
[05-07-24] Can’t Talk, I’m Onboarding My Kids To Their First Soccer Practice

CISO Series Podcast

It seems like the age of fighting against the tide of BYOD has come to an end. It’s accepted wisdom that virtually all employees will commingle personal and company data on the same device. With the line so blurred, how do we keep this data secure? 

This week’s episode is hosted by me, David Spark, producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is our guest, TC Niedzialkowski, CISO, Nextdoor. 

The episode was recorded in front of a live audience at Planet Cyber Sec conference on April 17th, 2024 in Mountain View, California. 

The security conundrum of personal devices

We might know that doing work on a personal device isn’t good security practice, but that hasn’t stopped virtually all employees from doing it. Research shows 97% of US office workers do it, as pointed out by Shweta Sharma at CSO Online. In some ways, this simplifies the security approach: if we know employees will do it, we can architect zero trust to account for that reality. Losing the inevitable fight over BYOD gives security professionals a more consistent baseline to build on.

Cracks showing in open source security

Open source software provides the backbone of so much of our digital infrastructure. But the very things that make it appealing (open code, volunteer maintainers, no upfront cost) also make it appealing to threat actors. The XZ project hack shows the dangers of relying on unregulated maintainers for critical pieces of software. Even with the best of intentions, these developers can unknowingly hand off their duties to threat actors. Large organizations are already the major contributors to many open source projects, but how to build resilience around open source software remains an open question.

Following the NSA’s lead on zero-trust

CISA and other government agencies have stepped up efforts to give meaningful cybersecurity tools to the public. The NSA is no exception, having recently published updated guidance on zero trust. While this guidance isn’t revelatory, it presents a number of principles that can still be hard to swallow for less mature organizations: things like expecting threat actors to breach your perimeter and accepting that you’ll only make iterative progress on this journey, noted Robert Lemos at Dark Reading. The latter is key for organizations to realize. There’s never a point where you’ll finish a zero-trust implementation, but you can make gradual improvements that give your organization more resilience in the long run.

What’s old is new again

Web app security remains challenging. Not only do professionals need to respond to evolving threats, but web apps also seem prone to flaws that have been around for decades, like SQL injection, which still shows up in every edition of the OWASP Top 10. On the cybersecurity subreddit, some blamed this on regular churn among developers, with companies not keeping experienced developers on staff and new developers repeating the mistakes of the past.

Listen to the full episode over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.

Thanks to all our contributors at our live show, including Tyler Pinchard of SupportLogic, Francisco Igual of SOAProjects, Bil Harmer of Craft Ventures, Mike Skurko of ISSA SV, and Yash Kosaraju of sendbird.

Thanks to our podcast sponsors, Eclypsium and Normalyze.


Biggest mistake I ever made in security…

“I was doing a penetration assessment for a large ticket sales site. I was told that we were not doing this in production. It was QA, so that’d be safe, right? And I got lazy with the cross-site scripting testing. I used some broken HTML tags and I took down their main site.” - TC Niedzialkowski, CISO, Nextdoor

Listen to the full episode of "Can’t Talk, I’m Onboarding My Kids To Their First Soccer Practice."

Scaling Least Privilege for the Cloud

"What you learn in one cloud doesn't apply to the other. So it is a big learning curve to get that stuff going. But it does allow this scale to data and to resources and to permissions that are really hard to do using the standard RBAC models, right? Role-based access control where you're just granting somebody contributor at a subscription or you're just giving them editor rights in a GCP project." - Sandy Bird, co-founder and CTO, Sonrai Security.

Listen to the full episode of "Scaling Least Privilege for the Cloud."

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

LIVE!
Cyber Security Headlines - Week in Review


Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Sasha Pereira, CISO, WASH.

Thanks to our Cyber Security Headlines sponsor, Vanta.


Super Cyber Fridays!
Capture the CISO Finals


Season 2 of Capture the CISO is not over. We still have the finals!

And it's going to be LIVE on Friday, May 17th, 2024 at 1 PM ET/10 AM PT! This is the normal time we do Super Cyber Friday.

See our finalists Omer Singer, VP of strategy for Anvilogic, Russell Spitler, CEO of Nudge Security, and Attila Szász, founder and CEO of BugProve, go head to head to see which company captures our CISO judges' attention.

Our judges will be Edward Contreras, CISO for Frost Bank, and Alexandra Landegger, CISO for Collins Aerospace. The show will be hosted by Rich Stroffolino.

Thank you!
Thank you for supporting CISO Series and all our programming.

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.