[03-07-23] We're Experts At Telling You To Fix Your Problems


CISO Series Podcast


I don't need another vendor to find my problems. Finding my problems has not been the issue. That's the easy part. Fixing them with the staff I have is definitely "the problem." Vulnerability management must include ways to remediate, quickly.

This week's episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson. Our guest is John C. Underwood, vp, information security, Big 5 Sporting Goods. We discussed the following.

More visibility is great. But what we really need is more action. A year ago, Yaron Levi, CISO, Dolby, complained about vendors offering "visibility only" solutions. Back then he was clamoring for an "if you find it, fix it" solution. The demands of security leaders have pushed the industry to move in this direction, with automated remediation solutions. Mike Johnson said it's just a natural evolution of security products. "For security teams to get to a point where they are asking for automation remediation means they've reached a confidence with detection abilities," said Johnson.

What can an entry level security person do that doesn't scare you? "Nobody wants to trust someone with no experience to be responsible for any aspect of the security of their organization," said Edward Hickcox in what he thought was an open and shut case on why entry level jobs in cybersecurity are so hard to find. But entry level people do join the industry, and they ramp up through education programs, mentoring, checklists, and shadowing, noted Johnson. John Underwood recently brought on two internal hires from his company's help desk. The first thing he did was strip away their access and put them in the SOC to watch speeds and feeds.

Yeah, we know we're not supposed to hack back, but isn't there something we can do beyond just playing defense? We had a great story from the DOJ and FBI taking down the Hive ransomware gang after spending months inside siphoning encryption keys and doling them out to those targeted by the gang. They truly hacked the hackers. This is an exciting story, but it still puts security professionals in the same position. They're not supposed to hack back. It's frustrating that we're not getting any closer to dealing with the root of the problem. You simply can't choose to be a vigilante because you have no idea who is behind the attack, what resources they have, and they are probably using an innocent user's system to carry out their attacks. A hack back could also result in an unexpected escalation.

Is there any reason security professionals should be scared of ChatGPT? This was the question Mike Johnson asked on LinkedIn. One commenter said one of ChatGPT's dangers is its ability to confidently give incorrect answers. That compounds the poorly written code ChatGPT is very capable of producing. This could give users a false sense of security. But other security professionals have used ChatGPT to write the first drafts of their security programs. It saved an enormous amount of time.

Listen to the full episode over on our blog where you can read the entire transcript. If you haven't subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.

Thanks to our podcast sponsor, Pentera

Biggest mistake I ever made in security...

"The biggest mistake I've ever made in security was coming into a new organization and not really learning the new communication pattern. So, I came in and used the old method of getting projects done thinking I was doing the right thing, and along the way I was creating a lot of work for a lot of people. And four years later, I'm still trying to unruffle some of those feathers." - John C. Underwood, vp, information security, Big 5 Sporting Goods

Listen to full episode of

Third Party Risk vs. Third Party Trust

"I always try to challenge my thought process and try to think about different things from the different sides. In other words, just the fact we have done something in a certain way for so long doesn’t mean that’s the right thing to do. So, I find it helpful from time to time to stop and try to reflect on the different side. And many security or many businesses practices in general are based on trust." -  Yaron Levi, CISO, Dolby

Listen to full episode of

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

Cyber Security Headlines - Week in Review 

Make sure you  to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Nick Espinosa, Host, The Deep Dive Radio Show.

Thanks to our Cyber Security Headlines sponsor, Packetlabs


Super Cyber Fridays!

"Hacking RSA" - Super Cyber Friday


Join us this Friday, March 10, 2023, for “Hacking RSA: An hour of critical thinking about how to get the most from attending RSA, or any security conference.”

It all begins at 1 PM ET/10 AM PT on Friday, March 10, 2023, with guests Adrian Sanabria, host, Enterprise Security Weekly, and Allan Alford, host, The Cyber Ranch Podcast. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thank you!

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.