Podd: Defense in Depth

The Argument For More Cybersecurity Startups

14 november 2024 | 32 min

How Are New SEC Rules Impacting CISOs?

7 november 2024 | 35 min

Managing the Risk of GenAI Tools

31 oktober 2024 | 29 min

Defending Against What Criminals Know About You

24 oktober 2024 | 32 min

Will We Ever Go Back From Work From Home?

17 oktober 2024 | 33 min

The Lurking Dangers of Neglected Security Tools

10 oktober 2024 | 32 min

When You Just Can't Take It Anymore in Cyber

3 oktober 2024 | 30 min

Is It Possible to Inject Integrity Into AI?

26 september 2024 | 37 min

Are Phishing Tests Helping or Hurting Our Security Program?

19 september 2024 | 28 min

Who Is Responsible for Securing SaaS Tools?

12 september 2024 | 35 min

Hiring Cyber Teenagers with Criminal Records

5 september 2024 | 30 min

What's Working With Third-Party Risk Management?

29 augusti 2024 | 31 min

What Triggers a CISO?

22 augusti 2024 | 33 min

Information Security vs. Cybersecurity

15 augusti 2024 | 27 min

Should Deny By Default Be the Cornerstone of Zero Trust?

8 augusti 2024 | 30 min

What Is a Field CISO?

1 augusti 2024 | 30 min

Cybersecurity Is a Communications Problem

25 juli 2024 | 31 min

Do Companies Undergoing a Merger or Acquisition Get Targeted for Attacks?

18 juli 2024 | 27 min

Telling Stories with Security Metrics

11 juli 2024 | 31 min

Securing Identities in the Cloud

27 juni 2024 | 33 min

How AI Is Making Data Security Possible

20 juni 2024 | 28 min

What Makes a Successful CISO?

13 juni 2024 | 34 min

We Want a Solution to Remediate, Not Just Detect Problems

6 juni 2024 | 25 min

Recruiting from the Help Desk

30 maj 2024 | 30 min

How Do We Build a Security Program to Thwart Deepfakes?

23 maj 2024 | 29 min

Where Are Secure Web Gateways Falling Short?

16 maj 2024 | 28 min

Understanding the Zero-Trust Landscape

9 maj 2024 | 31 min

Scaling Least Privilege for the Cloud

2 maj 2024 | 35 min

Should CISOs Be More Empathetic Towards Salespeople?

25 april 2024 | 35 min

Managing Data Leaks Outside Your Perimeter

18 april 2024 | 30 min

What Are the Risks of Being a CISO?

11 april 2024 | 36 min

Onboarding Security Professionals

4 april 2024 | 31 min

How to Improve Your Relationship With Your Boss

28 mars 2024 | 29 min

Improving the Responsiveness of Your SOC

21 mars 2024 | 28 min

The Demand for Affordable Blue Team Training

14 mars 2024 | 29 min

Why are CISOs Excluded from Executive Leadership?

7 mars 2024 | 33 min

What Is Your SOC's Single Search of Truth?

29 februari 2024 | 31 min

When Is Data an Asset and When Is It a Liability?

22 februari 2024 | 35 min

Tracking Anomalous Behaviors of Legitimate Identities

15 februari 2024 | 34 min

Why Do Cybersecurity Startups Fail?

8 februari 2024 | 32 min

Is "Compliance Doesn't Equal Security" a Pointless Argument?

1 februari 2024 | 34 min

CISOs Responsibilities Before and After an M&A

25 januari 2024 | 31 min

Use Red Teaming To Build, Not Validate, Your Security Program

18 januari 2024 | 32 min

The Do's and Don'ts of Approaching CISOs

11 januari 2024 | 32 min

Doing Third Party Risk Management Right

4 januari 2024 | 31 min

Warning Signs You're About To Be Attacked

14 december 2023 | 33 min

Do We Have to Fix ALL the Critical Vulnerabilities?

7 december 2023 | 31 min

Mitigating Generative AI Risks

30 november 2023 | 33 min

Building a Cyber Strategy for Unknown Unknowns

16 november 2023 | 30 min

Responsibly Embracing Generative AI

9 november 2023 | 33 min

People Are the Top Attack Vector (Not the Weakest Link)

2 november 2023 | 31 min

What's Entry Level in Cybersecurity?

26 oktober 2023 | 31 min

New SEC Rules for Cyber Security

19 oktober 2023 | 36 min

The Value of RSA, Black Hat, and Mega Cyber Tradeshows

12 oktober 2023 | 30 min

Is Remote Work Helping or Hurting Cybersecurity?

5 oktober 2023 | 31 min

How to Manage Users' Desires for New Technology

28 september 2023 | 24 min

Cybersecurity Questions Heard Around the Kitchen Table

21 september 2023 | 30 min

How to Prime Your Data Lake

14 september 2023 | 27 min

Getting Ahead Of Your Threat Intelligence Program

7 september 2023 | 34 min

How Security Leaders Deal with Intense Stress

31 augusti 2023 | 41 min

How Do We Influence Secure Behavior?

24 augusti 2023 | 32 min

Security Concerns with ChatGPT

17 augusti 2023 | 29 min

Create A Pipeline of Cyber Talent

10 augusti 2023 | 32 min

Improving Adoption of Least Privileged Access

3 augusti 2023 | 28 min

Securing SaaS Applications

27 juli 2023 | 31 min

How Do We Get Better Control of Cloud Data?

20 juli 2023 | 30 min

Finding Your Security Community

13 juli 2023 | 30 min

Let's Write Better Cybersecurity Job Descriptions

6 juli 2023 | 30 min

How Should Security Better Engage with Application Owners?

29 juni 2023 | 31 min

How To Get More People Into Cybersecurity

22 juni 2023 | 30 min

How to Create a Positive Security Culture

15 juni 2023 | 31 min

How Should We Trust Entry Level Employees?

8 juni 2023 | 31 min

How Must Processes Change to Reduce Risk?

1 juni 2023 | 29 min

Reputational Damage from Breaches

25 maj 2023 | 31 min

Do RFPs Work?

18 maj 2023 | 28 min

Successful Cloud Security

11 maj 2023 | 31 min

How Should Security Vendors Engage With CISOs?

4 maj 2023 | 37 min

Gartner Created Product Categories

27 april 2023 | 35 min

How to Always Make a Business Case for Security

20 april 2023 | 31 min

Do Breaches Happen Because the Tool Fails, or the Tool Was Poorly Configured?

13 april 2023 | 32 min

What We Love About Working in Cybersecurity

6 april 2023 | 29 min

Security That Accounts for Human Fallibility

30 mars 2023 | 32 min

Why You Should Be Your Company's Next CISO

23 mars 2023 | 28 min

How to Become a CISO

16 mars 2023 | 31 min

Can You Build a Security Program on Open Source?

9 mars 2023 | 25 min

Third Party Risk vs. Third Party Trust

2 mars 2023 | 29 min

How Can We Improve the Cyber Sales Cycle?

23 februari 2023 | 26 min

What Leads a Security Program: Risk or Maturity?

16 februari 2023 | 33 min

Limitations of Security Frameworks

9 februari 2023 | 28 min

Why Is There a Cybersecurity Skills Gap?

2 februari 2023 | 32 min

What Can the Cyber Haves Do for the Cyber Have Nots?

26 januari 2023 | 32 min

Securing Unmanaged Assets

19 januari 2023 | 31 min

Ambulance Chasing Security Vendors

12 januari 2023 | 33 min

Do CISOs Have More Stress than Other C-Suite Jobs

5 januari 2023 | 31 min

How Should We Discuss Cyber With the C-Suite?

15 december 2022 | 29 min

Can You Be a vCISO If You’ve Never Been a CISO?

8 december 2022 | 29 min

How Should We Gauge a Company's Cyber Health?

1 december 2022 | 31 min

Reducing the Attack Surface

17 november 2022 | 31 min

Do We Need a Marketing Manager for the Security Team?

10 november 2022 | 32 min

Cybersecurity Budgets

3 november 2022 | 27 min

How Can We Make Sense of Cybersecurity Titles?

27 oktober 2022 | 31 min

Walk a Mile in a Security Recruiter's Shoes

20 oktober 2022 | 29 min

Moving Security from a Prevention to a Resilience Strategy

13 oktober 2022 | 28 min

How to Engage with Non-Technical Business Leaders

6 oktober 2022 | 30 min

Cybersecurity Burnout

29 september 2022 | 33 min

How to Build a Greenfield Security Program

22 september 2022 | 31 min

Managing the Onslaught of Files

15 september 2022 | 32 min

Can You Have Culture Fit and Diversity, or Are They Mutually Exclusive?

8 september 2022 | 35 min

How to Follow Up With a CISO

1 september 2022 | 36 min

Roles to Prepare You to Be a CISO

25 augusti 2022 | 32 min

Minimizing Damage from a Breach

18 augusti 2022 | 25 min

We're All Still Learning Cyber

11 augusti 2022 | 28 min

Practical Cybersecurity for IT Professionals

4 augusti 2022 | 28 min

Data Protection for Whatever Comes Next

28 juli 2022 | 26 min

What Is Attack Surface Profiling?

21 juli 2022 | 32 min

How Can You Tell If Your Security Program Is Improving?

14 juli 2022 | 31 min

How Can We Improve Recruiting of CISOs and Security Leaders?

7 juli 2022 | 30 min

How Is Our Data Being Weaponized Against Us?

30 juni 2022 | 28 min

Can Security Be a Profit Center?

23 juni 2022 | 30 min

Getting Ahead of the Ongoing Malware Fight

16 juni 2022 | 27 min

Building a Security Awareness Training Program

9 juni 2022 | 28 min

Onboarding Cyber Professionals with No Experience

2 juni 2022 | 29 min

Where's the Trust in Zero Trust?

26 maj 2022 | 28 min

Who Investigates Cyber Solutions?

19 maj 2022 | 28 min

Does the Cybersecurity Industry Suck?

12 maj 2022 | 34 min

Are We Taking Zero Trust Too Far?

5 maj 2022 | 30 min

Is Shift Left Working?

28 april 2022 | 33 min

Technical vs. Compliance Professionals

21 april 2022 | 29 min

Why Do So Many Cybersecurity Products Suck?

14 april 2022 | 32 min

Training for a Cyber Disaster

7 april 2022 | 28 min

Virtual Patching

31 mars 2022 | 30 min

Start a Cybersecurity Department from Scratch

24 mars 2022 | 29 min

How to Think Like a Cybercrook

17 mars 2022 | 31 min

Building a Data-First Security Program

10 mars 2022 | 33 min

Offensive Security

3 mars 2022 | 32 min

When Vendors Pounce on New CISOs

24 februari 2022 | 30 min

Building a Cybersecurity Culture

17 februari 2022 | 27 min

How to Pitch to a Security Analyst

10 februari 2022 | 31 min

Is Your Data Safer in the Cloud?

3 februari 2022 | 28 min

What Should We Stop Doing in Cybersecurity?

27 januari 2022 | 25 min

DDoS Solutions

20 januari 2022 | 29 min

Making Cybersecurity Faster and More Responsive

13 januari 2022 | 31 min

Promises of Automation

6 januari 2022 | 27 min

When Social Engineering Bypasses Our Cyber Tools

16 december 2021 | 29 min

How Can We Simplify Security?

9 december 2021 | 28 min

Convergence of Physical and Digital Security

2 december 2021 | 31 min

How Do You Measure Cybersecurity Success?

18 november 2021 | 29 min

How Do We Turn Tables Against Adversaries?

11 november 2021 | 27 min

Ageism in Cybersecurity

4 november 2021 | 32 min

Proactive Vulnerability Management

28 oktober 2021 | 33 min

Why Is Security Recruiting So Broken?

21 oktober 2021 | 33 min

How to Be a Vendor that CISOs Love

14 oktober 2021 | 30 min

The "Are We Secure?" Question

7 oktober 2021 | 29 min

Ransomware Kill Chain

30 september 2021 | 31 min

Can Technology Solve Phishing?

23 september 2021 | 31 min

Convergence of SIEM and SOAR

16 september 2021 | 27 min

Cybersecurity Is Not Easy to Get Into

9 september 2021 | 31 min

Preventing Ransomware

2 september 2021 | 27 min

Managing Lateral Movement

26 augusti 2021 | 29 min

First Steps as a CISO

19 augusti 2021 | 30 min

How Does Ransomware Enter the Network?

12 augusti 2021 | 29 min

What's the Value of Certifications?

5 augusti 2021 | 30 min

Measuring the Success of Cloud Security

29 juli 2021 | 27 min

How do I get my first cybersecurity job?

22 juli 2021 | 29 min

Educating the Board About Cybersecurity

15 juli 2021 | 26 min

CISO Recruiting Is Broken

5 juli 2021 | 28 min

Retaining Cyber Talent

1 juli 2021 | 34 min

Salesforce Security

24 juni 2021 | 23 min

Cloud Configuration Fails

17 juni 2021 | 25 min

Starting Pay for Cyber Staff

10 juni 2021 | 30 min

Fear of Automation

3 juni 2021 | 24 min

Hiring Talent with No Security Experience

27 maj 2021 | 27 min

Security Hygiene for Software Development

20 maj 2021 | 26 min

How Much Do You Know About Your Data?

13 maj 2021 | 26 min

Do Startups Need a CISO?

6 maj 2021 | 28 min

Insider Risk

29 april 2021 | 29 min

What’s the Obsession with Zero Trust?

22 april 2021 | 29 min

Mentoring

15 april 2021 | 27 min

Securing the Super Bowl and Other Huge Events

8 april 2021 | 30 min

Cybersecurity Isn’t That Difficult

1 april 2021 | 27 min

Cloud Security Myths

25 mars 2021 | 28 min

What Is Security's Mission?

18 mars 2021 | 26 min

Vendor CISOs

11 mars 2021 | 27 min

How Much Log Data Is Enough?

4 mars 2021 | 25 min

Should Finance or Legal Mentor Cyber?

25 februari 2021 | 25 min

Data Destruction

18 februari 2021 | 27 min

How to Make Cybersecurity More Efficient

11 februari 2021 | 26 min

Does a CISO Need Tech Skills?

4 februari 2021 | 27 min

How Do You Know if You're Good at Security?

28 januari 2021 | 26 min

Building a Security Team

21 januari 2021 | 32 min

Are our Data Protection Strategies Evolving?

14 januari 2021 | 25 min

Should CISOs Be Licensed Professionals?

7 januari 2021 | 27 min

Inherently Vulnerable By Design

17 december 2020 | 27 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-inherently-vulnerable-by-design/)

Much of what we do as practitioners is to prevent inadvertent security problems - oversights, zero-days, etc. What about inherent and unavoidable problems? When the very design of the thing requires a lack of security? What do you do then?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest is Dan Woods, vp of the Shape Intelligence Center, F5.

Thanks to this week's podcast sponsor, F5.

External threats to your organization’s security are constantly evolving. Your apps need broad and preventive protection from bot attacks that cause large-scale fraud, higher operational costs, and problems for your users. And they need to be optimized for secure operation internally. Silverline Shape Defense helps you stay ahead of cyber threats and fraud. Get a free trial.

On this episode of Defense in Depth, you’ll learn:

The mere act of conducting business requires you to have certain procedures that would make you vulnerable. Simple things like taking customer information to create user accounts and processing credit cards. That's inherent to doing business, and by opening that up, it makes you vulnerable.
A lot of this inherent vulnerability comes down to having users or customers and needing to authenticate them.
When you start a business you're also accepting the inherent vulnerability and you have to ask yourself to what level can the business function having that vulnerability abused? It's all about risk appetite.
Two factor authentication sure is nice, but there has to be multiple "behind the scenes" authentications going on to verify identity continuously.
As you're collecting all these additional data points you can use that information to ask the user to verify.
Provide discounts to customers and users for good security practices. Insurance companies do this with people who prove safe driving practices. It could be a win-win for everybody. For example, with Mailchimp, they give you a discount if you enable 2FA. Why not offer a discount for a really long and complicated password?
One of the major issues is the password reset process happens through email. Email wasn't designed for critical authentication. Many hacks happen through the reset process via email.

