adversary simulation and penetration testing, we help you answer the question – how effective is my current cyber security strategy against real world attacks? On this episode How CISOs are digesting the latest security news To Facebook, our data in aggregate is very valuable. But to each individual, they view it as essentially worthless as they're happy to give it away to Facebook for $20/month. I don't see this ever changing. Does an employees carelessness with their own privacy affect your corporation's privacy? Why is everybody talking about this now? Rich Mason, former CISO at Honeywell posted about the need to change the way we grade malware. He noted that touting 99 percent blocking of malware that allows for one percent failure and network infection is actually a 100 percent failure. It's the classic lying with statistics model. How should we be measuring the effectiveness of malware? What's Worse?! We play two rounds trying to determine the worst of bad security behavior. What's a CISO to do? A CISO can determine their budget by: 1: Meeting compliance issues or minimum security requirements 2: Being reactionary 3: Reducing business risk 4: Enabling the business Far too often, vendors have preyed on reactionary and compliance buyers. But the growing trend from most CISOs is the reduction of business risk. How does this change a CISO's budgeting? Let's dig a little deeper We bring up "do the basics" repeatedly on this show because it is often the basics, not the APTs, that are the cause of a breach or security failure. Why are the basics so darn hard and why are people failing at them? What do you think of this pitch? We've got two pitches for my co-host and guest to critique. And now this... We wrap up our live show with lots of questions from the audience.
2/12/201944 minutes, 15 seconds
Episode Artwork

We're Selling Your Data at Unbeatable Prices

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. We've got so much data we've got to liquidate. Whatever private information you want - location, purchase history, private messages - we've got it! Call us now before our users realize what we're doing. Your privacy, unleashed, on the latest episode of CISO/Security Vendor Relationship Podcast. Create an economical and secure private network for your company with OpenVPN. Used by Fortune 500 companies and IT, Access Server keeps your internal data safe with end-to-end encryption, secure remote access, and extension for your centralized unified threat management. Go to openvpn.net/ciso-series to test drive Access Server for free.     On this episode Why is everybody talking about this now? Oh Facebook, not again. Appears they were paying teenagers for the right to snoop on their phone. The most telling part of this story is that this app was activated by clicking a button that said, "Trust." How does Facebook's untrustworthy behavior affect a CISO's ability to maintain trust with their audience? How are CISOs digesting the latest security news? From the UK, the Cyber Skills Impact Fund will receive a nice boost of £500,000 to attract more people to cybersecurity, but specifically a diverse workforce. We have talked at great length about the need to have a diverse security staff, and Mike has said on a previous show that not having diversity actually makes you less secure because you fall into "one think." How does a diverse staff change the thinking dynamic of your security team? It's time to play "What's Worse?!" We play two rounds of the game. One round is far more challenging than the other. Ask a CISO Tip of the hat to Schaefer Marks of ProtectWise for his suggestion about RSA pitching. I'm starting to get RSA meeting requests. They all follow the same format: assuming we're getting ready, and asking if we would like a meeting with a VP, CEO, some expert. We discuss what pre-event pitching we like and don't like. What do you think of this pitch? We have two pitches, one that's pretty good, and one that's disastrous.  
2/5/201931 minutes, 10 seconds
Episode Artwork

We're the Ellen of Cybersecurity Podcasts

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. We're comparing ourselves to media you already know in hopes you'll better understand our product and listen to our show. It's our first self-produced live recording of the CISO/Security Vendor Relationship Podcast from San Francisco and it came out awesome. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest for this live show is Andy Steingruebl (@asteingruebl), CSO of Pinterest. Check out all the awesome photos from our first self-produced live recording. Thanks to our sponsors The Synack Crowdsourced Security platform delivers effective penetration testing at scale. Synack uses the world’s top security researchers and AI-enabled technology to find what scanners and regular testing do not. It’s used by US Dept of Defense and leading enterprises for better security. To learn more, go to synack.com. New Context helps fortune 500s build secure and compliant data platforms. New Context created “Lean Security”, a set of best practices designed to help enterprises manage and secure data for critical infrastructure, and offers professional services and a software solution, LS/IQ, to help enterprises build a secure and compliant data platforms for their business.  Create an economical and secure private network for your company with OpenVPN. Used by Fortune 500 companies and IT, Access Server keeps your internal data safe with end-to-end encryption, secure remote access, and extension for your centralized unified threat management. Go to openvpn.net/ciso-series to test drive Access Server for free.   Why is everybody talking about this now? Chris Roberts with Attivo Networks caused a flurry of discussion when he argued that using the term "security" is meaningless. He said, "There is no such thing as security. There is just a measurement of risk." He went on to say we shouldn't be talking about security risk, but only business risk. Would it be a good idea to change the terminology? How are CISOs are digesting the latest security news? France’s data protection regulator, CNIL, issued Google a $57 million fine for failing to comply with its GDPR obligations. Not the first GDPR fine, but it's first big tech giant. And it's not nearly as much as it could have been. But it's the biggest fine so far. Are GDPR fines starting to get real? Will this embolden even more fines? Hey, you're a CISO, what's your take on this? On LinkedIn Mike Johnson brought up the discussion of security vendors marketing what they're not. He claimed that this tactic is doomed to fail, and should just stop. Why is it a failed tactic? It's time to play, "What's Worse?!" We get a little philosophical in this round of "What's Worse?!" Um...What do they do? I read the copy from a vendor's website and the two CISOs try to figure out, "What do they do?" Ask a CISO A listener asks, "What are the signs that tell you that a vendor is serious about improving the security of their product?" How are CISOs are digesting the latest security news? A caustic attendee to DerbyCon brings down the entire event because the organizers didn't know how to handle his behavior. How can event producers in the security space avoid this happening in the future? And now this... We take questions from our audience.  
1/28/201945 minutes, 40 seconds
Episode Artwork

Introducing Defense in Depth: Security Metrics

Our new podcast, Defense in Depth, is part of the CISO Series network which can be found at CISOSeries.com. This is a special episode introducing this new podcast. To get more of Defense in Depth, subscribe to the podcast. What are the most important metrics to measure when building out your security program? One thing we learned on this episode is those metrics change, as your security program matures. This episode of Defense in Depth is co-hosted by me, David Spark (@dspark), the creator of CISO Seriesand Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is my co-host of the other show, Mike Johnson, CISO of Lyft. Fluency's correlation and risk scoring technology combined with their approach of using pseudonyms in place of certain PII data greatly facilitates your organization's path towards compliance. Over time, machine learning and artificial intelligence algorithms detect anomalies at an impressive level of scalability. Run Fluency as a standalone or integrate it into your existing SIEM. Learn more by visiting us at booth #4529 at the RSA® Conference 2019. On this episode of Defense in Depth, you'll learn: There is no golden set of security metrics. Metrics you use to measure your security program this year won't necessarily be the same ones you use next year. Use the NIST model to determine your security program maturity. Unlike B2C, B2B companies can use metrics to build a closer tie between security and the business. Regulations and certifications is one easy way to align security with the business.
1/24/201925 minutes, 42 seconds
Episode Artwork

