[06-20-24]-- Join us tomorrow for “Hacking Generative AI Anxiety”
Super Cyber Fridays!
Join us TOMORROW, Friday [06-21-24], for "Hacking Generative AI Anxiety"
Join us Friday, June 21, 2024, for “Hacking Generative AI Anxiety: An hour of critical thinking about how to create constructive outlets around this technology.”
It all begins at 1 PM ET/10 AM PT on Friday, June 21, 2024, with guests Russell Spitler, CEO and co-founder, Nudge Security, and Jay Wilson, CISO, Insurity. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Nudge Security
Defense in Depth
How AI Is Making Data Security Possible
Have we lost sight of data security with defense in depth? Recent trends have seen a focus on applications and roles, but do we need to refocus on the fundamentals?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Lamont Orange, CISO, Cyera.
The data security check has come due
The fundamentals of data security are well understood, but implementing them effectively at scale remains a challenge. "Core data security relies on basics - understanding your data, knowing where it sits, ability to provide safe and JIT (just in time) access, safe environment to process such data and robust disposal," said Venkat Paruchuri, CISO of Cox Automotive Inc. But this difficulty has led many organizations to kick the can down the road. As Duane Gran of Converge Technology Solutions Corp points out, this is now being felt with the rollout of LLM-based tools, saying, "Look at the rollout guidance to use Microsoft Copilot. If you don't want everything indexed, you need a foundation of good data governance and classification. Organizations are experiencing a ‘check has come due’ moment as they want to use powerful AI tools but data hygiene may be lacking."
Putting data security at the heart of defense in depth
Even outside of emerging AI applications, mature data security practices can create a virtuous circle for your entire security program. "Data Security is the inner layer of any defense in depth strategy. If these principles of data security are adhered to, they enable the other layers of defense and make them more valuable and successful," said Tony Gonzalez of Innervision Services LLC. Bil Harmer, CISO at Craft Ventures, points out a fundamental tension with data security in our age of AI, saying, "Controlling the access to information is why we add layers to defense in depth and what is at the core of zero trust. Access to data should be validated and verified on a continuous basis. It's why the building of AI systems at the rate they are being built scares me. We are implicitly trusting data scientists with MASSIVE amounts of data in the training and tuning phases."
Automation is key
Automation isn’t just a way to scale data security; it also lets an organization use data security as a tool in its own right. "Data security defense in depth for us was defined by answering (using technology) the following: Is it sensitive? Who can access it? Then enforcing the policy of zero trust and least privileged. When you have it automated, it can be successfully used for both posture and incident response," said Snir Ben Shimol of ZEST Security. With automation in place, organizations can enable a data access policy engine that can make sensible ABAC (Attribute-Based Access Control)-style policy rules.
You need to know what you’re protecting
One of the reasons data security remains challenging is the fundamental nature of data. "Data cannot self-defend. You need an encapsulating app to guard data access. The only direct security on data is encryption, and that leaves you as vulnerable as passwords," said Abhishek Singh of Qualys. This makes data classification of primary importance. Knowing what data you are protecting gives you the context to build everything else around it for defense. Alex Bodryk of Netcracker Technology makes the case that this should be the first thing to do, saying, "Start with data classification, and after that label security scopes, zones and environments using that, and apply networking, people and application controls in a relevant way. Data classification itself can be pretty simple."
Listen to the full episode over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to Justin Pagano of Klaviyo for being another witting contributor for this week’s show.
Thanks to our podcast sponsor, Cyera
Subscribe
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Bil Harmer, operating partner and CISO, Craft Ventures.
Thanks to our Cyber Security Headlines sponsor, Vanta
Sponsored content
From Pen Testing to Remediation with NetSPI
There are a lot of common pitfalls in penetration testing, particularly with the remediation phase. It's important to move away from static processes to more actionable systems, understanding the gaps in an organization's IT assets, and adopting a continuous and programmatic approach to pen testing, argues Aaron Shilts, CEO, NetSPI.
Huge thanks to our sponsor, NetSPI
Cyber chatter from around the web...
Jump in on these conversations
"Is Cyber Security an issue in SMB market?" (More here)
"How is the Job market Scene for Cyber Security in USA?" (More here)
"What is an essential read for Cybersecurity?" (More here)
Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:
[07-12-24] Hacking the Materiality of a Data Breach
Save your spot and register for them all now!
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.