Imposter Syndrome

10 december 2020 | 29 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-imposter-syndrome/)

For CISOs and other security leaders, suffering from imposter syndrome seems inevitable. How can you ever be really confident when there's an endless stream of threats and a landscape that changes without your knowledge?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest David Peach (@realdavidp), CISO and head of privacy, The Economist Group.

Thanks to this week's podcast sponsor, F5.

CISOs are dealing with the increasing sophistication of cyber attackers that are taking advantage of their applications. Find out how F5 helps organizations expand their security and see the unseen by watching the F5 Security Summit webinar. View it here.

On this episode of Defense in Depth, you’ll learn:

Imposter syndrome is a feeling of not being as good as you purport to be or others perceive you to be. Almost all security professionals, especially CISOs, have moments of imposter syndrome.
The root of the problem is underestimating your contributions.
Imposter syndrome can debilitate a security professional. But the opposite is also dangerous. If you don't question your ability and think you alone can solve things and others perceive that you can do that as well, that's a disaster waiting to happen.
The relentless change of technology and threats can overwhelm a professional and feel that they can't keep up. There's a sense of you will always be behind.
It's not a sprint, nor a marathon. Security is an infinite game. There's no winning and no moment of relief, but looking at it as a journey you can see success along the way.
There is an outside pressure that CISOs know more than they actually do, and at the same time they don't want to disappoint management, the business, or the team.
Imposter syndrome can be seen as a positive when it leads to self awareness and improvement.
Be smart enough to know how little you do know and accept it, but still stay on that journey to keep learning more.
You can't teach the person who thinks they know it all.
The flipside is you rarely get congratulated for your work as a security professional.

Why Don't More Companies Take Cybersecurity Seriously?

3 december 2020 | 28 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-why-dont-more-companies-take-cybersecurity-seriously/)

With every cybersecurity breach, we still don't seem to be getting through. Many companies don't seem to be taking cybersecurity seriously. What does it take? Obviously not scare tactics.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Ben Sapiro, global CISO, Great-West LifeCo.

Thanks to this week's podcast sponsor, Sonatype.

On this episode of Defense in Depth, you’ll learn:

Even with attacks and breaches on a constant march, far too many companies operate under the "it will never happen to me" ostrich strategy.
Problem with the "I'm too small to attack" defense is you probably also have minimal security protections which also makes you far easier to attack. Far easier to penetrate 100 low defense targets than one huge target with high defenses.
Watching other companies survive a breach makes one feel as if they'll be just as resilient.
Many companies not showing interest in cybersecurity may simply not be doing appropriate risk-based analysis.
A company in a highly regulated industry has no choice but to take cybersecurity seriously.
Businesses that are highly built on trust and have a low barrier to exit often understand the need to take cybersecurity seriously. They are always cognizant of reputational risk.
Many feel that they are powerless against the onslaught of attacks and even if they do take cybersecurity seriously and spend money defending themselves it will all be a giant waste of effort.
Many people simply don't feel attached to any type of cybersecurity effort. If you're not vested in it, why care about it?
Those of us in cybersecurity forget what it feels like to not know anything about cybersecurity.

On this episode of Defense in Depth, you’ll learn:

Even with attacks and breaches on a constant march, far too many companies operate under the "it will never happen to me" ostrich strategy.
Problem with the "I'm too small to attack" defense is you probably also have minimal security protections which also makes you far easier to attack. Far easier to penetrate 100 low defense targets than one huge target with high defenses.
Watching other companies survive a breach makes one feel as if they'll be just as resilient.
Many companies not showing interest in cybersecurity may simply not be doing appropriate risk-based analysis.
A company in a highly regulated industry has no choice but to take cybersecurity seriously.
Businesses that are highly built on trust and have a low barrier to exit often understand the need to take cybersecurity seriously. They are always cognizant of reputational risk.
Many feel that they are powerless against the onslaught of attacks and even if they do take cybersecurity seriously and spend money defending themselves it will all be a giant waste of effort.
Many people simply don't feel attached to any type of cybersecurity effort. If you're not vested in it, why care about it?
Those of us in cybersecurity forget what it feels like to not know anything about cybersecurity.

Data Protection and Visibility

19 november 2020 | 33 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-data-protection-and-visibility/)

Where is your data? Who's accessing it? You may know if you have an identity access management solution, but what happens when that data leaves your control. What do you do then?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest is Elliot Lewis (@elliotdlewis), CEO, Keyavi Data.

Thanks to this week's podcast sponsor, Keyavi Data.

Our Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner’s control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com.

On this episode of Defense in Depth, you’ll learn:

In general, all of security is based on detecting threats and stopping threats. When those two fail, and they do, what's your recourse to protect your data?
What if when your data leaves your control either accidentally or through a malicious breach, you were still able to see your data wherever it went and your data could communicate back to you its status, allowing you to control access to your data?
There are so many scenarios when data leaves you, it's impossible to protect for all scenarios.
Asset inventory is first step in the CIS 20. Just trying to get an asset inventory of equipment is difficult. An inventory of data is near impossible especially when you may be pumping out a terabyte of data a day.
Ideal situation is to protect data proactively, as it's being created.
The ultimate goal is to have visibility of your data in perpetuity, for the life of the data, and you can decide when to destroy it even when it's no longer within the confines of your greater network and ecosystem.
Governing your network, your applications, the rules, and the data is half the battle.
Data visibility also allows you to make informed decisions as a business and can provide the answers your legal team will need in case there's a breach.
You want the data protection and visibility schema to be platform and ecosystem independent. If data is taken out of the ecosystem, then the protection and visibility is moot.
A good precursor to this is digital rights management or DRM. They have figured out how to manage data from being copied and manipulated and they can place controls on it. The limiting factor though is it's platform dependent.

What's an Entry Level Cybersecurity Job?

12 november 2020 | 28 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-whats-an-entry-level-cybersecurity-job/)

Naomi Buckwalter, director of information security at Energage analyzed one thousand random information security job posts on LinkedIn. The most notable trend she found was that 43% of the posts had CISSP and 5-year experience requirements for entry level positions. Are companies trying to lowball cybersecurity professionals, or do they simply not know what an entry level cybersecurity job is.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest is Joseph Carrigan (@JTCarrigan), senior security engineer at Johns Hopkins University Information Security Institute, and co-host Hacking Humans podcast.

Thanks to this week's podcast sponsor, Keyavi Data.

Our Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner’s control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com.

On this episode of Defense in Depth, you’ll learn:

There has been an ongoing trend for companies to post "entry level but experience required" job listings for cybersecurity professionals.
This is self-defeating for companies because the positions don't get filled. And for true entry level people, they get discouraged. They feel it's impossible to get into the industry. This can drive them away from cybersecurity which hurts the entire industry.
Others would argue that we shouldn't even have this conversation because there is no such thing as an entry level position. Like there are no entry-level doctors. You must have some type of training or experience to do this job.
There's no doubt that CISOs fight more for headcount than they do overall dollars. And if they get a limited headcount, they're going to want to get as much talent as they possibly can with that limited number of positions they can fill.
Security is a layer on top of IT, engineering, or development. For that reason it can be seen as mid-level experience or above, simply because security is a specialization.
Is this behavior of shooting so high for an entry-level cybersecurity role causing the cybersecurity skills gap?
Best way to prove your value to a hiring cybersecurity professional is to setup your own home lab.
The skill that is hard to put on a resume or to explain in a job listing is non-linear thinking. But that's essentially what you're looking for with an entry-level cybersecurity hire.

Securing Digital Transformations

29 oktober 2020 | 29 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-securing-digital-transformations/)

Digital transformation. It's definition is broad. Meaning securing it is also broad. But there are some principles that can be followed as companies undergo each step in a deeper dive to make more and more of their processes essentially computerized.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest is Paul Asadoorian (@securityweekly), founder & CTO, Security Weekly, and chief innovation officer, Cyber Risk Alliance.

Thanks to this week's podcast sponsor, Keyavi Data.

Our Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner’s control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com.

On this episode of Defense in Depth, you’ll learn:

Digital transformation is about relying on computing technology for more integral processes and aspects in our daily work lives.
Lots of debate on the definition of digital transformation and as well securing digital transformations.
Definition: A targeted change to process and technology for the benefit of the people.
Definition: increasing levels of interoperability of information.
We heard the recurring argument of the need for security to have a seat at the table at the beginning of a digital transformation, and not at the end. But at the same time reality sunk in and it was argued that security doesn't get to dictate that. And if security tried to, it would create a greater wedge with the business.
When security is brought in at the end though, security has no option but to disrupt the business. Then no one is happy.
Digital transformation simply introduce new risks, often greater risk. If the point is to integrate more of your processes, then that integrates the risk as well.
If you're undergoing a true transformation, you are looking at core processes and saying, "What new tech facilitates, streamlines, and/or actualizes these core processes?" You no longer have to settle for shopping for a solution and then smashing your processes up against it.
Your security tools should also undergo a transformation. That includes a transformation in monitoring as well.

Leaked Secrets in Code Repositories

22 oktober 2020 | 29 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-leaked-secrets-in-code-repositories/)

Secrets, such as passwords and credentials, are out in the open just sitting there in code repositories. Why do these secrets even exist in public? What's their danger? And how can they be found and removed?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest is Jérémy Thomas, CEO, GitGuardian.

Thanks to this week's podcast sponsor GitGuardian.

GitGuardian empowers organizations to secure their secrets - such as API keys and other credentials - from being exposed in compromised places or leaked publicly. GitGuardian offers a threat intelligence solution focused on detecting secrets leaked on public GitHub and an automated secrets detection solution which tightly integrates with your DevOps pipeline.

On this episode of Defense in Depth, you’ll learn:

Putting passwords and other credential information inside of code simply happens. It is done by developers for purposes of efficiency, laziness, or simply forgot to take it out.
Given that exposing secrets is done by developers, these secrets appear in code everywhere, most notably in public code repositories like GitHub.
Exposed credentials can appear in SIEMS as it's being exported from the developers' code.
There is a shared responsibility model and cloud providers do have some ability to scan code, but ultimately code you put in your programs is your responsibility.
Scanning public code repositories should be your first step. You don't want to be adding code that has known issues.
Next step is to scan your own code and get alerts if your developers are adding secrets (wittingly or unwittingly) in their code. If you alert in real-time, it fits naturally within the DevOps pipeline and they will improve their secure coding skills.
Another option to deal with exposed secrets is to sidestep the problem completely and put in additional layers of security, most notably multi-factor authentication (MFA). A great idea, and yes, you should definitely include this very secure step, but it doesn't eliminate the problem. There are far too many authentication layers (many automated) for you to put MFA on everything. There will always be many moments of exposure.

Measuring the Success of Your Security Program

15 oktober 2020 | 27 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-measuring-the-success-of-your-security-program/)

How does a CISO measure the performance of their security program? Sure, there are metrics, but what are you measuring against? Is it a framework or the quality of protection? How do you tell if your program is improving and growing?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest is Chad Boeckmann (@SDS_Advisor), CEO, TrustMAPP.

TrustMAPP delivers continuous, automated Security Performance Management, a real-time view of your cybersecurity maturity. TrustMAPP tells you where you are, where you’re going, and what it will take to get there. TrustMAPP lets you manage security as a business, quantifying and prioritizing remediation actions and costs.

On this episode of Defense in Depth, you’ll learn:

The process is very systematic. Start with knowing your risks, how you're going to track them, and the controls you're going to put them in place to manage them. Simple to say, hard to do.
Security risk is just one of a multitude risks a business faces.
Data's whereabouts is a moving target. Having confidence in its location and protections is key to managing overall risk.
Constantly be asking who has access to the data and what communications processes are you using to share that information between humans and machines.
Discuss with leadership as to how you will judge success and what metrics you will use. C-suite will need to lead the discussion with security providing guidance as to what they can and can't measure.
If you're measuring security's performance this is a great opportunity for security to tell its story and prove its value, ultimately setting it up for increased budget and participation from others.
An informal metric for success could be how often is security getting invited to informal meetings.
Overall positive sentiment of security by non-security employees.
How well are you able to build (are people eager to work with you?) and maintain your staff?
Another "out of the box" metric to consider are opportunity costs. How many contracts are you losing because you were incapable of meeting a potential customer's security standards?
Strong debate as to what is the goal of a security program: Risk reduction or risk management? It's very possible that you are currently managing risk well and the additional cost to reduce risk is not necessary.

Privacy Is An Uphill Battle

8 oktober 2020 | 29 min

Legal Protection for CISOs

1 oktober 2020 | 29 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-legal-protection-for-cisos/)

What's the legal responsibility of a CISO? New cases are placing the liability for certain aspects of security incidents squarely on the CISO. And attorney-client privilege has been overruled lately too. What does this mean for corporate and for CISO risk?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest is Evan Wolff, partner at Crowell & Moring.

Thank to our episode sponsor, TrustMAPP.

TrustMAPP delivers continuous, automated Security Performance Management, a real-time view of your cybersecurity maturity. TrustMAPP tells you where you are, where you’re going, and what it will take to get there. TrustMAPP lets you manage security as a business, quantifying and prioritizing remediation actions and costs.

On this episode of Defense in Depth, you’ll learn:

We repeatedly joke about Davi Ottenheimer's comment that the CISO has held the moniker of "designated felon" in American risk mitigation.
Big piece of advice that was repeated throughout the episode is to have an employment contract.
In the employment contract you want an exit strategy that allows you to leave if you think a situation is not tenable or the company is asking you to do something that you believe to be unethical. It gives you an opportunity to leave without any blame assigned.
The cc field is your friend. If you don't want to be seen as the only one "in the know" take advantage of making sure key people are also in the loop.
We heard one unbelievable story of an employment contract where it was clear that the CISO would be the "designated felon" should there be any breach. This was put in place to protect the executive team. The contract offered financial security for two years post breach. We all agreed this was insane and had never heard of anything like that before.
Be wary of being forced to take on personal ownership of security issues. A CISO is responsible, not accountable.

XDR: Extended Detection and Response

24 september 2020 | 25 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-xdr-extended-detection-and-response/)

Is XDR changing the investigative landscape for security professionals? The "X" in XDR extends traditional endpoint detection and response or EDR to also include network and cloud sensors. Having this full breadth, XDR can contextualize alerts to tell a more cogent story as to what's going on in your environment.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest is Dave Bittner (@bittner), host, The CyberWire.

Thanks to our sponsor, Hunters.

Attackers always find new ways to bypass organizational defenses. While their traces hide in the data, they’re also extremely difficult to detect. Hunters.AI is a context-fueled XDR solution that harnesses top-tier threat hunting expertise and ML to autonomously detect, investigate and correlate attack findings across cloud, network, and endpoint.

On this episode of Defense in Depth, you’ll learn:

XDR extends traditional endpoint detection and response or EDR to also include network and cloud sensors.
XDR is viewed as a comprehensive solution that rolls up all your critical feeds, sensors, and analytics.
Having this full breadth, XDR can contextualize alerts to tell a more cogent story as to what's going on in your environment.
If you've got a greenfield security program (essentially it's non existent), XDR is a no-brainer. But for everyone else, which is most of us, rolling out XDR is not as clear cut a decision. How does it integrate with your existing tech stack?
Lots of question as to why do you need a SIEM if you have XDR? But, most responded that the two technologies are complimentary. Where XDR becomes redundant is if you have SIEM + SOAR + XDR + NDR.
XDR's real power is the ability to give you some of the investigative details rather than just telling you that somebody breached a certain endpoint. But it can connect the dots and explain that a certain breach also resulted in a certain action. This greatly reduces the time your SOC needs to spend investigating cases.
Don't though be fooled with solutions that sell purely on reducing time and effort. You're only going to have that if you have useful integrations.

Calling Users Stupid

17 september 2020 | 27 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-calling-users-stupid/)

Many cybersecurity professionals use derogatory terms towards their users, like calling them "dumb" because they fell for a phish or some type of online scam. It can be detrimental, even behind their back, and it doesn't foster a stronger security culture.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Dustin Wilcox, CISO, Anthem.

Thanks to our sponsor, Hunters.

