Dear Abby: Should I Sell to a CISO During a Cyberattack? (LIVE in Silicon Valley)

It seems inevitable. Whenever there’s a high profile cyberattack, salespeople come out of the woodwork asking if the affected CISO would like to see their product which would have helped prevent the attack. We recently saw this occur while a victim was actively dealing with an attack. These sales tactics are universally derided. Is there any way for a vendor to positively reach out to victims after a cyberattack??

This week’s episode is hosted by me, David Spark , producer of CISO Series and Mike Johnson , CISO, Rivian . Joining us is our guest, Kurt Sauer , CISO, Docusign .?

We recorded in front of a live audience at Microsoft’s offices in Mountain View, CA as part of the ISSA-Silicon Valley chapter meeting. Check out more photos from the event.

Selling to CISOs after an incident

The day of a major cybersecurity incident is likely one of the worst days on a job for a CISO. So why do so many vendors take that as a green light to send out a cold sales call? This recently happened to a CISO in our community. Despite a near universal revulsion to this type of ambulance chasing, do vendors do this? because it works? And even if this isn’t a remotely appropriate sales tactic, if a vendor doesn’t work with a CISO, is there anything they can do to help a CISO after an incident??

How should CISOs look at IP?

We always talk about the changing role of a CISO. But the advent of generative AI puts securing IP more clearly into focus. We’ve seen companies become hesitant to embrace LLMs over fears employees may leak IP. In a recent video, Sounil Yu , creator of the Cyber Defense Matrix , and I discussed how CISOs might look at IP as an asset to spend like money. Instead of looking at all IP as equally valuable and trying to prevent all leaking, what if CISOs acted as something akin to a CFO of IP. Rather than securing all of it, CISOs would understand the value of different IP and look where each could be strategically spent.?

When leadership becomes a liability

One of the key ways to keep an organization secure is by developing and maintaining a productive security culture. But this begs the question, if we have security cultures, can we also have insecure cultures? Tyler J. Farrar and Gianna Driver went deep on this topic in a recent article on Dark Reading . This isn’t by design by company leadership, but company culture can serve to be a security liability when it encourages a lack of communication about security issues, or toxic leadership pushes employees to the point of becoming insider threats. Having all the mechanisms in place for a security culture doesn’t do any good if employees don’t feel empowered to use it.??

Busting security myths

While we like to think cybersecurity is always a practice grounded by fact and reason, there is unquestionably a lot of inherent knowledge that doesn’t hold up to scrutiny. Whether believed by management or by security teams themselves, there are a lot of security myths out there, which we discovered on a recent post on the Cybersecurity subreddit. Some of these come down to annoying buzzwords and vendors promising “seamless integration” always seem to touch a nerve. Sometimes this remains bluster, but even more dangerous is when a vendor actually believes some of these myths at their core.?

Listen to the full episode over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.

Thanks to all our other witting contributors: Dr. Dustin Sachs, DCS, CISSP, CCISO of World Fuel Services and Osman Young of SETECH Astronomy (pseudonym), Brian Roth of SlashNext , Siwei Dodge of Check Point Software , Hemam Muthyala , CISO, SPAN , Siva Vadakandra of Neptune Retail Solutions , Jason Quiles of SlashNext , and Alice S. of Kiteworks . Thanks also to Veza and Sysdig .

Huge thanks to our sponsors, Veza, Sysdig, and Slashnext

Biggest mistake I ever made in security...

"That was when I moved from a large organization to a small one and decided to take on too much stuff. Moving from a 300-person organization to a 10-person organization requires a different set of focus." - Kurt Sauer, CISO, Docusign

Building A Cyber Strategy For Unknown Unknowns

"One of the first questions you ask is where are my affected assets.That key preparation and knowing how your own network is mapped out, knowing that data is something you can prepare in advance… But the reality is that a lot of orgs don’t have the tools to understand that question. But it is definitely something that you can proactively respond to." -? Himaja M. otheram, security researcher, Censys

Listen to full episode of "Building A Cyber Strategy For Unknown Unknowns."

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily?Cyber Security Headlines?newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter?- Twice every week

Cyber Security Headlines Newsletter?- Every weekday

Join us?Friday [12-08-23], for "Hacking Cyber Resilience"

Please join us on Friday, December 8th, 2023 for Super Cyber Friday.

Our topic of discussion will be “Hacking Cyber Resilience: An hour of critical thinking of shifting the risk conversation to maintaining business continuity during a cyber attack.”

Register for 12-08-23 episode of Super Cyber Friday, "Hacking Cyber Resilience."

Joining me, for this discussion will be:

• Brian Spanswick , CISO/CIO, Cohesity
• TC Niedzialkowski , CISO, Nextdoor

Thanks to our Super Cyber Friday sponsor, Cohesity

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at?cisoseries.com.

Interested in sponsorship,?contact me,?David Spark.