[08-22-24]--Join us tomorrow for “Hacking the Future of Pentesting”
Super Cyber Fridays!
Join us TOMORROW, Friday [08-23-24], for "Hacking the Future of Pentesting"
Join us Friday, August 23, 2024, for “Hacking the Future of Pentesting: An hour of critical thinking about how to continuously manage your threat exposure.”
It all begins at 1 PM ET/10 AM PT on Friday, August 23, 2024, with guests Casey Cammilleri, CEO and founder, Sprocket Security, and Stephen Harrison, CISO, MGM Resorts International. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Sprocket Security
Defense in Depth
What Triggers a CISO?
CISOs are familiar with dealing with stress, making high-stakes decisions, and operating in an industry of unknown unknowns. But even with the high pressures, there are still some ways you can easily annoy and irritate a CISO.
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is our guest, Sherron Burgess, CISO, BCD Travel.
Disingenuous claims rub everyone the wrong way.
Vendors need to build trust. It’s hard to do that when they say things patently untrue. Robert Tremonti of The University of British Columbia heard too many vendors telling him “Our application is 100% secure.” In other instances, they would claim to have found silver bullet solutions to perpetual cybersecurity problems. Jeremy Wheatman of Black Kite provided this example, "We have a simple, new and novel approach to solve the problem that has remained an issue for the last 30 years." And Gerald Auger of Simply Cyber took offense when getting 5-figure quotes for a “custom add” that was clearly an upcharge to an existing cloud solution.
Don’t put the CISO behind the 8-ball
Cybersecurity is hard enough without the business putting a CISO in an impossible security position. A major pain point for CISOs comes when a cybersecurity decision has been made without their input, as Christian Haller summarized: "Can you look at this vendor? We already signed the contract." It also sparks CISO rage when other parts of the business volunteer to take on risks that the cybersecurity team will inevitably manage. Michael Starke of KPMG gave the example of a product owner who understands neither the impact nor the likelihood of an exploit yet goes ahead and says, "I accept the risk." And Drew Simonis, CISO at Juniper Networks, pointed out the constant frustration of being asked to make his department more efficient at the same time his department gets a budget cut.
The sales hustle
The whole process of sales leads can grind a CISO's gears. That doesn’t mean they’re without sympathy. "I do feel for the three-person startup trying to get a call. Cold calling, hustling to get someone to just look at your damn slides and go through a demo, it's hard work," said Mike Curnow of Defiant Networks. Of course, that sympathy goes out the window when you try to pull rank on a CISO. Douglas Brush of Brush Cyber gave a classic example of jumping the line, saying "Hey, I know you are busy so I reached out to your CIO.”
They didn’t understand the assignment
A major source of frustration is others simply having no idea what a CISO is supposed to do. This can come in the form of requests that show no concept of security best practices. "This 3rd party support engineer is having trouble in site X, can you turn off some security so they can continue," cited Laurence Dale, CISO at Surveil, as an example. Others in the business try to use security tooling for questionable company practices. "Can you use your security tools to see if my employee is doing their work," quoted Robert Wagner of Strategic Security Advisors of such requests. Alan Berry of Verizon Cyber Security Customer Advisory Board got upset by the business ignoring sensible advice on risk, saying, "We chose to accept the risk and not patch it since we intend to decommission that app in Q4."
Thanks to our other unwitting contributors, Don Boian, CISO of Hound Labs, and Laura Whitt-Winyard of Hummingbird.
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Thanks to our podcast sponsor, Scrut Automation
Subscribe
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Bethany De Lude, CISO, The Carlyle Group.
Thanks to our Cyber Security Headlines sponsor, Nudge Security
Sponsored content
Mastering Data Visibility for Secure AI Adoption with Cyera
Does data security need to be complex? Perhaps in the past, but modern AI and cloud solutions make it possible to simplify data security at scale, argues Yotam Segev, Co-Founder and CEO, Cyera. The key is data classification. He described Cyera's ability to rapidly classify petabytes of data within days. This holds value for enterprises not only to get insights into valuable data but also to quickly determine what data they don't need. Data classification at this scale opens a whole new world of security possibilities.
Huge thanks to our sponsor, Cyera
Cyber chatter from around the web...
Jump in on these conversations
"Why is Penetration Testing so hard to get into?" (More here)
"How often are you training users?" (More here)
"Question: What makes a good Security Engineer?" (More here)
Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:
[08-23-24] Hacking the Future of Pentesting
[08-30-24] No show
Save your spot and register for them all now!
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.