Attackers always find new ways to bypass organizational defenses. While their traces hide in the data, they’re also extremely difficult to detect. Hunters.AI is a context-fueled XDR solution that harnesses top-tier threat hunting expertise and ML to autonomously detect, investigate and correlate attack findings across cloud, network, and endpoint.

On this episode of Defense in Depth, you’ll learn:

Security people have notoriously had a "better than them" attitude towards their users who they view as the ones causing all the problems and making their lives more difficult.
Calling users stupid for making a "mistake of effort" even if it's behind their back does not foster a bond with the security team. It fosters the us vs. them attitude.
Security professionals will have a lot more success if they understand why users do the things they do. Once there is that understanding, then cybersecurity will better be able to design systems that accommodate users.
About a third of your users confidently believe they're following the right cybersecurity procedures. That discrepancy is not the fault of the users, it's the fault of cybersecurity's education of users.
Security can always be more effective in offering up the right tools and the correct education.
Security awareness must begin with good service and process design.
Phishing tests are pointless to determine security effectiveness. That's because no matter how low your click rates go, someone can always create a more creative test that will send them soaring back up again.
If your defense in depth strategy is so poorly designed that your company can be compromised by the simple click of a phish, then you've got a poorly configured security stack.
Security professionals' jobs exist because of their users. If there was no organization and users, then there would be no need for security professionals.
Quoting Albert Einstein: "If you judge a fish by his ability to climb a tree, he will live his whole life thinking he is stupid.”
Look at user mistakes as an education moment, not an opportunity to put them down. If you educate them, they'll go onto educate others as well. Mistakes can actually be very beneficial.

Is College Necessary for a Job in Cybersecurity?

10 september 2020 | 28 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-is-college-necessary-for-a-job-in-cybersecurity/)

Where is the best education for our cyber staff of the future? Where does college fit in or not fit in?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Dan Walsh, CISO, Rally Health.

Thanks to our sponsor, Hunters.

Attackers always find new ways to bypass organizational defenses. While their traces hide in the data, they’re also extremely difficult to detect. Hunters.AI is a context-fueled XDR solution that harnesses top-tier threat hunting expertise and ML to autonomously detect, investigate and correlate attack findings across cloud, network, and endpoint.

On this episode of Defense in Depth, you’ll learn:

Years ago most would say a college degree is necessary, but it appears the ROI for exorbitant college education simply doesn't deliver like it used to.
Tons of valuable online courseware can deliver a targeted education for individuals wanting to start a career in cybersecurity.
If organizations believe these first two statements to be true, then why are they putting down a college degree as a requirement for jobs in cybersecurity?
Is requiring a college degree a false and elitist narrative that doesn't drive better cybersecurity talent?
With such a stringent requirement, it detracts many people, including women and minorities, who may not have college degrees to pursue cybersecurity roles.
Most college courseware in computer science is often quickly outdated. But that doesn't speak to all colleges. Some that specialize in cybersecurity are doing their best to stay current.
Those arguing the need for college explain it teaches critical thinking and the desire to always keep learning.
Does the lack of having a college degree prevent an individual from moving up the ranks in cybersecurity leadership?
The college degree requirement may be arbitrary or it may be there because of management's jealousy. They had to have a college degree when they joined so everyone else should as well.
A college degree doesn't necessarily mean you'll be a great technician.

When Red Teams Break Down

3 september 2020 | 25 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-when-red-teams-break-down/)

What happens when red team engagements go sideways? The idea of real world testing of your defenses sounds great, but how do you close the loop and what happens if it's not closed?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest, Dan DeCloss, founder and CEO, PlexTrac.

Thanks to this week’s podcast sponsor, PlexTrac.

PlexTrac is a revolutionary, yet simple, cybersecurity platform that centralizes all security assessments, penetration test reports, audit findings, and vulnerabilities into a single location. PlexTrac vastly improves the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize important analytics, and collaborate on remediation in real-time.

On this episode of Defense in Depth, you’ll learn:

Don't make the mistake of red teaming too early. If you don't have your fundamental security program in place, you'll be testing out non-existing defenses.
If you're just starting to build up your security program, conduct a vulnerability scan and do some basic patch management.
A red team exercise exists to discover risks you didn't even know about and couldn't have predicted in your threat model exercises.
Have a plan of what you're going to do after the red team exercise. Just discovering you've got problems with no plan to remediate them will not only be a waste of money, but will also breed discontent.
Don't red team just to fill out an audit report. You can do a vulnerability scan for that.
Consider moving the red team to purple to actually help the blue team remediate the findings.
If you don't have a plan for remediation you'll find yourself running the same red team and filling out the same report.
Prioritize! The red (now purple) team can greatly help along with those who've assessed business risks.
First to remediate are the ones that are high impact and easy to execute. The rest is determined by an analysis of likelihood and impact.

What Cyber Pro Are You Trying to Hire?

27 augusti 2020 | 29 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-what-cyber-pro-are-you-trying-to-hire/)

Do companies hiring cybersecurity talent even know what they want? More and more we see management jobs asking for engineering skills, and even CISO jobs with coding requirements. What's breaking down?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Liam Connolly, CISO, Seek.

Thanks to this week's podcast sponsor, Salt Security.

Salt Security protects the APIs at the core of SaaS, web, and mobile applications. By using patented behavioral protection Salt Security automatically and continuously discovers and learns the granular behavior of each unique API and stops attacks. In 2020 Salt Security was named a Gartner Cool Vendor in API Strategy.

On this episode of Defense in Depth, you’ll learn:

The poor focus of cybersecurity job listings often exposes either the poor understanding or lack of maturity of a company's information security program.
We often see management cyber jobs asking for engineering skills and vice versa.
Job listings can also portray the "last guy" syndrome. Those are the job listings that tack on desired skills the last person did not have.
When you see too many requirements it comes off as a wish list. It's not what is required, it's more of a question as to how many boxes can a candidate check off.
There can be serious harm to a company's ability to hire if they throw down too many requirements or even optional items. People who are truly required for the position you want may never apply because they'll be scared off by the other skills required or desired.
CISOs are often hired by non security people and as a result they don't have a full understanding of what type of CISO they want. As a result it's often hard to find two similar CISO job listings.
While CISO technical competencies are desired, it's clear that once hired a CISO will not be showing off their technical expertise. As a result, there's a lot of debate as to how much technical skill a CISO really needs. The job requires management, influencing, and communications.
Many hiring teams have a hard time parsing out the types of security people they need to build out a security team. That's why you get a single job listing that appears to want to hire five different types of security people.
If a CISO isn't given the budget and authority to hire a staff to fill all the necessary gaps for the company's security program, they will become fed up and leave. That starts the whole process again.
Many debate that job titles in job listings are just there to massage the ego. But if compensation doesn't match the title, then they realize the title is just for show.

Junior Cyber People

20 augusti 2020 | 29 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-junior-cyber-people/)

There are so few jobs available for junior cybersecurity professionals. Are these cyber beginners not valued? Or are we as managers not creating the right roles for them to improve our own security?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Naomi Buckwalter (@ineedmorecyber), director of information security & privacy at Energage.

Thanks to this week's podcast sponsor, Salt Security.

Salt Security protects the APIs at the core of SaaS, web, and mobile applications. By using patented behavioral protection Salt Security automatically and continuously discovers and learns the granular behavior of each unique API and stops attacks. In 2020 Salt Security was named a Gartner Cool Vendor in API Strategy.

On this episode of Defense in Depth, you’ll learn:

There are tons of newbies eager to work in cybersecurity. The shortcoming is not the available pipeline, but a lack of headcount and managers' willingness to train and find appropriate assignments.
Because headcount is often the limitation to hiring, leaders will opt to hire the most senior person they can get.
Common feeling is hire one experienced person and stress them out rather than hire three junior people and train them. Problem with the former is if you stress that experienced person they will leave and tell others not to work there.
There is plenty of good junior-level cybersecurity work, such as asset management cleanup, PII discovery, procedure documentation, filling out security questionnaires, scrubbing and tuning out false positives from alerting systems, reviewing vendor contracts, patch verification, following up on vulnerability management with other teams, launching and managing vulnerability scans, interviewing for shadow IT installations, working with help desk for user account remediation, and scanning logs for anomalies.

Trusting Security Vendor Claims

13 augusti 2020 | 28 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-trusting-security-vendor-claims/)

Do security vendors deliver on their claims and heck, are they even explaining what they do clearly so CISOs actually know what they're buying?

Check out this post and the Valimail survey for the basis of our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Lee Parrish (@LeeParrish), CISO, Hertz.

Thanks to this week's podcast sponsor, AttackIQ.

AttackIQ, the leading independent vendor of breach and attack simulation solutions, built the industry’s first Security Optimization Platform for continuous security control validation and improving security program effectiveness and efficiency. AttackIQ is trusted by leading organizations worldwide to plan security improvements and verify that cyberdefenses work as expected, aligned with the MITRE ATT&CK framework.

On this episode of Defense in Depth, you’ll learn:

From those surveyed by Valimail survey, a third to a half didn't believe that vendors did a good job explaining what their product does, or that the product actually performed, or there was any way to actually measure that performance.
Many questioned those numbers because they feel many security buyers still fall for security vendors' boastful claims. Both can actually be true.
Stunned behavior at a trade show is not the indicator of knowledge and susceptibility to vendor pitches.
When you're under the gun as a security professional to produce results you often become victim to security vendor claims because you want to deliver on demands from the business.
By nature, CISOs should be skeptical about vendor claims and information within their own environment.
There's a battle between those vendors truly trying to deliver value and those who are using their marketing savvy to sway industry thinking.
Don't place all the blame on the vendors. CISOs still have trouble understanding their requirements, risk, and priorities. Many are guilty of engaging in "random acts of security".
Claims can often be more trustworthy if the vendor is willing to explain what they can't do.

How Vendors Should Approach CISOs

6 augusti 2020 | 30 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-how-vendors-should-approach-cisos/)

"How do I approach a CISO?" It's the most common question I get from security vendors. In fact, I have another podcast dedicated to this very question. But now we're going to tackle it on this show.

Check out this post for the basis of our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Ian Amit (@iiamit), CSO, Cimpress.

Here also is my original article with Allan Alford when he first launched this engage with vendors campaign.

Thanks to this week's podcast sponsor, Sonrai Security.

Identity and data access complexity are exploding in your public cloud. 10,000+ pieces of compute, 1000s of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data that exists inside your public cloud.

On this episode of Defense in Depth, you’ll learn:

All CISOs are different so any advice we provide will vary from CISO to CISO. Plus, we have an entire other show, CISO/Security Vendor Relationship Podcast, dedicated to this very topic.
We acknowledge that this is tough because to be really on target you need to know what the CISO has, what their mix of products are, and how your product could work in their current security maturity and mix of security products and processes. It's all a very tall order for a security vendor.
Vendors must stop thinking of themselves as point solutions, but rather how they fit into the overall makeup of a security program. You're not coming in with a blank slate. How do you interoperate with what's existing?
There's unfortunately the trend of the people who make the contact, then initiate a meeting, and hand off to someone else. CISOs do not welcome that kind of engagement, although it may be very cost effective for security vendors to hire junior people to make those contacts and hand offs.
Lots of argument about the efficacy and the acceptance of cold calling. Those who claim they don't like it are often working at organizations that do it repeatedly to great success.
The pushy salesperson who eventually gets through after repeated attempts even when they're told no may show success, but they don't calculate all the people they've angered and the word-of-mouth negativity that has resulted from that behavior. If you push beyond a request to stop, the worse that can happen is your reputation will be destroyed.
CISOs are more receptive to market pull into your organization. That can happen through traditional marketing, content marketing, podcasts, analyst reviews, and word-of-mouth. Problem is these techniques don't leave any room for salespeople to operate.

Secure Access

30 juli 2020 | 23 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-secure-access/)

What is the Holy Grail of secure access? There are many options, all of which are being strained by our new work from home model. Are we currently at the max?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Rohini Kasturi, chief product officer, Pulse Secure.

Thanks to this week’s podcast sponsor, Pulse Secure.

Pulse Secure offers easy, comprehensive solutions that provide visibility and seamless, protected connectivity for hybrid IT in a Zero Trust world. Over 24,000 enterprises entrust Pulse Secure to empower their mobile workforce to securely access applications and information in the data center and cloud while ensuring business compliance.

On this episode of Defense in Depth, you’ll learn:

Multiple technologies, such as VPN, split-tunnel VPN, VDI, SASE, EDR, and secure management, are used in attempts to insure secure access. But given that secure access isn't just about managing endpoints, but users, you also have to look at IAM.
We look to conditional access to provide more support than just full VPN access.
Argument that we are moving away from endpoints to identity as that's the new perimeter.
SASE solution blocks by default, instead of allows by default, and requires permission for access. User is secured dynamically based on a combination of identity and device.
Would be great if secure access solutions were universal, but they vary country by country based on costs, availability, and regulations.
Secure access models must be user experience first. One possible play that works in this way is IAM + SASE + EDR + secure management.
Another factor that prevents the one-size fits all model for secure access is the complexity of stacks.

InfoSec Fatigue

23 juli 2020 | 28 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-infosec-fatigue/)

Have we reached peak InfoSec fatigue? Revolving CISOs and endless cyber recruitment OR the fact that we're spending more money to reduce even greater risk. Is it all leaving our grasp?

Check out this post for the basis of our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Helen Patton (@OSUCISOHelen) CISO, The Ohio State University.

Thanks to this week's podcast sponsor, Sonrai Security.

Identity and data access complexity are exploding in your public cloud. 10,000+ pieces of compute, 1000s of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data that exists inside your public cloud.

On this episode of Defense in Depth, you’ll learn:

Are we sliding in our effort to get ahead of security issues? There's a sense the tools and our ability isn't keeping up with the onslaught.
Are we able to prove risk reduction to show that our efforts are successful?
Those people who don't burn out are the ones who thrive on the technical and political challenges of cybersecurity.
Disagreement on how you lead a discussion. Should it be story-based or data-based?
Classic complaint about cybersecurity is success is measured by the absence of activity.
Preventative security is not easily quantifiable as reactive security.
CISOs have to step up and show evidence of security's success in the most understandable and digestible format. Suggested measures and metrics: likelihood and impact, business impact analysis, security program maturity curve, framework compliance, pen test results, and threat modeling.
FUD (fear, uncertainty, and doubt) may be effective in the short run, but it's exhausting. It never works in the long term.
Approach cybersecurity altruistically. If it benefits you and those around you, then it's worth doing.
Lean on security vendors to help you show the value of their product. The business impact will be on the CISO's shoulder, but the vendor should help build the case.

Securing a Cloud Migration

16 juli 2020 | 26 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-securing-a-cloud-migration/)

You're migrating to the cloud. When did you develop your security plan? Before, during, or after? How aware are you and the board of the cloud's new security implications? Does your team even know how to apply security controls to the cloud?

Check out this post for the basis of our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Sandy Bird, CTO and co-founder, Sonrai Security.

Sandy was the co-founder and CTO of Q1 Labs, which was acquired by IBM in 2011. At IBM, Sandy became the CTO for the global security business and worked closely with research, development, marketing, and sales to develop new and innovative solutions to help the IBM Security business grow to ~$2B in annual revenue.

Thanks to this week's podcast sponsor, Sonrai Security.

Identity and data access complexity are exploding in your public cloud. 10,000+ pieces of compute, 1000s of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data that exists inside your public cloud.

On this episode of Defense in Depth, you’ll learn:

You can't just migrate to public cloud and secure things like you secure your on-premise servers and applications. You have to think cloud-native in all security decisions.
Cloud migrations intensify the focus between data and identity.
"Security as an afterthought" is never a good plan. Those who succeed build security into the migration. Don't let IT broker a deal to migrate to cloud and then bring in cyber after the fact.
In the cloud, knowing where your data is one step, securing the data is another.
There's a multitude of variances with data. There are the API controls on data, who has access through those APIs, is the data cloned or cached, and how are permissions being adjusted to that data?
Start by knowing who and what should access your data and build your controls from there.
The people side of securing cloud migration is critical. If your staff is not properly trained, a single mistake can be extremely expensive.
Speeds in the cloud, especially if you've got a DevOps and CI/CD approach, can make problems move at lightening speed. There's a need for automation and to continuously monitor your controls and coverage. Get ahead of problems.
DevOps learned the fail fast technique, but also the ability to recover quickly. If security wants to play as well, they have to develop the same strategy and tools.

