[08-20-24]--I Said I Was Technically a CISO, Not a Technical CISO
CISO Series Podcast
I Said I Was Technically a CISO, Not a Technical CISO
The road to becoming a CISO is highly individual. Often a CISO will not come from a technical background, or their technical background is long in their career rearview mirror. Can a CISO be effective today without a technical background? And how do you keep up on your technical chops once you get the role?
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, operating partner, YL Ventures. Joining us is Fredrick Lee (aka Flee), CISO, Reddit.
The case for the technical CISO
Does a CISO need to be technical to get the role? What about once they’ve been a CISO for a decade? While CISOs can't master all technical disciplines, they should aim to retain mastery in a few key areas, suggested Geoff Hancock, CISO at Access Point Technology, in a recent LinkedIn post. Regardless of their own technical proficiency, CISOs must hire technical experts smarter than themselves and practice active listening, ensuring they understand and can communicate technical details effectively. A technical CISO has a significant advantage, particularly in navigating new technologies and enabling secure outcomes. All CISOs would benefit from learning to code. They shouldn’t be pushing out bug fixes, but that skill provides concepts that can empower them to solve problems more efficiently and create better security solutions.
Making Recall safe for business
Microsoft’s Recall feature made headlines earlier this year by offering some genuinely useful capabilities while storing its data in plaintext. Although Microsoft has since made Recall an opt-in feature in response to the backlash, Susan Bradley at CSO Online noted that the main concern remains its potential for misuse and exposure during legal discovery. As more of these AI-enabled tools come to market, CISOs must ensure business stakeholders understand the risks. Using Recall could mean exposing all internal communications during legal proceedings. Organizations should take a proactive approach, led by security teams that can isolate and monitor Recall, minimizing risks while leveraging its benefits. The best way to adopt any disruptive new technology is through threat modeling, cross-departmental collaboration, and an intentional, secure implementation that mitigates potential security and compliance issues.
The aches and pains of cybersecurity hiring
The frustrations with cybersecurity hiring come from all sides. Job descriptions stood out as a sore point in a recent cybersecurity subreddit post. They’re poorly constructed and filled with vague, ambiguous language that fails to attract qualified candidates. Job descriptions should be concise and specific, but many are optimized for recruiters rather than candidates, which can filter out potentially great hires over irrelevant criteria such as requiring specific certifications. Hiring managers should own the job descriptions and ensure they accurately reflect the role. Another key is setting low hurdles in the application process to filter out uninterested or unqualified candidates. Simple tasks can significantly streamline the hiring process by identifying those who are genuinely interested and attentive to detail.
Leveling up municipal cybersecurity
Municipalities struggle with cybersecurity due to budget and staffing challenges, but there is low-hanging fruit they can use to enhance their security posture. Municipalities should make use of programs like Year Up, which train individuals in cybersecurity skills even if they lack a traditional education. These programs can provide a steady stream of capable talent to contribute to municipal cybersecurity efforts. Partnering with organizations like VetsinTech can bring skilled veterans into the fold. Municipalities can offer internships to those seeking experience, creating a mutually beneficial situation. Moreover, they can band together to secure enterprise-grade contracts, reduce costs, and increase access to advanced technologies. Embracing open source solutions is another cost-effective strategy, as many robust open source cybersecurity tools are available and widely used in the industry.
Listen to the full episode on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to Nir Rothenberg, CISO, Rapyd for providing our “What’s Worse” scenario.
Thanks to our podcast sponsor, ThreatLocker
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Best advice for a CISO…
"Go to amazon.com, search for Renewed HP Mini PC, buy that HP Mini PC, install Proxmox, then go to rancher.com, download Rancher RKE 2, install that at home and start running some of this critical infrastructure in your house for your life because that's going to help you be better prepared to deal with real life threats and to actually talk to engineers." - Fredrick Lee, CISO, Reddit
Listen to the full episode of "I Said I Was Technically a CISO, Not a Technical CISO."
Information Security vs. Cybersecurity
"When we talk about information security, it's a much broader topic that encompasses all the governance and risk management and including the more fun parts of offensive and defensive security, but it's a lot more holistic." - Mike Lockhart, CISO, EagleView.
Listen to the full episode of "Information Security vs. Cybersecurity."
Our twice-weekly CISO Series Newsletter and daily Cyber Security Headlines newsletter are both available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Bethany De Lude, CISO, The Carlyle Group.
Thanks to our Cyber Security Headlines sponsor, Nudge Security
Super Cyber Fridays!
Combining Continuous Pentesting with Attack Surface Management
A point-in-time pentest is insufficient in today's cybersecurity landscape. Casey Cammilleri, CEO & Founder, Sprocket Security, explained to me that constantly changing targets, such as new application deployments and infrastructure modifications, require continuous monitoring. In our upcoming Super Cyber Friday discussion, we'll break down how continuous pentesting, when implemented correctly, can provide near real-time identification and remediation of issues.
Please join us! Joining me and Casey will be Stephen Harrison, CISO, MGM Resorts International.
It all starts at 1 PM Eastern/10 AM Pacific. At the end of the hour (2 PM Eastern/11 AM Pacific) we'll switch gears to our meetup, where everyone will get a chance to chat face-to-face.
Thanks to our Super Cyber Friday sponsor, Sprocket Security
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, "What's Worse?!" scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.