[01-03-23] We’re Here. We’re Highly Unqualified. Get Used To It.

CISO Series Podcast
We’re Here. We’re Highly Unqualified. Get Used To It.

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, operating partner, YL Ventures. Our guest is Stephen Cicirelli, CISO, American Bureau of Shipping. We had some heated discussions on the following topics. Please provide your thoughts.

Should you fire an employee who repeatedly fails phishing tests? I have a friend who heads HR for a large company, and they had to fire an employee who just couldn’t stop clicking links in phishing emails. The employee was given ample warning and repeat training, but nothing worked. The company’s managers felt they had no recourse but to fire the employee. Andy Ellis felt the decision was way too harsh and believed you should never reprimand an employee because technology fails. What if you do have an employee you want to keep, but they can’t protect themselves in cyberspace? Is there a way to create a virtual padded room so they can’t hurt themselves and others?

How big is the gulf between what we know we should do and what we can actually do? In an article on CISO Online, Mary K. Pratt offers up some suggestions on how to build a proactive security program. All her suggestions were topics we’ve discussed on this show, such as strong user authentication, zero trust, hunting for threats and vulnerabilities, and more solid foundational advice. The question is: can anyone achieve all of them, or are we just doing partial versions of each? What’s realistic?

Why can’t we get ahead of known problems in cybersecurity? Here are some depressing stats from a study by Foundry:
- 34% said non-malicious user error was the top cause of cybersecurity incidents.
- 28% said third-party security vulnerabilities.
- 26% said unpatched software vulnerabilities.
All of these issues are fixable if you had infinite time and people. But no one has that situation. "If you're short-staffed, you can't have someone looking at every alert," said Bob Bragdon of Foundry. Is it just inevitable that we’ll lose the infinite game?

Is all the publicity to get more people involved in cybersecurity attracting the wrong talent? "Does anyone else feel like the security field is attracting a lot of low-quality people and hurting our reputation?" asked a redditor on the cybersecurity subreddit. This caused an enormous debate, but much of the marketing of cyber education leads one to believe that if they just take this course they can get a six-figure salary in cybersecurity. Has this issue always been around, or is it exacerbated by the increased demand and the increased supply of recently educated cybersecurity personnel?

Listen to this week’s podcast on our blog, where you can read the entire transcript. And if you haven’t already subscribed to CISO Series Podcast via your favorite podcast app, please do that now.
Thanks to our podcast sponsor, Stairwell

Watch CISO Series Podcast LIVE in Clearwater, Florida next Tuesday, January 10th, 2023

CISO Series is coming to Clearwater, Florida for our first live in person recording at the Convene conference. We’re going to be the opening night’s entertainment for the event, which will be happening on January 10th, 2023. But the event continues until the next day on January 11th, 2023.
Register here, and if you use this link you get 15% off. The discount code “CISOSERIES” is already applied.

Thanks to our sponsors COFENSE, KnowBe4, and Fortra's Terranova Security



Ten second security tip...
"With gambling online being legal now and the Super Bowl coming up, you’re going to see a lot of phishing coming out. Make sure you avoid that." -- Stephen Cicirelli, CISO, American Bureau of Shipping
Listen to full episode of
How Should We Discuss Cyber With the C-Suite?
"Well, giving you time to brief them is one thing. But I’ve seen a lot of enthusiasm over the last few years on the topic, so it isn’t a lack of interest in cyber security. I think it’s just, look, they have so many things…these executives have so many things they’re responsible for. They’re coordinating quarterly disclosures, earnings, acquisitions, divestitures, financials, compliance, pricing, marketing, legal issues, strategy. It goes on and on. Cyber is just one more important part of their responsibilities. So, in this vein, succinct business-aligned briefings can be effective for this audience." - Lee Parrish, CISO, Newell Brands
Listen to full episode of
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Cyber Security Headlines - Week in Review

Make sure you join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Sean Kelly. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Bryan Willett, CISO, Lexmark.
Thanks to our Cyber Security Headlines sponsor, AppOmni

Super Cyber Fridays!
Hacking Automated Security

Join us Friday, January 20, 2023, for “Hacking Automated Security: An hour of critical thinking of how intelligent automation can achieve more without doing more.”
It all begins at 1 PM ET/10 AM PT on Friday, January 20, 2023, with guests Brian Vecci, field CTO, Varonis, and Ken Collins, sr. director, information security, Sunbelt Rentals, Inc. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Varonis

Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.