[02-13-24]-It’s Like a Trust Fall, But We Know You’ll Hit the Floor
CISO Series Podcast
It’s Like a Trust Fall, But We Know You’ll Hit the Floor
Getting buy-in to your security awareness program is critical. So why do so many organizations get it so wrong? Phishing tests seem most successful at getting your staff not to trust you, rather than discouraging poor behavior. So what framework can we apply to actually build trust with security awareness?
This week’s episode is hosted by me, David Spark, producer of CISO Series and Andy Ellis, operating partner, YL Ventures. Joining us is Grant Anthony, CISO, Orion Health.
How do you get staff to care about cybersecurity?
Cyber awareness training ignores the fact that cybersecurity departments lack buy-in. All the awareness training in the world doesn’t matter if no one cares, argued a redditor in a recent thread on the cybersecurity subreddit. Andy Ellis pointed out that organizations show a lack of innovation to get greater security buy-in. Use an organization's extensive marketing expertise to achieve this, rather than spend more on security awareness. Then use training time and money focused on developers for the biggest ROI.
Accounting for incompleteness with patch management
We can’t patch everything. Any attempt would lead to missing patches for critical issues. So how many vulnerabilities can we actually patch? Security researcher Wade Baker found only about 10%. Vulnerability management feels like a losing game because it reflects issues already too far upstream. These systems attempt to fix software development issues after the fact; the horse has already bolted. Organizations see better results investing in better quality software development from the start.
Bridging the threat-informed divide
Building a threat-informed security program sounds good, but isn’t easy to operationalize. Organizations lack basic security hygiene or can’t bridge threat intelligence to actual controls, argued Dr. Anton Chuvakin, host of the Cloud Security Podcast by Google, in a recent Medium piece. But designing a threat-informed program risks putting the cart before the horse. Early in maturity, identifying specific threats takes your eye off what really matters. Organizations should be following relevant best practice security frameworks. Since these generalized frameworks are derived from common threats, following them still builds a threat-informed program.
Using metrics to build trust
Every CISO lives by metrics. These are the keys to drive decisions. But Michael Hill at CSO Online argued they also are the building blocks to build trust with the business. Then they become not just about decisions, but about driving action. This starts at the team level and can extend all the way up to the board. When the board has the metrics it can connect to the business, it gives them greater visibility into risk and ultimately stronger governance. When accountability for cyber risk extends from the board on down, it brings your cybersecurity program into better alignment with the business.
Listen to the full episode over on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to Jared Mendenhall of Impossible Foods for providing this week’s “What’s Worse?!” scenario.
Thanks to our podcast sponsor, Varonis
10-second security tip…
"Referring to security controls such as patch and vulnerability management as the basics does our industry a disservice. These are foundational but complex domains and when described as such, garner more support, funding, and ultimately reduce risk." - Grant Anthony, CISO, Orion Health
Listen to the full episode of "It’s Like a Trust Fall, But We Know You’ll Hit the Floor."
OPEN AUDITION! Looking for Next Hosts on CISO Series
Your favorite hosts of CISO Series shows are not going anywhere.
BUT, we’re developing a new show and we’re looking for your NEXT favorite CISO Series hosts.
And we’re looking for a pair of them, possibly two pairs!
Submit a recording to be CISO Series hosts
We’re looking for a two-person recording. You and a friend get on the microphone and explain something, anything in cyber.
The recording should be 5-10 minutes in length. Audio only.
Send your submissions via our contact form or via [email protected]. Label it “PODCAST AUDITION.”
DEADLINE: THURSDAY March 7th, 2024
Go to the blog post for details on how to deliver the IDEAL submission.
Why Do Cybersecurity Startups Fail?
“You have to basically integrate your technology into your larger portfolio. It has to play nice. It has to work with everything. Because if it doesn't, it then raises the question that then you have to basically answer, "Wait, we invested in ABC in the past. Are you telling me that was a mistake, and now I need this new shiny thing? Why didn't we invest in this previously? Why wasn't this problem not previously brought up?" Which creates a whole bunch of uncomfortable discussions with leadership that you generally don't want to have.” - Mike Levin, deputy CISO, 3M
Listen to the full episode of "Why Do Cybersecurity Startups Fail?"
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Trina Ford, CISO, iHeartMedia.
Thanks to our Cyber Security Headlines sponsor, Vanta
Super Cyber Fridays!
Understanding the Security and Compliance Silos
We know there is a tense relationship between compliance and security. But why? As Matt Cooper, senior management, privacy risk and compliance, Vanta, points out, this stems from compliance requirements coming from external parties rather than being internally driven by a need to be secure. This is a preview of our Super Cyber Friday event happening this Friday, February 16, 2024. Our topic will be “Hacking Compliance vs. Security: An hour of critical thinking about why checking the box is good.”
Joining me and Matt for this event will be Christopher Hymes, CISO, Riot Games.
It all starts at 1 PM Eastern/10 AM Pacific. At the end of the hour [2 PM Eastern/11 AM Pacific] we’ll switch gears to our meetup where everyone will get a chance to chat face to face. Join us!
Thanks to our Super Cyber Friday sponsor, Vanta
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.