[04-30-24]--I Really Shouldn’t Have Agreed to Variable Rate Technical Debt

Capture the CISO!
Capture the CISO! Season 2 Episode 2 Out Now!

Capture the CISO Season 2 is back! Listen to the second episode, available now, and see the contestants’ videos!

CISO Series Podcast
I Really Shouldn’t Have Agreed to Variable Rate Technical Debt


Technical debt is an inevitability in any organization. But managing it requires a framework for understanding the risk that technical debt represents to your organization. So how do you decide when you need a systematic refresh and when you can kick the can down the road a little longer?

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest Aaron Shaha, CISO, CyberMaxx.

Threat actors getting in on the AI rush

With all the breathless hype surrounding LLMs and generative AI tools, it’s surprising it took this long for us to see reports of threat actors using them. Microsoft and OpenAI released details of some attempts they’ve seen, like using AI to create malware. It’s great that they disclosed this, but as the major vendors of LLM services, these companies need to be held to a higher standard. They need to produce actionable reports that help inform how we assess the risk of these models, and show us the work they are doing to better secure them from malicious use.

Cybersecurity needs to account for company culture

As a discipline, cybersecurity gets into trouble when we think about it in isolation from the business. Abstract best practices are important, but if they can’t survive first contact with a company’s culture, they aren’t much use. A recent paper by Fred Hebert of Honeycomb showed this conflict in effect in hospitals, where sensible security precautions were sidestepped for the sake of lifesaving treatment. This requires cybersecurity to understand the company before building controls, by talking to the people they will impact and seeing their processes in action. 

MDR shouldn’t focus on tools

Managed detection and response (MDR) conversations often center around installing agents and other tooling. But we need to shift the conversation to exploring how MDRs can solve the human problems of your cybersecurity team so they can focus on business outcomes. Focusing on tooling can cause you to underestimate the challenge of setting up your own SOC and MDR practices, which need to understand the human elements behind attacks.

Paying down technical debt

Technical debt is inherent across any IT stack. Everyone is accruing it all the time, but not everyone strategizes on how to pay it down. Organizations need a systematic approach to the issue, Zach Zoulias of Zoba Lab argued. Right now, most technical debt conversations happen as the technology ages, where organizations determine if they can get away with another minor update or need a full infrastructure refresh. But just like with disaster recovery and business continuity plans, organizations could create robust end-of-life plans at the point of implementation. These could outline set conditions for sunsetting aging tech that won’t come as a surprise. 

Listen to the full episode over on our blog, where you can also read the entire transcript, or on your favorite podcast app. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.

Thanks to our contributor Jon Densmore of First Mutual Holding for providing this week’s “What’s Worse?!” scenario. 

Thanks to our podcast sponsor, CyberMaxx

The Importance of Data Hygiene with OpenText

Knowing what data your organization holds is critical to using it effectively. But many organizations don’t know where to start getting their data in order. In this video Greg Clark, director of product management, OpenText, details how organizations can frame holding data as a matter of risk and get started with a data hygiene program. This marks a key first step to holistically managing customer data.

HUGE thanks to our sponsor, OpenText


LIVE!
PREVIEW: CISO Series Game Show During RSA Week


Going to the RSA Conference? Looking forward to having some fun, winning prizes, and enjoying lunch? Then come to our CISO Series game show, happening on Tuesday, May 7th, 2024 from 12:30pm – 1:30pm on the second floor of the W Hotel – directly across the street from the Moscone Conference Center.

COME EARLY and grab lunch!

Check out this video where we highlight some of the games we’ll be playing.

If you want to come, you have to register. You can register right here.

HUGE thanks to our sponsor and host, Veracode


What’s a great approach from a security vendor?

"I really appreciate honesty. The industry is full of a lot of what we’ll call hype, and when I have a vendor come in that gives me just the straight answers, tells me exactly what their product’s capable of and not capable of, helps me understand and make a reasoned decision, and really helps me bring forward my team members that are part of that decision-making process, the CFO, the CEO, etc." - Aaron Shaha, CISO, CyberMaxx

Listen to the full episode of "I Really Shouldn’t Have Agreed to Variable Rate Technical Debt."

Should CISOs Be More Empathetic Towards Salespeople?

"At the end of the day, look, it’s human nature. People want to work with people that they like." - Emily Heath, general partner, Cyberstarts

Listen to the full episode of "Should CISOs Be More Empathetic Towards Salespeople?"

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

LIVE!
Cyber Security Headlines - Week in Review


Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Shyama Rose, CISO and head of IT, Affirm.

Thanks to our Cyber Security Headlines sponsor, Dropzone AI


Super Cyber Fridays!
How Compliance Can Launch Your Risk Program with Vanta


For many organizations, risk programs are driven by compliance requirements. Which compliance framework you use will directly impact what processes you have in place around risk, noted Kim Elias, Senior Compliance Specialist, Vanta. This puts the onus on organizations not just to recognize risk, but to assign ownership of the issues in a way that can be demonstrated in an audit.

Check out this preview of our Super Cyber Friday event happening this Friday, May 3, 2024. Our topic will be “Hacking the Value of GRC: An hour of critical thinking of how compliance can kickstart your risk program.”

Joining me and Kim will be Norman Hunt, Deputy CISO, GEICO.

It all starts at 1 PM Eastern/10 AM Pacific. At the end of the hour [2 PM Eastern/11 AM Pacific] we’ll switch gears to our meetup where everyone will get a chance to chat face to face. Join us!

Thanks to our Super Cyber Friday sponsor, Vanta


Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.