API Security

9 juli 2020 | 23 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-api-security/)

APIs are gateways in and out of our kingdom and thus they're also great access points for malicious hackers. How the heck do we secure them without overwhelming ourselves?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest, Roey Eliyahu, CEO, Salt Security.

Salt Security protects the APIs at the core of SaaS, web, and mobile applications. By using patented behavioral protection Salt Security automatically and continuously discovers and learns the granular behavior of each unique API and stops attacks. In 2020 Salt Security was named a Gartner Cool Vendor in API Strategy.

On this episode of Defense in Depth, you’ll learn:

The skill set needed to secure APIs is different than web security.
The move towards the cloud, DevOps, and the need to have security tools talk to each other has brought a lot more attention to the need for API security.
Like in all areas of security, just knowing what you've got is a struggle. Same is true with APIs.
Just knowing what APIs you have is not enough. You must know their functionality. Map your APIs to the systems and the data their transmitting.
How aware are your developers of the pitfalls of API misuse?
There's a myriad of security options but start with strong authenticate using hash-based message authentication.
Much of the advice we got was simply shrinking the API attack surface. This can be done by either limiting the functionality of the API or removing unused APIs.
The "review the code" advice that we heard often is sadly not realistic. APIs are resistant to both automatic and manual code review.
API security seems like a 300 or 400 level security effort. Smaller companies that don't have a security operations center (SOC) may simply not be able to handle it and will need to outsource their API security and SOC needs to a third party or managed security service.

Shared Threat Intelligence

2 juli 2020 | 27 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-shared-threat-intelligence/)

We all know that shared intelligence has value, yet we're reticent to share our threat intelligence. What prevents us from doing it and what more could we know if shared threat intelligence was mandated?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest, Joel Bork (@cincision), senior threat hunter, IronNet Cybersecurity.

Thanks to this week's podcast sponsor, IronNet Cybersecurity.

To combat sophisticated cyber threats, companies are increasingly adopting collective defense strategies to actively share intelligence with peer organizations to improve the detection capabilities of the collective. Through faster sharing of behavioral analytics, signature-based, and human threat insights, organizations can more effectively spot malicious activity and reduce attacker dwell time. More on IronNet Cybersecurity.

On this episode of Defense in Depth, you’ll learn:

We all benefit from sharing threat intelligence, so why don't we do it?
If threat data is public, is it useful? The argument is that if the good guys know about the threat intelligence, then all the bad guys know as well. But that's if it's in a public forum.
If threat intelligence was shared in a more rapid, comprehensive, and secure manner it would have more utility.
Sometimes the "intelligence" a company first gets is just a data feed.
There has to be a greater discussion of the risks of sharing as compared to the upside. Often, it's so easy to shut the doors and not share with the benefit never calculated into the equation.
When an organization is in the middle of their security maturity curve, they hold all their data as close to their chest as possible. As they continue on their journey and continue to learn lessons along they way, they begin to understand that collaboration will help the community as a whole - including themselves.
Threat data is really not what professionals need. What they need is intelligence. And this requires a way to onboard and make sense of the data on its own and in aggregate and over time.
Each of us are collecting different pieces of the threat landscape puzzle. If someone doesn't provide their piece, then we have an incomplete puzzle and there are now holes in our knowledge and ability to protect ourselves.
Threat intelligence does not hold the same weight for every user. What's valuable to someone may not be of value to another. And you may be holding onto that data that you don't necessarily think is valuable.
You want threat intel to be actionable, not necessarily responding automatically.
We spoke of threat intel with the analogy of animals traveling in herds for protection. The attackers often pick off the weak ones, but when everyone is working together, the stronger animals can actually protect the weak.
Even with everything we know and value with shared threat intel, there is still a ton of paranoia around sharing. While there is lots of discussion about data not being identifiable, most choose to opt out of sharing threat intel.

Drudgery of Cybercrime

25 juni 2020 | 26 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-drudgery-of-cybercrime/)

Why does the press persist on referring to all cyber breaches as sophisticated attacks? Is it to make the victim look less weak, or do they simply not know the tedium that's involved in cybercrime?

Check out this post by Brian Krebs for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Steve Zalewski, deputy CISO, Levi Strauss.

Thanks to this week's podcast sponsor, IronNet Cybersecurity.

To combat sophisticated cyber threats, companies are increasingly adopting collective defense strategies to actively share intelligence with peer organizations to improve the detection capabilities of the collective. Through faster sharing of behavioral analytics, signature-based, and human threat insights, organizations can more effectively spot malicious activity and reduce attacker dwell time. More on IronNet Cybersecurity.

On this episode of Defense in Depth, you’ll learn:

There's a dichotomy between how the press glorifies cybercrime as being "sophisticated" when the reality is much of cybercrime is drudgery.
Most cybercrime is under a pay-for-hire or a web-based service model. Cybercriminals have to deal with many of the same business-related issues we all do, such as support, infrastructure, customer relations, and sales.
Given that the cybercriminals are usually doing work for someone else, they have customers and those customers will often complain if they are not getting the expected service.
There was question if cybercrime does pay. It seemed that if you had some basic technical talents then legitimate InfoSec was a far more lucrative field that would probably offer benefits that cybercrime couldn't offer.
The paper states that low-skilled administrators often don't know much about the systems they maintain. This would lead one to believe they're also far removed from the criminal activity.
Many of these claims of the boredom of cybercrime can be made of the InfoSec community as well.
Once you understand that cybercrime is a business with a need for ROI like any other business, the goal in protecting oneself is to simply make it too costly and not financially attractive to be hacked.

Security Budgets

18 juni 2020 | 26 min

Role of the BISO

11 juni 2020 | 29 min

Shared Accounts

4 juni 2020 | 26 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-shared-accounts/)

As bad as all security professionals know, shared accounts are a fact in the business world. They still linger, and from an operational standpoint they're hard to secure and get accountability. Why are they still around and what can be done about them?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Jake King (@jakeking), CEO, Cmd.

Thanks to this week's podcast sponsor, Cmd.

Cmd provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems.

On this episode of Defense in Depth, you’ll learn:

As much as it makes security professionals cringe, shared accounts are a business reality that can't be avoided.
Certain business processes force shared accounts to exist, but that doesn't mean as a security professional you shouldn't grill to find out why the shared account exists and if there's a way you can remove that shared privilege.
Get an inventory of your shared accounts. Also, you can do this with mapping credentials with location information.
Time pressures in a physical environment often force shared accounts.
You need to shine a light on shared accounts even if they're not going to go away. It's part of your GRC (governance, risk, and compliance) program.
There are compensating controls one can put around shared accounts such as password rotation, monitoring usage, and alerts.
Privileged access management (PAM) is the favorite solution for dealing with shared accounts. Often you don't need compensating controls if you have a dynamic PAM solution in place.
The need for accountability is key here. If you don't have an equal understanding of its importance then those eventual issues are simply going to magnify.

Bug Bounties

28 maj 2020 | 30 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-bug-bounties/)

What is the successful formula for a bug bounty program? Should it be run internally, by a third party, or should you open it up to the public? Or, maybe a mixture of everything?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Justin Berman (@justinmberman), head of security, Dropbox.

Thanks to this week's podcast sponsor, Cmd.

Cmd provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems.

On this episode of Defense in Depth, you’ll learn:

Like red teaming, you need outside eyes looking at your environment and vulnerabilities.
There was much debate between internal, private, and public bug bounty programs. But it was agreed that if you do them, that you do them in that order.
There was another concern regarding the cost of a bug bounty program. Whether you do them or not, you're still going to pay for coding errors and vulnerabilities one way or another. It's either upfront or later.
Those new to bug bounty programs are not aware of the additional costs of management and engaging with the researchers and white hat hackers. That is a critical part of the bug bounty program.
Before you begin, set up a system to manage the flow of problems reported. If not, you and your staff could very quickly be overwhelmed.
Having a consistent and clear way you handle the findings is often more important than the findings.
Have you allocated budget to remediate the findings? Are you going to need to make cases as each weakness is found?
Keep in mind that companies don't go into bug bounty programs for the same reason. Some go into it for reasons of publicity or forming relationships with researchers.
Communications between your engineers and the bug bounty researchers is critical. If your team is non-responsive, the bug bounty program could backfire.
Most people are wary of public bug bounty programs because of the low signal-to-noise ratio. As there is a rush for attention and money, the whole effort may implode.

Data Classification

21 maj 2020 | 25 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-data-classification/)

The more data we horde, the less useful any of it becomes, and the more risk we carry. If we got rid of data, we could reduce risk.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Nina Wyatt, CISO, Sunflower Bank.

Thanks to this week's podcast sponsor, Cmd.

Cmd provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems.

On this episode of Defense in Depth, you’ll learn:

Usable, user-friendly, viable-in-every-scenario data protection that is invisible, seamless, and always on does not exist, but could exist, and should exist.
Classification tools that tout automation, really aren't. There is still a good amount of manual intervention.
Another way to solve the data protection issue is to get rid of data. Our data protection problem amplifies as we find ourselves protecting more data. But a lot of data simply doesn't need to be protected. It could be classified for non-protection or just destroyed.
Data is mostly unstructured and it needs to be structured to the sense that you know how data is flowing, and that is extremely difficult to do.
We spend more time on hardware and networking diagrams but what we should be doing is diagramming data flow.
Mandate retention limits on data. People don't like it, but it's going to make you a lot safer. Just mandate the lifespan of data. If it's not needed or accessed in a certain period of time, archive it or possibly kill it.
People think holding onto data is costless, but reality is the more you hold onto it becomes very costly from a security perspective.
Utility to you vs. utility to the bad guys is relative. For example, a bank statement from five years ago has little utility to you now, but if a bad guy is looking for information, that has the same value as a bank statement from today.
The questions you need to be asking: Is your data sensitive, does it have open permissions, how long has it been since the data was accessed?
Data with PII is both an asset and a liability.
Classifying data also has a major problem with consistency. Often data can be put into multiple categories or classes.
Security of data is usually not the factor many consider. We are often thinking about the security around data.

Prevention vs. Detection and Containment

14 maj 2020 | 27 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-prevention-vs-detection-and-containment/)

We agree that preventing a cyber attack is better than detection and containment. Then why is the overwhelming majority of us doing detection and containment?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Steve Salinas (@so_cal_aggie), head of product marketing, Deep Instinct.

Thanks to this week's podcast sponsor, Deep Instinct.

Deep Instinct is changing cybersecurity by harnessing the power of Deep Learning to prevent threats in zero time. Deep Instinct’s on-device, solution protects against zero-day, APT, ransomware attacks, and against both known and unknown malware with unmatched accuracy and speed. Find out more about the solution’s wide covering platform play.

On this episode of Defense in Depth, you’ll learn:

A recent Ponemon study notes that most security professionals agree that prevention is a better security strategy than detection and containment.
Even with the acceptance that prevention is a better security posture, most security spending goes into detection and containment.
By implementing firewalls, patching, and security training, many of us are already doing prevention, but may not classify it as such.
Prevention is not nearly as expensive as creating a detect and respond security program.
The two halves work in concert together. No prevention program can be perfect, and that's why you always need a detect and contain program as well.
The reason you don't only go with detect and respond without prevention is that the flood of valid information will be too much for a security program to handle.
There was a strong argument for detect and respond because it shows the products you spent money on are actually working. This is not just to humor the security professional, but also to give some "evidence" to the senior executives.
A lot of prevention comes down to the individual. But since it's so tough to get people to change behavior, there's less friction to just purchase another prevention tool to protect people from their own behavior.
Prevention tools won't stop the attackers who sit dormant on a network waiting to attack. Their behavior has to be spotted with the use of detection and containment.

Asset Valuation

7 maj 2020 | 28 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-asset-valuation/)

What's the value of your assets? Do you even understand what they are to you or to a criminal looking to steal them? Do those assets become more valuable once you understand the damage they can cause?

Check out this post for the basis for our conversation on this week’s episode which features me and Allan Alford. Our guest is Bobby Ford, global CISO, Unilever.

Thanks to this week's podcast sponsor, CyberArk.

At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.

On this episode of Defense in Depth, you’ll learn:

Allan revised the well known formula for risk (Risk = Likelihood x Impact) to reflect an asset's importance. So instead, Risk = Threat plus Vulnerability as aimed at an Asset.
It's hard to get a stakeholder to tell you the value of their assets. Instead, ask them the reverse. Describe the absolute worst breach scenario. What's the second worse? And then on down until you have an understanding of the hierarchy of the assets.
A business impact analysis (BIA) will also help uncover asset valuation. Allan Alford has a BIA calculator on his site.
The simple question of "What are you defending?" is one that most business leaders struggle to answer. They need to be able to answer that question often.
Once you know what to defend the question is how much to defend and then after that is there anything that doesn't need to be defended.
You may actually not be able to start this process if you doing know what your asset inventory is. This should be managed with a discovery tool and multiple iterations of discovery.
While you're valuing your own assets, try to make sense of what these assets mean to an attacker. That will help you answer the question of "how much to defend".

DevSecOps

30 april 2020 | 27 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-devsecops/)

We know that security plays a role in DevOps, but we've been having a hard time inserting ourselves in the conversation and in the process. How can we get the two sides of developers and security to better understand and appreciate each other?

Check out this post and this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Sumedh Thakar (@sumedhthakar), president and chief product officer, Qualys.

Thanks to this week’s podcast sponsor, Qualys.

Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

On this episode of Defense in Depth, you’ll learn:

It's debatable whether the term "DevSecOps" should even exist as a term. The argument for the term is to just make sure that security is part of the discussion, but security people feel that's redundant.
Security is not an additional process. It should be baked in. It's an essential ingredient.
But should it really be seen as "embedding" or rather a partnership? Developers and operations operate as partners.
Instead of dumping security tools on developers and just demanding "implement this" security needs to go through the same transition development had to go through to be part of "Ops".
As DevOps looks forward to what's next, how can security do the same?
Security is unfortunately seen as an afterthought, and that's antithetical to the DevOps philosophy.
Security is an innate property that imbues quality in the entire DevOps effort.
Security will slow down DevOps. It's unavoidable. Not everything can be automated. But, if you deliver the security bite-sized chunks you can get to an acceptable level of speed.
Business needs to specify the security requirements since they were the ones who specified the speed requirements. That's how we got to DevOps in the first place.

Fix Security Problems with What You've Got

23 april 2020 | 28 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-fix-security-problems-with-what-youve-got/)

Stop buying security products. You probably have enough. You're just not using them to their full potential. Dig into what you've got and build your security program.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Brent Williams (@brentawilliams), CISO, SurveyMonkey.

Thanks to this week's podcast sponsor, Deep Instinct.

Deep Instinct is changing cybersecurity by harnessing the power of Deep Learning to prevent threats in zero time. Deep Instinct’s on-device, solution protects against zero-day, APT, ransomware attacks, and against both known and unknown malware with unmatched accuracy and speed. Find out more about the solution’s wide covering platform play.

On this episode of Defense in Depth, you’ll learn:

It's very possible you're not using the tools you've purchased to their full potential. What would happen if you completely stopped buying security products and tried to fix your problems with the tools you've already purchased?
The reason this is such a popular discussion is that as an industry we're still struggling with managing the fundamentals of security.
Shelfware happens because we buy before we're ready. Purchase decisions should be made in conjunction with knowing if you have the staff and understand the integration points to implement the solution.
Tooling for the few layers must be dealt with first. You don't need a solution selling a higher layer of security if you don't have the foundation built.
Much of this argument is based on the messaging we hear from vendors. They're understandably in the business of selling product. Be cognizant of how you're absorbing information.
We need to also focus on the people who unfortunately are fallible and can make non-malicious, but poor decisions.
If there was going to be any additional spending, the argument was to invest in your people - from the entire staff to specific training for your security staff.

