[09-17-24] Our Guardrails Only Fail When You Try to Go Around Them
CISO Series Podcast
Our Guardrails Only Fail When You Try To Go Around Them (LIVE in Seattle)
Securing emerging AI tools is not a solved problem. We lack basic visibility into how the underlying LLMs work. We’re told there are guardrails in place, but given the frequency of them breaking, how effective can they be?
This week’s episode was recorded in front of a live audience in Seattle as part of the National Cybersecurity Alliance’s event Convene. The recording is hosted by me, David Spark, producer of CISO Series, and Nicole Ford, svp and CISO, Nordstrom. Joining us on stage was Varsha Agrawal, head of information security, Prosper Marketplace.
Who guards the AI guardrails?
GenAI tools are extraordinarily popular, but that doesn’t solve the challenges of implementing effective guardrails for large language models to prevent misuse. With a little work, a clever user can still get LLMs to generate harmful content, like how to build a bomb, as covered in Superhuman. While AI red teaming exercises are valuable, the industry lacks dynamic tools to keep up with evolving threats. Training and ethical guidelines are crucial, as static guardrails are insufficient for the rapidly changing landscape. Adaptive AI, which could learn to recognize and block harmful queries over time, is a potential solution, but it doesn’t address the here and now. Human oversight is still necessary to guide and correct AI's learning process.
What should security awareness training look like?
Are traditional security awareness training programs effective? There are lots of companies offering these services, but Jacob Friedman of 3 Tree Tech recently challenged the category on LinkedIn. While phishing tests can provide useful metrics, such as identifying high-risk user groups, they are only a small part of the broader effort needed to build a security culture. Security training should be tailored to individual needs, considering factors like job roles and the varying levels of digital literacy across an intergenerational workforce. Assigning risk scores to employees is an option to ensure that training is more targeted and relevant, thereby increasing its effectiveness. Overall, we need a more nuanced approach to security training that goes beyond generic exercises and focuses on personalized, role-specific education.
The authentication point of failure
Managing identity and access is a constant challenge. The introduction of passkeys was supposed to improve the situation. Threat actors have been quick to adapt, as documented by Tara Seals in Dark Reading. While passkeys offer a promising alternative to traditional passwords, they have an inevitable weakness in the authentication process, especially when account recovery becomes necessary. Human involvement in these processes continues to present vulnerabilities, as adversaries increasingly exploit account recovery methods. While passkeys and other technologies like magic links can improve security, the need for robust backup systems remains critical. There’s no doubt advancements are being made, but the complexity and evolving nature of authentication will continue to be a significant challenge for organizations.
Uncommon sense
Every security professional has some opinion that clashes with collective wisdom. The cybersecurity subreddit recently did a great job digging into them. Sore spots included the inefficacy of password rotations, the role of AI in security products, and the stance that writing down passwords can be a valid method in certain scenarios. While password rotations can lead to weaker, predictable passwords, using multi-factor authentication or password managers is a more effective solution. Another major point was the misconception that Endpoint Detection and Response (EDR) can solve all security problems, rather than relying on defense in depth. The perceived cybersecurity talent shortage also reared its head. The issue may be more about the industry's reluctance to train new talent than about a lack of qualified candidates.
Listen to the full episode over on our blog or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to Jay Dance of StubHub for providing our “What’s Worse” scenario.
Thanks to our podcast sponsors, KnowBe4, Proofpoint, and Vanta.
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Best advice I ever got in security...
"No two companies have the same risk profile, so you need to understand what the risk is to your company so that you can effectively craft the right strategies that can protect your critical assets. It could be your data, your people, whatever it is." - Varsha Agrawal, head of information security, Prosper Marketplace.
Listen to the full episode of "Our Guardrails Only Fail When You Try To Go Around Them (LIVE in Seattle)."
Who Is Responsible for Securing SaaS Tools?
"People are signing up for these applications, and they’re inheriting the responsibility for those security features on behalf of their organization regardless of whether or not they have the appetite, the context, or even the interest in taking on that responsibility." - Russell Spitler, CEO and co-founder, Nudge Security.
Listen to the full episode of "Who Is Responsible for Securing SaaS Tools?"
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Mike Rosen, CISO, ZwillGen.
Thanks to our Cyber Security Headlines sponsor, Conveyor
LIVE!
PREVIEW: CISO Series Podcast LIVE in Houston, TX 9-24-24
CISO Series Podcast will be heading to HOU.SEC.CON to do a live audience recording of our show. Joining me on stage will be the incomparable Jerich Beason, CISO, WM, and the inimitable Teresa Tonthat, vp and associate CIO, Texas Children's Hospital. Here's everything you need to know:
WHAT: Live audience recording of CISO Series Podcast at HOU.SEC.CON.
WHERE: George R. Brown Convention Center, 1001 Avenida De Las Americas, Houston, TX 77010
WHEN: September 24-25, 2024 is the conference. Our recording will be happening at 1:00pm, right after lunch.
COST: $75.
REGISTER: Here
And please join us the night before, September 23rd, 2024 on the eve of HOU.SEC.CON, for a meetup of CISO Series fans at the Frost Town Brewery in Houston. Free event. Register here.
Thanks to our sponsor, Vorlon Security
LIVE!
CISO Series Podcast LIVE at Stanford University (10-17-24)
CISO Series Podcast will be going back to school for another live show.
We're recording a show at Stanford University's Cybersecurity and Privacy Festival 2024, AKA "Cyberfest." Joining me on stage for the recording will be Amy Steagall-Hess, CISO, Stanford University, and Michael Tran Duff, CISO and data privacy officer, Harvard University. Here's everything you need to know:
WHERE: Frances C. Arrillaga Alumni Center, 326 Galvez Street, Stanford, CA 94305
WHEN: October 17, 2024. The event runs from 8 am to 4 am, but we'll be recording at 1:30 PM.
COST: Free for all Stanford University, Stanford Health Care, SLAC, and the broader higher education communities. Register here.
Thanks to our sponsors, Vorlon Security and Wiz
Super Cyber Fridays!
Join us Friday, 09-27-24, for “Hacking Alerts”
Join us next Friday, September 27, 2024, for “Hacking Alerts: An hour of critical thinking about triaging the deluge hitting your SOC.”
It all begins at 1 PM ET/10 AM PT on Friday, September 27, 2024 with guests Itai Tevet, CEO, Intezer and Russ Ayres, deputy CISO & head of cyber, Equifax. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Intezer
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.