All links and images for this episode can be found on CISO Series (https://cisoseries.com/improve-security-by-hiring-people-who-know-everything/)
If you're having a hard time securing your infrastructure, then maybe you need to step up the requirements for expertise. Why not ask for everything? We're offering unreasonable advice on this week's episode of CISO/Security Vendor Relationship Podcast.
This episode was recorded in front of a live audience at ADAPT's CISO Edge conference in Sydney, Australia. This special episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Liam Connolly, CISO of Seek. Our guest is Matt Boon (@mattjboon), director of strategic research for ADAPT. Plus, we have a special sponsored guest appearance from John Karabin, vp, cybersecurity, Dimension Data.
Thanks to this episode's sponsors Dimension Data/NTT and ADAPT
By 1 October 2019, all 28 NTT companies, including Dimension Data, will be branded as NTT. Together we enable the connected future. Visit NTT at hello.global.ntt.
ADAPT’s mission is to equip IT executives with the knowledge, relationships, inspiration and tools needed to gain competitive advantage. ADAPT’s membership platform provides business leaders with fact-based insights, actionable patterns of success and the collective experience of 3,000 peers to improve strategic IT, security, and business decisions. Visit ADAPT for more.
On this week's episode
Why is everyone talking about this now?
Independent security consultant Simon Goldsmith sent this post from Stu Hirst, a security engineer at JUST EAT who posted a job listing that requested subject matter expertise on 12 different aspects of security. This highly demanding request resulted in well over 200 responses from the community. Is it laziness on the part of the company posting? Is it an attempt to just capture job seekers' search queries? Or is it simply an editorial mistake that they shouldn't have requested subject matter expertise but rather basic knowledge across 12 different aspects of security?
Ask a CISO
Mitch Renshaw, Fortinet, describes a problem that many vendors are having. He says:
"Fortinet’s broad portfolio makes it hard to give a concise yet effective overview of our value. As a result I’m worried my emails are going long. Customers know us for our firewalls – and a full firewall refresh is hard to come by as a sales rep. So if I get more targeted in my demand generation techniques, I’m met with an 'I’m all set, I’ve got Palo/checkpoint/juniper/etc.'"
Mitch has got a conundrum. He's looking for the happy medium on how to sell a company with a wide variety of products, some of which are highly commoditized in the industry. How should he reach out to security professionals?
"What's Worse?!"
We play two rounds and the audience gets to play along as well.
Hey, you're a CISO, what's your take on this?'
My American co-host, Mike Johnson, asked this question of the LinkedIn community, and I ask you this as well. "Why do sites still **** out the password field on a login page?" It's designed to stop shoulder surfing. Is this really the main problem? What else is it helping or hurting, like password reuse? Passwords are a broken system that are easily hacked. We have solutions that add layers on top of it, like multi-factor authentication. What solutions do we have for the password process itself?
OK, what's the risk?
Ross Young of Capital One, asks this question about what risk should you be willing to take on? "What should cyber professionals do when they can’t contract or outsource services like pen testing however they struggle to acquire the talent they need. If they train folks they find them poached sooner and if they don’t they are stuck without the talent they need to survive."
Why is this a bad pitch?
We've got a pitch sent in to us from Eduardo Ortiz. It's not his pitch, but one he received. You may need to strap in when you hear this.
It’s time for the audience question speed round
Yep, it's just like it sounds. I ask the panel to ask some questions submitted from our audience.