- [02-07-23] CISO Series Podcast "21 “Dark Side”-Approved Ways to Threaten Your Prospects"
This week’s episode of CISO Series Podcast is hosted by me, David Spark, producer of CISO Series and Mike Johnson. Our sponsored guest is Jason Mar-Tang, director of sales engineering, Pentera. Here are some of the items we discussed. Please let us know your thoughts.
Working for a security vendor is not “going to the dark side.”
Please, stop calling it that. It’s not original. It’s not funny self-deprecating humor. It’s an “us vs. them” mentality, and it’s not helping anyone. Just don’t be the salesperson who says “yes” to everything. One item we’ve heard often from our CISO community is that they like it when a vendor is upfront about what their product can and cannot do.
Should you apply to a company that just had a cyber incident?
Often, getting breached acts as a financial motivator for a company to spend more on cyber and on staff. How did they handle the breach, and as an interviewee is it appropriate to ask? Mike Johnson suggests asking, “What were some of the lessons you learned from the incident?” And Jason Mar-Tang recommends asking how this incident has changed the security culture at the company. Are they taking it more seriously now, or were they always taking it seriously?
The reason you pentest is to improve your cybersecurity hygiene.
Pointing out problems without direction and a process to fix those problems is a pointless pentest. To make pentesting efforts more effective, Jason Mar-Tang suggests focusing on specific areas of the business. For example, if you’re concerned about your identity management and Active Directory, conduct a pentest exercise on that with the understanding that you’re going to focus on those areas in your remediation. Concentrated tests with concentrated improvements provide focus for everyone and significant improvement.
If you were to abandon phishing tests, what would you replace them with?
Mike Johnson doesn’t phish his employees. Since phishing tests can easily be gamed, he doesn’t see the value in them. Instead, Mike prefers to look at the ways employees could be making mistakes and to develop controls (preventive or detective) to deal with that kind of behavior (e.g., sending passwords to a phishing site). Mike thinks phishing tests “are creating an ‘us vs them’ approach to security, rather than working with your employees and thinking about how we can work with them on security improvements in general.”
Listen to the full episode right here or over on
where you can read the entire transcript. If you haven’t
via your favorite podcast app, please go ahead and do so now.
Thanks to our podcast sponsor, Pentera
What I love about cyber security...
"When I describe to people what I do, I say it’s almost like it’s healthcare. You could be a cardiologist, a dermatologist, podiatrist, or whatever. There’s so many. There’s something for everybody in cyber security. You can get really, really deep into the bits and bytes doing forensics or really high up such as getting involved with policy, and governance, and compliance. Each part is important, and they all play together and need to be strong if the posture of the organization is going to be strong." - Jason Mar-Tang, director of sales engineering, Pentera
Listen to full episode of
Why Is There a Cybersecurity Skills Gap?
"If I’m expecting I’m going to just do the pen testing or the, I don’t know, whatever I did in the bootcamp every day in my corporate information security job, and it’s not like that, I might be disappointed. But if I took that course because I am a committed learner, and I’m constantly going to be learning about what’s going on, how my business works, how the techniques I learned in this class can apply to that, and what else I need to learn, you’re going to go very far. And if you’re willing to work hard, you’re going to go even farther." - Geoff Belknap, CISO, LinkedIn
Listen to full episode of
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Cyber Security Headlines - Week in Review
Make sure you
to join the LIVE "Week In Review" this Friday for
Cyber Security Headlines
with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Ed Covert, head of cyber risk engineering, Bowhead Specialty.
Thanks to our Cyber Security Headlines sponsor, CISO Series
Super Cyber Fridays!
What’s the Next Thing I Should Do to Improve My Security Posture?
The Internet, security vendors, and your cyber colleagues are awash with advice on how to improve your security program. All of them are wrong. The only one who truly knows is you, and specifically what malicious intruders can do to your defenses. This was the discussion I had with Dan DeCloss, CEO, PlexTrac. It was all a tease for this Friday’s Super Cyber Friday discussion, “Hacking Your Security Program: An hour of critical thinking of what you should do next to improve your security posture.”
Please join us on Friday, February 10, 2023 for Super Cyber Friday. REGISTER HERE.
Joining me and Dan for this discussion will be Carraig Stanwyck, VP, global cybersecurity and compliance, Avnet.
The event starts at 1 PM Eastern/10 AM Pacific. At the end of the hour (2 PM Eastern/11 AM Pacific) we’ll switch gears to our meetup where everyone will get a chance to chat face to face.
Thanks to our Super Cyber Friday sponsor, PlexTrac
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.