[03-28-23] Why Aren’t You On Slack Where I Can Interrupt You?
CISO Series Podcast
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, operating partner, YL Ventures. Our guest is Howard Holton, CTO, GigaOm. We discussed the following.
Who are the innovators of cybersecurity, the attackers or the defenders? This question alone may sound like cybersecurity heresy. “How could you give any credit to the adversaries?” But in an article on Venture in Security by Ross Haleliuk, he posits that the critical driver of innovation is the adversary who is trying to think of ways to break our defenses. We often refer to this as a “cat and mouse” game, but for this discussion it may also be a "chicken and egg"-type philosophical discussion. Who do we credit with the innovation? Solutions we have today would not exist if it weren't for the adversary finding new techniques.
How do we tackle the complex beast of “zero trust”? Our guest Howard Holton provided a really succinct definition that also demonstrates the amount of work zero trust entails. Of zero trust he said, “You are trusted only to take one action, one time, in one place, and the moment that changes, you are no longer trusted and must be validated again, regardless of your location, application, user ID, etc.” Both Andy and Howard talked about what would essentially be the grandmaster level of building out a zero trust network architecture, or ZTNA. Howard suggests you start by drawing an outline of the elephant you’re going to try to tackle.
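To make Howard’s definition concrete, here is a small policy engine that grants authorization for exactly one action, one time, bound to one context, and forces re-validation the moment anything about that context changes. This is an added illustration written for this summary, not code from the podcast, from GigaOm, or from any zero trust product; the request fields (subject, action, resource, device, location), the sample policy and the sample requests are all constructed assumptions.

```python
"""Added example: "one action, one time, in one place" authorization.

Illustrative code for this newsletter summary, not from the podcast or
any vendor. Request fields, the allow-list and the demo requests are
constructed assumptions chosen to show the principle.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, Optional, Set, Tuple
import hashlib
import hmac
import secrets


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    action: str
    resource: str
    device_id: str
    location: str

    def fingerprint(self) -> str:
        # Everything that defines "this action, in this place" is bound into
        # the grant, so any change in context produces a different fingerprint.
        raw = "|".join([self.subject, self.action, self.resource,
                        self.device_id, self.location])
        return hashlib.sha256(raw.encode()).hexdigest()


@dataclass
class PolicyEngine:
    # Allowed (subject, action, resource) triples: a constructed sample policy.
    allow: Set[Tuple[str, str, str]] = field(default_factory=set)
    # Outstanding one-time grants: grant id -> fingerprint it was issued for.
    _grants: Dict[str, str] = field(default_factory=dict)

    def validate(self, req: AccessRequest, identity_verified: bool) -> Optional[str]:
        """Full validation: fresh identity proof plus policy check.

        Returns a single-use grant id, or None when the request is refused.
        """
        if not identity_verified:
            return None
        if (req.subject, req.action, req.resource) not in self.allow:
            return None
        grant = secrets.token_hex(16)
        self._grants[grant] = req.fingerprint()
        return grant

    def execute(self, grant: Optional[str], req: AccessRequest) -> str:
        """Consume the grant for exactly this request, exactly once.

        The grant is removed whether or not the check passes, so a mismatched
        attempt cannot be retried without going back through validate().
        """
        bound = self._grants.pop(grant, None)
        if bound is None:
            return "denied: no live grant, re-validate"
        if not hmac.compare_digest(bound, req.fingerprint()):
            return "denied: context changed, re-validate"
        return "allowed"


def demo() -> list:
    """Walk through the cases the definition calls out; returns the outcomes."""
    engine = PolicyEngine(allow={("alice", "read", "payroll-db")})
    req = AccessRequest("alice", "read", "payroll-db", "laptop-7", "office")
    outcomes = []

    grant = engine.validate(req, identity_verified=True)
    outcomes.append(engine.execute(grant, req))        # one action, one time: allowed
    outcomes.append(engine.execute(grant, req))        # same grant again: must re-validate

    grant = engine.validate(req, identity_verified=True)
    moved = replace(req, location="cafe")              # "one place" no longer holds
    outcomes.append(engine.execute(grant, moved))

    # A different action needs its own validation; here policy refuses it.
    outcomes.append(engine.validate(replace(req, action="write"),
                                    identity_verified=True) is None)
    # Without a fresh identity proof nothing is granted, whatever the policy says.
    outcomes.append(engine.validate(req, identity_verified=False) is None)
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the design is that there is no standing "trusted" state anywhere: the only thing the engine remembers is a grant for one specific request, and that grant disappears on first use. Everything else, including "the same user doing the same thing again from the same laptop", goes back through validate().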
Why did it take so long for APIs to be recognized as an asset to be discovered? What security leaders know about their API environment is a colossal mess. I've seen reports where half of APIs are unmanaged or abandoned. And three-quarters of security leaders haven't done a complete inventory of their APIs, according to a report by OpinionMatters cited by Jon Gold in a CSO Online article. Howard said the reason this problem has gone on so long is that both security and development have been passing the buck, saying it’s someone else’s problem, and as they kept doing this the problem kept mounting. The unknown API environment is massive, said Howard, who has seen the unknown-to-known ratio run as high as 4-to-1.
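One practical first step toward the inventory Howard describes is to reconcile what actually gets called against what the team believes it exposes. The following is an added example, not from the podcast, CSO Online or any API security product: it parses a handful of constructed access log lines, collapses numeric path segments into a template, and reports endpoints seen in traffic but missing from the inventory (the "unknown" set), endpoints in the inventory that never appear in traffic (candidates for the abandoned APIs mentioned above), and the unknown-to-known ratio. The log format, the inventory and the traffic are all constructed assumptions.

```python
"""Added example: reconcile observed API traffic against a declared inventory.

Illustrative code for this newsletter summary, not from any vendor. The
log format, the sample lines and the inventory below are constructed.
"""
import re
from collections import Counter
from typing import Counter as CounterType, Dict, Set, Tuple

# Constructed sample access log lines (not real traffic).
SAMPLE_LOG = """\
2023-03-27T10:02:11Z 10.0.0.5 "GET /api/v1/users/123 HTTP/1.1" 200
2023-03-27T10:02:13Z 10.0.0.9 "POST /api/v1/orders HTTP/1.1" 201
2023-03-27T10:02:20Z 10.0.0.5 "GET /api/v1/users/456/export HTTP/1.1" 200
2023-03-27T10:03:01Z 10.0.0.7 "GET /internal/debug/config HTTP/1.1" 200
2023-03-27T10:03:05Z 10.0.0.5 "GET /api/v1/users/789 HTTP/1.1" 200
2023-03-27T10:04:10Z 10.0.0.2 "DELETE /api/v0/accounts/42 HTTP/1.1" 204
2023-03-27T10:04:33Z 10.0.0.7 "GET /api/v1/health HTTP/1.1" 200
"""

# Constructed inventory: what the team believes it exposes, as
# (method, templated path). The PUT route is documented but never called.
INVENTORY: Set[Tuple[str, str]] = {
    ("GET", "/api/v1/users/{id}"),
    ("PUT", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/health"),
}

# timestamp client "METHOD /path HTTP/x.y" status
LOG_RE = re.compile(
    r'^\S+ \S+ "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)
# A path segment made only of digits is treated as an identifier.
NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")


def normalize(path: str) -> str:
    """Drop the query string and replace numeric segments with {id}."""
    path = path.split("?", 1)[0]
    return NUMERIC_SEGMENT.sub("/{id}", path)


def observed_endpoints(log_text: str) -> CounterType[Tuple[str, str]]:
    """Count requests per (method, templated path); unparseable lines are skipped."""
    counts: CounterType[Tuple[str, str]] = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        counts[(m["method"], normalize(m["path"]))] += 1
    return counts


def reconcile(log_text: str, inventory: Set[Tuple[str, str]]) -> Dict[str, object]:
    """Split observed endpoints into known/unknown and flag inventory never seen."""
    seen = observed_endpoints(log_text)
    known = {ep for ep in seen if ep in inventory}
    unknown = {ep for ep in seen if ep not in inventory}
    never_seen = inventory - set(seen)
    return {
        "known": sorted(known),
        "unknown": sorted(unknown),
        "never_seen": sorted(never_seen),
        # Guard against an empty known set so the ratio is always defined.
        "unknown_to_known": len(unknown) / max(len(known), 1),
    }


if __name__ == "__main__":
    report = reconcile(SAMPLE_LOG, INVENTORY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed traffic this flags three endpoints nobody documented (a debug route, a stale v0 account deletion route and an export sub-resource) against three known ones, an unknown-to-known ratio of 1.0, and one documented route with no traffic at all. Real logs need a sturdier normalizer (UUIDs, hashes and locale segments also have to collapse), but the reconciliation logic is the same.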
Is the growth of collaboration tools just making us more prone to interruption, so that nobody can get their job done? According to a rant by a redditor on the r/cybersecurity subreddit, they’ve had it with cybersecurity, especially the irritation of constant communications. "Trying to SIT AND FOCUS on solving at least one god damn problem without being needled by teams, slack, email, phone call, sms, jira, etc…Meetings and more meetings that stop me from getting actual work done," they said. Andy boiled this down to a problem with leadership. If you’re frustrated, you should definitely tell your leader; they want to hear this. If you don’t tell them, you’ll probably leave out of frustration, nobody is happy, and nothing gets solved.
Listen to the full episode on your favorite podcast app, or over on our blog where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to our podcast sponsor, Cyolo
Best advice I ever got in security...
"Keep it simple. You’re likely overcomplicating it. The reality is we spend a lot of time as technologists kind of buried in technology and really hearing a lot about various technology and tools that can solve our problems. But what we really need to remember is we’re a business, and we need to be able to run a business. So, let’s think instead of thinking about all of the things that are possible…let’s think about it from the perspective of who are our people, what do we do, who are we, what’s reasonable, and then work back from that to figure out what we really should be doing. So, really keep it simple." - Howard Holton, CTO, GigaOm
Why YOU Should Be Your Company's Next CISO
"A lot of the time if you have a CISO, the CEO is probably a little bit more read in on what they want out of a CISO. But if there is no CISO in the organization and they’re starting to think about hiring their first CISO, most CEOs don’t really even have a firm idea of what they want because the role is evolving so quickly and constantly. So, the more that you’re in front of them and as that vision of what they need out of their CISO for the position is evolving, you’re read in. You now can start to learn the things that that CEO is going to want out of the CISO, and then you’re on the gravy train." - Radley Meyers, partner, SPMB Executive Search
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Cyber Security Headlines - Week in Review
Make sure to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Brett Conlon, CISO, American Century Investments.
Thanks to our Cyber Security Headlines sponsor, Trend Micro
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.