Should Risk Lead GRC?

16 april 2020 | 25 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-should-risk-lead-grc/)

Defining risk for the business. Is that where a governance, risk, and compliance effort should begin? How does risk inform the other two, or does calculating risk take too long that you can't start with it?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Marnie Wilking (@mhwilking), global head of security & technology risk management, Wayfair.

Thanks to this week’s podcast sponsor, Qualys.

Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

On this episode of Defense in Depth, you’ll learn:

The model of risk = likelihood x impact doesn't take into account the value of assets. Assets have to be valued first before you calculate risk.
Is the reason risk isn't used to lead governance, risk, and compliance (GRC) because it's so darn hard to calculate? Many CISOs say their toughest job starting out is trying to understand what the crown jewels are and what the board's risk tolerance is.
Risk management allows the board to know when you have enough security. Some assets may require eight layers where others may only require one or two.
Determining likelihood of an attack involves a good amount of guesswork. We've discussed on a previous episode of CISO/Security Vendor Relationship Podcastthat we don't go back to see how good our risk predictions were. If you want to get better at it, you should. Otherwise, it will always be guesswork.
Even if you can get someone to agree what their risk tolerance is, or what asset is of importance, trying to get agreement among a group can be a blocker. Keep in mind that each person is going to have a different viewpoint and concerns.
Knowing risk appetite is critical. You can apply security controls without knowing it, but that's providing a unified security layer across all data, people, and applications when they are all not equal when it comes to asset valuation.

Responsible Disclosure

9 april 2020 | 25 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-responsible-disclosure/)

Security researchers and hackers find vulnerabilities. What's their responsibility in disclosure? What about the vendors when they hear the vulnerabilities? And do journalists have to adhere to the same timelines?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Tom Merritt (@acedtect), host, Daily Tech News Show.

Thanks to this week’s podcast sponsor, Qualys.

Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

On this episode of Defense in Depth, you’ll learn:

Manufacturers, software companies, researchers, hackers, and journalists all play a role in responsible disclosure.
Vulnerabilities will exist, they will be found, and how companies want to be alerted about those issues and inform their public are key elements in the process of responsible disclosure.
While there are CERT guidelines for responsible disclosure, there are no real hard and fast rules. There will always be judgement calls involved. But like the doctor's Hippocratic Oath, the goal is to minimize harm.
You can't announce a vulnerability without offering a fix. It's opening the door to the bad guys to come in and cause havoc.
There is a long history of how vulnerabilities have been disclosed. It often was a surprise and malicious. The trend of responsible disclosure and bug bounties has given rise to the legitimacy of white hat hackers and the process of exposing vulnerabilities.
One listener argued that the term "responsible disclosure" implies a moral judgement. He argued that it should be referred to as "coordinated disclosure."
There is still frustration on multiple sides with how responsible disclosure should be handled. Researchers sometimes argue they're not getting recognized or paid. Companies often feel extorted by researchers who want answers on their timelines. And journalists have to weigh the importance and criticality of a vulnerability. Should they let people know about it even if there really isn't a good fix yet.

Internet of Things

2 april 2020 | 29 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth:-internet-of-things/)

When Internet of Things or IoT devices first came onto the market, security wasn't even a thought, let alone an afterthought. Now we're flooded with devices with no security and their openness and connectivity are being used to launch malicious attacks. What are methods to secure environments today and how should these IoT devices being secured in the future?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Josh Corman (@joshcorman), founder of I Am The Cavalry.

Thanks to this week’s podcast sponsor, Pulse Secure.

Pulse Secure offers easy, comprehensive solutions that provide visibility and seamless, protected connectivity for hybrid IT in a Zero Trust world. Over 20,000 enterprises entrust Pulse Secure to empower their mobile workforce to securely access applications and information in the data center and cloud while ensuring business compliance.

On this episode of Defense in Depth, you’ll learn:

For years, manufacturers didn't consider device security. As a result, attackers have used insecure devices like connected webcams to gain entry into a corporate network.
If you're manufacturing devices, then make security and patches a top concern even after end of life support.
Big gap between public trust and the reality. Almost all people trust manufacturers to secure their devices. The reality is most manufacturers aren't securing their devices.
While we've seen webcams used to launch distributed denial of service (DDoS) attacks, the greatest concern is of a similar style attack being launched against industrial IoT.
The discussion of IoT security goes beyond security of devices. We know there are devices with zero security connected to our network. This is where a larger discussion of zero trust and defense in depth style security programming comes into play.
We have a growing number of unmanaged devices. Devices that are just always on and connected to the Internet providing simple functions like reading their environment.
How much responsibility do manufacturers have for the security of their devices after they've been purchased and shipped? They can create updates and patches, but they can't enforce them.

Is Governance the Most Important Part of GRC?

26 mars 2020 | 27 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-is-governance-the-most-important-part-of-grc)

Your policy should rarely change. But your ability to achieve that policy is found in procedures or governance that should inform, steer, and guide your team. Those procedures should change often and others should follow. Are they?

Check out this post for the basis for our conversation on this week’s episode which features me and Allan Alford. Our guest is Mustapha Kebbeh (@mustaphake), CISO, Brinks.

Thanks to this week's podcast sponsor, CyberArk.

At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.

On this episode of Defense in Depth, you’ll learn:

By leading with governance, how do you make a governance, risk, and compliance (GRC) program meaningful?
Without the right governance it will be hard to accomplish the bigger picture.
GRC requirements have to adhere to the three A's: actionable, accountable, and achievable.
GRC programs require strong leaders. Without them, nobody will follow a governance effort.
There was debate on whether risk or governance should lead the GRC effort. But everyone appeared to agree that leading with compliance is very dangerous.
A list of rules, or governance, is completely pointless if it's not enforced. Enter risk, compliance, and a good leader and you've got the opportunity for enforcement.
Governance that's not tied to risk will probably be ignored and therefore useless.
The argument to lead with risk is because it has applicability to the business where it's questionable with governance and compliance. But for the purpose of this episode's argument, we were making a case for governance leading the conversation.
The main argument for governance over risk is that you can't truly understand the risk if there isn't some type of structure to understand what you're dealing with.

Who Should the CISO Report To?

19 mars 2020 | 25 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-who-should-the-ciso-report-to/)

Who should the CISO report to? What factors determine that decision? And why is that single decision so critical to a company's overall security?

Check out this post for the basis for our conversation on this week’s episode which features me, special guest co-host Yaron Levi (@0xL3v1) CISO, Blue Cross Blue Shield of Kansas City. Our guest is Gary Harbison, vp, global CISO, Bayer.

Thanks to this week's podcast sponsor, IBM Security.

IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research, provides security solutions to help organizations stop threats, prove compliance, and grow securely. IBM operates one of the broadest and deepest security research, development and delivery organizations. It monitors more than two trillion events per month in more than 130 countries and holds more than 3,000 security patents.

On this episode of Defense in Depth, you’ll learn:

We're having this discussion because as Allison Berey, M:CALIBRATE explained, "Wrong reporting lines can mean poor decision-making."
There is no definitive answers as to what the reporting line should be. The final answer on this this discussion was "it depends."
A CISO's placement within an organization should depend on where a company derives its value.
All companies say security is important. How they place the CISO within the reporting structure and the influence they have on the organization is very telling as to whether the company truly does value security.
There was a lot of concern reporting to other C-level executives that are not the CEO as the CISO's concerns could play second fiddle to a CFO, CIO, or CRO's primary desires.
Many felt the most desirable reporting line was CISO-to-CEO.
But, assuming every department is dealing with some sort of business risk, don't they all have the right to report to the CISO? Where do you draw the line?

Hybrid Cloud

12 mars 2020 | 28 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-hybrid-cloud/)

The consistency of your security program becomes a challenge once you introduce the cloud. Controls and visibility are not necessarily transferable. How do you maintain the control you want in a hybrid environment?

Check out this post for the basis for our conversation on this week’s episode which features me, special guest co-host Taylor Lehmann (@BostonCyberGuy), vp, CISO, athenahealth, and our sponsored guest, Chris Meenan (@chris_meenan), director, offering management and strategy, IBM Security.

Chris Meenan, director, offering management and strategy, IBM Security, David Spark, producer, CISO Series, Taylor Lehmann, vp, CISO, athenahealth.

Thanks to this week's podcast sponsor, IBM Security.

IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research, provides security solutions to help organizations stop threats, prove compliance, and grow securely. IBM operates one of the broadest and deepest security research, development and delivery organizations. It monitors more than two trillion events per month in more than 130 countries and holds more than 3,000 security patents.

On this episode of Defense in Depth, you’ll learn:

Moving to the cloud, like any other technology initiative, is a business decision.
What controls are you ceding over to the cloud provider? What service level agreements (SLAs) and performance measurements do you have for the provider?
Be realistic about what’s going to be done if a service provider violates the SLA. You’re not going to all of a sudden dump the provider. You’re going to put some types of corrections in place. Make sure you know what those are and how that can be handled, realistically.
Understand your shared responsibility in the cloud. According to a report by FireMon on hybrid cloud use and adoption, about one-third do not fully understand the shared responsibility model of the cloud.
Start slow. While you may need to go with multiple cloud providers to fill distribution and requirements, begin with one and learn from that experience.
Use cloud adoption as an excuse to join forces with your privacy team to understand where data is being placed and what control you have over it.
Cloud providers are not interchangeable like a utility. Cloud providers are chosen based on the services they offer.

CISO Tenure

5 mars 2020 | 29 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ciso-tenure/)

The CISO has the shortest tenure of any C-level role. Why so brief? Is it the pressure, the responsibility, the opportunities, or all of the above?

Check out this LinkedIn discussion to read the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers. Our guest is John Meakin, CISO, Equiniti.

Thanks to this week's podcast sponsor, IBM Security.

IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research, provides security solutions to help organizations stop threats, prove compliance, and grow securely. IBM operates one of the broadest and deepest security research, development and delivery organizations. It monitors more than two trillion events per month in more than 130 countries and holds more than 3,000 security patents.

On this episode of Defense in Depth, you’ll learn:

There's a lot of confusion as to what a CISO needs to do. All job descriptions for CISOs are different.
There are humans behind the data and as a result CISOs are tasked with protecting the humans.
CISOs can improve their tenure if they seek out a business mentor to allow them to better support the business.
CISOs who aren't able to communicate clearly will not last long.
It's a CISO's job to communicate in the language of the business, not the other way around.
Before the CISO ever arrives, there's a business culture. There's always going to be a natural push back from the business. "Why are you making us change?"
A simple walkabout the office can solve a lot of uncertainty.
If employees start asking questions about their personal security, that's a good sign the CISO has successfully inserted security into the business culture.
Another huge factor that impacts CISO tenure are the increased opportunities. Regulations and privacy laws are pushing companies to get CISOs to provide much needed oversight.
What does the reporting structure in your organization mean in regards to the CISO being heard at the executive and board level?

Toxic Security Teams

27 februari 2020 | 26 min

Personality Tests in the Workplace

20 februari 2020 | 23 min

Lack of Diversity in Cybersecurity

13 februari 2020 | 28 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-lack-of-diversity-in-cybersecurity/)

Cybersecurity teams are notoriously not diverse. At the same time we keep hearing and talking about the need for diversity. Is it critical? Can you be just as successful without it?

Check out this Twitter feed for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Christopher Zell, vp, head of information security, The Wendy's Company.

Thanks to this week's sponsor, Electronic Frontier Foundation.

On this episode of Defense in Depth, you’ll learn:

Discussion is based on a quote by one PayPal co-founder, Max Levchin, who said, "The notion that diversity in an early team is important or good is completely wrong. You should try to make the early team as non-diverse as possible."
There is diversity of people and there's diversity of opinions. Those two often go together, but they don't have to.
While appalling, there is some truth to Levchin's statement. When everyone thinks the same you don't have conflict and can move quickly.
But lack of diversity of opinion means you don't see the full picture and that can make you susceptible to unforeseen vulnerabilities.
If you don't know what problems you're facing, you should want diversity.
Minorities often face different and more struggles than those who never have to suffer diversity issues. They've been hardened and that should make them an even more attractive candidate.
Start building your diverse network now. When it comes time to hire diversity and you don't have that network already in place, you're going to have a very difficult time.
For more, check out the (ISC)^2 study "Innovation Through Inclusion: The Multicultural Cybersecurity Workforce" and Computerworld article, "The next tech skillset is ‘differently-abled neuro-diverse’".

When Are CISOs Responsible for Breaches?

6 februari 2020 | 29 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-when-are-cisos-responsible-for-breaches/)

When is a CISO responsible for a breach or cyber incident? Should they be disciplined, fired, or let go with an attractive payout?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Norman Hunt (@normanhunt3), deputy CISO, GEICO.

On this episode of Defense in Depth, you’ll learn:

On the onset, one may want to jump to finding liability. But a CISO's responsibility should not be isolated at the moment of the breach. There are more issues to consider, such as authority, accountability, efficacy, and expectations.
Be wary of assigning accountability if the CISO didn't have the authority to actually carry out his/her intended plan.
Often the CISO is seen as a necessary scapegoat when there is a breach. It shows an aggressive move by the company to make a change, but then they'll have to go ahead and hire another CISO, probably at a much higher salary (see last week's episode).
When are you measuring the performance of the CISO? Is it as they build the security program, or is it only at the moment of the breach?
How well does a CISO handle the breach when it happens and how well do his direct reports and the rest of the company handle it? That's a better measurement of the efficacy of the CISO.
CISOs are held to a higher level of expectation to prevent a risky event from happening. CIOs, CEO, and CFOs are not held to the same standard.
Even the best CISOs will suffer a breach. It's a single point in time. It sure is a very bad point in time, but what are the events that led up to this moment. Were they building out a security program and were there improvements or was staff education and leadership falling short?
The best standard of measurement of a CISO is how well do they communicate and implement security and risk decisions?
Failure may be at the definition of the role of the CISO. A CISO's role and its responsibilities are far from standardized.

Post Breach Desperation and Salary Negotiations

30 januari 2020 | 26 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-post-breach-desperation-and-salary-negotiations/)

A data breach usually spells financial and reputational disaster. But such an event can also be an opportunity for a security professional to capitalize.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Michael Piacente, co-founder and managing partner, Hitch Partners.

Thanks to this week’s podcast sponsor, Anomali.

Anomali is a leader in intelligence-driven cybersecurity solutions. Anomali turns threat data into actionable intelligence that drives effective security and risk decision making. Customers using Anomali identify cyber threats from all layers of the web, automate blocking across their security infrastructures, and detect and remediate any threats present in their networks. www.anomali.com

On this episode of Defense in Depth, you’ll learn:

Salary negotiation is a topic that is always in vogue, but the post-breach angle shows the value companies are eventually seeing in the CISO role. Unfortunately for them they realize it after the fact.
A bad breach incident will cost far more than an investment in a good security team. But that's your insurance policy.
Location, industry, and size of company are all key factors on whether or not a CISO will be able to command a seven figure salary.
Industry specific skills will definitely come into play. If a bank is breached and you've been a security professional or a CISO at multiple banks that has maintained its cybersecurity without any significant incidents, then you have a lot of leverage.
When a company needs a CISO to right the ship, they're going to want someone who has gained skills in the areas of communicating with the board, strategy, vision, leadership, and successfully creating a pro-security culture.
Negotiating salary is not just isolated to CISO role. There are cloud security architects that are in high demand and can garner a much higher wage than just a couple years ago.
Threats outnumber security people regardless of their rank. There's no one person that's going to prevent breaches. But if you have a poor security culture, then a company will need to pay for the talent to get it operating in the right direction.

Presenting to the Board

23 januari 2020 | 25 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-presenting-to-the-board/)

What metrics, reports, or strategies should a security professional utilize to communicate the value to the board? Or is the mode of "presenting to the board" a damaged approach?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Barry Caplin (@bcaplin), executive leadership partner, Gartner.

Thanks to this week’s podcast sponsor, Anomali.

