[06-06-23] Your Lips Say “No,” But I’m Not Listening

CISO Series Podcast

Your Lips Say “No,” But I’m Not Listening

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, operating partner for YL Ventures. Our guest is Rinki Sethi, VP and CISO for BILL.

This is what we discussed on the show.

You can’t just tell users to not use an insecure technology they love. There is a long history of security professionals complaining about the insecurity of new technologies. When new technologies take off, they rarely have much security built in. The populace never comes around and says, "Security is right. We should stop using this thing we love." The popular technology ALWAYS wins. In a post on LinkedIn, Matthew Sullivan of Instacart pointed out we have a history of this with BYOD, DevOps, and the Cloud. As a security leader, figure out how you want to handle ChatGPT, because generative AI isn’t going away just because you have security and privacy concerns.

The critical nature of a cyber-aware board and C-suite. The board can’t look only to the CISO for all of its cyber education. It needs other opinions and other sources of information. If that cyber knowledge isn’t already present, for example through an ex-CISO on the board, then some boards will turn to cyber advisory boards to complement the CISO’s efforts, noted Rinki Sethi. The cyber knowledge from these advisors doesn’t need to be tactical; it is more about being aware of how the threats operate, said Andy Ellis.

Is there any value to “Failure is not an option”? “I work in software product management, and if failure wasn’t an option, we’d never build anything. I think it’s outdated sales-ish ‘motivational’ nonsense,” said @CyndiL44 on Twitter. Karsten Hahn of G DATA echoes the sentiment: “Failure is not avoidable and is an opportunity to learn and make things better in the future. It should be used to improve processes.” Failure is a tool for creating opportunities, said Sean Mollett: “Failure is not recognizing and correcting a mistake.”

What are the realistic expectations of a CISO’s performance? In an article on Dark Reading, Steve Shelton of Green Shoe Consulting outlines a fictional scenario of a very demanding CEO who requires 100% protection against malicious threats and perfect performance. Is this type of scenario still applicable? Written in February 2023, it seems a little outdated. Don’t most people realize that perfection and 100% security are both far from reality? Realistically, the business isn’t expecting perfect security, but it is expecting that the CISO can handle incidents. “In a healthy organization, you have incidents on a regular basis. Most of them don’t have really bad outcomes. But they’re at least visible so that the management gets this understanding that you are capable of managing incidents,” said Ellis.

Listen to the full episode over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.

Thanks to our podcast sponsor, OffSec

What I hate about cyber security...

“What I hate about cyber security is that the gender diversity in the field doesn’t represent the gender diversity in the world. And the reason that’s frustrating is because we have some of the toughest challenges that we need to go and solve, and we need different ways to go and solve the cyber security challenges. And the only way we’re going to do that is if we have that kind of diversity.” - Rinki Sethi, VP and CISO, BILL

How Must Processes Change to Reduce Risk?

“We are talking about reframing the conversation in terms and in context that a business can really evaluate, and address, and understand that by doing so, it’s not only making the business more secure or providing protection, but it actually enables them to grow the business.” - Amad Fida, CEO, Brinqa

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

Cyber Security Headlines - Week in Review

Make sure you join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Joshua Scott, head of security and IT, Postman.

Thanks to our Cyber Security Headlines sponsor, Trend Micro

Super Cyber Fridays!

Data Classification Is the Key to Your Data Security Efforts

Hacking Data Loss

Why is data classification such a critical keystone? "It helps you quantify where your risk is," said Matt Radolec, Sr. Director of Incident Response and Cloud Operations, Varonis. "If you're trying to figure out, 'Where is your risk? Where should you apply controls?', a good place to start is classifying your data and figuring out where that breach risk is."

In this video, Matt and I talk about the importance of data classification, all as a tease for the chat we're going to be having this Friday (June 9th, 2023) for Super Cyber Friday: “Hacking Data Loss: An hour of critical thinking about improving the marriage between data security and cybersecurity.”

Joining me and Matt will be Mike Johnson, CISO, Rivian.

It all starts at 1 PM Eastern/10 AM Pacific. At the end of the hour [2 PM Eastern/11 AM Pacific] we'll switch gears to our meetup where everyone will get a chance to chat face to face.

Thanks to our Super Cyber Friday sponsor, Varonis

Live show!

CISO Series Podcast LIVE in Denver 6-7-23

Here's a preview video of the live audience recording of the CISO Series Podcast at the Rocky Mountain Information Security Conference (RMISC) in Denver. Joining me on stage will be Michelle Wilson, CISO, Movement Mortgage, and Jay Wilson, CISO, Insurity.

WHEN: The RMISC conference runs from June 7th to June 9th, 2023. We'll be kicking off the event on June 7th with our recording at 4:30 PM MT. Right after our session will be a welcome reception and game night. Looking forward to that. They better have pinball!

WHERE: Colorado Convention Center, 700 14th St, Denver, CO 80202

HUGE thanks to our sponsor, Trend Micro
Thank you!

Thank you for supporting CISO Series and all our programming.

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.