CISO Series Newsletter - 01-02-24
CISO Series Podcast
This Security Crisis Is the Perfect Time to Tell You I Was Right
During a security incident, CISOs are trying to keep their heads above water, managing priorities from their team, the overall business, and often regulators. So it’s not the best time for someone to tell you they warned about this exact issue last week. This isn’t just a morale issue either. Cybersecurity doomerism like this can also damage relationships with the business, which makes implementing stronger security harder in the long run.
This week’s episode is hosted by me, David Spark, producer of CISO Series and my co-host Andy Ellis, operating partner, YL Ventures. Joining us is our guest, Mike Kelley, CISO, EW Scripps.
Identity alone is not enough
As traditional cybersecurity perimeters begin to dissolve, identity becomes the new perimeter. But an “identity only” security philosophy ignores the need for proper authentication and access controls, argued Paul Martini in a recent piece on Dark Reading. While organizations certainly shouldn’t ignore these two important aspects, it’s important to recognize that any zero trust strategy is a journey. Almost all organizations deal with technical debt that makes it tough to implement these systems overnight. Identity verification is a key incremental step along this journey.
“I told you so” doesn’t solve any problems
Cybersecurity professionals often come off like Cassandras, warning about important issues that don’t get addressed until they are exploited. But a recriminating attitude during a security incident doesn’t help anyone, noted a redditor on r/cybersecurity. The redditor expressed a rather defeatist attitude of always failing at security because he felt the business was fighting against him. Rather than a defeatist attitude, we need to recognize that it’s more important than ever for security teams to be seen as a partner to the overall business. A security team needs to become a trusted advisor on managing risk. An “I told you so” attitude only breeds contempt and distrust.
Security professionals should lean into their expertise
Ah, if the business weren’t there, our job in security would be so much easier. But if the business weren’t there, security professionals wouldn’t have a job. Security must serve the business, and this is most visible when talking about “requirements” for a project, where cybersecurity effectively cedes its expertise to the business, noted Brad Kirkpatrick in a post on Medium. This can leave the business frustrated that it has to communicate on a technical level, and security frustrated that the business side “doesn’t get it.” CISOs need to take the lead on understanding how the business operates and guide the security team to improve the conversations and the end goal of more secure, less risky solutions.
Build security awareness on the board
There’s increasing awareness that company boards need cybersecurity experience. The good news is we’re starting to see former and current CISOs get named to boards. But a board always needs a balance of opinion and decision-making, and having just one person with cyber expertise risks putting too much dependence on that one person, warned Ericka Chickowski in a recent CSO Online piece. A CISO on the board can help incrementally increase the board’s cybersecurity acumen. That’s great, but another solution may be dedicated technology risk committees, which could better keep up with the rapidly changing technology landscape.
Listen to the full episode over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to our podcast sponsor, Praetorian
Biggest mistake I ever made in security…
"That would be taking on the responsibility for security and not asking for any additional resources or a pay increase. This happened back when I was working at Dana Holding Corporation. I was asked if I could take security on top of my existing responsibility as head of governance, risk, and compliance. I’ve always wanted to get into this field, so I didn’t hesitate. I said yes immediately. Don’t regret the decision. But when I look back on it, I did miss an opportunity there for sure. So, I don’t regret it, but that was probably my biggest mistake, not asking for additional resources or the pay increase." - Mike Kelley, CISO, EW Scripps
Listen to the full episode of "This Security Crisis Is the Perfect Time to Tell You I Was Right."
Warning Signs You’re About To Be Attacked…
“Your frontline people, whether it’s a phishing email or something more targeted like a vishing attempt, those people on the front lines talking to customers are oftentimes also the first people that the attackers can communicate with.” - Trevor Hilligoss, senior director of security research, SpyCloud
Listen to the full episode of "Warning Signs You’re About To Be Attacked."
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Johna Till Johnson, CEO, Nemertes.
Thanks to our Cyber Security Headlines sponsor, NetSPI
Super Cyber Fridays!
Join Us 01-12-24 for “Hacking the Data Privacy Paradox”
Please join us on Friday January 12, 2024 for Super Cyber Friday.
Our topic of discussion will be “Hacking the Data Privacy Paradox: An hour of critical thinking on where to find the balance between business operations and personal information.”
Joining me for this discussion will be:
Kim Elias, senior compliance specialist, Vanta
Davi Ottenheimer, vp of trust and digital ethics, Inrupt
Thanks to our Super Cyber Friday sponsor, Vanta
Thank you!
Thank you for supporting CISO Series and all our programming.
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.