You're the Expert, You Figure Out Our Software

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. We don't have to make our software any simpler to use. You just need to get smart enough to use it. We're all attitude on the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Mike Nichols (@hmikenichols), VP of product at Endgame. Endgame makes nation-state grade protection as easy as anti-virus. Their converged endpoint security platform is transforming security programs - their people, processes and technology - with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com. Endgame will be at RSA this year in booth 1827 in the south hall. On this episode How CISOs are digesting the latest security news Is this yet ANOTHER security breach? A massive document of usernames and passwords. These are all available in text files, pretty much for anyone to see. We're not sure, but this may be a collection of usernames and passwords from historical hacks, but it's not clear. Most of us have potentially more than a hundred usernames and passwords. How are we supposed to go through all our accounts and change them all? Can we slap 2FA on top of everything? What should be the best reaction to this kind of news? Hey, you're a CISO, what's your take on this?' In the area of user experience, B2B software seems neglected. All the wonderful usability goes to consumer apps, because everybody needs to be able to use them. But B2B software can cut corners and add extra layers for usability because heck, these people are experts, they're hired to do this job. They should know what they're doing. But that type of thinking is hurting the industry as a whole. What's Worse?! We've got a scenario of two CISOs with two different companies. Which one has the worst security posture? Please, Enough. No, More. Our topic is endpoint protection. We talk about we've heard enough about on endpoint protection, and what we'd like to hear a lot more. Endgame's machine learning engine, Ember, is open source. What's a CISO to do? Why is it so difficult to hire InfoSec professionals? Is there not enough skills, not enough people interested, tough to hire diversity, way too competitive environment, or is it the nature of the recruiting industry itself?
1/22/201932 minutes, 6 seconds
Episode Artwork

Get Out! The Data Leak Is Coming from the Inside

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. Be afraid. Be very afraid of the latest episode of the CISO/Security Vendor Relationship Podcast where it's possible that 90 percent of your security breaches are coming from within your own company. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Leon Ravenna, CISO, KAR Auction Services. Synack provides crowdsourced security testing that provides more than older style penetration testing. Instead of using a few researchers who output a final report, Synack uses a globally-sourced crowd of researchers backed by a purpose-built hacking platform. This gives organizations access to security talent that is not available from any one company, and data and insights into the testing process. All Synack security testing is recorded, measured, and analyzed to not only output results like new vulnerabilities and compliance checks, but displays attack patterns and quantities in real-time. By using bug bounties as incentives, researchers are rewarded for the great finds that Synack verifies and shares with its customers. To find out more about the Hacker-Powered Security used by the Internal Revenue Service and many other organizations, go to synack.com. On this episode How CISOs are digesting the latest security news According to a new report from Kroll, "Human Error, Not Hackers, to Blame for Vast Majority of Data Breaches." They report that 2,124 incidents could be attributed to human error, compared to just 292 that were deliberate cyber incidents, They say that's a 75% increase over the past two years but that could be because reporting breaches wasn't mandatory before GDPR. One user commented, these numbers seem to conflict with what the Verizon Breach report says. According to this data it appears a security leader should be spending close to 90 percent of their budget and effort trying to prevent inside data leakage. How would your security plan change if that was your charge? Hey, you're a CISO, what's your take on this?' An article and video published last week on this site written and featuring Elliot Lewis, CEO of Encryptics, talks about the need to get cozy with your legal team because when a breach occurs, you're going to need to have possession, custody, and control of your data. If you can't answer those questions you're putting your legal team in a bind. Mike and our guest talk about being able to answer these questions and building relations with the legal team. It's time to play, "Um... What Do They Do?" It's a brand new game where I read copy from a vendor's website, and Mike and our guest try to guess, "What do they do?" What's a CISO to do? Kip Boyle, past guest, friend of the show, and author of a new book, "Fire Doesn't Innovate," which comes out today asks this question, "Could good cyber risk management be the basis for a competitive differentiator for your business? How?" Kip's book is available at firedoesntinnovate.com and for the first week it's out it's only $.99 via Kindle. Ask a CISO Thomas Torgerson of Blue Cross/Blue Shield of Alabama asks, "How do CISO's feel about presenting webinars or speaking at other events regarding products that they use in their environment?" Are there incentives promoting a vendor solution? Or is it too risky to let threat actors know your security toolsets?   
1/15/201927 minutes, 5 seconds
Episode Artwork

Shoving Money Down Security's Bottomless Pit

No matter how much money we shove into security, it never seems to fill up. That's good for vendors. Not so good for buyers of security who don't have a bottomless pit of money to fill the bottomless pit of security.   This week's episode is sponsored by Red Canary. Red Canary is a security operations ally to organizations of all sizes. They arm customers with outcome-focused solutions that can be deployed in minutes to quickly identify and shut down adversaries. Follow their blog for access to educational tools and other resources that can help you improve your security program. Got feedback? Join the conversation on LinkedIn On this episode How CISOs are digesting the latest security news Wayne Rash of eWEEK wrote a piece on what to expect in cybersecurity in 2019. Most of the stuff is more of the same, such as nation state attacks, ransomware, phishing, and assume you're going to get attacked. But, he did bring up some issues that don't get nearly as much discussion. One was cryptomining which is hijacking your cloud instances, encrypting ALL data, moving away from usernames/passwords, and getting a third-party audit. So what's on CISOs' radar in 2019 Why is everybody talking about this now? Dutch Schwartz of Forcepoint brought up the issue of collaboration. This is not a new topic and we all know that if we don't share information the attackers who do share information will always have leverage. There are obvious privacy and competitive reasons why companies don't share information, but I proposed that if the industry believes collaboration is so important, then it should be a requirement (think GDPR) or we should build incentives (think energy incentives) with a time limit. Is this the right approach? Is the collaboration we're doing already enough? What's Worse?! We play yet another round on an issue that really annoys my co-host. What's a CISO to do? Thom Langford, CISO of Publicis Groupe, said that cybersecurity should be seen as a long term campaign. And if you keep at it, you will see results. Think anti-smoking or seat belt campaigns. Yet we see more and more companies treating security as a one-off project and not looking at dealing with it in the long term. Could this be more a problem of how we view security in the media? Ask a CISO Brijesh Singh, Inspector General of Police, Cyber at Government of Maharashtra said, "A young student asked me a very basic question, isn’t Cybersecurity just a branch of IT? Why should it be treated separately?" It's an awesome question that resulted in a flurry of responses. Is there a difference? Got feedback? Join the conversation on LinkedIn  
1/8/201932 minutes, 38 seconds
Episode Artwork

