
[03-19-24] BREAKING: “Department of No” Upgraded to “Department of Slow”

CISO Series Podcast
BREAKING: “Department of No” Upgraded to “Department of Slow”

How can security teams do their jobs without seeming like an impediment to developers? The relationship can seem oppositional. But how can both sides work together to better secure software without security seeming like a roadblock?

This week’s episode is hosted by me, David Spark, producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our sponsored guest, Nadav Lotan, product management team leader, Cisco.

Where are we using AI right now?

Stop me if you’ve heard this before, but I think AI might be a bit of a thing. Sarcasm aside, we hear a lot about the potential for LLMs across the enterprise. We’re starting to see these systems going into production, as outlined by Shweta Sharma in CSO Online. But what are people using them for at this moment? One place is making security solutions more accessible, such as allowing users to run complex queries using natural language. At the moment, chatbots seem to be the most obvious use case. Their ability to understand intent opens the door to a lot of productivity solutions, and also to a lot of chances for misuse. There is the looming threat of prompt injection. Even if the systems protect against data loss, getting a chatbot to respond poorly can still be bad for optics.

Securing development without becoming a roadblock

Security folks get mad at developers for not caring about security. But as was pointed out in our recent cybersecurity subreddit AMA, organizations incentivize product managers to ship on time, not to ship secure code. So how do we create a structure and incentives to change that? This can start with security working with developers to build reusable secure software components, making it easier down the road to build apps. Organizations can also frame secure development as a way to speed overall time to market, with less duplicate work needed to fix critical issues in production software. Ultimately, security needs to approach developers with ways to make their jobs easier and more productive.

Are platform plays played out?

The typical argument for going with a platform of tools versus best of breed comes down to integration and cost. This can lead some to argue that platform plays are only “good enough” solutions on their own. But Mike Johnson pointed out that this misses the opportunity to build a relationship with a platform provider as a partner rather than as one of many vendors. Nadav Lotan also pointed out that more organizations than ever need end-to-end visibility across their IT stack, something much easier to do with a platform play than by adding yet another vendor to the mix.

Who makes policy for the policymakers?

One use case for LLMs we didn’t discuss earlier in the show was writing policy. But that’s exactly what Alex Haynes, CISO at IBS Software, did in a piece for Dark Reading. He found tools like Google Bard to be a great resource for creating more human-readable policies that still hold water. And since Bard and ChatGPT are available to anyone, if a CISO doesn’t take the time to make policies more understandable, their users will do it anyway. The next evolution of this is using LLMs to synthesize the documentation and practices an organization already uses into the basis of a policy it is already following. This could allow policies to be statements of actual practice rather than purely aspirational.

Listen to the full episode over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.

Thanks to our contributor Jaike Hornreich, SDG Corporation for supplying the What’s Worse?! scenario.

Thanks to our podcast sponsor, Panoptica, Cisco’s Cloud Application Security Platform


What I love about cyber security…

"I love the fact that as engineering groups are heading towards adopting technologies to make better products and better experiences, we, as security teams, must adopt and make sure that we align with them, and support them, and make sure that we don’t put any business risk alongside the technology." - Nadav Lotan, product management team leader, Cisco

Listen to the full episode of "BREAKING: “Department of No” Upgraded to “Department of Slow”."

The Demand for Affordable Blue Team Training…

"What I really like about this blue team/red team conversation though is that a lot of modern organizations have a purple team where people will rotate in and out, they will collaborate, they will simulate the adversary, but then they will also kind of try to be more mature about just avoiding the stereotype of the red team breaks in and makes the blue team work the weekend." - Ron Gula, president and co-founder, Gula Tech Adventures

Listen to the full episode of "The Demand for Affordable Blue Team Training."

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

LIVE!
Cyber Security Headlines - Week in Review


Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Gerald Auger Ph.D., chief content creator, Simply Cyber.

Thanks to our Cyber Security Headlines sponsor, Vanta


Super Cyber Fridays!
Using Evidence for Third-Party Risk Management


No one likes third-party risk management. Part of that is the reliance on third-party questionnaires, static documents that are almost never timely or give you enough information. We need to move on to evidence-based third-party risk decisions, argues Paul Valente, CEO and co-founder, VISO TRUST. No one is saying this is easy, but it’s the most reliable way to assess third-party risk.

Check out this preview of our Super Cyber Friday event happening this Friday, March 22, 2024. Our topic will be “Hacking Effective Third-Party Risk Management: An hour of critical thinking of going beyond questionnaires and ratings.”

Joining host David Spark and Paul will be Arkadiy Goykhberg, CISO, Branch.

It all starts at 1 PM Eastern/10 AM Pacific. At the end of the hour [2 PM Eastern/11 AM Pacific] we’ll switch gears to our meetup where everyone will get a chance to chat face to face. Join us!

Thanks to our Super Cyber Friday sponsor, VISO TRUST


Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.