
[06-04-24]--I’m Rewarding Your Successful Use of the Security Budget by Giving You Less of It

CISO Series Podcast
I’m Rewarding Your Successful Use of the Security Budget by Giving You Less of It


Do cybersecurity budgets suffer from recency bias? It seems organizations are most likely to significantly raise budgets after a cybersecurity incident. That means if you’ve run an effective program, your budget could be a victim of your success. How can we change this mindset?

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, operating partner, YL Ventures. Joining us is our guest, Aamir Niazi, executive director and CISO, SMBC Capital Markets.

Communicating security accomplishments

It feels counterintuitive, but companies often cut cybersecurity budgets during periods without incidents and then increase spending following a breach. CISOs need to consistently market the cybersecurity team's achievements to demonstrate value and justify budget, especially when times get tight. This involves celebrating near misses and the efforts that prevent breaches. Regardless of budget, CISOs still must prioritize critical assets and maintain protection. A key to this is transparent communication with business units about what will be affected by budget cuts. This gives business leaders the tools to make informed decisions about resource allocation and potential risks.

Spotting red flags in an interview

What sets off your Spidey sense during a job interview? Always be on the lookout for certification-heavy questions without any follow-up on practical experience. It suggests the interviewer may lack a deep understanding of the role and not consider overall fit within the company culture. But just because these questions are asked doesn’t mean the interview has become a lost cause. Candidates who overly criticize certification-focused questions might miss opportunities to showcase their practical knowledge. Don’t be the "brilliant jerk" candidate who comes off as dismissive. The interview should ultimately be a two-way conversation to make sure both parties are the right fit.

What does offensive security look like today?

“Offensive security” has evolved. At one time the term evoked the idea of “hacking back,” but increasingly it's seen as an extension of traditional red teaming. It’s a means to create a holistic security assessment to preemptively address vulnerabilities, rather than settling for static and infrequent pentesting. The term still carries baggage, so to avoid any confusion, organizations should clearly distinguish it as legally permissible with sound objectives.

Where Gen AI is fitting into cybersecurity

We’re still in the early days of uncovering productive uses of generative AI. For example, the financial services industry has explored AI for tasks like risk assessments and parsing unstructured security data. As its use expands in business, security professionals will lean on AI to make informed decisions, such as generating remediation instructions, and potentially revolutionizing SOC automation.

Listen to the full episode over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.

Thanks to our unwitting contributor Tom Eston of SecurityWeek.

Thanks to our podcast sponsor, Cyera


Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Best advice for a CISO...

"Be a humble and empathetic leader. Hire the right people, build a strong team, and then empower them to make the decisions. What I really mean by that is just being able to connect to your teammates at a personal level and being able to understand what is going on in their day-to-day lives to be able to connect. That will help your team connect with you as a leader at a personal level. And at the same time, they’ll bring their best self while working on projects and day-to-day initiatives." - Aamir Niazi, executive director and CISO, SMBC Capital Markets.

Listen to the full episode of "I’m Rewarding Your Successful Use of the Security Budget by Giving You Less of It."

Recruiting From the Help Desk…

"I have managed help desk teams for the last 24-odd years, and the help desk team was kind of what security engineers do today. Because 20 years ago, cyber security or having a security dedicated team did not exist. And so you relied on your service desk team or infrastructure team to help you out." - Sasha Pereira, VP of infrastructure and CISO, WASH.

Listen to the full episode of "Recruiting From the Help Desk."

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

LIVE!
Cyber Security Headlines - Week in Review


Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Andrew Wilder, CISO, Community Veterinary Partners.

Thanks to our Cyber Security Headlines sponsor, Conveyor


Super Cyber Fridays!
Demystifying SOC 2 and ISO 27001


ISO 27001 and SOC 2 remain two of the most prominent industry compliance standards. These standards are crucial for establishing customer trust and maintaining security best practices, said Faisal Khan, SME, security GRC, Vanta.

Check out this preview of our Super Cyber Friday event happening this week, Friday, June 7, 2024. Our topic will be “Hacking SOC2 Vs. ISO 27001: An hour of critical thinking about the value of these compliance standards.”

Joining us will be Rich Friedberg, CISO, Live Oak Bank.

It all starts at 1 PM Eastern/10 AM Pacific. At the end of the hour [2 PM Eastern/11 AM Pacific] we’ll switch gears to our meetup where everyone will get a chance to chat face-to-face. Join us!

Thanks to our Super Cyber Friday sponsor, Vanta


Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.