Failure Is The Likely Option

This show was recorded in front of a live audience in New Orleans as part of the BSidesNOLA 2023 reboot conference. The episode features me, David Spark, host and producer of CISO Series. My guest co-host is my former co-host, Allan Alford, CISO for Precedent and host of The Cyber Ranch Podcast. Our guest is Mike W., corporate CISO for General Electric.

We always say, “trust but verify,” but how do you actually verify? This was a question Allan posted to LinkedIn, and many people really struggled with it. Like everything in security, verification is not a one-and-done effort. It requires continuous checking, and most importantly, it works best when the vendor does the verification for you, so you don’t have to keep asking for it.

When it comes to cutting the cybersecurity budget, make sure you’re already in the mind of the CFO. It’s important that the CFO understands the impact budget cuts have on a security program. Less security will affect the company’s risk profile. So before budget time rolls around, make sure you’re already in conversation with the CFO so that you understand their world and they understand your world. If something gets cut, the CFO has to accept that the company will be opening themselves up to more risk in that specific area.

Even if you do it just a little, you’ll get burned if you stretch the truth about your product’s capabilities. Allan posted about the danger of vendors waffling even a little on their capabilities; it can quickly venture into snake oil. This often happens when there’s a lack of alignment between marketing and engineering. When communication is poor between those creating and delivering the product or service and those communicating about its capabilities, problems are inevitable. Better alignment is necessary so as not to slide into snake oil. What should engineering be telling marketing, and what should marketing be asking for if they're not getting it?

What’s the difference between a good cybersecurity professional and a great one? This question was asked on the cybersecurity subreddit. The most popular responses included: have technical knowledge, don't be the boy who cried wolf, don't try to be the hero, be willing to own up to your mistakes, and, the most popular answer, communication skills and charisma, because you're going to need to do a lot of persuading.

Listen to the full episode here, over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.

Huge thanks to all our contributors (witting, unwitting, and those who were there live with us in New Orleans): Rob Demain of e2e-assure, Evan Schuman of Dark Reading, Chris Shull, CISO, Washington University in St. Louis, Dr. Dustin Sachs DCS, CISSP, CCISO of World Fuel Services, Peder Angvall of Fastly, Ben Smith of NetWitness, Charles Payne of CISOevents, Loy Evans of theom, Ricky Allen of CyberOne, and Ryne Davis of Navy Federal Credit Union.

Thanks to our podcast sponsors, Conveyor, Nightfall AI, and Rapid7.


Reputational Damage from Breaches...

"For the healthcare industry, this is something that we always worry about. We know that there are fines, we understand that we have to take care of those fines, but at the same time the most important for us is making sure that we take care of the organization's reputation, so we work every day to make sure of that." - Cecil Pineda, CISO, R1 RCM

Listen to full episode of "Reputational Damage from Breaches"

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

Cyber Security Headlines Newsletter - Every weekday

Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Howard Holton, CTO, GigaOm.

Thanks to our Cyber Security Headlines sponsor, Barricade Cyber Solutions


We Want Guidance on How to Manage Risk

"People in the GRC world, we like frameworks, and we like checklists. We like a clear model," said Meghan Maneval, director of technical product management, ZenGRC. "And risk management just doesn't have that." It's frustrating because everyone wants a better understanding of what their risk is.

In this video, Meghan and I talk about this frustration, all as a tease for the chat we're going to be having this Friday (June 2nd, 2023) for Super Cyber Friday: “Hacking the Future of Risk Management: An hour of critical discussion on how we need to evolve our measurement and reduction of risk.”

>> Register for 6-2-23 episode of Super Cyber Friday <<

Joining me and Meghan will be Jo-Ann Smith, CISO, Long View Systems.

It all starts at 1 PM Eastern/10 AM Pacific. At the end of the hour [2 PM Eastern/11 AM Pacific] we'll switch gears to our meetup where everyone will get a chance to chat face to face.

Thanks to our Super Cyber Friday sponsor, ZenGRC


Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.

Dr. Dustin Sachs DCS, CISSP, CCISO

Bridging Behavioral Science & Cybersecurity | Enhancing Security Leaders’ Decision-Making | Cyber Risk Strategist | Keynote Speaker | Author

1 year

Okay... so what I learned from this episode is that I need to become Facebook friends with Allan Alford’s mom!

Tracy Schwarzman

Experienced IT & Cyber Risk Specialist, IAM GRC Leader Thinking like a CISO while striving to be the change I wish to see

1 year

Great episode!

Diane M. Janosek, PhD, JD

Global Cybersecurity Leader. CEO Janos LLC. Named 2024 Top CISO & Cyber Leader! Practices at intersection of Technology, Law, Compliance & Policy. CISSP & LPEC certified (Ethics/ Compliance). Website dianejanosek.com

1 year

Great article! Loved point about charisma!

Those are really good points. I especially like #3. Marketecture is incredibly dangerous and I don't think companies realize this. When you stretch the truth of your product's capabilities and we (the customer) find out, you undo any trust that was built. As a CxO (CTO, CIO, CISO) I ONLY buy trust. Those I trust I carry from organization to organization, and conversation to conversation. Do not destroy trust.

Rob Demain

CEO & Founder | SOC, MDR, XDR

1 year

In the MDR/SOC business one way to 'trust but verify' is to test the detection and response provided by the service by simulating attacks. This is something we have started to do to address this and provide validation that the service works as expected – i.e. run a set of tests during onboarding and then at regular intervals that prove detections and response work. As you mention, it does need to be regular and ideally continuous in order to be most effective, and the tests/simulations need to be continually updated too in order to keep pace with attacker techniques. In terms of supplier/customer responsibilities it works well if the supplier of the service provides their standard set of validations and then the customer works with them to address any specifics... best to work together, as when validation fails it's generally something customer-side that's the cause. This is why it's important to run the simulations on the customer's network/devices as opposed to proving things work under 'lab conditions'.