Anomali is a leader in intelligence-driven cybersecurity solutions. Anomali turns threat data into actionable intelligence that drives effective security and risk decision making. Customers using Anomali identify cyber threats from all layers of the web, automate blocking across their security infrastructures, and detect and remediate any threats present in their networks. www.anomali.com

On this episode of Defense in Depth, you’ll learn:

A conversation with the board begins with a discussion of what risk is. But getting that information out of the board is far from a simple task. Vague answers are not helpful.
Metrics are of value to the board, but avoid offering up tactical metrics. Instead, utilize strategic metrics.
Once risk appetite is understood and agreed upon, then it's appropriate to begin a discussion of the security program's maturity.
Caplin recommends a four-slide presentation for the board:
1. Where we were, problem areas identified per risk and maturity.
2. What we spent and a bit of why we spent.
3. Where we are now (metrics come into play here). Best to show how much progress you've made in implementing security programs.
4. Where we want to go next, and what the next ask is.
If you're going to show a metric, it should answer a very specific question for the board.
If you are going to show one metric, the most popular one is dwell time or the time between when an attack happens, when you discover it, and when it's remediated.
The one metric of dwell time provides a lot of information as to the maturity of a CISO's security program as it coincides with its ability to respond to incidents.
Some CISOs aim for a storytelling approach completely avoiding metrics because metrics have unfortunately led the board down the wrong path. It's either the wrong metrics, too detailed of a metric, or metrics not tied to business risk or to a maturity model.

The Iran Cybersecurity Threat

16 januari 2020 | 26 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-the-iran-cybersecurity-threat/)

The Iran conflict has threatened new retaliations and we don't know where they're going to come from. Cyber retaliation is a real possibility. Who's being threatened and how should we prepare?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Nicholas Hayden, global head of threat intelligence, Anomali.

Thanks to this week’s podcast sponsor, Anomali.

Anomali is a leader in intelligence-driven cybersecurity solutions. Anomaly turns threat data into actionable intelligence that drives effective security and risk decision making. Customers using Anomali identify cyber threats from all layers of the web, automate blocking across their security infrastructures, and detect and remediate any threats present in their networks. www.anomali.com

On this episode of Defense in Depth, you’ll learn:

As we're seeing now, it often takes a scare like Iran, to get everyone to pay attention to their threat detection and response capabilities.
if you believe you're a target for an APT (advanced persistent threat) you need to also assume it's going to be hidden.
If and when you find an APT, also assume it's at the beginning of an attack chain. You're going to have to go deeper. Shutting it off at that moment won't let you understand what's happening.
Iran may use the resources of China and Russia as they have hooks into other industries.
There's a strong belief that cyber warfare is commingled with organized crime. The two groups need each other.
Much of the "how to handle Iran" advice is to focus on foundations, not basics, because it's actually not easy, said Yaron Levi, CISO, Blue Cross/Blue Shield of Kansas City, we use these potential threats as an area of focus.
If you are doing the fundamentals, and doing them well, you are doing what you can. You don't have the intelligence that the military has, and therefore, you don't have the ability to craft specific defenses.
Beware of complacency and going in and out of "heightened alert". Eventually, people will forget about this perceived impending Iran threat. That's why threat intelligence needs to be handled consistently over time.

Building a Fully Remote Security Team

9 januari 2020 | 26 min

Links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-building-a-fully-remote-security-team/)

Could you be successful with a fully virtual InfoSec team? Many say it can't be done, while some have actually done it and been successful.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Kathy Wang, former CISO, GitLab.

Thanks to this week’s podcast sponsor, Pulse Secure.

Pulse Secure offers easy, comprehensive solutions that provide visibility and seamless, protected connectivity for hybrid IT in a Zero Trust world. Over 20,000 enterprises entrust Pulse Secure to empower their mobile workforce to securely access applications and information in the data center and cloud while ensuring business compliance.

On this episode of Defense in Depth, you’ll learn:

A fully remote team is possible. Our guest was formerly the CISO of GitHub which is a fully remote organization so the concept of remote work was built into the company's DNA.
Two of the most important factors to great remote success are each individual's willingness to over communicate and never be afraid to escalate an issue.
Not surprisingly, remote work requires top-down support and it starts at the point of hiring.
Trust is a two-way street in remote work.
Under the umbrella of "over communicating" is documenting everything.
Huge benefit of having a remote team is you are no longer competing with location-based hiring. There are talented people all over the world.
With your staff living all over the world, you in effect create a 24/7 office network with everyone operating in different time zones.
A fully virtual company is perfect for cloud native companies.
It can be very costly to place a person physically on site.
Saving money is a great side effect of remote staffing.
Make sure to have in-person team building events. Kathy does one to two a year and tries to make sure one of them coincides with a big security event like DEFCON, RSA, or Black Hat.
One unforeseen benefit of remote work is that you're always able to start meetings on time. Problem with in-person meetings is you're often waiting for another meeting to finish in a room so you can start your meeting.

Account Takeover

19 december 2019 | 26 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-account-takeover/)

An account takeover traditionally follows a methodical path that takes considerable time before anything bad happens. Is it worth a company's time and effort to be monitoring a potential account takeover at the earliest stages?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Mike Wilson, CTO and co-founder, Enzoic.

Thanks to this week’s podcast sponsor, Enzoic.

Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through compromised credential detection. Organizations can use Enzoic solutions to screen customer and employee accounts for exposed username and password combinations to identity accounts at risk and mitigate unauthorized access. Learn more about Enzoic.

On this episode of Defense in Depth, you’ll learn:

Attack takeover (ATO) has a life cycle with multiple (6) steps. The first step is reconnaissance and you need to focus on that to stop the life cycle.
There's plenty of talk about sharing OSINT (open source intelligence), but the reality is, and always been, that there are more consumers than contributors. Like any open source endeavor, it can only get better if more people contribute.
Account takeover has at its root in stolen credentials, and as we know from sites like "Have I been pwned?" there are billions of stolen credentials floating out there that are consistently being used in credential stuffing attacks.
What is your credential situation? How unique are they? Can they be learned?
Start threat modeling your existing systems to determine what type of investment you'll need to make in account takeover.
You can greatly reduce the risk of ATO by implementing multi-factor authentication (MFA) and privileged access management (PAM).
The bad guys are playing the same game as we are and we essentially need to have better reconnaissance than them. Problem is they're sharing information freely and we're not.

UX in Cybersecurity

12 december 2019 | 27 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ux-in-cybersecurity/)

Security products and programs may be functional and work correctly, but are they usable in the sense that it fits into the work patterns of our users?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Rakesh Patwari (@rakeshpatwari), UX lead, Salesforce and UX instructor at UC Berkeley Extension.

Thanks to this week’s podcast sponsor, Enzoic.

Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through compromised credential detection. Organizations can use Enzoic solutions to screen customer and employee accounts for exposed username and password combinations to identity accounts at risk and mitigate unauthorized access. Learn more about Enzoic.

On this episode of Defense in Depth, you’ll learn:

There is the path to security you create and the path that your users take, or the desired path. As a security and UX professional you should plan to make those two the same path. If not, your users will take the simpler route and circumvent your security controls.
Users will always choose the easier path which is not necessarily the most secure path.
Security is an "ask." You're requesting users do something, but it's hard to get them to keep doing that "ask" if you don't give them feedback as to the reason or value of the ask.
Error messages historically provide little to no information to the user and thus no guidance to solve the problem. We often have to go outside of the environment (a search engine) to find a solution.
Security professionals need to take on the role of a UX designer which requires defining work processes by interviewing users, not deciding what you want those processes to be.
Creating a simple process is far more difficult than creating a complex process. Secure processes don't require users to constantly turn functions on and off or go through additional unnecessary steps to get their job done.
View your users as customers where you're trying to sell them on your process rather than dictating which will eventually be avoided.

InfoSec Trends for 2020

5 december 2019 | 26 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-infosec-trends-for-2020/)

We're coming to the end of the year and that means it's time to make our predictions for 2020. Mark this episode and check back in one year to see how we did.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Rob Potter, chief revenue officer for Verodin.

Thanks to this week’s podcast sponsor, Verodin.

The Verodin Security Instrumentation Platform proactively identifies gaps in security effectiveness attributable to equipment misconfiguration, changes in the IT environment, evolving attacker tactics, and more. Learn how Verodin, part of FireEye, has made it possible for organizations to validate the effectiveness of cyber security controls, thereby protecting their reputation and economic value.

On this episode of Defense in Depth, you’ll learn:

More large scale breaches is not a prediction. At this stage that's an inevitability.
ML/AI/Blockchain will continue to be oversold and under-delivered.
Most cloud breaches are configuration errors. They are not mastermind attacks. They can't be called a breach if they were never secured properly in the first place. Note that cyber insurance does not pay out unless proper protections were in place.
"Better" cloud and Internet of Things (IoT) security is not possible given how far it's been mismanaged up to this point. There are so many insecure nodes out there that it appears an impossibility to create any type of patch protection. There was strong debate as to whether this was a true statement or not.
Strongest prediction (and it's already in motion) is the convergence of privacy and security.
Privacy will be driven by regulations and as a result more people will be instituting chief privacy officers to avoid being in violation.

Cybersecurity Readiness as Hiring Criteria

21 november 2019 | 26 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cybersecurity-readiness-as-hiring-criteria/)

What if every candidate interviewed was tested on their cybersecurity competency? How would that affect hiring and how would that affect your company's security?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Greg van der Gaast, head of information security, University of Salford.

Thanks to this week’s podcast sponsor, Enzoic.

Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through compromised credential detection. Organizations can use Enzoic solutions to screen customer and employee accounts for exposed username and password combinations to identity accounts at risk and mitigate unauthorized access. Learn more about Enzoic.

On this episode of Defense in Depth, you’ll learn:

For all candidates, whether in cybersecurity or not, gauge their current level of cybersecurity awareness.
There was a time we put knowledge of Microsoft Word and Excel on our resumes. Now you never see it because it's common knowledge. Security knowledge is not common. At this stage it would be seen as a valuable bonus to have it on your resume.
There are always small things that hiring managers look for to tip the scales in a candidates favor. Cybersecurity skills should be one of them.
For candidates who would have the most to gain from cybersecurity awareness, bring in the CISO to ask one or two questions during the hiring process.
Different departments bounce candidates off each other even if they're not going to be working in a specific department. They want to know how well a person will or won't interface with your department.
There's a strong fear that adding cybersecurity into the hiring criteria will greatly slow down the hiring process which could damage business productivity.
There was much debate around seemingly great candidates, such as an accountant with 20 years of experience, who fails miserably on cyber awareness. Would that raise a red flag?

Cybersecurity and the Media

14 november 2019 | 30 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cybersecurity-and-the-media/)

Cybersecurity and the media. It rides the line between providing valuable information and feeding the FUD cycle. What's the media's role?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Dave Bittner (@bittner), producer and host of The CyberWire Podcast, Hacking Humans podcast, and Recorded Future podcast.

Thanks to this week’s podcast sponsor, Verodin.

The Verodin Security Instrumentation Platform proactively identifies gaps in security effectiveness attributable to equipment misconfiguration, changes in the IT environment, evolving attacker tactics, and more. Learn how Verodin, part of FireEye, has made it possible for organizations to validate the effectiveness of cyber security controls, thereby protecting their reputation and economic value.

On this episode of Defense in Depth, you’ll learn:

Stop laying blame on the media for negative cybersecurity perceptions. They're acting as a reflection of ourselves, both good and bad.
When done right, the media can bring about much needed attention to issues, most often to enlighten those not in the know.
A good indicator of media's success in informing us is when our friends and family, who are not as cybersavvy, start asking us our thoughts on big security issues.
Disturbing trend is the media referring to an attack as "sophisticated" when it's often a poorly secure server that was just waiting to be breached.
Given this trend, many are eager for the media to demystify these supposedly "advanced" attacks demonstrating that the rest of us can protect ourselves even if we're not cyber-sophisticated.
Social engineering demos are often done for the purpose of humor rather than showing how dangerous it can be when we let our guard down.
Outside of someone like Bruce Schneier, the cybersecurity industry needs the equivalent of a high-profile expert who can speak to the lay person, à la Bill Nye, The Science Guy.

The Cloud and Shared Security

7 november 2019 | 25 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-the-cloud-and-shared-security/)

When your business enters the cloud, you are transferring risk, but also adding new risk. How do you deal with sharing your security obligations with cloud vendors?

Check out this LinkedIn post for the basis of this show's conversation on shared responsibility of security with a digital transformation to the cloud.

This episode is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Paul Calatayud (@paulcatalayud), CSO for Americas, Palo Alto Networks.

Thanks to this week’s podcast sponsor, Palo Alto Networks.

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices.

On this episode of Defense in Depth, you’ll learn:

You have to have a business reason to go to the cloud. Usually it's done as a business imperative in order to stay competitive.
Security is rarely the primary reason businesses move to the cloud. It's often an adjunct reason.
Moving to the cloud may transfer risk, but it also introduces new risk.
Security professionals have long avoided the cloud because they feel they give up perceived control. If I can't see or touch it, how can I secure it?
One issue security people need to grapple with during digital transformation and a move to the cloud is what does it mean to manage risk when you don't own the program?
Much of the online discussion was about getting your service license agreements (SLAs) in place. But if you're a small- to medium-sized businss (SMB) you're going to have a hard if not impossible time negotiating.
Don't lean on SLAs to be your entire risk profile. It's like using insurance as your only means of security.
Cloud security requires setting up automation guard rails.
For cloud evolution you'll need a change in talent and it probably won't be your traditional network engineers.
Because of performance, privacy, and data protection issues you're probably going to find your business moving apps in and out of the cloud.
The Cloud Controls Matrix (CCM), from the Cloud Security Alliance (CSA) is a controls framework designed to help you assess the risk of a cloud security provider.

Is Product Security Improving?

31 oktober 2019 | 26 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-is-product-security-improving/)

We've been at this cybersecurity thing for a long time. Are products improving their security? A recent study says they aren't.

Check out this tweet and the ensuing discussion for the information on the study and the concerns people have about the history of poor security in consumer-grade networking products.

This episode is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Michael L. Woodson (@mlwoodson), CISO, MBTA.

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices.

On this episode of Defense in Depth, you’ll learn:

We focus our conversation mostly on consumer products, most notably networking, which was the focus of the relevant study.
Some basic measurements of security such as stack guards and buffer overflow protection showed no noticeable improvement.
Margins are so slim on consumer products that manufacturers are put in a bind. They can't overcharge and stay competitive, so they have to underdeliver, and often security protections are cut as a result.
People accept the failures of cybersecurity products by just accepting the end user license agreement (EULA).
Be very careful with these agreements. Often a vendor will make outrageous claims like saying they own the data.
When we have security incidents companies are not blamed or liable.
What type of pressure would need to be put on manufacturers to get them to improve security? Will it have to be standards, regulations, or government regulations?

Best Starting Security Framework

24 oktober 2019 | 27 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-best-starting-security-framework/)

If you were building a security program from scratch, which many of our listeners have done, which framework would be your starting point?

Check out this post initiated by Sean Walls, vp, CISO of Visionworks, who asked, "If you were building a security program from scratch, would you align with ISO 27001, NIST CSF, or another framework, and why?"

That conversation sparked this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Omar Khawaja (@smallersecurity), CISO, Highmark Health.

Thanks to this week’s podcast sponsor, Palo Alto Networks.

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices.

On this episode of Defense in Depth, you’ll learn:

When determining a starting security framework, always lead with the "Why?" What are you trying to accomplish and achieve?
In some cases you're building a framework to build trust.
Although most in security take a risk-based approach. That's not always necessary when picking a framework. Frameworks are often very regulatory driven.
Framework decisions will be built on both internal and external pressures.
If you don't have a specific security problem, a specific security solution makes no sense.
The Secure Controls Framework is a free meta-framework that allows users to pick and choose elements from multiple frameworks.
Check out Allan Alford's four-year mapping of NIST CSF, CIS CSC 20, and ISO 27001.
While there are plenty of great frameworks out there, for someone who is truly starting from scratch, many security professionals pointed to the CIS top 20 because it maps to frameworks like NIST and ISO.

