[04-04-23] No Need for Chaos Engineering Since Our Architecture Is Always Failing


Today’s issue of CISO Series Newsletter features this week’s episode of CISO Series Podcast, which is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, operating partner, YL Ventures. Our sponsored guest is Mike Wiacek, CEO, Stairwell. Here are a few of the items we discussed.

Can chaos engineering work well for security resilience and defense in depth? “Chaos engineering, at least the way Netflix engineered it, was set up as, ‘Let's just turn things off to make sure that resilience still works,’” said Andy Ellis. “You have to be really careful when you try to apply that to security systems. You don't want to just go and deliberately turn off systems in a way that's sort of deprovisioning them.” Certain systems can handle it, but you don’t want to be turning off authentication tools. In the world of security, chaos engineering can work… up to a point.

Are we building homogenous security stacks that become recognizable fingerprints? If we’re all following the same best practices for security, we’ve essentially told the bad guys how our walls are being built. The question is where we go beyond what is merely required. That’s how you stop the bad guys. For example, as Mike Wiacek explains, “If you're going to have a WAF in place to help filter, block, detect malicious activity, you still need to drive it, you still need to make sure that you are looking at what it sees.”

Does ‘tuning your EDR’ mean you’re going to ignore a bunch of alerts? “This whole ‘tuning’ concept is not focusing on how we can solve the problem. It's, ‘How do we make this less painful for the people who have to deal with it?’ There’s just too many of these alerts and, well, they can't deal with it, so let's just get rid of a certain number of them,” said Wiacek. “I've always found much more interesting stuff in the gray areas. What is in between absolutely no good and absolutely no bad?”

Wait, does cybercrime NOT pay? An article on Insider by Sindhu Sundar notes that ransomware payments are going down and the US government has successfully broken up ransomware gangs. One hacking group had to lay off 45 call center operators. Mike Johnson, the other co-host of this show, said that when building a security program his focus is just to make it more expensive to steal his data. Andy Ellis says to just keep looking at ways to narrow access to your most critical data. One way to do that would be to distribute Chromebooks to all employees, where nobody has any data sitting on their machines, thus eliminating ransomware, said Wiacek.

Listen to the full episode over on our blog where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.

Thanks to our podcast sponsor, Stairwell

What I love about cybersecurity...

"I love the game, that cybersecurity is almost adversarial by design. Whatever we do as defenders to try and protect systems that we're responsible for, bad guys are always trying to adapt and evolve, and then that forces us to do that. So, some people think it's like the eternal cat-and-mouse game, but there's something great about watching the coyote try and chase the roadrunner. It just keeps going and gets more and more fun as time goes on." - Mike Wiacek, CEO, Stairwell

CISO Series Podcast LIVE!

Join us in NYC on April 13th, 2023

Don't forget we're coming to NYC and we want you to join us. 

Joining me on stage will be guests Aaron Zollman, CISO & VP, Platform Engineering, Cedar, and Colin Ahern, Chief Cyber Officer for the State of New York.

Event is happening on Thursday, April 13th, 2023.

  • 5:30pm - Doors open

  • 6:30pm - Recording begins

  • 7:15pm - Recording ends and drinks and food served until 8:30pm.

>> REGISTER HERE on Eventbrite <<

Security That Accounts for Human Fallibility

"Humans are fallible – and when you have people in a system, you have to have controls to try and help those people do the right thing. So, when you talk about a broken system, or you talk about how people are being blamed, and how you communicate to those folks, it's all well and good, but again, you have to put the right controls in place because you have to expect that people, they're going to do the wrong thing, they're going to make these mistakes. And again, blaming the users for being human isn't effective. You have to understand what their behavior is, you have to understand how you can protect them from themselves." - Ken Athanasiou, CISO, VF Corporation

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

Cyber Security Headlines - Week in Review 

Make sure you join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Rich Gautier, former CISO, Department of Justice Criminal Division.

Thanks to our Cyber Security Headlines sponsor, Normalyze

Thank you!

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.