[01-17-23] Your Password Is Too Long. Please Shorten It.
CISO Series Podcast
Your Password Is Too Long. Please Shorten It.
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson. Our guest is Terrance Cooley, CISO, Air Force JADC2 R&D Center. Here are the issues we discussed. Please jump in with your thoughts.

Are your hiring practices designed to reduce risk? Chalk this up as a “great idea, but geez, is it really feasible?” A McKinsey and Company article suggested mapping out all your security staff and then demonstrating which specific priority roles, if hired, would reduce risk the quickest. Mike Johnson thought it was a logical idea, but nobody has 150 security professionals to hire all at once, as the article suggested. He did question their recommendation of starting at the top and only then building an incident response team. The incident responders are doing the work, so they need to be in first, with some basic management in place.

Broker marketplaces of susceptible targets are popular because they’re more cost efficient. Malicious attackers would rather pay someone to hand them the weakest link than find it themselves; it’s far cheaper. There is a long and still-growing history of this: botnets, ransomware as a service, and compromised credit cards and usernames/passwords, all for sale on the dark web.

Could you please lower your security standards so we can work with you? Some IT vendors are so myopic about the purpose of security standards that they make inappropriate requests solely so their products can work in your environment. For example, one CISO told me about a vendor’s tool that had a problem with the company’s long passwords, so the vendor requested that the password requirements be lowered. And Mike is amused by the phishing test platforms that require you to whitelist them so your technical controls don’t intercept their phishing emails. Um, then I guess we don’t need you.

No matter what the conditions, you always need to strive for a supportive culture. A frustrated redditor who is managing a lot with a lean security team feels overwhelmed and doesn’t know what to do. While most redditors responded that the person is getting burnt out, another redditor who faced a similar situation that lasted for four years said they were able to work through it because there was a fantastic culture and great support. If you want to keep staff, no matter how difficult the environment, you must build a supportive culture. There are too many options for great talent to go somewhere else.

You can listen to this week’s episode over on our blog, where you can read the full transcript. If you aren’t already subscribed to CISO Series Podcast on your favorite podcast app, please go ahead and do that right now.
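The vendor request to shorten passwords is the one point in this issue worth putting in code. Below is an added example, written for this newsletter and not code from CISO Series or any of the podcast guests, of a password-policy check that enforces a minimum length but keeps the accepted maximum at or above the 64 characters NIST SP 800-63B says a verifier must accept, plus a helper that quantifies what a vendor's proposed cap would cost in search space. The 128-character local cap and the 95-symbol printable-ASCII alphabet are assumptions of the example, not values from the page.

```python
import math
import unicodedata

# Reference values from NIST SP 800-63B: user-chosen passwords must be at
# least 8 characters, and verifiers must accept at least 64 characters.
MIN_LENGTH = 8
REQUIRED_MAX_LENGTH = 64
# Assumed local cap for this example; anything >= 64 is compliant.
LOCAL_MAX_LENGTH = 128
# Assumed alphabet size: printable ASCII (95 symbols).
PRINTABLE_ASCII = 95


def normalize(password: str) -> str:
    """Apply NFKC normalization (as 800-63B recommends) so that the
    length count does not depend on how a client encoded the input."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, max_length: int = LOCAL_MAX_LENGTH) -> tuple[bool, str]:
    """Return (accepted, reason). Only length is checked here; complexity
    rules are deliberately absent, which also matches 800-63B."""
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(pw) > max_length:
        return False, f"longer than {max_length} characters"
    return True, "ok"


def vendor_cap_acceptable(requested_max: int) -> bool:
    """A vendor's requested maximum is acceptable only if users can still
    choose passphrases of at least REQUIRED_MAX_LENGTH characters."""
    return requested_max >= REQUIRED_MAX_LENGTH


def search_space_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Bits of search space for a uniformly random password of `length`
    characters drawn from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def cost_of_cap(current_max: int, requested_max: int) -> float:
    """Bits of maximum achievable search space lost if the cap is lowered
    from current_max to requested_max (0 if the cap is not lowered)."""
    if requested_max >= current_max:
        return 0.0
    return search_space_bits(current_max) - search_space_bits(requested_max)


if __name__ == "__main__":
    # Constructed sample inputs for a quick local run.
    for candidate in ["short", "correct horse battery staple and then some", "x" * 200]:
        print(repr(candidate[:20]), check_password(candidate))
    # A hypothetical vendor asks for a 16-character cap.
    print("cap of 16 acceptable:", vendor_cap_acceptable(16))
    print("bits lost going 64 -> 16:", round(cost_of_cap(64, 16), 1))
```

The validator has no upper bound tighter than the local cap, so a long passphrase is never the thing that fails; when a tool cannot store or compare such a password, `vendor_cap_acceptable` gives the CISO a one-line answer to the request, and `cost_of_cap` gives a number to put in the reply.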
Thanks to our podcast sponsor, Varonis
Best advice I ever got in security...
"Fight through failure. Success is at the other side." - Terrance Cooley, CISO, Air Force JADC2 R&D Center
Ambulance Chasing Security Vendors...
"Please, after I’m done dealing with what we’re dealing with, show me where it has prevented this for somebody else. Show me how it would have saved me all this time. But no matter how much time you think your product would save me, it won’t save me time in the middle of dealing with that crisis. I can’t stress enough that… the most opportune time for you is not the most opportune time for a security organization that is dealing with a problem. And I think we just have to be more realistic as sales teams, as suppliers, as partners about when we can have those conversations." - Geoff Belknap, CISO, LinkedIn
Listen to the full episode of "Ambulance Chasing Security Vendors"
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Cyber Security Headlines - Week in Review
Make sure you join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Ed Covert, head of cyber risk engineering, Bowhead Specialty.
Thanks to our Cyber Security Headlines sponsor, Cerby
Super Cyber Fridays!
What Can You Automate Without Needing to Increase Staff?
In this preview video for this Friday's Super Cyber Friday, Brian Vecci, field CTO, Varonis, discusses what's doable and not doable in security automation, and why you must automate the easy stuff you should already be automating. Join us Friday, January 20, 2023, for “Hacking Automated Security: An hour of critical thinking of how intelligent automation can achieve more without doing more.”
It all begins at 1 PM ET/10 AM PT with Brian, me, and Ken Collins, sr. director, information security, Sunbelt Rentals, Inc. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Varonis
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.