Cyber Defense Matrix

17 oktober 2019 | 28 min

User-Centric Security

10 oktober 2019 | 29 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-user-centric-security/)

How can software and our security programs better be architected to get users involved?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Adrian Ludwig, CISO, Atlassian, a customer of our sponsor, Castle.

Thanks to this week’s podcast sponsor, Castle.

Castle is helping businesses keep customers’ online accounts safe from targeted account takeovers, automated credential stuffing, and risky user transactions. Castle’s user-centric approach to account security allows organizations to fully automate threat response and account recovery in real-time with risk-based authentication, granular access policies, and custom workflows. Learn more at www.castle.io

On this episode of Defense in Depth, you'll learn:

It's impossible to create a security system that removes the user from the equation. They are integral and they have to be part of your security program.
Security is defined by the individual.
The minimum expectation you can have of your users is that they'll operate in good faith.
Avoid complexity because as soon as it's introduced it drives problems everywhere.
Instead, keep asking yourself, how can I make security more usable?
Individuals are suffering from alert fatigue. If you're going to send an alert to a user, make it relevant and actionable. And always be aware that your security alerts are not the only alert the user is seeing and deciding or not deciding to take action on.
Think about all the alerts you completely ignore, like the confidentiality warning in a corporate email.
One of the main problems with security is the party who suffers is not the one who has to act.
The user often does not have any stake in the goods he/she is protecting.

Securing the New Internet

3 oktober 2019 | 32 min

All links and images from this episode can be found at CISO Series (https://cisoseries.com/defense-in-depth-securing-the-new-internet/)

If you could re-invent the entire Internet, starting all over again with security in mind, what would you do?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode, Davi Ottenhimer (@daviottenheimer), who happens to be working on this project with Tim Berners-Lee at Inrupt to create a new Internet and secure it.

Thanks to this week’s podcast sponsor, Castle.

Castle is helping businesses keep customers’ online accounts safe from targeted account takeovers, automated credential stuffing, and risky user transactions. Castle’s user-centric approach to account security allows organizations to fully automate threat response and account recovery in real-time with risk-based authentication, granular access policies, and custom workflows. Learn more at www.castle.io

On this episode of Defense in Depth, you'll learn:

Much of the advice on how to secure the Internet focused on just improving known protocols such as SMTP, IPv6, and TCP/IP. Is that limited thinking or not?
Creating a new Internet has a lot of political and socioeconomic issues connected to it so you have to consider both relative (changing existing protocols) or absolute updates (reinventing and trashing existing protocols).
One suggestion was dynamic port assignments which was an interesting tip, but it runs into the issue that at some point someone needs to know where you're communicating.
Future of identity is that it's not controlled by one entity. But the solution is not blockchain. That's essentially a spreadsheet of information and banking on a spreadsheet or blockchain would not be wise.
Another suggestion would be to create a data-centric approach to the Internet, but this would put a massive load on the endpoints.
One core philosophy of securing the new Internet is creating a system where each individual can own their own data, put rights on it to others to use it, rather than being beholden to the rights others give us to manage our own data.
Our favorite suggestion was about looking to biomimicry and our millions of years of evolution to help us build an Internet that could learn to evolve on its own. The issue is that history has given us tectonic shifts that come all at once and don't necessarily evolve gradually. Could a security system be built to adapt in that manner?

Creative Commons photo attribution to Joybot.

Resiliency

26 september 2019 | 26 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-resiliency/)

How fortified is the business to withstand cyberattacks? Can it absorb the impact of the inevitable hits? Would understanding the business' level of resilience provide the appropriate guidance for our security program?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Anne Marie Zettlemoyer, vp, security engineering and divisional security officer, MasterCard.

Thanks to this week’s podcast sponsor, Castle.

Castle is helping businesses keep customers’ online accounts safe from targeted account takeovers, automated credential stuffing, and risky user transactions. Castle’s user-centric approach to account security allows organizations to fully automate threat response and account recovery in real-time with risk-based authentication, granular access policies, and custom workflows. Learn more at www.castle.io

On this episode of Defense in Depth, you'll learn:

Resiliency allows the business to perform in conjunction with risk.
A conversation about resilience forces security to think about business processes and the criticality of each one to the business' ability to sustain itself.
We're forcing ourselves to think proactively when we have no choice but to react, hopefully automatically. Disaster recovery (DR) and business continuity planning (BCP) come into play here.
There's a concern that of the CIA (confidentiality, integrity, and availability) triad, "integrity" doesn't have enough outside forces to insure its credibility.
While security teams may just be coming up to speed, or are just thinking of resiliency, the business has been thinking about it since day one of becoming a business. If security begins thinking this way, they will be more in alignment with the business.

And here are some items Anne Marie mentioned at the end of the show:

Ransomware

19 september 2019 | 26 min

Top CISO Communication Issues

12 september 2019 | 28 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-top-ciso-communication-issues/)

Understanding risk. Communicating with the board. Getting others to understand and care about security. What is the most vexing cybersecurity issue for a CISO?

Check out this post by Kate Fazzini, cybersecurity reporter for CNBC, for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Mark Eggleston (@meggleston), CISO, Health Partners Plans.

Thanks to this week’s podcast sponsor, Varonis.

The most powerful way to find, protect, and monitor sensitive data at scale. Get total control over your unstructured data in the cloud and on-premises. See it in action in a live cyberattack simulation lab.

On this episode of Defense in Depth, you'll learn:

Communications starts with engaging people where they work. CISOs can't have any long-term success selling fear, uncertainty, and doubt (AKA "FUD").
CISOs need to focus on people skills. If a CISO is going to be rolling out a solution it's going to be in his/her hands to get others to adopt. Successful CISOs integrate the community into their thinking.
While CISOs want to be proactive, you can't be purely proactive or reactive. It's always a blend.
The best start for a CISO is to get the C-suite and board to listen and understand.
Not only do CISOs need to have conversations about risk, they need to document it and revisit it.
Look at where the company is making money by examining the 10-Q report. See where you can apply risk analysis to all of those revenue streams.
Whenever a FUD-like headline appears, the C-suite and board will see it. Don't let them fall into the trap of absorbing the hype. CISOs need to show how they're handling such situations and how they would if something similar happened to them.
Top issues for CISOs include having a clear understanding of who owns what risk. And more importantly, individual contributors should acknowledge their specific role in the overall security program.

Cybersecurity Excuses

5 september 2019 | 25 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cybersecurity-excuses/)

"I've got all the security I need."

"I'm not a target for hackers."

These are just a few of the many rationalizations companies make when they're in denial of cyberthreats. Why are these excuses still prevalent and how should a cyberprofessional respond?

Check out this post by Ian Murphy, co-founder of LMNTRIX, for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers.

Thanks to this week’s podcast sponsor, Varonis.

The most powerful way to find, protect, and monitor sensitive data at scale. Get total control over your unstructured data in the cloud and on-premises. See it in action in a live cyberattack simulation lab.

On this episode of Defense in Depth, you'll learn:

Security professionals must endure an endless string of excuses to not improve a security program. On this episode, the ones we saw fall into four categories: "What I've got is good enough", "Denial", "False safety net", "Costs too much time/money".
Never rest on what you've got today. Today's configuration is tomorrow's vulnerability. Security is a process, not an end state.
There are always issues because humans are involved.
Small companies may not have a huge payout, but their defenses are usually weaker making them an easy score. A bunch of small companies add up to a big one.
If you have not invested well in a good security program, you are already breached and don't know it.
As this show title explains, you can't rely on a single layer of defense (e.g., firewall) to protect you.
No CISO is complaining they're spending too much on security.
A great security partner is awesome, but you don't hand off your security to someone else. It's a shared responsibility.
Don't rely on cyber insurance in the same way you don't leave your front door unlocked even though you've got home insurance.

Employee Hacking

29 augusti 2019 | 26 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-employee-hacking/)

A cyber professional needs their staff, non-IT workers, and the board to take certain actions to achieve the goals of their security program. Should a CISO use the hacking mindset on their own people?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Yael Nagler (@MavenYael), consultant.

Thanks to this week’s podcast sponsor, Anomali.

Anomali harnesses threat data, information, and intelligence to drive effective cyber security decisions.

On this episode of Defense in Depth, you'll learn:

Employee hacking is an effort to get employees to do what you need them to do in order to pull off your security program
There's a grand debate as to whether you should be hacking employees (use the tools you've got) or working with them (don't trick).
Many listeners likened this motivation technique to be no different than sales persuasion methods. But these methods are focused on getting individuals to take a single action, to purchase. This is not the case for a CISO who must change a wide ranging set of behaviors that are often not connected to individual desires.
To complicate matters even more, a CISO must sell a process and culture change, NOT a product. It's not easy to change human behavior.
Manipulation is a tainted word. You need to respect differences and find a common ground to motivate employees to show concern to want to stay with a security program.
One way to get people to care about security is to internally explain what do big security news items have to do with your business and how a similar breach could or couldn't happen to your business.
While you're trying to win someone over, it's not a selfish interest. It's of interest to the individual and the company. It's just the individual has to understand why they're changing behavior and see value in making that change.

100% Security

22 augusti 2019 | 25 min

100% Security. A great idea that's impossible to achieve. Regardless, CEOs are still asking for it. How should security people respond and we'll discuss the philosophical implications of 100% security.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Rich Friedberg (@richf321), CISO, Blackbaud.

Thanks to this week’s podcast sponsor, Anomali.

Anomali harnesses threat data, information, and intelligence to drive effective cyber security decisions.

On this episode of Defense in Depth, you'll learn:

Even though security people learned a long time ago that 100 percent security is not achievable if you can run a business, CEOs are still asking their security departments to deliver it.
The most common response to the 100 percent security request is to point out that nothing in business is 100 percent. Everything is a type of a risk.
Pointing out that everything is a risk doesn't necessarily endear a CISO to the security department. Instead, use empathy and try to understand what are they really asking when they make the 100 percent security request.
It's often difficult for a CEO to initiate a discussion about risk.
The question shouldn't be "how safe are we" but rather "how prepared are we". Should a breach happen, which seems inevitable these days, how quickly can the business respond and continue to function. A breach doesn't need to destroy a business.
The best way to connect with the business on security risk is to correlate it to another risk decision that makes sense to them. For example, battling fraud. No business tries to eliminate 100 percent of fraud because at one point the cost to eliminate the remaining fraud far exceeds the cost of the remaining fraud.
As a theoretical exercise, most agreed that if you truly did try to achieve 100 percent security, the business would cease to function.

Proactive Security

15 augusti 2019 | 29 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-proactive-security/)

How proactive should we be about security? What's the value of threat intelligence vs. just having security programs in place with no knowledge of what attackers are trying to do?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is AJ Nash, director of cyber intelligence strategy, Anomali.

Thanks to this week’s podcast sponsor, Anomali

Anomali harnesses threat data, information, and intelligence to drive effective cyber security decisions.

On this episode of Defense in Depth, you'll learn:

You can't start a threat intelligence until you understand your internal threat landscape and business mission.
Sadly, very few organizations have a good answer to "What and where are your crown jewels, your high valued assets?" But if you can answer that question, your threat intelligence will be far more effective.
It's possible to understand internal and external landscape in parallel. But you won't get great value of your intelligence until you understand your environment.
How do we judge the value of intelligence? It's all about dealing with costs before the "boom" vs. afterwards. Because afterwards is far more expensive.
The reason to invest in threat intelligence is because once you know your assets, and you know what your adversaries are after, you can adjust your defenses accordingly.
If your goal is to harden everything, you're going to be very busy. It's not economically and physically possible.
Make sure you're manning the threat intelligence and incident response teams properly. This is a common misstep that many shops make.
If you don't have intelligence you're doing reactive security, which nobody wants, yet that's what many often end up doing.

ATT&CK Matrix

8 augusti 2019 | 25 min

All images and links for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-attck-matrix/)

Is the ATT&CK Matrix the best model to build resiliency in your security team? What is the best way to take advantage of the ATT&CK framework and how do you square away conflicting data coming in from your tools. What can you trust and not trust? And is the disparity of results the fault of the tool, the user, or neither?

Check out this post and this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Ian McShane (@ianmcshane), VP, product marketing, Endgame.

Thanks to this week’s podcast sponsor, Endgame

Endgame makes endpoint protection as simple as anti-virus. Their converged endpoint security platform is transforming security programs - their people, processes and technology - with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com.

On this episode of Defense in Depth, you'll learn:

ATT&CK Matrix should be used both strategically and tactically.
Use it strategically to understand gaps in your security program.
As for tactics, it's great for blue team exercises. When you're being attacked, it helps you understand what's going to happen next.
You can use ATT&CK framework even on 0 day viruses. It allows you to focus on the techniques in an attack rather that the specifics of an attack.
When you're being attacked, be wary of getting conflicting information from your tools.
If you have a tool that's constantly producing noise, you have two options: either fix it or dump it.
The reason two seemingly similar tools are producing different results is because they're taking different paths. Once you understand the paths you'll understand the variances.
The goal would be for industry standardization or maybe even a third party to come in and act as middleware to offer standardization. Is that even possible?

Hacker Culture

1 augusti 2019 | 25 min

Bad Best Practices

25 juli 2019 | 24 min

Cyber Harassment

18 juli 2019 | 24 min

All images and links are available on CISO Series (https://cisoseries.com/defense-in-depth-cyber-harassment/)

Whether a jilted lover or someone trying to wield their power over another, cyber harassment takes many forms and it doesn't stay in the digital world. It comes into our real world and gets very dangerous. What is it and how can it be thwarted?

Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Parry Aftab (@parryaftab), founder of StopCyberbullying Global.

Thanks to this week’s podcast sponsor, Endgame

Endgame makes endpoint protection as simple as anti-virus. Their converged endpoint security platform is transforming security programs - their people, processes and technology - with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com.

On this episode of Defense in Depth, you'll learn:

You can be public or anonymous in your effort to stop cyber harassment.
If you are public about your efforts, you are putting yourself out there to be a target for harassment yourself. Our guest has received death threats and also been SWATted.
Cyber harassment can be devastating to the one who is being attacked. The fear of it can stay with you for years even after it's been "resolved."
Traditional response to cyber harassment is to stop, block, and tell.
Ignoring is one technique, but it doesn't always work if they're trying to blackmail you.
Cyber harassers can often just be bored. They're looking for something to do and sending death threats can be "fun."
Cyber harassers are looking for attention. It could be a situation of an employee feeling they weren't given the promotion they wanted or a jilted lover who's looking for revenge.
One best technique for prevention is early detection. Do regular Google searches of your name and all your online handles to see if someone is starting to mess with your online reputation.

CISO Series One Year Review

25 juni 2019 | 28 min

Economics of Data

25 juni 2019 | 28 min

Tool Consolidation

19 juni 2019 | 24 min

All links and images can be found on CISO Series (https://cisoseries.com/defense-in-depth-tool-consolidation/)

While cybersecurity professionals always want more tools, more often than not they're dealing with too many tools delivering identical services. The redundancy is causing confusion and more importantly, cost. Why should you pay for it? How does it happen and how do InfoSec leaders consolidate tools?

Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Adam Glick, vp, cybersecurity, Brown Brothers Harriman.

Thanks to this week’s podcast sponsor, SpyCloud.

Learn more about how you can protect employees and customers from account takeover with SpyCloud.

On this episode of Defense in Depth, you'll learn:

The tools bloat problem does not happen overnight.
Often you have no choice with tools bloat. It's a function of the industry that companies add new capabilities and they acquire companies so you start to get redundancy even if you didn't plan on it.
You can run into the trap of having excellent independent tools, but then they cause overlap and because they're independent and not integrated you eventually fall on the side of going with the lesser tool because it has integration with other capabilities.
Best of breed doesn't sit still. It starts to morph and doesn't necessarily become the best anymore.
Even if you did a great job consolidating, you can't set it and forget it. Given the industry's behavioral morphs and your growing needs, you'll need to revisit the issue at least once or twice a year.
You need to do a tools audit.
A lot of political issues will come into play as people will defend the tools they love, built upon, and use. If you can't figure out a way to mediate, you'll need to hire a third party to do the audit and make the assessment.
Integration is critical. If there aren't APIs and other ways for the tools to communicate, it doesn't matter how awesome it is, the tool will need to be dumped.

