[02-09-23] Join us tomorrow for “Hacking Your Security Program”

CISO Series

Super Cyber Fridays!

Join us TOMORROW, Friday [02-10-23], for "Hacking Your Security Program"

Hacking Your Security Program

Join us this Friday, February 10, 2023, for “Hacking Your Security Program: An hour of critical thinking of what you should do next to improve your security posture.”

It all begins at 1 PM ET/10 AM PT on Friday, February 10, 2023, with guests Dan DeCloss, CEO, PlexTrac, and Carraig Stanwyck, VP, global cybersecurity and compliance, Avnet. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, PlexTrac

Defense in Depth

Limitations of Security Frameworks

Why do strongly supported security frameworks have such severe limitations when building a security program? Do we get so consumed with compliance requirements that we end up sidestepping the really critical security controls that lower risk?

Check out this post for the discussion that is the basis of our conversation on this week’s episode of Defense in Depth, hosted by me, David Spark, producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. We welcome our sponsored guest Stas Bojoukha, CEO, Compyl. Here’s what we discussed on the show.

Regulatory and compliance programs are non-prescriptive. “They tell you what you need to do, but not how to do it,” said Bill Richardson of Assured SPC. The programs, frameworks and guidelines all provide some direction, which is what we all want. But they describe an endpoint, not how you’re going to get your business more secure. “The product security landscape updates with such speed and ferocity that these frameworks can't keep up,” said Michael Segal of JIT. “They offer false hope by suggesting the illusion of ‘security’ to your product."

With technologies seemingly always ahead of standards and frameworks, are we making a mockery of the regulatory and compliance industry? Because ISO certifications and SOC2 certificates are updated so infrequently, what they ultimately say is that you have a reasonable security program in place, said Geoff Belknap. They don’t really tell another party the quality of your security program today. You must use other means to figure that out.

Achieving compliance is something you must do, but so is reducing risk, and those two are often different exercises. Stas said he’s had customers come to him saying, “We have this tool that we currently use. We don’t really know what it does, but it’s gotten us SOC2, or it’s gotten an ISO. But we’re now worried that we’re going to get breached.” You want your business to be both legal and secure.

Compliance looks good, but it’s not enough to run a business. Compliance is just like all the other business licenses you must get before you can open your doors. But as David Geer of Geer Communications said, "Compliances are like dress codes. Suit and tie required. But you'd never show up to the party with only a suit and tie."

Please listen to the full episode on your favorite podcast app, or over on our blog, where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, Compyl

LIVE! Cyber Security Headlines - Week in Review

Make sure you join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Ed Covert, head of cyber risk engineering, Bowhead Specialty.

Thanks to this week's headlines sponsor, CISO Series

Jump in on these conversations

  • "What to get from a mentor?"

  • "What is the best way to prevent getting ransomware for a smaller company?"

  • "Which cybercriminals get caught?"

Coming up in the weeks ahead on Super Cyber Friday we have:

  • [02-10-23] Hacking Your Security Program

  • [02-17-23] No show

  • [02-24-23] Hacking Vulnerability Remediation

Register for them all now!

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.