Real Housewives of Cybersecurity

CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. We're clawing each other's eyes out in the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Darren Death (@darrendeath), VP of InfoSec, CISO, ASRC Federal. Special thanks to Virtru for sponsoring this episode. As a reader, I know you’re always worried about your data. That’s why Virtru is providing a free copy of Forrester’s 14-page report on the Future of Data Security and Privacy to readers for a limited time. Click here to grab your copy while it’s still available. On this episode: How CISOs are digesting the latest security news A nasty fight between two security vendors becomes public because one of the CEOs decides to expose the other CEO. But did he really? What's really going on? Thanks to Nathan Burke of Axonius for bringing this story to our attention. Why is everybody talking about this now? Is calling someone a "blocker" the most weaponized word in the tech industry? How can this be avoided and what are the scenarios this term comes up? What's Worse?! We've got a split decision on this week's question on trust. What's a CISO to do? Robert Samuel, CISO, Government of Nova Scotia asks our CISOs, "What does success look like?" How do CISOs define success? Ask a CISO Where should an SMB, that may have little to no security team, begin building out its security program?
12/17/201831 minutes, 53 seconds
Episode Artwork

America's Next Top Data Privacy Violator

CISO/Security Vendor Relationship Podcast and Series can be found at CISOSeries.com. A newly proposed provision in the Consumer Data Protection Act (CDPA) could result in jail time for intentional data privacy violations. We're not scared. We're still peeping into your digital lives on the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Will Ackerly, co-founder and CTO of Virtru. Special thanks to Virtru for sponsoring this episode. As a reader, I know you’re always worried about your data. That’s why Virtru is providing a free copy of Forrester’s 14-page report on the Future of Data Security and Privacy to readers for a limited time. Click here to grab your copy while it’s still available. On this episode Why is everybody talking about this now? Huge fines and massive jail time for intentional violations of data privacy. Do the new provisions in the CDPA go too far or are they just right? What's a CISO to do? Listener Bradley Teer of Armor Cloud Security asks, “What’s the scariest moment or event that's ever happened in your career as a security practitioner?" What's Worse?! Two listeners, Rick McElroy of Carbon Black and Jamie Leupold of PreVeil asked the same question for this week's game. It's a question Mike knew was eventually going to be asked. Please, Enough. No, More. We talk about data privacy in today's segment. Can we get beyond the discussion of GDPR? Ask a CISO On a previous episode we talked about the meager adoption of multi-factor authentication. We concluded that it was still too complicated to use. So what's encryption's excuse? Why isn't encryption available and used by all? How does the security paradigm change if everyone is sending encrypted messages?
12/10/201832 minutes, 30 seconds
Episode Artwork

A 'Single Pane of Glass' for Ignoring Vendor Pitches

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com. Tired of deleting pages of vendor pitches? Wouldn't it be more efficient if  you could see them altogether on one screen so you could simply choose which ones to ignore? We're improving vendor non-engagement efficiency in the latest installment of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Chris Castaldo (@charcuteriecoma), sr. director of cybersecurity, 2U. This episode is sponsored by Vulcan Cyber, your automated vulnerability remediation solution. Put an end to manual-only patch management and reduce vulnerability risk with a cloud-based solution that bridges the vulnerability remediation gap. Automate and orchestrate the vulnerability remediation process with Vulcan Cyber. Got feedback? Join the conversation on LinkedIn. On this episode: Why is everybody talking about this now? Six months ago Mike Johnson proposed the idea of "Demos for charities" and it got mixed results, but some people took on the challenge from both the practitioner and the vendor side. See how our guest offered up 45 minutes of his time in exchange for a donation to his favorite charity. What's a CISO to do? In light of the most recent Marriott breach, Brian Krebs wrote a great thought piece about our new acceptance of "security" and that is we can't count on companies security our data. How do security professionals communicate that to their team and users and still maintain trust? What's worse?! This week's challenge comes from William Birchett, Sr. Manager IT Security at City of Fort Worth. Both options are annoying and we have a split decision on what's worse. First 90 days of a CISO Tony Dunham of the Professional Development Academy asks how can InfoSec professionals develop the soft skills needed for leadership prior to being put in the pilot seat? Ask a CISO We talk about user-centric design and my co-host has some not-so-nice-words for vendors selling a "single pane of glass" solution.  
12/4/201834 minutes, 8 seconds
Episode Artwork

The Latest Unnecessary Stats on Marginal Security Threats

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com. If we let you know that 90 percent of break-ins happen because of a little known threat we happen to mitigate, you'd purchase our product, right? Ignore basic security practices as you listen to the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Yaniv Bar-Dayan, CEO of Vulcan Cyber. This episode is sponsored by Vulcan Cyber, your automated vulnerability remediation solution. Put an end to manual-only patch management and reduce vulnerability risk with a cloud-based solution that bridges the vulnerability remediation gap. Automate and orchestrate the vulnerability remediation process with Vulcan Cyber. On this episode: Why is everybody talking about this now? How do you reaffirm that dynamic leadership stance so people aren't just responding to the title, but are actually responding to you and the way you're proving your leadership on a day-to-day basis? Ask a CISO Why do we keep recommending "go back to security basics"? What's Worse?! In honor of our guest, this one is about vulnerability management. Please, enough! No, more! What have we heard enough about on vulnerability management and what would we like to hear a lot more? Ask a vendor How do security vendors work differently with enterprises vs. smaller and mid-size companies?  
11/26/201833 minutes, 8 seconds
Episode Artwork

We Turn Our Backs on Cybersecurity Rock Stars

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com. We're no longer buying their albums because we've had enough of the "can do no wrong" toxic culture of cybersecurity rock stars. On this episode of the CISO/Security Vendor Relationship Podcast we are elevating the little known indie InfoSec professionals. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is independent analyst, Kelly Shortridge (@swagitda_). Follow her musings at Swagitda. This episode is sponsored by Vulcan Cyber, your automated vulnerability remediation solution. Put an end to manual-only patch management and reduce vulnerability risk with a cloud-based solution that bridges the vulnerability remediation gap. Automate and orchestrate the vulnerability remediation process with Vulcan Cyber. On this episode: Why is everybody talking about this now? We do a health check on where we are in terms of security enabling the business. What have been the greatest strides and where are we falling behind? We reference a post by CISO of Mitel, Allan Alford. Please, Enough. No, More. We discuss the phenomenon of cybersecurity rock stars and why their “they can do no wrong” pass is toxic to the industry. What’s Worse?! Tip of the hat to Kip Boyle, CEO of Cyber Risk Opportunities for this week’s question. Ask a CISO The phenomenon of security buzzwords. When is it actually used to describe a product and when is it used to fill up space in a marketing campaign? What’s a CISO to do? We talk about people being the problem in security, but it’s not in the way you think it is.  
11/19/201830 minutes, 5 seconds
Episode Artwork

We'd Feel Safer if This Legitimate Email Was a Phishing Attack

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com. Why is our financial institution sending us an email suggesting we click on a link to log into our account? On this episode of the CISO/Security Vendor Relationship Podcast we educate your customers and your marketing department about suspicious looking emails. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Chenxi Wang, managing general partner, Rain Capital. Special thanks to Virtru for sponsoring this episode. As a reader, I know you’re always worried about your data. That’s why Virtru is providing a free copy of Forrester’s 14-page report on the Future of Data Security and Privacy to readers for a limited time. Click here to grab your copy while it’s still available. On this episode Why is everybody talking about this now? While many security professionals' eyes roll when they hear the word "blockchain," it is currently the second most popular area of security research, according to IDG. What is it about blockchain that VCs and security professionals find so attractive? Question for the board What responsibility does the board bear for educating the C-suite about cybersecurity competency? PwC put together a great list of questions the board should be asking regarding cybersecurity competency. It's time to play "What's Worse?!" There's a visual attached to this game. Go ahead and look here and tune in to hear the question. What's a CISO to do? Our guest, Chenxi Wang, provided some excellent advice for startups on getting on the diversity train early on. If you don't, you'll find it's incredibly hard to build in diversity with an established and non-diverse team. And now this... How do VCs play a crucial role in the relationship between buyers and sellers of security products?
11/13/201830 minutes, 59 seconds
Episode Artwork

Is This a Vendor Dinner or an Escape Room?

