[07-25-23]--Vendors Are From Mars. Their Security Is From Venus.

CISO Series

CISO Series Podcast

Vendors Are From Mars. Their Security Is From Venus.

This episode was hosted by me, David Spark, producer of CISO Series, and Mike Johnson, CISO of Rivian. Our guest is Phil Beyer, former head of security, Etsy.

Should non-security employees be required to manage third-party risk? Mike Johnson said employees should be aware that third parties do pose risks, but they shouldn't be required to manage that risk because they're not risk professionals. When we take on others' resources, we are taking on third-party risk. Robert Wood, CISO for Centers for Medicare & Medicaid Services, tried to explain third-party risk to his son by using the analogy of building a fort. To which his son suggested they just make the fort out of LEGOs.

Which is the more hopeless pursuit: teaching security awareness to users, or to developers? That was the question Dr. Anton Chuvakin, host of the Google Cloud Security Podcast, asked in a Twitter poll. A companion LinkedIn poll offered different results, demonstrating that the audience was split on this question. But Wynn Fenwick of TELUS offers this argument, saying, "Talking security to Devs is basically telling them they are doomed to last minute bugs that 100 percent delay their deliverables' deadlines on every project, or they need to work 10 percent overtime pumping their own creations full of holes 'that would never happen.'" Mike Johnson is not so pessimistic. He said the way you approach devs is to talk about reliability and writing bug-free code. They don't need to be security experts. But they will listen to ways to do their job better. And Phil Beyer agrees. The real problem is us, the security professionals. He pointed to @mackwage's response to Anton's thread, that the toughest part is "teaching empathy to security professionals who think like this." BTW, Anton came around and admitted it was a false argument.

Are security lakes a revolution in data security management? Back in November 2022, Apurva Venkat wrote in CSO Online about AWS' announcement of their security data lake, which aggregates and normalizes cloud and on-prem security data, such as what feeds your SIEM, into one repository. Mike Johnson is very bullish on security data lakes because there is a lot of non-standardized data that many of us don't realize is there. For example, events arrive with timestamps in different time zones, such as UTC, EST, and PDT. Plus, vendors have different ways to tag IP addresses. All of this creates a lot of unnecessary confusion. "Normalizing security event data is the hardest problem when analyzing security data, and security lake solves that and more. I really hope we see more products like this," said Johnson. Phil Beyer pointed out that this concept is not new, but it wasn't easy before and required a lot of data engineering. What he's seeing now in the market is "commoditizing data management on our behalf (security) and providing us more time to focus on the work we want to do."
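To make the normalization problem Johnson describes concrete, here is an added example (not code from the episode, AWS, or CISO Series) that maps two constructed vendor events, with different timestamp zones and different IP field names, onto one common schema in UTC. The zone-abbreviation table, vendor field maps, and sample events are all assumptions constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed offset table for the zone abbreviations mentioned above. Abbreviations
# are ambiguous in general ("EST" is also used in Australia, and July data is really
# EDT), so a production pipeline should pin each source to an IANA zone name instead.
ZONE_OFFSETS = {"UTC": 0, "EST": -5, "PDT": -7}

# Constructed per-vendor field maps: each product tags the addresses and the
# timestamp differently. Common schema: ts (UTC ISO-8601), src_ip, dst_ip, action.
VENDOR_FIELDS = {
    "fw_a": {"ts": "event_time", "src_ip": "srcip", "dst_ip": "dstip", "action": "act"},
    "proxy_b": {"ts": "@timestamp", "src_ip": "client.ip", "dst_ip": "server.ip", "action": "verdict"},
}

def to_utc(stamp: str) -> str:
    """Parse 'YYYY-MM-DD HH:MM:SS ZONE' and return an ISO-8601 UTC string."""
    date_part, zone = stamp.rsplit(" ", 1)
    if zone not in ZONE_OFFSETS:
        # Fail loudly rather than silently assuming UTC; a wrong zone skews timelines.
        raise ValueError(f"unknown zone abbreviation: {zone!r}")
    naive = datetime.strptime(date_part, "%Y-%m-%d %H:%M:%S")
    aware = naive.replace(tzinfo=timezone(timedelta(hours=ZONE_OFFSETS[zone])))
    return aware.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def normalize_event(vendor: str, raw: dict) -> dict:
    """Map one vendor event onto the common schema, converting its timestamp to UTC."""
    fields = VENDOR_FIELDS[vendor]
    out = {"vendor": vendor}
    for common, vendor_key in fields.items():
        value = raw[vendor_key]
        out[common] = to_utc(value) if common == "ts" else value
    return out

# Constructed sample events: the same connection as seen by two different products.
SAMPLE_EVENTS = [
    ("fw_a", {"event_time": "2023-07-25 09:03:00 EST", "srcip": "10.1.2.3",
              "dstip": "203.0.113.7", "act": "allow"}),
    ("proxy_b", {"@timestamp": "2023-07-25 07:03:00 PDT", "client.ip": "10.1.2.3",
                 "server.ip": "203.0.113.7", "verdict": "allowed"}),
]

def normalize_all(events=SAMPLE_EVENTS) -> list:
    """Normalize every (vendor, raw_event) pair; both samples land on 14:03:00Z."""
    return [normalize_event(vendor, raw) for vendor, raw in events]

if __name__ == "__main__":
    for event in normalize_all():
        print(event)
```

Once both records share a timestamp format and field names, correlating them is a simple equality join on ts, src_ip and dst_ip, which is exactly the step the raw vendor formats make painful.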

An hour has passed, and we're going to talk about the security implications of ChatGPT again. Depending on the day and who you talk to, ChatGPT is either the greatest risk or just a rehash of the risks we already know. In an article on CSO Online, Michael Hill isolated five popular security concerns, one of which is more effective phishing lures. Mike Johnson isn't concerned because "ChatGPT isn't able to create anything novel. It assembles from existing knowledge."

Listen to the full episode over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.

Thanks to our podcast sponsor, Balbix

Best advice for a CISO...

"Many junior executives think there's an executive career ladder and there isn't. You've got to ditch the ladder and think differently about your career once you become an executive. The top of the career ladder ends at the clouds of the executive level where things are a whole lot less linear, less measurable, less predictable, less obvious. If you take a purely vertical and logical approach to your career choices at the executive matrix, you'll become frustrated and lost. Results and relationships are the only principles that apply to executive careers. The sooner each of us internalize that reality, the better." - Phil Beyer, former head of security, Etsy

Listen to full episode of

How Do We Get Better Control of Cloud Data?

"[T]he way I like to think about this is the main problem we've created is it is now a problem of legibility. We have all this visibility, we have all this surface area to create policies and enforce them, but now we have much less ability to understand what's going on in terms of those policies, where they're implemented, are they consistent, do they do what we want them to do." - Geoff Belknap, CISO, LinkedIn

Listen to full episode of

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

Cyber Security Headlines - Week in Review

Join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be TC Niedzialkowski, CISO, Nextdoor.

Thanks to our Cyber Security Headlines sponsor, AppOmni

Super Cyber Fridays!

Simple Misconfigurations Are Often the Result of Systemic Problems

We hear so many stories of breaches that appear to stem from a simple mistake. A permission was granted that shouldn't have been, or something wasn't configured right. Oh, someone just made a simple error and didn't check that box, right?

It's not so simple, said Tarek Khaled, founding sales engineer at Veza. The way these mistakes are reported, they seem quite simple. But the reality is that these mistakes happen because of a chain of issues. Poor cybersecurity hygiene is what results in these mistakes.

Check out this video which is a tease for the Super Cyber Friday event happening this Friday, July 28th, 2023. Our topic of discussion will be “Hacking Bad Permissions: An hour of critical thinking about the domino effect of unknown access settings.”

We're setting up an awesome show. Joining me and Tarek for this discussion will be David Tyburski, VP of information security and CISO, Wynn Resorts.

It all starts at 1 PM Eastern/10 AM Pacific. At the end of the hour [2 PM Eastern/11 AM Pacific] we’ll switch gears to our meetup where everyone will get a chance to chat face to face.

Thanks to our Super Cyber Friday sponsor, Veza

Thank you!

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.