[09-10-24]--Our Cybersecurity Journey Starts With a Single Overworked Staffer
CISO Series Podcast
Our Cybersecurity Journey Starts With a Single Overworked Staffer
When operating a security program in an existing deployment, it can be tempting to romanticize an opportunity like a greenfield deployment. But starting from square one doesn’t mean you’ll be able to get closer to perfection. Although it sounds ideal, there are real challenges in building a security program from scratch.
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, partner, YL Ventures. Joining us is Kush Sharma, Director, Municipal Modernization & Partnerships, Municipal Information Systems Association, Ontario (MISA Ontario).
Your first security hire
When hiring the first security engineer for a startup, the focus should be on the organization's specific needs at that stage. A recent post in the cybersecurity subreddit made it clear there are three types of hires to consider. The first is a compliance-focused hire, an essential role if the startup needs to achieve certain certifications early on. The second type is an IT security generalist, who would manage the organization's internal security, including endpoint security and SaaS vendor management. This person could grow into a broader cybersecurity leadership role. The third, often overlooked but critical hire, is a platform safety engineer, who would ensure that the startup's products are secure from the outset, addressing potential long-term security risks. This role, however, is sometimes integrated into the responsibilities of a CTO or a developer. Regardless of the role, a strong grasp of technical and soft skills is crucial for making an immediate impact in a startup environment.
Moving beyond the basics with critical infrastructure
Protection of critical infrastructure from advanced persistent threats requires fundamentals like network segmentation, intrusion detection systems, and identity security, said Sean Tufts on Dark Reading. While these security controls are a great start, they all have limitations. The next step is moving beyond basic segmentation to segregation: completely isolating critical operational technology (OT) from information technology (IT). Without this, threats will migrate across networks. Organizations also need automated response systems, as human operators alone cannot keep pace with the volume and complexity of modern cyber threats. Adopting a zero-trust mindset is also crucial for maintaining security. Relying solely on predefined steps can only get you so far. With critical infrastructure, we need a broader philosophical approach that focuses on preventing unacceptable losses rather than just adhering to traditional best practices.
Untangling the Gordian Knot of municipal cybersecurity
Municipalities live with the reality of having to rely on limited resources to protect critical assets from threat actors. Graham Cluley of Smashing Security rightly wondered how they can improve resilience to attacks. Municipalities need pragmatic solutions, such as starting with simpler cybersecurity controls and gradually building up to more robust standards. Municipalities also can’t afford to stand alone. They need to pool resources and tackle cybersecurity collectively, especially in regions with limited access to cybersecurity expertise and infrastructure. We need to stop pretending municipalities can operate like a large enterprise. While the shift to a resilience-focused model is crucial, it must be implemented in a way that is realistic and achievable.
Starting from square one
It's easy to underestimate the difficulty of starting a security environment from scratch as a CISO, especially in a greenfield deployment. As Roger Grimes pointed out on CSO Online, perfection is not the goal. The focus should be on creating a security program that aligns with a business's objectives and priorities. Start with the basics. Define actionable patching policies and implement lifecycle management processes. Just as important is engaging with stakeholders across the organization, including finance and procurement, to build consensus and secure necessary resources. Accept that early efforts may be temporary solutions that will need refinement over time. Be persistent, communicate effectively, and prioritize actions that deliver the most significant impact with the resources available. And appreciate that even small improvements are steps in the right direction.
Listen to the full episode over on our blog, where you can also read the entire transcript, or on your favorite podcast app. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to Ymir Vigfusson of Keystrike for providing our “What’s Worse” scenario.
Thanks to our podcast sponsor, Material Security
Subscribe
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Best advice for a CISO…
"I think you need to look at the political environment and you need to really understand what that is. You need to do the analysis of external factors, internal factors, and then you need to manage that specific environment and customize your security program to that. With various leaders comes various ideologies and various objectives, and you need to maneuver through those." - Kush Sharma, director municipal modernization & partnerships, Municipal Information Systems Association, Ontario (MISA Ontario).
Listen to the full episode of "Our Cybersecurity Journey Starts With a Single Overworked Staffer."
Hiring Cyber Teenagers with Criminal Records…
"The majority of fraud and cybercrime is not committed by youngsters or teenagers or people just getting into it. It's by well-seasoned people. And some of the worst breaches in the world have occurred from people on the inside who fit every descriptor of what's qualified and still chose to make bad decisions." - Adam Arellano, former vp, enterprise cybersecurity, PayPal.
Listen to the full episode of "Hiring Cyber Teenagers with Criminal Records."
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Patrick Heim, co-founder and partner, SYN Ventures.
Thanks to our Cyber Security Headlines sponsor, Vanta
Super Cyber Fridays!
Join us, Friday [09-13-24], for "Hacking Leadership Skills"
Join us Friday, September 13, 2024, for "Hacking Leadership Skills: An hour of critical thinking about building the skills you need to succeed."
It all begins at 1 PM ET/10 AM PT on Friday, September 13, 2024, with guests Alexandra Landegger, executive director and CISO, Collins Aerospace, and Jodie Lash, cybersecurity senior director, FanDuel. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
LIVE!
CISO Series Podcast LIVE in Houston (09-24-24)
CISO Series Podcast will be heading to HOU.SEC.CON to do a live audience recording of our show. Joining me on stage will be the incomparable Jerich Beason, CISO, WM, and the inimitable Teresa Tonthat, vp and associate CIO, Texas Children's Hospital. Here's everything you need to know:
WHAT: Live audience recording of CISO Series Podcast at HOU.SEC.CON.
WHERE: George R. Brown Convention Center, 1001 Avenida De Las Americas, Houston, TX 77010
WHEN: September 24-25, 2024 is the conference. Our recording will be happening at 1:00pm, right after lunch.
COST: $75. You can register here.
And please join us the night before, September 23rd, 2024 on the eve of HOU.SEC.CON, for a meetup of CISO Series fans at the Frost Town Brewery in Houston. Free event. Register here.
HUGE thanks to our sponsor, Vorlon Security
LIVE!
CISO Series Podcast LIVE in Boca Raton, FL (09-21-24)
My first video EVER with a Hawaiian shirt. SHOCKING!
Why? Because we're doing a show in Boca in just a couple of weeks on September 21st, 2024. Yep, CISO Series Podcast will be recording an episode live at the 2024 South Florida ISSA Hack the Flag Conference. Not only will it be an awesome FREE event for security professionals, but there's also going to be a chili cookoff.
Joining me on stage for our podcast recording will be Adam Fletcher, CSO, Blackstone and Brett Conlon, CISO, American Century Investments.
Remember it's free, but you DO need to REGISTER.
HUGE thanks to our sponsors: Fortra, Quadrant Information Security, and Savvy Security
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.