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com. Why were we brought to this event? Why can't we leave? I don't think we have enough clues to get out of this vendor meeting. We struggle to remember our safe word in the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Richard Seiersen (@RichardSeiersen), former CISO of LendingClub. Enormous thanks to our sponsor this week, Axonius, simple asset management for cybersecurity. Got feedback? Join the conversation on LinkedIn On this episode: Opening We realize that Mike's comment about burning found USB drives was spot on. According to an experiment conducted by Sophos, about 2/3rds of found USB drives were infected. What's a CISO to do? You've been invited to a vendor dinner, but you feel trapped. Where can you go? We discuss what constitutes a good vendor dinner and which ones make you feel trapped? Here's a link to that Onion article I referenced on the show: "‘First Date Going Really Well,’ Thinks Man Who Hasn't Stopped Talking Yet." Ask a CISO Are CISOs swayed when a vendor sells themselves as "market leading?" Could it actually be a detractor? What about the array of current clients? Does that have any impact? What's Worse?! Mike Johnson says this could be the most even comparison ever! How a vendor helped me this week We talked about an article I released last week, "How to Make a Huge Impact in the Security Community with Zero Marketing," which told the story of building thought leadership and industry influence through open source and related contributions, but not marketing. Ask a CISO How quickly is risk being created in your environment and how quickly can you reduce it? More importantly, can you measure that? Our guest, Richard Seiersen, author of the upcoming book, "The Metrics Manifesto: Confronting Security With Data" (Wiley 2019), explains.
11/5/201834 minutes, 34 seconds
Episode Artwork

STAND BACK! We're Plugging In USB Drives We Found on the Ground

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com. We gear up in HAZMAT suits and get ready for some dangerous USB drive analysis. We're taking all precautions on the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Dean Sysman (@DeanSysman), CEO of Axonius. Enormous thanks to our sponsor this week, Axonius, simple asset management for cybersecurity. On this episode: Opening We talked about how the history of the Enigma machine speaks volumes to how users react when they're forced to use a way too complicated security solution. They will find ways to simplify even if means weakening the overall security. Learn more from Mark Baldwin, Dr. Enigma. Why is everyone talking about this now? I challenged Mike and Dean to this question posed on Quora, "What is the safest way to check the content of a USB stick I found on the ground?" What's a CISO to do? Traditionally, CISOs rise through the ranks as security practitioners and slowly learn the business. But what if you're a CISO that never held the title of practitioner, but is very well versed in the business. How is selling to that type of a CISO different? What's Worse?! Mike and Dean are challenged with two horrible scenarios in asset management. Both are very risky, it's just one will probably result in a breach faster than the other. Please, Enough. No, More! We talk about asset management, and what's shocking is there isn't much to complain about in the "Please, Enough" portion of the segment. The reality is it's all "No, More!" Ask a CISO Dennis Leber, CISO for Cabinet for Health and Family Services for the Commonwealth in Kentucky asked if traditional sales pitches for the latest and greatest threat are really detracting companies from dealing with the basics of security.
10/30/201833 minutes
Episode Artwork

We Get to Know Our Bodies and Our Security Program

We're just a bunch of immature teenagers who can't seem to control ourselves or our security program. We're definitely exploring new solutions in the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guests this week is Michael Makstman, CISO of the City and County of San Francisco. Enormous thanks to our sponsor this week, Axonius, simple asset management for cybersecurity. Read the full article on CISOseries.com.
10/23/201834 minutes, 20 seconds
Episode Artwork

Why it’s Critical for CISOs to Proactively Engage with Vendors

This is a bonus episode of the CISO/Security Vendor Relationship Podcast with former guest, Allan Alford, CISO of Mitel, who was also the subject of a story I wrote in September entitled "One CISO's Grand Experiment to to Engage with Security Vendors." At that end of that discussion, Alford and I agreed that I would follow up with him in a month to see how the experiment went. This conversation is that story. Find the full article here.
10/17/201818 minutes, 30 seconds
Episode Artwork

CHEAT! Best Practices to Win at Monopoly and Security

Check out more at our site CISOseries.com. We don't play fair and we're not ashamed to admit it. This week's episode of the podcast is super-sized because it was recorded in front of a live audience at the Silicon Valley Code Camp conference held at PayPal in San Jose. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guests this week for the live show were Ahsan Mir (@ahsanmir), CISO, Autodesk and Geoff Belknap (@geoffbelknap), CSO, Slack. (from left) Geoff Belknap, CSO, Slack, Mike Johnson, CISO, Lyft, Ahsan Mir, CISO, Autodesk, David Spark, Founder, Spark Media Solutions Special thanks to our sponsor, Electronic Frontier Foundation. Please support their efforts to protect your digital privacy. On this super-sized episode of the CISO/Security Vendor Relationship Podcast: Ask a CISO Is cybersecurity an IT problem or not? Do non-security executives pigeon-hole the role of security? Is this an unfair assessment? Is it dangerous to only view InfoSec as an IT problem? Why is everyone talking about this now? A hot discussion by Jason Clark of Netskope got everyone discussing why CISOs fail. In general, our panel believes it's a situation of poor alignment with the functions and risk profile of the business. What game best prepares you for a job in InfoSec? A few years ago I wrote an article entitled, "What 30 Classic Games Can Teach Us About Security," in which security professionals point to video games, board games, gambling games, and sports as great metaphors and training grounds for a life in security. Our panel debates the value of games as InfoSec teaching tools. "What's Worse?!" We play two rounds of the game and we get split decisions! The first round touches upon a major pet peeve Mike Johnson has had since our very first episode. What's a CISO to do? Security is often seen as a thankless job. It's though the role of the CISO to make sure everyone knows how awesome their security staff is and what they can do for the rest of the business. What do you think of this pitch? We critique another pitch and with this one a CISO does a rewrite that hopefully the security vendor will use. How do CISOs know they're getting a good deal? Not only do CISOs need to come up with a security program for the company, but they need to understand whether or not they're getting good price for the security tools they purchase. Do CISOs have a method to actually insure they're getting the best price possible? Do they even care?
10/16/201849 minutes, 47 seconds
Episode Artwork

