[02-16-23] "What Leads a Security Program: Risk or Maturity?" (No SCF on 02/17/23)

"What Leads a Security Program: Risk or Maturity?"

CISO Series

Defense in Depth


When you think about building a plan (and budget!) for your security program, do you lead with risk, maturity, or something else?

Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Our guest is Ngozi Eze, CISO, Levi Strauss. We discussed the following:

Lead with risk or maturity, but have a plan. This decision can vary depending on the organization you're joining and the type of security leader you are. But when you talk about maturity, that's subjective, noted Jonathan Waldrop of Insight Global. Once you know your maturity, though, it leads you to understand the level of risk the business is currently accepting.

You're trying to create a risk-to-business model that finance understands. "Begin with 'customer and market requirements' overlayed with risks followed by costs in terms of here's the impact to the bottom line for not doing this work," said Esteban Gutierrez of New Relic. Consider everything, said Ngozi Eze: customers, wholesale consumers, regulatory requirements of the market, the climate, the technological climate, your vertical, and your competitors.

A little bit of security can reduce a lot of risk. Ryan Franklin of Amazon recommends, "Risk first and then blend with maturity. You can get a lot of risk coverage for a low cost." Then start building out the maturity of your program, with the business deciding whether it wants to take on a given risk or pay to bring it down. A mature security organization will bring the company to a point where the ROI is no longer acceptable.

Let the business tell you how to run your security program. Every security program is different because every business and its industry is different. Certain risks are far scarier in one industry and not that big a deal in another. Start by asking what the business's goals are, said Christian Hyatt of risk3sixty.

"We can't have an intelligent conversation if we don't understand the business, if we don't understand what's in it for them," said Ngozi Eze.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you're not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, runZero


Super Cyber Fridays!

Join us NEXT Friday [02-24-23], for "Hacking Vulnerability Remediation"


Join us NEXT Friday, February 24, 2023, for “Hacking Vulnerability Remediation: An hour of critical thinking of how to improve the efficiency of what vulnerability needs to be fixed next, and by whom.”

It all begins at 1 PM ET/10 AM PT on Friday, February 24, 2023, with guests Venu Rao, CEO, Strobes Security, and Mathew Biby, CISO, Satcom Direct. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Strobes Security


LIVE!

Cyber Security Headlines - Week in Review

Make sure you register to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be George Al-Koura, CISO, Ruby.

Thanks to this week's headlines sponsor, CISO Series


Jump in on these conversations 

"How would you proceed?" (Business Security Questions & Discussion)

"Availability or Integrity, which one is more important? (Exam question)"

"People who are asking about burnout factors" (Career Questions & Discussion)

Super Cyber Friday...

Coming up in the weeks ahead on Super Cyber Friday we have:

  • [02-17-23] NO SHOW

  • [02-24-23] Hacking Vulnerability Remediation

Register for them all now!

Thank you!

Thank you for supporting CISO Series and all our programming.

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.