Fix it? Let’s Just Get Rid of It.
A vulnerability is found. A hardware vendor issues a software patch. What else is new? But that trend is taking a new path. Sometimes these vulnerabilities are so severe that vendors don't know what to do. They just throw up their hands and say you've got to rip and replace. It's the only option. It's scary: suddenly you've got a zero-day that effectively moves your hardware to end-of-life.
This week's episode is hosted by David Spark, producer of CISO Series, and Andy Ellis, partner, YL Ventures. Joining them is our sponsored guest, Danny Jenkins, CEO, ThreatLocker.
A zero-day upgrade
When a zero-day vulnerability renders hardware obsolete, organizations face forced upgrades, often well outside their planned refresh schedules. We saw the wide impact this had on Barracuda Networks customers, and as Brian Krebs noted in a blog post, it's an industry-wide problem. The increasing shift toward subscription-based and SaaS security models offers a way out: the vendor is responsible for keeping the service patched, is paid to keep it current, and has an incentive to keep innovating. These models also remove the customer's dependence on a specific piece of hardware that can be forced to end-of-life overnight. As we all know, operational expenditures are more adaptable than capital investments, since they avoid the sunk costs that limit flexibility.
Don’t let a pentest go bad
Penetration testing, especially when it involves physical or highly visible activities, requires careful coordination to avoid unnecessary escalation. A recent example, cited on Reddit, involved a cybersecurity team calling building security on a pentester, and it escalated to the police. Before launching a penetration test, make sure everyone is on board, even those not within your four walls. Yes, you want your staff to notice and report suspicious activity, just make sure the people who will be called are clued in. Pentesters should also carry proper documentation, such as the engagement contract and an authorization letter naming a client contact who can confirm the test on the spot, to validate their activities. Maintaining regular communication with law enforcement, such as the FBI or local police, can further foster cooperation and ensure smoother operations during tests. Oh, and this contact will also come in handy in the event of a real security incident.
Improving user training
User training in cybersecurity must focus on practical, targeted guidance rather than overwhelming employees with exhaustive lists of rules. Prioritize the scenarios that could significantly disrupt business operations, such as phishing attacks impersonating executives or fraudulent requests for large wire transfers. These should come with clear instructions, like verifying any unexpected request directly with the sender through a separately known channel, such as a phone number from the company directory, rather than through contact details supplied in the request itself. Forget broad "awareness" campaigns; training should be built around critical, business-specific scenarios. The result shouldn't be a compliance checkbox; it should be employees who can handle high-impact risks effectively.
Cybersecurity is made for people
The future of cybersecurity is not in creating new specialized roles but rather in embedding skills like behavioral psychology and economic modeling into existing roles. Understanding how people perceive and react to risks is critical for designing effective controls that integrate seamlessly into workflows, noted Ross Haleliuk. Focus on real-world solutions, such as robust controls and processes, while using insights from human psychology to ensure those controls are adhered to and not bypassed due to inefficiencies. As we continue designing security for humans, these social science skills will only become more valuable.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to our podcast sponsor, ThreatLocker
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Biggest mistake I ever made in security…
"I think the biggest mistake I ever made was assuming something did what it said on the tin. I pitched for a new security product. I've done it several times, but there was one in particular I fought like hell to get a new security product, this is back in 2002, and I said it was going to stop all of our virus problems, and it didn't, [Laughter] and I got egg on my face." - Danny Jenkins, CEO, ThreatLocker
Listen to the full episode of "Fix it? Let’s Just Get Rid of It."
Protecting Your Backups from Ransomware…
"Keep in mind that in an encryption event, 80% of your storage capacity's probably encrypted. You can't delete it. You can't blow it away. So, you have to have the storage capacity to move the data back into the environment. That's one of the biggest challenges most clients have whose backups do survive. Keep in mind, 95% of our clientele, backups do not survive ransomware events." - Heath Renfrow, co-founder, Fenix24
Listen to the full episode of "Protecting Your Backups from Ransomware."
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be CISO TC Niedzialkowski. Thanks to Scrut Automation!
Thanks to our Cyber Security Headlines?sponsor, Scrut Automation
Are Your Security Metrics Actually Keeping You Safe?
Metrics are often touted as the key to improving security, but what exactly should we be tracking? How do we measure security success beyond simply avoiding breaches?
Host David Spark sat down with Frederico Hakamine, technology evangelist at Axonius, to discuss the complexities of cybersecurity metrics. We discussed the gap between traditional security measurements and real indicators of risk reduction. From tracking remediation efforts to prioritizing threats, this conversation dives into the nuances of security effectiveness and the role of metrics in justifying security investments.
Join us on 02-21-25 for "Hacking Security Metrics" at 1pm ET / 10am PT for Super Cyber Friday. David and Freddie will be joined by James Killgore, sr. mgr., information security, WideOrbit, to discuss defining meaningful security metrics.
Thanks to our Super Cyber Friday sponsor, Axonius
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at?cisoseries.com.
Interested in sponsorship,?contact us.