We Acknowledge We've Received and Are Ignoring Your Support Ticket

Our CISOs don't have much confidence they'll receive any support when they hit the 'Send' button on your web form.  Check out our NEW SITE: CISOseries.com This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Aaron Peck, CISO of Shutterfly. Special thanks to our sponsor, ConnecTech, producer of intimate custom executive events for IT professionals. Executives: Register to be notified when one of their events will be coming to your city. Vendors: Sponsor one of their events to get meetings with executives that are looking for solutions that your company provides. On this episode of the CISO/Security Vendor Relationship Podcast: Ask a CISO What were the turning points that led you to achieve the title of CISO? We've got a shout out to Mike Rothman's book, "The Pragmatic CISO" and the desire to find and solve the toughest most needed security problems. How a security vendor helped me CISOs have heard the stories from all the major InfoSec vendors. They're tired of playing second and third fiddler to a vendor's hundreds if not thousands of other clients. While a young startup company, potentially in stealth mode, doesn't necessarily have a track record, they do have eagerness and are willing to make their earliest and first customers extremely happy. This hand-holding-type relationship is very attractive to a CISO. What's Worse?! This entry into our weekly game is all about the following two images. There's so much going on in these pictures of a man who has decided to start day trading in public at a local Starbucks. Can you determine what's worse in these two pictures? Our CISOs debate. For more, check out the avid discussion on LinkedIn. What do you think of this pitch? Mike delivers probably the most thorough analysis of a vendor pitch I've ever heard on the show. What's a CISO to do? Hiring great InfoSec talent is an extreme challenge. Our guest, Aaron Peck, makes an argument for speedy hiring to get value for the company as quickly as possible.
10/9/201833 minutes, 56 seconds
Episode Artwork

How to Help Your Best Employees Leave

In such a hyper-competitive market for security talent, the natural inclination would be to try everything you can to keep your best employees. Unfortunately, even when you do everything right, your best employees just get up and leave. Can you and should you fight it? Or should you go out of your way to make the exit as smooth as possible for your staff? What's the benefit to you when they do leave? On this episode of the CISO/Security Vendor Relationship Podcast, we discuss: 10-second security tip: Vanity metrics aren't going to create a more secure environment. Pitching the latest crisis: We've talked endlessly about how CISOs don't respond well to fear pitches. Similarly, salespeople need to understand that CISOs are aware of last week's Facebook hack. Don't bring the news they already know. Provide some insight. Selling the latest APT: If it's a new threat, it's sexy. It may make for great news, but focusing on it doesn't necessarily make for good security. Shouldn't you be starting with the boring basics? Can security basics ever be sexy? We play "What's Worse?!" Listen up security vendors. You're going to want to pay attention to this one. What do you think of this pitch? This week's pitch comes from a CISO. It's not his pitch to us, but a pitch he received. It kind of misses the mark. We explain why. Retaining security talent: We discuss the InfoSec manager's role in retaining security talent. How do you form a relationship that all exits or near exits go as smoothly as possible? This show, like all the previous ones are hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Justin Berman (@justinmberman), CISO of Zenefits. Special thanks to our sponsor, SentinelOne, for supporting this episode and the podcast. Learn more about their autonomous endpoint protection.
10/2/201835 minutes, 53 seconds
Episode Artwork

I Wish I Didn't Post That... But I'm Glad I Did

We admit we've posted some rather embarrassing posts on social media. In particular, my co-host, Mike Johnson, talks about a post he initially regretted, but then realized it's what brought all of us together. In fact, it's a post that initiated much of the discussion we're having today about the relationships between CISOs and security vendors. On this week's episode of the CISO/Security Vendor Relationship Podcast, we discuss: A CISO that eagerly wants to talk to security vendors: CISO of Mitel, and former guest, Allan Alford sent a shock through the industry when he said he was going to reserve time to actually speak with security vendors. Why was this announcement such a big deal? One CISO and one CTO admit to posts they regret: Turns out posts you wish you didn't write actually shake up the pot so much that they form relations, like the two you hear on this show. We play "What's Worse?!" Possibly our toughest round of the game ever. Hint: think security policies. What Do You Think of This Pitch? Mike and our guest dissect a pitch from a listener. They advise what should be taken out, and what should be put in its place. Ask a CISO: Do CISOs need consultative resellers? When are they valuable? If not now, were they valuable? And as always, we've got launch with a great 10-second security tip. Today's episode is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Mike D. Kail (@mdkail), CTO of Everest.org. This episode is sponsored by Thinkst, makers of Canary deception devices. Read how much their customers love their product here. We thank Thinkst for sponsoring this episode of the podcast.
9/25/201829 minutes, 33 seconds
Episode Artwork

Our All White Male Panel Discusses Diversity in Cybersecurity

With absolutely no irony three white men discuss the value of diversity in cybersecurity in the latest episode of CISO/Security Vendor Relationship Podcast. So before you tell me we're three white men talking about diversity, I'm letting you know ahead of time we're three white men talking about diversity. We have no shame! On this episode of the CISO/Security Vendor Relationship Podcast, we debate the following: Microsoft Office macros still top the malware attack vector charts: After apparently three decades it appears that MS Office macros are still the attack point of choice of malicious hackers. What legacy nonsense are enterprises still holding onto? What's the real value of diversity? As I readily admitted, our all white male panel confesses that lack of diversity results in group think and unconscious bias. We play a round of "What's Worse?!" This one has to do with budget and there's a split decision! Which one do you think is worse? Please, Enough. No, More. (on endpoint security): There is a very long list of stuff Mike and our guest don't want to hear anymore about with regard to endpoint security. And similarly, there's plenty more they do want to hear about. Listen to know what you should be paying attention to regarding endpoint security. Does complicating security infrastructure make us safer? What's the right balance of security complexity and simplicity to make your environment safer? If you've got more systems and more security applications in place that means you've got more vectors to exploit. Ten second security tip: And as always, we've got a quick security tip so you don't have to listen to more than a minute of the show before you get some value of this podcast. As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Tomer Weingarten, CEO, SentinelOne. Special thanks to our sponsor, SentinelOne, for supporting this episode and the podcast. Learn more about their autonomous endpoint protection. Catch up on past episodes plus read articles and watch the latest videos from the series at CISOseries.com.
9/18/201831 minutes, 43 seconds
Episode Artwork

Our Latest Product Release Includes Shiny New Security Vulnerabilities

We have an exciting announcement. Our latest version of the podcast is packed with new features and they're riddled with security holes. We know you wanted the features. The security vulnerabilities are just a bonus. On this episode of the CISO/Security Vendor Relationship Podcast, we discuss: Cybersecurity burnout: How bad is it? What can be done to mitigate it? And what are the warning signs? All tech professionals have burnout issues, but InfoSec has it toughest because it's very hard for them to get a sense of accomplishment for their work. CISO/Security Vendor Relationship Podcast is making an impact in the vendor community: We hear multiple stories from vendors how the advice from Mike and the guests is really changing the way they reach out to security professionals. Are you willing to release a product with known security vulnerabilities? What if the customer really demands the new feature next week and they're expecting it, but remediation may take much longer. Do you give the customer what they want, or are there other solutions? What's Worse?! We play a round of picking the worse of two evils. This one is all about training your staff. We unleash another pitch on the security professionals: Their response will surprise you as will the outcome of this pitch. Dumb CISO mistakes: This one actually may not be so dumb. It could actually be good advice when it comes to product testing. Ten-second security tip: This one offers up a more holistic view of security that you may have not considered, but definitely should. Special thanks to Signal Sciences for sponsoring this episode. If you’re using WAFs, make sure you read “Three Ways Legacy WAFs Fail,” by their head of research, James Wickett. As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest is Anne Marie Zettlemoyer, a security strategist and independent researcher who is also on the board of directors for SSH.  
9/10/201831 minutes, 30 seconds
Episode Artwork

Security Made the Mess. They Should Clean It Up.