Camry Security

12 juni 2019 | 22 min

Links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-camry-security/)

The Camry is not the fastest car, nor is it the sexiest. But, it is one of the most popular cars because it delivers the best value. When CISOs are looking for security products, are they also shopping for Camry's instead of "best of breed" Cadillacs?

Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Lee Vorthman (@leevorthman), sr. director, global security engineering and architecture, Pearson.

Thanks to this week’s podcast sponsor, SpyCloud.

Learn more about how you can protect employees and customers from account takeover with SpyCloud.

On this episode of Defense in Depth, you'll learn:

CISOs have budgets and they simply can't purchase the most expensive and best option for every InfoSec need. Good enough is often exactly what they want.
It's often not possible to take advantage of all the features on a Cadillac-type security product. So you end up paying for shelfware, or tools that never end up being used.
The tool's complexity factors into the cost. This is often an argument against open source software which has been branded, most often by the proprietary software community, as "tough to use."
Each tool creates a new demand on your staff in terms of time and complexity. What new costs are you introducing by acquiring and deploying a new tool?
"Best of breed" everything can also turn into an integration nightmare.
If you don't need everything a company is trying to offer, try to de-scope the requirements.
Some companies are so big that they have no choice but to purchase the Cadillac for everything since so many departments will need access to the tool. It's far too complicated to create an RFP that takes into account everyone's needs. To speed access to the tool these large companies just get the product that "does everything" and then let all the departments "have at it" once it's available for use.

Amplifying Your Security Posture

4 juni 2019 | 27 min

All links and images can be found on CISO Series (https://cisoseries.com/defense-in-depth-amplifying-your-security-posture/)

In security, you never have enough of anything. But the scarecest resource are dedicated security people. When you're running lean, what are some creative ways and techniques to improve overall security?

Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Matt Southworth (@bronx), CISO of Priceline.

Thanks to this week’s podcast sponsor, SecurityBridge

Advanced cybersecurity for SAP, from codebase to production. Powered by anomaly detection, detect threats in real-time so that they can be remediated before any harm is done. Eliminate false-positives and focus on actionable intelligence. Ensure compliance with direction to actual vulnerabilities, with amazing intelligence dashboards guiding remediation.

On this episode of Defense in Depth, you'll learn:

When you manage too many people you get to a point of saturation. Are you doing security or are you managing people?
Core success comes from looking outside your immediate staff for security help. Most common programs are Security Champions and Security Prime. The first are just people outside of the InfoSec team who really want to learn about security, and the Prime players are actually implementing it.
Look for ways to reduce overheard in terms of paperwork, meetings, and unnecessary programs. If what you're doing is not helping, stop doing it.
Empower individuals to make their own decisions about security without the chain of command of approvals.
Avoid giving orders, because once you do you'll always be called into a meeting on that topic.
Use artificial intelligence (AI) to take work off of the security operations center (SOC) and incident response team.
The "lazy" sysadmin who automates all his tasks is a highly productive member.
Communicate to everyone that security requires the entire company's support, not just the security staff.

And here's Jan Schaumann's presentation at BsidesNYC 2016 entitled "Defense at Scale". Matt mentioned it on the show.

ERP Security

30 maj 2019 | 22 min

Managing Obsolete (Yet Business Critical) Systems

22 maj 2019 | 28 min

All links and images from this episode can be found at CISO Series (https://cisoseries.com/defense-in-depth-managing-obsolete-yet-business-critical-systems/)

Obsolete systems that are critical to your business. They're abandoned, unpatchable and unmanaged. We've all got them, and often upgrading is not an option. What do you do?

Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Mitch Parker (@mitchparkerCISO), Exec. Director, InfoSec and Compliance, Indiana University Health.

Thanks to this week’s podcast sponsor, SecurityBridge

Advanced cybersecurity for SAP, from codebase to production. Powered by anomaly detection, detect threats in real-time so that they can be remediated before any harm is done. Eliminate false-positives and focus on actionable intelligence. Ensure compliance with direction to actual vulnerabilities, with amazing intelligence dashboards guiding remediation.

On this episode of Defense in Depth, you'll learn:

This issue appears to affect every security and IT person. At one time they've all had to deal with it.
Obsolete technology should not be treated like any new technology. It needs to be isolated.
Lots of great advice from the community regarding containing the outdated technology through firewalls, air gapping, segmenting, virtual machines, and a jump box.
Constantly measure the risk of not just intrusion of the outdated technology, but the cost of keeping the thing running as you can't rely on outside support or updates.
As you're reporting the risk, constantly push for solutions to end reliance on this outdated technology.
The obsolete technology is often an expensive and critical piece of hardware that's difficult if not impossible to replace.
The UK National Cyber Security Center has some great guidance on what to do with obsolete platforms.

Cybersecurity Hiring

16 maj 2019 | 26 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cybersecurity-hiring/)

Everyone needs more security talent, but what kind of talent, how specialized, and what kind of pressure is hiring requirements putting on security professionals?

Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is one our favorite InfoSec gadflies, Greg van der Gaast.

Thanks to this week’s podcast sponsor, Morphisec

Detection-based security technologies are by definition reactive, responding to threats after they’ve hit. Morphisec takes an offensive strategy to advanced attacks, dismantling the attack pathways to prevent an attack from ever landing. No detection, no hunting, no clean-up. Watch the on-demand webinar to see how it works. More at www.morphisec.com.

On this episode of Defense in Depth, you'll learn:

Specialization also veers towards simplifying as Greg said, "A lot of middle of the road positions are being narrowed and dumbed down in a push towards commoditization."
Is the collection of so many tools pushing us to more specialization? Have we created our own hiring problem?
There are needs for specialists and generalists in cybersecurity. The issue is where do you find the balance from the creation of your toolset to your hiring?
Too many open positions for security analysts which isn't a defined role. Sometimes there's an inherent laziness in hiring managers just wanting "a security person" and not understanding their environment as to what they really need.
Greg notes that "you can often tell how broken an infosec organisation is just by looking at the job roles they're looking to fill and the job descriptions."
If you're developing a tech stack and then looking for people to manage it, that is the reverse way you should be building a security program.
Students are eager to learn, but degrees are useless when companies are hiring for specific tools.

How CISOs Discover New Solutions

9 maj 2019 | 29 min

Find images and links for this episode on CISO Series (https://cisoseries.com/defense-in-depth-how-cisos-discover-new-solutions/)

Are security professionals so burned out by aggressive cybersecurity marketing that they're giving up on discovering new and innovative solutions? What are the best ways for cyber professionals to discover new solutions?

Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Yaron Levi (@0xl3v1), CISO, Blue Cross and Blue Shield of Kansas City.

Thanks to this week’s podcast sponsor, ComplianceForge

ComplianceForge is a business accelerator. ComplianceForge offers a full-stack of cybersecurity documentation that ranges from policies and standards, to controls, metrics, procedures and program-level documentation to provide evidence of due diligence in managing risk, vulnerabilities, secure design and other pertinent areas that requires clear and concise documentation.

On this episode of Defense in Depth, you'll learn:

The two tactics of carpet bombing with marketing emails and cold calls are universally hated, but they must produce results and that's why they continue.
If a CISO wants to discover new solutions, they must expose themselves somehow to what's out there. New solutions aren't magically going to land in your lap.
Many CISOs rely on their networks of CISOs but that can limit your thinking if none of the CISOs are willing to venture outside of the group.
Don't rely on your own discovery. Task your staff members to do it as well. Encourage and reward the showing of new ideas to the group which can and will foster disruption and innovation.
You need a trusted partner, a reseller, or a vendor who can be your eyes and ears. Finding that trusted partner doesn't come easily, but when you find it, hold onto it because you're going to need them.
Your trusted partner should be proactive about giving you quarterly updates.
Large conferences and vendor emails act as touch points, but they don't act as a valuable source of information.
Engage in smaller local conferences where you can meet and build trust with your local experts.
If you do go to a large conference, and you walk the trade show floor, aim for the edges where you find the smaller companies.
Best advice for CISOs was to create a form for vendors to fill out if they want the chance to meet with you.
Yelp-like review sites have questionable credibility, but they are a touch point in tool discovery. Lean on podcasts and discussion groups, such as Slack.

Is the Cybersecurity Industry Solving Our Problems?

1 maj 2019 | 30 min

Find all links and images from this episode on CISO Series (https://cisoseries.com/defense-in-depth-is-the-cybersecurity-industry-solving-our-problems/)

Is the cybersecurity industry solving our problems? We've got lots of new entrants. Are they doing anything new, or just doing the same thing slightly better?

Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest this week is Taylor Lehmann (@BostonCyberGuy), CISO, Wellforce.

Thanks to this week’s podcast sponsor, Remediant

Eighty one percent of cyberattacks utilize stolen administrative credentials. Yet, legacy enterprise password vaults solve only a fraction of the problem and are difficult to rollout. Remediant's SecureONE takes a new approach to privileged access management: offering agent-less, vault-less, continuous detection and just-in-time-administration. Learn what Remediant can do in a half-day POC deployment.

On this episode of Defense in Depth, you'll learn:

Industry is just growing symptoms to core issues.
The cybersecurity industry is motivated by marketplace which justifies investment. As one might expect many security solutions are just hyped rather than built on innovations.
While many of our listeners are rather savvy, we expect most purchases are reactive rather proactive. And if this continues, then the profit-minded vendors will still deliver reactive-based solutions.
We've got a radical increase in problems. We're just chasing the problems by spending more money.
Security people know that the solution is people, process, and technology, but far too often we're looking for a 'box' to solve our problems. We don't look at the tougher challenge of people and processes.
So much of the security market is reactive in its purchase decision. To improve your success rate in cybersecurity you need to be forward-thinking about building out your security program and your spend.
One area of opportunity that not enough companies are taking advantage of is offering dramatically cheaper solutions than alternatives even though they don't perform as well. There is a definite market for those types of solutions.
We always lean on security products to solve our problems rather looking internally at our people and processes.
There is always a losing comparison between attackers and defenders. An attacker can come up with a new variant of attack in minutes to hours. Defenders in enterprises often take months to implement patches for known vulnerabilities.

Vulnerability Management

25 april 2019 | 21 min

Privileged Access Management

17 april 2019 | 25 min

Machine Learning Failures

10 april 2019 | 32 min

Software Fixing Hardware Problems

4 april 2019 | 23 min

The full post (if you're not seeing links and images) can be found here (https://cisoseries.com/defense-in-depth-software-fixing-hardware-problems/)

As we have seen with the Boeing 737 MAX crashes, when software tries to fix hardware flaws, it can turn deadly. What are the security implications?

Thanks to this week’s podcast sponsor, Unbound Tech

Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode Dan Glass (@djglass), former CISO for American Airlines.

Founded in 2014, Unbound Tech equips companies with the first pure-software solution to protect cryptographic keys, ensuring they never exist anywhere in complete form. By eliminating the burden of hardware solutions, keys can be distributed across any cloud, endpoint or server to offer a new paradigm for security, privacy and digital innovation.

On this episode of Defense in Depth, you'll learn:

The reason the Boeing 737 MAX airplane crashes are such a big story is airplanes don't usually crash because the airline industry is ingrained in a culture of safety.
Even though safety culture is predominant in the airline industry , there were safety features (e.g., training for the pilots on this new software correcting feature) that were optional for airlines to purchase.
Software is now in charge of everything. What company is not a digital company? We can't avoid the fact that we have software running our systems, even items that control our safety.
The software industry does not operate in a safety culture like the airline industry.
Is this just a data integrity issue? Is that the root cause of problems? How do we increase the integrity of data?
Can we override software when we believe it's making a bad decision? Allan brought up one example of a friend who tried to swerve out of his lane to avoid something in the road. The self-driving car forced him back in his lane and he hit the thing he was trying to avoid. Fortunately, it was just a bag, but what if it was a child? The self-correcting software didn't let him takeover and avoid the object in the road.

Tools for Managing 3rd Party Risk

28 mars 2019 | 25 min

CISO Burnout

21 mars 2019 | 27 min

RSA 2019: Success or Failure?

14 mars 2019 | 30 min

Security IS the Business

7 mars 2019 | 26 min

Threat Intelligence

27 februari 2019 | 21 min

Secure Controls Framework

21 februari 2019 | 25 min

Insider Threats

14 februari 2019 | 21 min

Building an Information Security Council

7 februari 2019 | 24 min

Privacy

31 januari 2019 | 29 min

Security Metrics

23 januari 2019 | 24 min

Welcome to Defense in Depth

21 januari 2019 | 1 min

Defense in Depth

Defense in Depth promises clear talk on cybersecurity’s most controversial and confusing debates.

Om podden

Avsnitt

The Argument For More Cybersecurity Startups

How Are New SEC Rules Impacting CISOs?

Managing the Risk of GenAI Tools

Defending Against What Criminals Know About You

Will We Ever Go Back From Work From Home?

The Lurking Dangers of Neglected Security Tools

When You Just Can't Take It Anymore in Cyber

Is It Possible to Inject Integrity Into AI?

Are Phishing Tests Helping or Hurting Our Security Program?

​​Who Is Responsible for Securing SaaS Tools?

Hiring Cyber Teenagers with Criminal Records

What's Working With Third-Party Risk Management?

What Triggers a CISO?

Information Security vs. Cybersecurity

Should Deny By Default Be the Cornerstone of Zero Trust?

What Is a Field CISO?

Cybersecurity Is a Communications Problem

Do Companies Undergoing a Merger or Acquisition Get Targeted for Attacks?

Telling Stories with Security Metrics

Securing Identities in the Cloud

How AI Is Making Data Security Possible

What Makes a Successful CISO?

We Want a Solution to Remediate, Not Just Detect Problems

Recruiting from the Help Desk

How Do We Build a Security Program to Thwart Deepfakes?

Where Are Secure Web Gateways Falling Short?

Understanding the Zero-Trust Landscape

Scaling Least Privilege for the Cloud

Should CISOs Be More Empathetic Towards Salespeople?

Managing Data Leaks Outside Your Perimeter

What Are the Risks of Being a CISO?

Onboarding Security Professionals

How to Improve Your Relationship With Your Boss

Improving the Responsiveness of Your SOC

The Demand for Affordable Blue Team Training

Why are CISOs Excluded from Executive Leadership?

What Is Your SOC's Single Search of Truth?

When Is Data an Asset and When Is It a Liability?

Tracking Anomalous Behaviors of Legitimate Identities

Why Do Cybersecurity Startups Fail?

Is "Compliance Doesn't Equal Security" a Pointless Argument?

CISOs Responsibilities Before and After an M&A

Use Red Teaming To Build, Not Validate, Your Security Program

The Do's and Don'ts of Approaching CISOs

Doing Third Party Risk Management Right

Warning Signs You're About To Be Attacked

Do We Have to Fix ALL the Critical Vulnerabilities?

Mitigating Generative AI Risks

Building a Cyber Strategy for Unknown Unknowns

Responsibly Embracing Generative AI

People Are the Top Attack Vector (Not the Weakest Link)

What's Entry Level in Cybersecurity?

New SEC Rules for Cyber Security

The Value of RSA, Black Hat, and Mega Cyber Tradeshows

Is Remote Work Helping or Hurting Cybersecurity?

How to Manage Users' Desires for New Technology

Cybersecurity Questions Heard Around the Kitchen Table

How to Prime Your Data Lake

Getting Ahead Of Your Threat Intelligence Program

How Security Leaders Deal with Intense Stress

How Do We Influence Secure Behavior?

Security Concerns with ChatGPT

Create A Pipeline of Cyber Talent

Improving Adoption of Least Privileged Access

Securing SaaS Applications

How Do We Get Better Control of Cloud Data?

Finding Your Security Community

Let's Write Better Cybersecurity Job Descriptions

How Should Security Better Engage with Application Owners?

How To Get More People Into Cybersecurity

How to Create a Positive Security Culture

How Should We Trust Entry Level Employees?

How Must Processes Change to Reduce Risk?

Reputational Damage from Breaches

Do RFPs Work?

Successful Cloud Security

Who Is Responsible for Securing SaaS Tools?