[06-27-23] Password Rules Make Us Feel More Secure
CISO Series Podcast
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Our guest is Dave Hannigan, CISO, Nubank.
Here’s what we discussed on the show.
Are dumb password rules the result of security theater or limitations of old technology? Troy Hunt's new site, "Dumb Password Rules," demonstrates yet another slice of security theater: rules designed to make their creator believe they're making the business more secure, but that appear to do nothing more than create unnecessary roadblocks and confusion. Mike Johnson points out that many of these password rules are actually not security theater but rather limitations of the old technology, such as mainframes, that sits behind the authentication. Instead of layering on more password rules, look to solutions, such as passwordless authentication and FIDO2, that bypass passwords altogether.
If I’m so important to the business, why am I constantly fighting for budget? Alyssa Miller, CISO for Epic, received a chorus of "Hell ya" with this tweet: "It's not risks that cause lack of sleep and burnout among IT and security leaders. It's the mental fatigue of being told you're critical to the success of the org but being forced to repeatedly defend the same technology/service spends over and over again." Mike Johnson rephrased Miller’s tweet as “It's the mental fatigue of being a cost center rather than a profit center.” Mike noted that it’s not unique to security. IT and HR have to deal with this as well.
Why aren't all the people raising their hands and saying "I want in" enough? There are tons of people who want a cybersecurity job and still struggle to get in. But, at the same time, we’re trying to attract even more people into cybersecurity. Don’t we already have a huge supply of candidates that we’re not letting in? The reason, said Dave Hannigan, is that we need more people from different backgrounds. He’s referring to those people who don’t naturally see themselves as cybersecurity professionals because they don’t come from a technical background.
What level of quality/service should security practitioners expect/demand from security vendors? This issue came up as a result of a Twitter and LinkedIn poll posted by Dr. Anton Chuvakin of Google Cloud who asked, "Would you call your #SIEM vendor support and complain if their out-of-the-box detection rule / content is producing false positives?" There was a significant percentage of respondents who selected, "Yes, they better fix it." Mike Johnson said, “If there’s no way for the customer to fix the false positives, then the vendor needs to step up.” But I argued this conversation should be moot. CISOs are always asking their vendors to be partners. So if a customer is having an issue, wouldn’t the vendor, as an opportunity to improve customer relations, want to step up?
Listen to the full episode over on your favorite podcast app or over on our blog where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to all our contributors (witting and unwitting): John Prokap, CISO for Success Academy Charter Schools, Peter Schwacker of Nearshore Cyber, Jason Dance of Stubhub.
Thanks to our podcast sponsor, Reqfast
10-second security tip...
"Take a moment before you do anything. Remember that speed can be your enemy. It's psychological for you to want instant feedback or gratification. Hackers know that. Even when you're thinking through complex problems, just take a moment and pause and then take the action that you want." - Dave Hannigan, CISO, Nubank
How To Get More People Into Cybersecurity...
"The work needs to be rescoped. Instead of to one super talent, you throw three beginners in the mix, you create a competitive yet also a teamwork situation. There's a lot of desire out there to get started, but the knowledge gap for cyber positions is great. And I hear this from students that I teach – we have to focus more on the essay part of the KSAs as I had mentioned earlier." - Rich Gautier, former CISO for the U.S. Department of Justice, Criminal Division
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Cyber Security Headlines - Week in Review
Make sure you to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Cassio Goldschmidt, CISO, ServiceTitan.
Thanks to our Cyber Security Headlines sponsor, AppOmni
Map Staff Training to the Threats
"Hire or train staff for the threats," said Paul Reid, global head of threat intelligence, OpenText. It's a very simple concept that makes complete sense. There needs to be a mapping from skills to threats. But we rarely think about hiring that way. The right people to look for are the ones who have skills in handling these kinds of threats. Watch this video with me and Paul as we talk about hiring and finding people who are adaptable, because the threats you hire for today are not the ones you're going to be dealing with tomorrow.
Watch the video
HUGE thanks to our sponsor, OpenText
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.