CISO Series Newsletter
[09-05-24]--Join us tomorrow for “Hacking Tabletop Exercises”
Super Cyber Friday
Join us TOMORROW, Friday, 09-06-24, for “Hacking Tabletop Exercises”
Please join us on Friday, September 6, 2024, for Super Cyber Friday.
Our topic of discussion will be “Hacking Tabletop Exercises: An hour of critical thinking about enhancing incident response readiness.”
Joining me for this discussion will be Christina Shannon, CIO, KIK Consumer Products, and Shawn Bowen, CISO at large.
It all starts at 1 PM ET/10 AM PT and then we roll over to our meetup portion on Discord. It’s a great chance to connect with the cybersecurity community.
Defense in Depth
Hiring Cyber Teenagers with Criminal Records
Threat actors don’t need certifications or a degree to be good at their job. So why do we keep trying to demand those from new cyber hires? And could a teenager’s online bad behavior taint their ability to enter the field of cybersecurity?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is our guest, Adam Arellano, former VP, enterprise cybersecurity, PayPal.
Accounting for mindset
Cybersecurity is a peculiar field. There are skills you need to have, but what separates the best can rarely be taught. "When I used to hire people onto my team, I've held the belief that passion and curiosity were far more valuable than a college degree, and if I had to choose between two candidates, the one that learned on his own usually won, hands down," said Jason Eicholtz of Google. As Pieter Christiaan van Rooijen of KEMBIT noted, this doesn’t mean we have to rewrite all hiring practices, but we need to account for this aptitude, saying, "You cannot teach the natural determination and mindset that some of these teenagers in this case have. If a person with these qualities is guided in the correct direction, they may easily surpass even some of the industry veterans. Reevaluating the whole process might not be the solution, but amending it to account for mindset and attitude will be beneficial in the long run."
The importance of ethics
Encouraging those with aptitude is one thing, but professionals aren’t in this for the “lolz” or to cause chaos. It’s important to make sure your staff is on board with the mission. "It’s not about skills why we learn the bachelors or masters or any other certifications but it’s about the ethical consideration while using the technology. We all know a couple of scripts that can penetrate into the servers and do our work but we don’t do that as our ethics stop us," said Prabhu Kiran Veesam of CyberOne. The need to scale operations also means that those who aren’t team players won’t work out in a modern cybersecurity department. Redi Shabani of INFOKOM laid out the issue, saying "Are these teenagers able to develop a secure system for billion dollar companies, communicate with customers, and understand their needs and handle their security concerns? A willingness to cause irrational damage and driving irresponsibly is not enough to reevaluate the recruitment process."
A matter of incentives
There’s a truism in cybersecurity that defense has to be infallible, but attackers only need to succeed once. "Any teenager can throw a rock on a passing car, from the top of a highway overpass. But this doesn't mean that they have the engineering skills to actually build societal infrastructure across the country," shared Tue Jagtfelt of Globeteam. But this isn’t the only issue. Teenagers often have very strong incentives to break things, in a more direct way than cybersecurity teams do, as Andrew Wright of Rothe Development said, "Organizations make concessions every day and security is told to sit in a corner. These teenagers were incentivized. Cybersecurity professionals need to be incentivized. We need to be energetic, adaptable, and creative."
Understanding what is teachable
Not everything needed to excel at cybersecurity is teachable. It’s in the best interest of the industry to figure out how not to turn away people who can prosper with the right training. "Down the road you can go to school, get certified, learn about ethical hacking, but the basic ingredients are willingness to learn and a drive for success. If a candidate possesses those qualities, everything else is teachable and they should therefore be considered worthy even if they don’t yet hold the proper credentials," said Evelyn Huang of Amazon.
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Thanks to our podcast sponsor, ThreatLocker
Subscribe
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Justin Somaini, partner, YL Ventures.
Thanks to our Cyber Security Headlines sponsor, Scrut Automation
Sponsored content
Automating Network Alert Investigations with Dropzone AI
What good are network security alerts if they never get addressed? Frustration around this issue led Edward Wu to create Dropzone AI. I spoke with Edward about how he pivoted to developing AI technologies that automate Tier 1 alert investigations. Advances in generative AI have enabled Dropzone AI to create software capable of simulating human reasoning and performing autonomous investigations. The result is a more efficient and effective security team, allowing analysts to focus on critical threats and projects.
Huge thanks to our sponsor, Dropzone AI
LIVE!
CISO Series Podcast LIVE in Boca Raton, FL (09-21-24)
CISO Series Podcast will be at the 2024 SFISSA Hack the Flag Conference to do a live audience recording of our show. Joining me on stage will be Adam Fletcher, CSO, Blackstone and Brett Conlon, CISO, American Century Investments. Here's everything you need to know:
WHAT: Live audience recording of CISO Series Podcast at 2024 SFISSA Hack the Flag Conference
WHERE: Boca Raton Innovation Campus, 4950 Communication Avenue, Boca Raton, FL 33431
WHEN: September 21, 2024 (the event runs from 9:30 am through 5 pm).
COST: Free! Register here.
HUGE thanks to our sponsors: Fortra, Quadrant Information Security, and Savvy Security
Cyber chatter from around the web...
Jump in on these conversations
"Cyber security as a career" (More here)
"How do I prioritize vulnerabilities?" (More here)
"Phishing Attacks - Underestimated effect of Internationalised domain names" (More here)
Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:
[09-06-24] Hacking Tabletop Exercises
[09-13-24] Hacking Leadership Skills
Save your spot and register for them all now!
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship, contact me, David Spark.