[05-21-24]--You Can’t Leak What You Don’t Collect

CISO Series Podcast
You Can’t Leak What You Don’t Collect

Data minimization in the US is changing from a potential policy goal to a regulatory imperative. Maryland’s new Online Data Privacy Act requires that any service collecting data limit that collection to what is “strictly necessary.” So how does this impact the rest of the country? And how do CISOs start getting ready for compliance?

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, operating partner, YL Ventures. Joining us is our sponsored guest, Jeremiah Roe, advisory CISO, OffSec.

How effectively can we legislate data minimization?

Maryland’s Online Data Privacy Act looks to give data minimization regulatory teeth in the US. It is another in an increasingly long line of state privacy laws that aim to set a new standard for privacy, though how effective they are remains an open question. If other states follow suit, it could drive a broader shift toward stricter data privacy standards across the U.S. From a consumer standpoint, Maryland’s law carries a lot of benefits. For businesses, however, it brings the challenge and cost of re-engineering their data ingestion processes so that they collect only what is necessary.

The rise of detection engineering

There’s increasing awareness that detection engineering isn’t just one part of working in the SOC; it’s a discipline in itself. Three major challenges remain, according to Anton Chuvakin, host of Google’s Cloud Security Podcast: a constantly changing threat landscape, the need for quick turnaround on detection content, and the sheer number of data sources in modern organizations. Improvements in detection engineering are being driven by a variety of factors. Executive orders, new cybersecurity laws, and initiatives like zero trust have led to progress, albeit fairly slow. As the field matures, detection engineering is becoming more specialized. That specialization addresses the difficulty of writing detection rules that are effective, perform well at scale, and keep false positives low.

Making training part of the development process

Training is the way for organizations to overcome the well-documented cyber skills shortage. Want a cybersecurity unicorn? Grow your own, said Jesse Whaley, CISO, Amtrak. Training also does wonders for employee retention. Leaning into that, training should be integrated into performance development rather than treated as a standalone activity. Organizations need to budget for training as part of overall employee costs, much as they do for benefits like insurance. Well-trained employees boost the business’s reputation and attract further talent. It’s a positive and virtuous cycle.

Learning from data breaches

As an industry, we usually learn from data breaches that hit our own organization. We need to get better at analyzing breaches that happen to others. Ido Ganor of CISOteria highlighted three key strategies on LinkedIn: identify root causes rather than symptoms, apply the insights that are relevant to your company, and focus on process improvements over new technology. This gets tricky because many breaches have multiple contributing factors rather than a single root cause, which makes it all the more important to examine processes to find and fix recurring issues. Technology failures often stem from process failures.

Listen to the full episode over on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.

Thanks to our contributor Jonathan Waldrop, CISO, The Weather Company for providing this week’s “What’s Worse?!” scenario.

Thanks to our podcast sponsor, OffSec

Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

What I hate about cybersecurity...

"What I hate about cybersecurity is exactly what I love about it. It's diverse, it's open, there's a lot to it, and it's super in-depth and complicated." - Jeremiah Roe, advisory CISO, OffSec.

Listen to the full episode of "You Can’t Leak What You Don’t Collect."

Where Are Secure Web Gateways Falling Short?

"I feel that SWGs, unfortunately, are forced to act in the blind because all they are seeing is this massive traffic stream. Imagine your browser has 10 tabs, all of that traffic just gets mixed. So, the SWG has really no application context. And I feel like that is the biggest undoing of the solution, is without context, how do you know how to look at traffic and decide what to do?" - Vivek Ramachandran, founder, SquareX.

Listen to the full episode of "Where Are Secure Web Gateways Falling Short?"

Subscribe to our newsletters on LinkedIn!

We've got our twice-weekly CISO Series newsletter and our daily Cyber Security Headlines newsletter available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this Friday and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Mike Lockhart, CISO, EagleView.

Thanks to our Cyber Security Headlines sponsor, Tines

Super Cyber Friday
Join us 05-31-24 for “Hacking Microsoft Copilot”

Please join us on Friday May 31, 2024 for Super Cyber Friday.

Our topic of discussion will be “Hacking Microsoft Copilot: An hour of critical thinking about how to get your Copilot pilot into production.”

REGISTER for 05-31-24 Super Cyber Friday event

Joining me for this discussion will be:

  • Brian Vecci, field CTO, Varonis

  • Cyrus Tibbs, CISO, PennyMac

It all starts at 1 PM Eastern/10 AM Pacific. At the end of the hour [2 PM Eastern/11 AM Pacific] we’ll switch gears to our meetup where everyone will get a chance to chat face to face.

HUGE thanks to our sponsor Varonis

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.