Security is suffering from a serious Rodney Dangerfield "I get no respect" problem. What has often been seen as the department of "no" is struggling under that brand image. That's probably because security is often seen as an inhibitor rather than an enabler. If InfoSec wants to fix that perception, it'll be their responsibility to dig themselves out. Here's what you'll hear on the latest episode of the CISO/Security Vendor Relationship Podcast: Nobody thinks security is their friend: How can security rid itself of this highly negative branding? Be problem solvers vs. problem creators. Techniques to integrate AppSec into the DevOps process: It comes down to measurement, respecting an engineer's time, and learning from the success of one process and putting it into another. Read more great insight by Chris Steipp of Lyft. We play "What's Worse?!" In this episode of the game we question the worst scenario of an encrypted or unencrypted laptop, but with qualifications. Uggh, WAFs are NOT magical boxes: In a round of "Please, Enough. No, More." we challenge the way web application firewalls (WAFs) are being sold. WAFs need to be more friendly and flexible. No one believes you if you sell them as magical boxes that stop all attacks. How can you be a great customer? We turn the tables from "Ask a CISO" to "Ask a Vendor" and ask what it takes to be a great customer. Vendors would like you to ttop kicking the tires and talk about solving real problems. Plus a ten-second security tip: It may be cliche, but if security departments want to be more effective, they should be moving away from blocking to enabling. Special thanks to Signal Sciences for sponsoring this episode. If you’re using WAFs, make sure you read “Three Ways Legacy WAFs Fail,” by their head of research, James Wickett. As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Zane Lackey (@zanelackey), co-founder and CSO for Signal Sciences and author of the new book from O'Reilly, "Building a Modern Security Program." Sponsor the Podcast If you'd like to sponsor the podcast, contact David Spark at Spark Media Solutions.
8/27/201829 minutes, 53 seconds
Episode Artwork

BONUS: What's So Awesome About Being a CISO?

This is an extra segment we recorded with Dan Glass, former CISO, American Airlines for our last episode. It didn't make it into the last episode, but I thought it was still worthwhile to release as a short bonus mini episode of only four minutes. As always, the show includes myself, David Spark, founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Enjoy.
8/23/20184 minutes, 14 seconds
Episode Artwork

Job Opportunity: Unqualified AND Underpaid

We spend a good portion of this episode of the CISO/Security Vendor Relationship Podcast mocking unrealistic job listings that ask for too many unnecessary credentials and on top of it aren't willing to pay a fair market rate. Did companies forget that it's a buyers' market right now in security? On this episode of the podcast we discuss: The security semantics of "responsibility" vs. "accountability": Which one drives which behavior? And it is possible to try to compel one to the detriment of the other? See Chad Loder's post for more. How do you motivate employees to be concerned about security outside of hammering them with pen tests and fake phishing emails? If it hasn't happened already, those tests to see how secure your environment is may backfire. What can you do to instill secure behavior without testing employees to the point of annoyance? What do you think of this pitch? We get a split decision on a pitch of a company that's operating in a new category. Plus, advice on what never to do in a pitch. Unrealistic expectations for position descriptions: Job descriptions in the security field seem to be getting longer, with more certification requirements, and lower pay. What's going on and do companies who list these types of jobs realize they're only hurting themselves? In a buyers' market you can't just put out an unrealistic job posting to "see who will respond." It will actually damage your brand. Plus, a 10-second security tip (that's a few seconds longer): It's what you should be doing, but probably aren't doing. And a visit from the host of The Cyberwire: Dave Bittner, from The Cyberwire, joins us for a discussion about his daily security tech news show and to tell us about the launch of two more security podcasts. As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Dan Glass, former CISO (as of just a couple days ago) of American Airlines. Special thanks to SpyCloud for sponsoring this episode. Learn more about how you can protect employees and customers from account takeover with SpyCloud. Contributions. Contributions. Contributions. I am cranking out a ton more content for not just the podcast, but also the entire series so I am very open and receptive to story ideas, suggestions for segments of the podcast, or anything else. Just connect with me on LinkedIn. Sponsor the podcast If you're interested in sponsoring the podcast, contact David Spark at Spark Media Solutions.
8/21/201831 minutes, 24 seconds
Episode Artwork

How CISOs Stay Current When They're Ignoring Vendor Pitches

We promise to keep your identity private while we discuss the troubles of two-factor authentication. On this episode of the CISO/Security Vendor Relationship Podcast we discuss: Why don't more people use two-factor authentication? Does the UX still suck? Why can't we agree on a common model for how to authenticate? Will U2F be the saving grace for 2FA? Story on the debate. What are the signs your employees are going rogue? We debate the need to monitor employees this way. Are internal intrusions the same as external? Is monitoring the monitoring devices enough? What are the signs? Discussion on LinkedIn and a recommended book: "Nothing to Hide: The False Tradeoff between Privacy and Security." We play a round of "What's Worse?!" It's the game where we determine which is the worst of two really bad practices. In this case, the CISOs have to choose between two unpleasant marketing practices. How do CISOs balance compliance and security: The two aren't equal, but compliance is a means to prove that you're doing security right. Our guest hits it out of the park with a very clear explanation and also how to use compliance to better market your company. How do CISOs discover new solutions: This might as well be the title of this podcast, but we delve into some unique angles that CISOs are taking as they're avoiding traditional pitches from security vendors. Discussion on LinkedIn. Ten-second security tip touting the value of passphrases: See this cartoon for more. As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Allan Alford (@AllanAlfordinTX), CISO, Mitel. Special thanks to our sponsor, SentinelOne, for supporting this episode and the podcast. Learn more about their autonomous endpoint protection. Contributions. Contributions. Contributions. I am cranking out a ton more content for not just the podcast, but also the entire series so I am very open and receptive to story ideas, suggestions for segments of the podcast, or anything else. Just connect with me on LinkedIn. Sponsor the podcast If you’re interested in sponsoring the podcast, contact David Spark at Spark Media Solutions.
8/14/201836 minutes, 18 seconds
Episode Artwork

Use Your CRM. CISOs Are Tired of Repeating Themselves.

