[08-08-23] When Do I Fix the Toilet Myself or Call the Plumber?
CISO Series Podcast
For some security problems it can be tough to know whether to try to fix the problem yourself or turn to a vendor. Deciding this shouldn’t start with talking to someone who wants to sell you something. But how do you determine when it’s time to call in a vendor?
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us for this episode is our special guest, Katie Ledoux, CISO, Attentive.
Risk quantification comes down to focus. There is an effectively infinite number of risks to any business, and prioritizing them is the only way to deal with them. Sometimes that means weighing a risk's likely frequency against its potential impact, but often it's enough to identify the top risks and plan from there. “Figure out what it takes for our organization to mitigate that risk to an acceptable level, then build a roadmap to get there,” said Katie Ledoux.
Solving a security problem should start with why, not a vendor. For a CISO, going to a vendor can check a box. But answer the questions of what you actually need for your security program before you go shopping. “If you are allowing the vendor to define the problem for you, they're going to show you ‘our solution solves this,’” said Mike Johnson. Starting with why will give you an understanding of how a security issue impacts your organization. Starting with a vendor to solve the problem can ignore context for the sake of closing the deal.
Third-party risk isn’t just a cybersecurity discussion. Sometimes you enter a relationship with a third party knowing they don’t have a great security posture, because they offer something critical to the organization and there is a business risk in not working with them. In that case, security teams need to look at mitigations and plan for how things could go wrong in that relationship. There’s no one-size-fits-all solution to third-party risk, but understanding what problem the vendor is solving for you, and reviewing the implementation around that integration, goes a long way.
There are a lot of misunderstandings in cybersecurity. Policy is one major area. Some organizations treat policy as aspirational and write it to describe where they want to be rather than where they are. But a policy that promises controls the organization doesn’t actually have introduces risk, whether from an audit that measures the organization against its own stated policy or from a security incident that exposes the gap between stated and actual practice. Another area is the role of the CISO in helping the organization focus on the right security problems. Leadership generally cares about security, but getting them to focus on the right problems, rather than the flashiest ones, is a continual challenge.
Listen to the full episode over on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to our podcast sponsor, Palo Alto Networks
Best advice for a CISO...
"A great piece of advice I got from one of my first bosses was to avoid multiyear contracts. I think that's especially true if you're using a product for the first time because it's really hard to know until you've battle tested it whether it's going to be the right long-term solution for your company. But even if it's a tool that you think you love, things change really quickly out here. Vendor could stop investing in your product, their customer support could become garbage, you could be incorrect about the number of licenses you're going to need two years from now, three years from now. So, it can be tempting when a vendor pitches a multiyear contract at a lower rate, but I think it's very rarely worth the level of risk you're taking on." - Katie Ledoux, CISO, Attentive
Improving Adoption of Least Privileged Access
"One of the greatest risks that we as information security professionals face is overprovisioned accounts. If an overprovisioned account is compromised, then an attacker can gain access to some system or resource which the actual user account shouldn't even have been provisioned for in the first place." - Paul Guthrie, information security officer, Blend
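The overprovisioning Paul Guthrie describes is easy to state and surprisingly easy to measure: diff what each account is granted against what it has actually exercised over an observation window, and the unused remainder is the blast radius an attacker inherits for free. The script below is an added example written for this newsletter entry; it is not code from CISO Series, Blend, or the episode. The grant table, the access log, and the "service:Action" permission format with a trailing "*" wildcard are all constructed sample data, loosely modelled on the last-accessed reports cloud IAM systems produce, not on any particular product's format. The SENSITIVE_ACTIONS list is likewise an illustrative assumption.

```python
"""Flag overprovisioned accounts by diffing granted permissions against
permissions actually exercised during an observation window.

Constructed example data (assumption): one "service:Action" string per grant,
"*" allowed as a trailing wildcard, and an audit log of (principal, action).
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample: permissions granted to each principal.
GRANTS = {
    "svc-billing": {"s3:GetObject", "s3:PutObject", "s3:*", "iam:PassRole"},
    "alice": {"s3:GetObject", "ec2:DescribeInstances"},
    "ci-runner": {"ecr:GetAuthorizationToken", "ecr:BatchGetImage", "iam:CreateUser"},
    "bob": {"s3:GetObject"},  # granted access but never seen in the log
}

# Constructed sample: actions observed in the audit log over the window.
ACCESS_LOG = [
    ("svc-billing", "s3:GetObject"),
    ("svc-billing", "s3:GetObject"),
    ("alice", "s3:GetObject"),
    ("alice", "ec2:DescribeInstances"),
    ("ci-runner", "ecr:GetAuthorizationToken"),
    ("ci-runner", "ecr:BatchGetImage"),
]

# Assumed list of actions worth flagging even when unused: each lets the holder
# mint credentials or escalate, so they widen the blast radius of a compromise.
SENSITIVE_ACTIONS = {"iam:PassRole", "iam:CreateUser", "iam:AttachUserPolicy"}


def used_actions(log):
    """Map principal -> set of distinct actions that principal exercised."""
    used = defaultdict(set)
    for principal, action in log:
        used[principal].add(action)
    return used


def grant_exercised(grant, exercised):
    """A grant counts as exercised if any used action matches it (wildcards included)."""
    return any(fnmatchcase(action, grant) for action in exercised)


def analyze(grants, log):
    """Return a per-principal report of unused, wildcard and sensitive grants,
    plus the narrowest policy (exact used actions) that keeps current use working."""
    used = used_actions(log)
    report = {}
    for principal, granted in grants.items():
        exercised = used.get(principal, set())
        report[principal] = {
            "dormant": not exercised,  # no activity at all: a prime target
            "unused": {g for g in granted if not grant_exercised(g, exercised)},
            "wildcards": {g for g in granted if "*" in g},
            "sensitive": granted & SENSITIVE_ACTIONS,
            # Only keep used actions some grant actually covers.
            "suggested": {a for a in exercised
                          if any(fnmatchcase(a, g) for g in granted)},
        }
    return report


def overprovisioned(report):
    """Principals whose grants exceed observed use, sorted for stable output."""
    return sorted(p for p, r in report.items()
                  if r["dormant"] or r["unused"] or r["wildcards"])


if __name__ == "__main__":
    result = analyze(GRANTS, ACCESS_LOG)
    for principal in overprovisioned(result):
        entry = result[principal]
        print(f"{principal}: dormant={entry['dormant']} unused={sorted(entry['unused'])} "
              f"wildcards={sorted(entry['wildcards'])} sensitive={sorted(entry['sensitive'])}")
        print(f"  suggested least-privilege policy: {sorted(entry['suggested'])}")
```

Two design points matter in practice. A wildcard grant such as s3:* counts as exercised when any matching action was used, so it never shows up as "unused", but it is reported separately because the right fix is to replace it with the exact actions in the suggested set. And a dormant account (granted, never used) is flagged even though every one of its grants is technically unused, since an unused credential with real permissions is exactly the account an attacker hopes to find.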
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Cyber Security Headlines - Week in Review
Make sure you join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Mike Woods, corporate CISO, GE.
Thanks to our Cyber Security Headlines sponsor, Conveyor
CISO Series Podcast LIVE in Nashville 09-2023
We’re very excited to be joining the 2023 Global CISO Executive Summit hosted by Evanta in Nashville this year. We were at the 2022 Global CISO Executive Summit in Chicago and we demanded a return engagement! We absolutely promise to put on a really fun event for you. Joining me on stage will be Allan Cockriel, CIO and Group CISO, Shell, and Mary Rose Martinez, VP, CISO, Marathon Petroleum.
WHEN: September 11th to 13th, 2023 (We’ll be the opening night entertainment on September 11th, 2023)
WHERE: Four Seasons Hotel Nashville
If you’re interested in attending, you’ll need to apply. It’s an exclusive event catering to security leaders working at enterprise organizations. If that describes you and you’re not a vendor, please fill out the registration form.
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship, contact me, David Spark.