[07-16-24] I Don’t Want Insider Risk, You Take It

CISO Series Podcast
I Don’t Want Insider Risk, You Take It

We know insider risks represent a major attack surface for any organization, but who should own insider risk management? HR, security, legal? 

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, operating partner, YL Ventures. Joining us is our sponsored guest, Abhishek Agrawal, CEO and co-founder, Material Security.

What does defense in depth look like in the cloud?

While the principles of defense in depth are the same on-prem and in the cloud, the shared responsibility model significantly changes how it is implemented, said Anton Chuvakin of Google’s Cloud Security podcast. Many security professionals have argued that "defense in depth" is an outdated framing and that "defense in height," stacking interlocking controls rather than sequential layers, fits better. What matters is rapid response and adaptive defenses rather than more of the traditional protective controls, and those defenses should be attack-agnostic. Organizations need a balanced approach to cloud security, weighing the value of multiple layers of security controls against the cost of maintaining them.

Collaborating on insider risk

Who ultimately owns insider risk management? A recent study from MITRE showed that this is not a settled question, as reported by Christopher Burgess at CSO Online. Responses ranged from general counsel and human resources to infosec. In practice, insider risk management calls for a dual approach that separates the technology from the people. CISOs own the technological side, making sure devices and data are secured, while HR handles the human side, treating employees well so they do not become hostile. HR and legal set the constraints, but the security team must identify the risks and implement the controls. Collaboration among HR, legal, and security is key, with security taking the lead on detection and management and bringing in its counterparts as needed.

Email is a vector and a target

Email remains the bedrock of most organizations. Instead of blaming users for email-related security issues, organizations need to rethink the level of trust they place in email in the first place. It is well known that email is a major attack vector, but the conversation needs to shift toward its role as a target. Email accounts hold years of sensitive information and act as the identity anchor for many other services (password resets, verification codes, account recovery), which makes them highly valuable to attackers.
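As an added illustration of the "email as a target" point, the script below is example code written for this write-up, not code from the episode, from Material Security or from its product. It inventories a constructed sample mailbox for the kinds of content an attacker would harvest after a mailbox compromise (password-reset links, one-time codes, financial statements, PII) and lists the sender domains for which the mailbox acts as an identity anchor. The sample messages, category names and regular expressions are illustrative assumptions; in practice the messages would come from an IMAP or Graph export and the rules would be tuned to the organization.

```python
import re
from collections import Counter

# Constructed sample mailbox for this example (not real mail).
# Each entry is (sender, subject, body).
SAMPLE_MAILBOX = [
    ("no-reply@bank.example", "Your March statement is ready",
     "Account ending 4412. Statement attached. Balance: $18,240.19"),
    ("security@cloud.example", "Password reset request",
     "Click https://cloud.example/reset?token=9f3a... to reset your password."),
    ("verify@sso.example", "Your verification code",
     "Your one-time code is 482913. It expires in 10 minutes."),
    ("hr@corp.example", "Offer letter - please sign",
     "Attached: offer_letter.pdf. Salary and SSN on file."),
    ("newsletter@shop.example", "Weekend deals", "50% off everything!"),
]

# Hypothetical signatures for content that makes a mailbox valuable to an
# attacker. Real deployments would use tuned, organization-specific rules.
RULES = {
    "password_reset": re.compile(r"reset.*(?:password|token=)|password reset", re.I),
    "otp_code": re.compile(r"\b(?:one-time|verification|2fa|mfa) code\b|\b\d{6}\b", re.I),
    "financial": re.compile(r"statement|balance|account ending \d{4}", re.I),
    "pii": re.compile(r"\bssn\b|social security|offer letter", re.I),
}

# Categories that show the mailbox is the recovery/identity channel for a service.
IDENTITY_CATEGORIES = {"password_reset", "otp_code"}


def classify_message(sender, subject, body):
    """Return the set of sensitive-content categories a message matches."""
    text = f"{subject}\n{body}"
    return {name for name, rx in RULES.items() if rx.search(text)}


def sender_domain(sender):
    """Extract the domain from an address such as 'verify@sso.example'."""
    return sender.rsplit("@", 1)[-1].lower()


def inventory(mailbox):
    """Summarize what an attacker would gain from reading this mailbox.

    Returns per-category counts, the number of messages carrying any
    sensitive content, and the sorted list of sender domains for which
    this mailbox is an identity anchor (reset links or one-time codes).
    """
    counts = Counter()
    anchors = set()
    sensitive = 0
    for sender, subject, body in mailbox:
        categories = classify_message(sender, subject, body)
        if categories:
            sensitive += 1
        counts.update(categories)
        if categories & IDENTITY_CATEGORIES:
            anchors.add(sender_domain(sender))
    report = dict(counts)
    report["sensitive_messages"] = sensitive
    report["identity_anchors"] = sorted(anchors)
    return report


if __name__ == "__main__":
    for key, value in inventory(SAMPLE_MAILBOX).items():
        print(f"{key}: {value}")
```

Run against the constructed mailbox, four of the five messages carry something worth stealing, and two sender domains (cloud.example and sso.example) treat this mailbox as the place they send reset links and one-time codes, which is exactly the "identity point" exposure the paragraph above describes.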

Understand risk during an IPO

As the IPO market heats up, cybersecurity has become increasingly pivotal during due diligence, and public companies face heightened reporting requirements once they list. A cyber incident during the IPO process itself could derail it. CISOs can prepare by avoiding surprises, much as well-established financial and accounting teams do, which means educating the board and the market on the company’s risks, its incident response strategy, and its mitigating controls. It is also important to remember that the governance dynamic shifts post-IPO: the board is now accountable to public shareholders and the company to SEC disclosure rules, which calls for a different approach to cybersecurity oversight and governance.

Listen to the full episode over on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.

Thanks to BadThingsDaily on X for providing our “What’s Worse” scenario.

Thanks to our podcast sponsor, Material Security

Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

What I love about cybersecurity…

"One thing I love about cybersecurity is that usually, at least, we're not solving made-up problems. These are very real problems. I think I have some scar tissue from my past where I was in the productivity space and we were often talking about problems that seemed kind of almost made up, like, oh, could file sharing be even more seamless? Like, it actually works just fine. It's probably fine. But in security these are really real problems that we get to tackle every day." - Abhishek Agrawal, CEO and co-founder, Material Security.

Listen to full episode of "I Don’t Want Insider Risk, You Take It."

Telling Stories with Security Metrics

"The threat landscape these days is much more dynamic than a point in time. That’s why we would like to be able to see metrics and the controls and their performance, in the way that we can see that in a continuous way that will not just give us the visibility but will actually help us to see that we are enforcing the policies that we have probably set during the risk assessment." - Shirley Salzman, CEO and co-founder, SeeMetrics.

Listen to full episode of "Telling Stories with Security Metrics."

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

LIVE!
Cyber Security Headlines - Week in Review


Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Adam Arellano, former vp, enterprise cybersecurity, PayPal.

Thanks to our Cyber Security Headlines sponsor, Conveyor

Super Cyber Fridays!
Revolutionizing SOC Automation with Large Language Models

Automation in the SOC is experiencing a seismic shift, going from basic, rule-based robotic automation to the sophisticated capabilities of large language models. Edward Wu, CEO and founder, Dropzone AI, explained to me that LLMs not only make it easier to deploy existing SOC automation but also open the door to areas that previously didn’t seem possible to automate. So what are you automating today, and what do you wish you could automate? These expanding capabilities will be the basis for our conversation this Friday on Super Cyber Friday.

Please join us! Joining me and Edward Wu will be Caleb Sima, builder, WhiteRabbit.

It all starts at 1 PM Eastern/10 AM Pacific. At the end of the hour [2 PM Eastern/11 AM Pacific] we’ll switch gears to our meetup where everyone will get a chance to chat face-to-face.

Thanks to our Super Cyber Friday sponsor, Dropzone AI

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.