BREAKING: “Department of No” Upgraded to “Department of Slow”
How can security teams do their jobs without seeming like an impediment to developers? This relationship can seem oppositional. But how can both sides work together to better secure software without seemingly like a road block?
This week’s episode is hosted by me, David Spark , producer of CISO Series and Mike Johnson , CISO, Rivian . Joining us is our sponsored guest, Nadav Lotan , product management team leader, 思科 .
Where are we using AI right now?
Stop me if you’ve heard this before, but I think AI might be a bit of a thing. Sarcasm aside, we hear a lot about the potential for LLMs across the enterprise. We’re starting to see these systems going into production, as outlined by Shweta Sharma in CSO Online . But what are people using them for at this moment? One place is making security solutions more accessible, like allowing users to run complex queries using natural language. At the moment, chatbots seem to be the most obvious use cases. Their ability to understand intent opens the door to a lot of productivity solutions, and also a lot of chances for misuse. There is the looming threat of prompt injections. Even if they protect against data loss, getting a chatbot to respond poorly can still be bad for optics.
Securing development without becoming a roadblock
Security folks get mad at developers for not caring about security. But as was pointed out in our recent cybersecurity subreddit AMA, organizations incentivize product managers to ship on time, not to ship secure code. So how do we create a structure and incentives to change that? This can start by security working with developers to build reusable secure software components, making it easier down the road to build apps. Organizations can also frame secure development as a way to speed overall time to market, with less duplicate work needed to fix critical issues in production software. Ultimately, security needs to approach developers as a way to make their jobs easier and more productive.?
Are platform plays played out??
The typical argument for going with a platform of tools versus best in breed comes down to integration and cost. This can lead some to argue that platform plays aren’t “good enough” solutions on their own. But Mike Johnson pointed out this misses the opportunity to build a relationship with a platform provider as a partner rather than as one of many vendors. Nadav Lotan also pointed out that more organizations than ever need end-to-end visibility across their IT stack, something much easier to do with a platform play, versus adding yet another vendor to the mix.
Who makes policy for the policymakers?
One use case for LLMs we didn’t discuss earlier in the show was writing policy. But that’s exactly what Alex Haynes, CISO at IBS Software did in a piece for Dark Reading. He found tools like Google Bard to be a great resource for creating more human readable policies that still hold water. And since Bard and ChatGPT are available to anyone, if a CISO doesn’t take the time to make policies more understandable, their users will do it anyway. The next evolution of this is using LLMs to synthesize documentation and practices an organization already uses to create the basis of a policy they are already following. This could allow policies to be statements of actual practice rather than purely aspirational.?
Listen to the full episode over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to our contributor Jaike Hornreich, SDG Corporation for supplying the What’s Worse?! scenario.?Thanks to Panoptica: Cisco Cloud Application Security
Huge thanks to our sponsor, Cisco Panoptica
What I love about cyber security…
"I love the fact that as engineering groups are heading towards adopting technologies to make better products and better experiences, we, as security teams, must adopt and make sure that we align with them, and support them, and make sure that we don’t put any business risk alongside the technology." - Nadav Lotan, product management team leader, Cisco
The Demand for Affordable Blue Team Training…
"What I really like about this blue team/red team conversation though is that a lot of modern organizations have a purple team where people will rotate in and out, they will collaborate, they will simulate the adversary, but then they will also kind of try to be more mature about just avoiding the stereotype of the red team breaks in and makes the blue team work the weekend." - Ron Gula, president and co-founder, Gula Tech Adventures
Listen to full episode of "The Demand for Affordable Blue Team Training."
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily?Cyber Security Headlines?newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
领英推荐
CISO Series Newsletter?- Twice every week
Cyber Security Headlines Newsletter?- Every weekday
Cyber Security Headlines - Week in Review
Make sure you?register on YouTube?to join the LIVE "Week In Review" this Friday for?Cyber?Security?Headlines?with?CISO Series?reporter Richard Stroffolino .?We do it this and every Friday at 3:30 PM ET/12:30 PM PT?for a short 20-minute discussion of the week's cyber news. Our guest will be ???? Gerald Auger, Ph.D. , chief content creator, Simply Cyber . Thanks to Vanta .
Thanks to our Cyber Security Headlines?sponsor, Vanta
Using Evidence for Third-Party Risk Management
No one likes third-party risk management. Part of that is a reliance on third-party questionnaires, static documents that almost never are timely or give you enough information. We need to move on to evidence-based third-party risk decisions, argues Paul Valente , CEO and co-founder, VISO TRUST . No one is saying this is easy, but it’s the most reliable way to assess third-party risk.
Check out this preview of our Super Cyber Friday event happening this Friday, March 22, 2024. Our topic will be “Hacking Effective Third-Party Risk Management: An hour of critical thinking of going beyond questionnaires and ratings.”
Joining me and Paul will be Arkadiy Goykhberg , CISO, Branch .
It all starts at 1 PM Eastern/10 AM Pacific. At the end of the hour [2 PM Eastern/11 AM Pacific] we’ll switch gears to our meetup where everyone will get a chance to chat face to face. Join us!
Thanks to our Super Cyber Friday sponsor, VISO TRUST
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at?cisoseries.com.
Interested in sponsorship,?contact me,?David Spark.
Neurodivergent | Information Security Officer @ SG Computers Inc. |
6 个月In today's CISO Series episode, I'm grateful to David for highlighting the importance of AI and LLMs, tools that have been pivotal for someone like me, facing challenges like ADHD and dyslexia. These technologies have transformed my communication ability, overcoming barriers that once limited my career progression in IT and InfoSec. My journey underscores the value of leveraging available resources to surmount personal obstacles. Embrace technology—it's a game-changer for overcoming challenges and achieving your potential.
Founder, Comm Sutra l Hiring PR & Communication professionals
6 个月Tasneem PedhiwalaTaj