[01-09-24]--SSO No You Didn't (LIVE in La Jolla, CA)

CISO Series Podcast
SSO No You Didn't (LIVE in La Jolla, CA)


Remember when single sign-on was supposed to be the cure-all for everything that ailed us in security? With so many stories of SSO failures, the security panacea doesn't seem all-powerful anymore. Is it just growing pains, or are we seeing more structural issues?

This week's episode is hosted by me, David Spark, producer of CISO Series, and my guest co-host Billy Norwood, CISO at FFF Enterprises. Joining us is our guest, Joshua Barons, CISO at the San Diego Zoo Wildlife Alliance.

We recorded the show in front of a live audience at the Planet Cyber Sec conference in La Jolla, CA.

Stretching the security dollar

Budget is always a major consideration and constraint when it comes to any cybersecurity strategy. So it's not surprising that during our recent cybersecurity subreddit AMA someone asked what the free or low-cost options are for small cybersecurity teams. Top tips were adopting a cybersecurity framework, starting a threat register, and doing a business impact analysis.

Why are we still struggling with SSO?

In hindsight, the SSO hyperbole should have been taken with a grain of salt. The promises of SSO still read like a cybersecurity greatest-hits list: forcing strong MFA, forcing logouts, and setting session lengths are not features to sneeze at. So where are we falling down with SSO? Often the issues arise at the handoff between the SSO platform and the application it signs users into, according to Joe Sullivan and Atul Tulshibagwale at CSO Online: the identity provider enforces the control, but the application never learns about it. Can these disconnects get smoothed out so organizations can see the security promises that made SSO seem so attractive in the first place?
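To make the handoff problem concrete, here is an added example (not code from the CISO Series page or from the CSO Online article it cites): a toy model in which a hypothetical identity provider forces a logout and enforces an eight-hour session policy, while the application either trusts only its own long-lived cookie or re-checks the identity provider's view of the session on every request. The identity provider, application, user names and timings are all constructed for illustration.

```python
# Added example: toy model of the SSO-to-application session handoff.
# Everything here (IdentityProvider, AppSession, the "alice"/"bob" timeline)
# is hypothetical and constructed for illustration.

from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class IdpSession:
    subject: str
    authenticated_at: float   # epoch seconds when the user authenticated
    mfa_used: bool
    revoked: bool = False     # set when the IdP forces a logout


class IdentityProvider:
    """Hypothetical SSO platform that issues and revokes sessions."""

    def __init__(self) -> None:
        self.sessions: Dict[str, IdpSession] = {}

    def login(self, subject: str, now: float, mfa_used: bool) -> str:
        sid = f"idp-{subject}-{int(now)}"
        self.sessions[sid] = IdpSession(subject, now, mfa_used)
        return sid

    def force_logout(self, sid: str) -> None:
        self.sessions[sid].revoked = True

    def lookup(self, sid: str) -> Optional[IdpSession]:
        return self.sessions.get(sid)


@dataclass
class AppSession:
    subject: str
    idp_session_id: str
    issued_at: float
    app_cookie_lifetime: float  # lifetime the application chose on its own


def naive_authorize(app: AppSession, now: float) -> bool:
    """The handoff failure: once the SSO assertion is consumed, the app trusts
    only its own cookie, so IdP logouts and session limits never reach it."""
    return now - app.issued_at < app.app_cookie_lifetime


def hardened_authorize(idp: IdentityProvider, app: AppSession, now: float,
                       max_session_age: float, require_mfa: bool = True) -> bool:
    """Re-check the IdP's view on every request so its controls propagate."""
    idp_sess = idp.lookup(app.idp_session_id)
    if idp_sess is None or idp_sess.revoked:
        return False                       # forced logout honoured
    if idp_sess.subject != app.subject:
        return False                       # cookie must match the IdP subject
    if require_mfa and not idp_sess.mfa_used:
        return False                       # strong MFA enforced end to end
    if now - idp_sess.authenticated_at > max_session_age:
        return False                       # IdP session length enforced
    return True


def run_scenario() -> Dict[str, bool]:
    """Constructed timeline: alice logs in at t=0 and is force-logged-out by
    the IdP at t=3600; bob logs in at t=0 and is checked after nine hours."""
    idp = IdentityProvider()
    eight_hours = 8 * 3600.0
    thirty_days = 30 * 86400.0

    sid = idp.login("alice", now=0.0, mfa_used=True)
    app = AppSession("alice", sid, issued_at=0.0, app_cookie_lifetime=thirty_days)
    results = {
        "naive_before_logout": naive_authorize(app, now=1800.0),
        "hardened_before_logout": hardened_authorize(idp, app, 1800.0, eight_hours),
    }
    idp.force_logout(sid)
    results["naive_after_logout"] = naive_authorize(app, now=7200.0)
    results["hardened_after_logout"] = hardened_authorize(idp, app, 7200.0, eight_hours)

    # bob is never logged out, but his IdP session is older than the 8h policy.
    sid2 = idp.login("bob", now=0.0, mfa_used=True)
    app2 = AppSession("bob", sid2, issued_at=0.0, app_cookie_lifetime=thirty_days)
    results["naive_stale"] = naive_authorize(app2, now=9 * 3600.0)
    results["hardened_stale"] = hardened_authorize(idp, app2, 9 * 3600.0, eight_hours)
    return results


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name:24s} -> {'allowed' if allowed else 'denied'}")
```

The naive application keeps honouring its thirty-day cookie after the identity provider has revoked the session and long past the eight-hour policy; the hardened one denies both. In a real deployment the "re-check" is a back-channel call or a shared-signals event from the identity provider rather than an in-memory lookup, but the control being tested is the same.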

Is cybersecurity a social science?

It's been said that cybersecurity is essentially a design discipline focused on risk. One of the elements that makes these risk models so hard to design is those pesky humans. If only there were some discipline that studied why and when humans make irrational decisions. Oh wait, there is. It's behavioral economics! Keavy Murphy at Dark Reading argues cybersecurity could benefit from studying the discipline, which examines concepts such as perceived risk and the sunk-cost fallacy that still plague cybersecurity decision makers. Human irrationality may not be going anywhere, but a little cross-pollination between the two could help us make better design decisions.

Learning from first responders

Why can't you be like your older brother, the first responder? You both need to be in a state of readiness, never sure where the next call is going to come from, argues Mark Stone with IBM's Security Intelligence. But it's the pace of change that separates the two. While firefighters might need to train on how to extinguish new fire sources, EV batteries for example, that still pales in comparison to the iteration of threats and vectors facing cybersecurity professionals. But that doesn't mean we can't learn from our brother's profession either.

Listen to the full episode over on our blog, where you can also read the entire transcript, or on your favorite podcast app. If you haven't subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.

Thanks to our podcast sponsor, Praetorian


Best advice I ever got in security…

"Always question the status quo. Don’t be afraid to ask why are we still doing something in a particular way. One of the scariest things to hear in security is, ‘That’s the way we’ve always done it.’" - Joshua Barons, head of information security at San Diego Zoo Wildlife Alliance

Doing Third Party Risk Management Right

"But the fact is, once that relationship is established, risk continues, and things change, widgets move, configuration files adjust. And if you don't have a way of continually understanding how the postures change, a lot of that work that you've done up front is actually kind of for naught." - Erik Decker, CISO, Intermountain Health

Listen to the full episode of "Doing Third Party Risk Management Right."

Subscribe to our newsletters on LinkedIn!

We've got our twice-weekly CISO Series Newsletter and our daily Cyber Security Headlines newsletter available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

LIVE!
Cyber Security Headlines - Week in Review


Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Allan Cockriel, CIO of global functions and group CISO, Shell.

Thanks to our Cyber Security Headlines sponsor, Vanta


Super Cyber Fridays!
When Good Data Becomes Bad


Data sits in this weird space of being vital for business activity, growth, and sales. But at the same time it can become a serious liability. Holding onto data too long can run you afoul of regulations, and any data you hold may be very attractive to thieves. In a tease for our upcoming Super Cyber Friday live show on Friday, January 12th, 2024 ("Hacking the Data Privacy Paradox: An hour of critical thinking on where to find the balance between business operations and personal information"), Kim Elias, senior compliance specialist at Vanta, and I discussed how to determine what that balance is. As every company's business model is different, and our reliance on data for business varies, this balance is not the same for all.

Joining Kim and me for this discussion will be Davi Ottenheimer, VP of trust and digital ethics, Inrupt.

It all starts at 1 PM Eastern/10 AM Pacific. At the end of the hour [2 PM Eastern/11 AM Pacific] we’ll switch gears to our meetup where everyone will get a chance to chat face to face.

Thanks to our Super Cyber Friday sponsor, Vanta


“Business Networking Pickup Lines” for Your Next SKO


Think about all the people in your life that make you feel professionally attractive.

People who make you feel good about the work you do, especially those who don't work with you, are great business flirts. Becoming a business flirt is an amazing sales technique, because you begin the engagement by making the other person feel good about just being around you. And when you make people feel that darn good, they want to spend more time around you, because, heck, you make them feel good.

Those are exactly the techniques I teach in my workshop, "Business Networking Pickup Lines." Here's a video shot at Cyber Marketing Con 2023 where I talked to attendees about their experience taking the workshop. Here's some more information about the workshop.

If you’re interested in having “Business Networking Pickup Lines” at your event or sales kick off (SKO), please contact us.

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.