Just because you have a new salesperson, doesn't mean you have to restart the sales process. If you've been properly entering information into your CRM, you shouldn't have to. On this episode of the podcast we discuss: Are you ready for...Black Hat: Techniques to get the most value out of the conference. We've got some really good post-conference suggestions. What do you think of this pitch? We have one of those follow up pitches that just rubs CISOs and security professionals the wrong way. It's time to play, "What's Worse?!" Both host and guest agreed on this one. It's possibly the worst of the worst. Please, Enough. No, More: We discuss account takeover. What we've heard enough on this subject, and what we'd like to hear a lot more. Make sure to read Lyft's article about fingerprinting fraudulent behavior. What's a CISO to do? Beyond blocking and responding, we discuss different tactics for offense and defense against cybercriminals. Which ones are most effective and which ones are ethically and morally wrong? It's time for "Ask a Vendor!" Working off the same model as "Ask a CISO," we turn the tables and security professionals ask questions of vendors. This time, we asked about the use/non-use of CRMs. As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Ted Ross (@tedross), CEO, SpyCloud. Special thanks to SpyCloud for sponsoring this episode. Learn more about how you can protect employees and customers from account takeover with SpyCloud. Contributions. Contributions. Contributions. I am cranking out a ton more content for not just the podcast, but also the entire series so I am very open and receptive to story ideas, suggestions for segments of the podcast, or anything else. Just connect with me on LinkedIn. Listen and Subscribe to the CISO/Security Vendor Relationship Podcast So many ways to connect and listen to the podcast. iTunes Google Play Stitcher RSS Feed
8/6/201829 minutes, 27 seconds
Episode Artwork

Ultra Enhanced Deluxe AI with a Drop of Retsyn

Just like so many security products are infused with artificial intelligence, we've also got plenty of meaningless modifiers to describe this podcast. On this episode we've got: First 90 Days of a CISO. How do you assess talent already there, and how do you prioritize the new hires you need? Please, Enough! No, More! We delve into the overexposure of AI (artificial intelligence) and machine learning. Are they the same thing? And what do CISOs actually want to hear more about on both of these topics? "What's Worse?!" This is a brand new game where I ask the CISOs to determine which of two really bad security practices is worse. What Do You Think of This Pitch? We've got another vendor pitch that the CISOs critique. Ask a CISO. How are CISOs involved in purchase decisions that are not security related (e.g., cloud, networking, infrastructure). Special thanks to Signal Sciences for sponsoring this episode. If you're using web application firewalls (WAFs), make sure you read "Three Ways Legacy WAFs Fail" by their head of research, James Wickett. As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Dennis Leber (@dennisleber), CISO, Cabinet for Health and Family Services, Commonwealth of Kentucky and the self proclaimed "Most Interesting Man in Information Security." We Want More of "What's Worse?!" In this episode, I introduced a new segment, a game called "What's Worse?!" where I introduce two comparably bad security practices and ask the CISOs to debate on which is worse, and why. Fortunately in this episode the CISOs disagreed on both comparisons posed. I'm eager to challenge CISOs with more "What's Worse?!" questions. So if you've got a good one, please contact me here or on LinkedIn. I'm also interested in: “Ask a CISO” questions. A vendor pitch you want us to critique. A hot security discussion (please provide a link). A quick security tip. A big industry story and what it means to security professionals. In all cases, we can mention you and your company name or keep you anonymous. Just let me know which you prefer. Listen and Subscribe to the CISO/Security Vendor Relationship Podcast So many ways to connect and listen to the podcast. iTunes Google Play Stitcher RSS Feed Sponsor the Podcast If your company would like to sponsor this podcast, please contact David Spark at Spark Media Solutions.
7/31/201829 minutes, 44 seconds
Episode Artwork

How to Choose a Bad Security Product

If I knew more about your current security needs, I'd probably be able to tell you what security product to buy. But that would require me to spend time understanding your needs and this podcast is only 30 minutes long. Instead, we decided to uncover the universal truths of what security product you shouldn't buy. In this episode of the CISO/Security Vendor Relationship podcast, we uncover failed CISO product purchases plus: Do temporary dips in hacker attacks change your security posture? What CISOs LOVE to see in their inbox. For this week, we're talking about their favorite reports. What metrics are CISOs following? And what are the metrics CISOs use to determine those metrics? Oh, and are there any metrics CISOs should ignore? Our CISOs digest a vendor pitch. And for "Ask a CISO," we question the value of case studies in print or video form. And as always, we launch the show with a 10-second security tip! As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Randall (Fritz) Frietzsche (@frietzche), CISO, Denver Health, Denver ISSA distinguished fellow, and teaches at Harvard University. We Want Your Input and Critiques For every episode we want input from listeners! Please contact me here or on LinkedIn and send me the following: “Ask a CISO” question. A vendor pitch you want us to critique. A hot security discussion (please provide a link). A quick security tip. A big industry story and what it means to security professionals. In all cases, we can or can’t mention you and your company name or keep you anonymous. Just let me know what you want. Listen and Subscribe to the CISO/Security Vendor Relationship Podcast So many ways to connect and listen to the podcast. iTunes Google Play Stitcher RSS Feed Sponsor the Podcast If your company would like to sponsor this podcast, please contact David Spark at Spark Media Solutions.  
7/24/201832 minutes, 2 seconds
Episode Artwork

We Have the Silver Bullet for BS Detection

We're fed up with vendors who think they can detect any breach, but we're not fed up with breach detection. On this week's episode: Are millennials excited or not excited about working in security? Supposedly, nine percent of all millennials are interested in a job of security. Is that good news/bad news/misrepresented news? (Read the story) Haroon Meer's amazingly open story of the money Thinkst spent at RSA 2018. Was it worth it? Great advice for anyone else sponsoring a big tech conference. (Read the story) Are you sponsoring Black Hat or another big tech conference? Pick up my book, Three Feet from Seven Figures: One-on-One Engagement Techniques to Qualify More Leads at Trade Shows. We talk about breach detection and the use of deception devices. When a breach happens, should you or shouldn't you blame the victim? How should security sales managers pump up their team for sales? Is letting people know that they're the only ones to fix their customers' problems the right tactic? This episode is sponsored by Thinkst, makers of Canary deception devices. Read how much their customers love their product here. As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Haroon Meer (@haroonmeer), founder and researcher of Thinkst. We Want Your Input and Critiques For every episode we want input from listeners! Please contact me here or on LinkedIn and send me the following: “Ask a CISO” question. A vendor pitch you want us to critique. A hot security discussion (please provide a link). A quick security tip. A big industry story and what it means to security professionals. In all cases, we can or can’t mention you and your company name or keep you anonymous. Just let me know what you want. Listen and Subscribe to the CISO/Security Vendor Relationship Podcast So many ways to connect and listen to the podcast. iTunes Google Play Stitcher RSS Feed Sponsor the Podcast If your company would like to sponsor this podcast, please contact David Spark at Spark Media Solutions.
7/17/201833 minutes, 27 seconds
Episode Artwork

Is Password2 More Secure Than Password1?

