Elvis Is Alive and He’s Reusing Your Passwords
Often, news reports about a company data leak originate with the threat actors who perpetrated the attack. News organizations can be quick to pick up reports that an organization suffered a data leak, even when they come from these unreliable sources. So what should a company do when its name is in the press, but it didn't actually suffer a security incident? How much difference is there in responding to a fake data breach versus a real one?
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, operating partner, YL Ventures. Joining us is our guest, Bob Schuetter, CISO of Ashland.
Dealing with a fake data breach
Data breaches are bad enough when they are real. You have to alert stakeholders and regulators, deal with the immediate crisis, and resolve the underlying issues that caused it. But what about when a threat actor claims a data breach occurred when it didn’t actually happen? Much of the time the steps a CISO has to take are the same as for a legitimate breach, cautioned Rosalyn Page in a CSO Online piece. For CISOs, the key is to assume the breach until proven otherwise: validate your own infrastructure and the claimed data against what you actually hold before you start judging whether this is a legitimate incident.
Starting a new vendor relationship?
When it comes to vendors, bigger isn’t always better. In fact, research from CISO Circuit found that some CISOs will only meet with early-stage startups, hoping to find a technological edge and perhaps an ownership stake over time. While some CISOs may prefer smaller and more nimble vendors, CISOs working for public companies often don’t have that luxury. This can mean going with more established vendors that offer less innovation but a much longer track record.
A CISO interview strategy
We talk a lot about the unique path it takes to land a CISO role, but less discussed is what CISO candidates should consider when interviewing for the position. That question came up on the cybersecurity subreddit, and commenters prioritized getting an understanding of an organization’s existing security strategy and a handle on what kind of mandate the incoming CISO will have. Regardless of the specific questions, the goal should be to establish what level of maturity the company’s cybersecurity program is operating at, and whether that aligns with your comfort level.
When do CISOs get involved with sales?
When it comes to CISOs, do we need to add another S to the acronym for "sales"? The vast majority of CISOs in a Checkmarx survey have been pulled into sales-related engagements, with about half saying it happens “very often.” In very real ways, this came about because security is now a supply chain issue, where the risk of a third party being taken down by a cyberattack has a big impact on your business. When framed that way, it makes more sense why CISOs increasingly see sales involvement.
Listen to the full episode over on our blog, where you can read the entire transcript, or on your favorite podcast app. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now. Thanks to Thoropass.
Huge thanks to our sponsor, Thoropass
Best advice for a CISO…
"Fundamentally, our real job and the responsibility we have is not to actually mitigate risk. It's actually to fundamentally transform risk-taking from downside risk to upside risk that has business value, right? Things that the company can actually go forward with and make more money out of." - Bob Schuetter, CISO, Ashland
The Do's and Don'ts of Approaching CISOs
“For me, that’s the key to success. It’s establishing these meaningful business relationships. You’re probably not going to be at that vendor forever. You’re probably going to be at that technology forever. I’m probably not going to be at my company forever. Having these relationships we can lean on throughout a long career is where you’re going to find the success. So, establishing that relationship, building that rapport, and just driving to mutual benefit at that point.” - Adam Glick, CISO, PSG
Listen to full episode of "The Do's and Don'ts of Approaching CISOs."
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
LIVE! Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Jerich Beason, CISO, WM. Thanks to Savvy.
Thanks to our Cyber Security Headlines sponsor, Savvy Security
What's Broken With Security Audits?
It doesn't take much prompting to get a security professional to say audits are broken. But where specifically are they failing? Leith Khanafseh of Thoropass sees organizations plagued with too many overlapping audits that take up far too much time, largely due to antiquated methods of evidence collection. This is a preview of our Super Cyber Friday event happening this Friday, January 19, 2024. Our topic will be “Hacking Security Audits: An hour of critical thinking on how to improve this vital process.”
Joining me and Leith for the event will be Rose Songer, CISSP, director, IT and compliance, Spring Health.
It all starts at 1 PM Eastern/10 AM Pacific. At the end of the hour [2 PM Eastern/11 AM Pacific] we'll switch gears to our meetup where everyone will get a chance to chat face to face. Join us!
Thanks to our Super Cyber Friday sponsor, Thoropass
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.
Reader comment (10 months ago), from a commenter whose profile reads "Mom of 3 w/autism | Solutions Architecture Auditor | Award-Winning professor | CvCISO | Decreasing Business Risk is a Lifestyle | #GINAS non-profit Woman of the Year | IAM, Board x 3 | CvCISO, PMP, CSSBB, SAFe, Scrum":
Never have I ever burst into laughter from the title of a LinkedIn article. You win, @David Spark!