[06-20-23]--Make Them a Passwordless Offer They Can’t Refuse (LIVE in Denver)
CISO Series Podcast
Make Them a Passwordless Offer They Can’t Refuse (LIVE in Denver)
This week’s episode was recorded in front of a live audience at the Colorado Convention Center in Denver where we kicked off the Rocky Mountain Information Security Conference (RMISC). Joining me, David Spark, producer of CISO Series, on stage was my guest co-host, Jay Wilson, CISO for Insurity. Our guest was Michelle Wilson, CISO, Movement Mortgage.
This is what we discussed on the show.
We’re going passwordless, suck it up. Are we spending too much time listening to our users when it comes to authentication? We all know a password-only solution is weak and full of security holes. We try to amend with multi-factor authentication, but adoption is so low. Why don’t we just force people to adopt passwordless? That’s what Expensify did. Don’t even give them an option. It’s our way or the highway. Do we have to force users to go passwordless?
Are we overthinking the value of ChatGPT for cybersecurity? Cyberdefense automation, adversary simulation, reporting, and threat intelligence are all future applications of ChatGPT, said Ashwin Krishnan on TechTarget. But after reading a discussion on the r/cybersecurity subreddit, where a redditor asked, "What does the future of cybersecurity look like with the rise of AI?", I thought we may be overthinking this. One redditor responded: "Our customer wanted us to prepare a tabletop incident response exercise. I basically copied their email to ChatGPT and told it to prepare the scenario and timeline. Then I copied the answer to email, changed two things, and sent it to them. The customer was happy. Saved at least half an hour." Isn’t the real benefit of AI in the hands of those creative people who know how to take advantage of the tool at the right time, quickly slicing out time-intensive projects? Or am I selling the benefits way too short?
It’s amazing what we don’t know when we try to find our first job in cybersecurity. “It's not about who you know, but who knows you,” advised Ricki Burke, founder of CyberSec People. Green cyber people wanting to get in are eager to know the right path to their first job, and this eagerness makes them a target for a TON of bad advice. But those who are actually doing the work of hiring are the ones who truly know. They are the gatekeepers. Only when I started hiring myself did I realize all the mistakes I made when I was looking for a job. What is it that you only know about hiring once you actually begin to hire?
How exactly are they a “winner” if they just paid to win the award? The reality is yes, you can pay to win an award in cybersecurity. It’s a plague that affects our industry and Mark Curphey of Crash Override along with Thinkst Canary and Resourcely want to put an end to the endless stream of non-credible cybersecurity awards. They launched a site, SillySecurityAwards.com, offering evidence for how bogus these awards are. They go so far as to tell you publicly that certain payments will “significantly increase your odds of an award win." Haroon Meer of Thinkst created a fictitious person from a fictitious company and paid real money to an awards program, and guess what? He won! Let’s expose the credible and not so credible awards being offered in cybersecurity.
Listen to the full episode over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to our podcast sponsor, Trend Micro
Best advice I ever got in security...
"Know your audience. So if you're emailing an executive, make sure that you start with what you need. Are you asking them a question? Do you need them to make a decision? Are you just letting them know something? And then be succinct, to the point, and if you need to elaborate, do that later." - Michelle Wilson, CISO, Movement Mortgage
How to Create a Positive Security Culture
"In reality, I think you can extrapolate this out and go you really are asking people to change their behaviors by informing them what positive behaviors are, why you’re trying to change their behavior, what you’re trying to get towards." - Geoff Belknap, CISO, LinkedIn
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Cyber Security Headlines - Week in Review
Make sure to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Janet Heins, CISO, iHeartMedia.
Thanks to our Cyber Security Headlines sponsor, Wing Security
How To Make the Security Department More Approachable
The best way for people to realize that it's OK that you made a cybersecurity mistake is to own up to the mistakes that you've made, said George Gerchow, CSO and SVP of IT, Sumo Logic, who admits to a stupidly simple mistake: copying everyone on a cc list who should have been on a bcc list. That list of names got posted everywhere.
It's not that we want people to care about security, but rather we want them to be thinking about security reflexively and do it as a matter of their daily actions, just as simply as we brush our teeth or put on our seatbelt in a car.
HUGE thanks to our sponsor, Sumo Logic
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.