Are you managing your passwords the same today as you did five years ago? On this episode of the CISO/Security Vendor Relationship podcast, we discuss the changing landscape of what we once thought were best practices, but aren't anymore. On this episode: Which CEOs are more fatalistic about inevitability of cyber attacks Explaining cyber risks to the board Reappropriating the word "hacker." My cartoon that spurned a debate and Rick McElroy of Carbon Black's discussion on LinkedIn. What we're no longer advising you do with your passwords. Do cold calls and emails ever work? What are CISO's biggest organizational roadblocks? All that and a ten-second security tip. As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Maxime Rousseau (@maxrousseau), CISO, Personal Capital. We Want Your Input and Critiques For every episode we want input from listeners! Please contact me here or on LinkedIn and send me the following: “Ask a CISO” question. A vendor pitch you want us to critique. A hot security discussion (please provide a link). A quick security tip. A big industry story and what it means to security professionals. In all cases, we can or can’t mention you and your company name or keep you anonymous. Just let me know what you want. Listen and Subscribe to the CISO/Security Vendor Relationship Podcast So many ways to connect and listen to the podcast. iTunes Google Play Stitcher RSS Feed Sponsor the Podcast If your company would like to sponsor this podcast, please contact David Spark at Spark Media Solutions.
7/10/201830 minutes, 38 seconds
Episode Artwork

Stop Asking CISOs if They Care about Security

Want to get under a CISO's skin? Ask them if they have a concern for security in their environment. It's like asking a chef if they're concerned about preparing food. In this week's episode of the CISO/Security Vendor Relationship Podcast we learn how the following: Dumbest mistakes you can make as a CISO What to do on day 1 when you're a CISO Why is everyone talking about this now? Questioning a CISO's job interests. Please, Enough. No, More on GDPR. We critique a vendor pitch. And "Ask a CISO." As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Richard Greenberg (@ragreenberg), CISO, LA County Department of Health Services as well as chapter presidents of ISSA and OWASP in Los Angeles. This episode is sponsored by Signal Sciences. We thank them for their support. We Want Your Input and Critiques For every episode we want input from listeners! Please contact me here or on LinkedIn and send me the following: “Ask a CISO” question. A vendor pitch you want us to critique. A hot security discussion (please provide a link). A quick security tip. A big industry story and what it means to security professionals. In all cases, we can or can’t mention you and your company name or keep you anonymous. Just let me know what you want. Listen and Subscribe to the CISO/Security Vendor Relationship Podcast So many ways to connect and listen to the podcast. iTunes Google Play Stitcher RSS Feed Sponsor the Podcast If your company would like to sponsor this podcast, please contact David Spark at http://www.sparkmediasolutions.com/contact/Spark Media Solutions.
7/3/201827 minutes, 15 seconds
Episode Artwork

Katy Perry Recommends Two-Factor Authentication

Did Katy Perry provide sound security advice, or didn’t she? You’ll have to listen to the latest episode of the CISO/Security Vendor Relationship Podcast to find out. In this episode: A Third of UK Organizations Have Sacked Employees for Data Breach Negligence Younger Employees Identified as ‘Main Culprits’ of Security Breaches Who has your CEO’s credentials? – by Robert Herjavec, one of the sharks on “Shark Tank” NEW Segment: Please, Enough. No, More. This week we talk about identity management What do you think of this pitch? A pitch from Cobalt Ask a CISO. How many tools in your suite? Are you worried about integration?   As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Richard Rushing (@secrich), CISO, Motorola Mobility. The written content for this podcast was first published on Security Boulevard.
6/26/201829 minutes, 6 seconds
Episode Artwork

Your ‘Go-To Source’ for Unnecessary Cyber Terror Alerts

On this week’s episode of the CISO/Security Vendor Relationship podcast we ask, “What good is a security alert if there’s no actionable item?” As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Wendy Nather (@wendynather), director, advisory CISOs, Duo Security.   On this episode, you’ll learn: Flex your incident response muscles. Does your cybersecurity policy change around high-profile events? What’s the definition of cybersecurity and why do so many people care? How a security vendor helped me a long time ago, but Mike thought about them this week. A couple of vendors submit their pitches for a critique. One is confusing and one is almost perfect. And a couple of “Ask a CISO” questions.   The written content for this podcast was first published on Security Boulevard.
6/19/201829 minutes, 3 seconds
Episode Artwork

CISOs Don’t Care About Your Funny Sales Pitch

Don’t bother trying to craft a potentially clever, funny and adorable email that you hope will tickle a security practitioner; it’s simply not going to work. When it comes to security pitches, practitioners just want the facts. While humor is appreciated, a cold email pitch is not the time to showcase your creative writing skills. As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions  and Mike Johnson, CISO, Lyft. Our guest this week is Jeremiah Grossman (@jeremiahg), CEO, Bit Discovery.   On this week’s CISO/Security Vendor Relationship podcast, You’ll discover that InfoSec truism and: 10-second security tip (do you have these security controls in place?). The correct pronunciation of CISO (and whether anyone cares). Consumers and activists issuing lawsuits in the name of GDPR and why that’s a good thing for the future of GDPR. The increasing cost of breaches. A new method to get a security practitioner’s time (Is the idea so crazy it will work? Or do we just need more crazy ideas?). How a security vendor helped me this week.   The written content for this podcast was first published on Security Boulevard.
6/13/201831 minutes, 2 seconds
Episode Artwork

Security Vendors Buy Their First Pack of Condoms

After tackling some dodgy audio issues, we have released the second episode of the CISO/Security Vendor Relationship podcast with our guest Kip Boyle (@KipBoyle), CEO of Cyber Risk Opportunities. Subscribe to Kip’s podcast. As always, the show is hosted by myself, David Spark (@dspark), Founder, Spark Media Solutions and Mike Johnson, CISO, Lyft.   In this episode, “Security Vendors Buy Their First Pack of Condoms”: 10-second security tip. Amazon Alexa hacked or just a failure of the technology? Does rebooting your router help or is it just security theater? Will automation replace entry-level SOC jobs and if so, how do we bring in new security talent? How security vendors helped me this week. Security vendors padding their pitches. Mitigating new risks or getting back to security basics?   The written content for this podcast was first published on Security Boulevard. Creative Commons photo attribution to Peter Rivera.
6/4/201827 minutes, 59 seconds
Episode Artwork

A Privacy Policy Written in English (Introducing the CISO/Security Vendor Relationship Podcast with Mike Johnson and David Spark)

I’m proud and excited to announce the launch of the CISO/Security Vendor Relationship Podcast based on the series of articles and videos I produced that examine the relationship between security buyers and sellers. That series was heavily inspired by the writings, posts and insane engagement that Mike Johnson, CISO of Lyft, continues to drive on LinkedIn. And what’s even more awesome, Mike agreed to be my co-host! For our first episode, Mike and I invite Dwayne Melançon (@ThatDwayne), CTO, Innovyze.   In this episode we have: 10-second security tips. Tidal claims “breach” when they’re accused of faking streaming numbers Google Chrome switches its “secured” website alert to one of “not secured” Juro introduces a privacy policy that anyone can read. How security vendors helped me this week How to improve your pitch And ASK a CISO The written content for this podcast was first published on Security Boulevard.
6/1/201830 minutes, 14 seconds