[09-21-23] Cybersecurity Questions Heard Around the Kitchen Table

CISO Series

Defense in Depth

What do the people least in the know about cyber want to know? What are they asking?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO at LinkedIn. Joining us for this episode is our guest, Caitlin Sarian, AKA cybersecuritygirl on TikTok. 

People know they have a threat surface, but don’t know what it looks like 

There’s an understanding out there that people’s data is at risk, but many don’t know where to start. Some questions sound like they come from people who have maybe received security awareness training, but still lack context. “Why shouldn't I use public Wi-Fi without protection?” was an example cited by Scott Norton of Trellix. Attack vectors are also increasingly in the parlance of our times, but can still cause confusion; Nika Kokhreidze of Mambu cited phishing as an example. There can also be an air of defeatism with cyber, with Michelle Levesley asking, “If they know everything about me, why should I bother staying private?”

Everyday users can struggle to understand their personal risk 

For many people, their exposure to cybersecurity comes through the news. While these stories can be important, they often don’t reflect the cyber threats most likely to impact them. “The news only focuses on the big events. The average user doesn't see how that applies to them. They don't know what to ask,” said Humberto Gauna of DOT Security. Troy Fine of Drata also notes that people don’t understand the risks associated with using personal devices for work.

People don’t know how to respond to an attack 

For the attacks that are most likely to hit everyday consumers, most people don’t know the first steps to remediation. Social media attacks happen every day. But after an account takeover, “No one really knows how to deal with the situation, which leads to stressful decisions,” said Yannis Pierroutsakos of Detectify. For high-profile attacks, we often hear about initial intrusions, but not the months of hard work to minimize the damage. This can lead to a numbing effect with everyday users. To paraphrase Yael Citro of OX Security, people see no one is panicking and assume everything just works out.

When we don’t communicate cybersecurity on their level, people tune out 

“How do regular people know what is safe and best practices without a clear path or studying cybersecurity in depth,” said Heather Noggle of Codistac. It speaks to the communication challenge of cybersecurity. This can quickly go down technical paths of a particular vulnerability or attack vector. These are great for communicating with peers, but make it harder to get everyone else engaged with cybersecurity. The result is people tune out. As Rebecca Harness, CISO at Quickbase, says, “The second I tell people I work in cybersecurity they change the subject.”

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Huge thanks to our sponsor, DataBee from Comcast Technology Solutions

Super Cyber Friday!

Join us Friday [09-29-23] for "Hacking Bosses"

Please join us on Friday, September 29, 2023 for Super Cyber Friday. Our topic of discussion will be “Hacking Bosses: An hour of critical thinking about how to manage conflict and engage with higher ups to advance your career.” Joining David Spark, producer of CISO Series, for this discussion will be:

  • Rusty Waldron, chief business security officer, ADP

  • Steve Zalewski, co-host, Defense in Depth

LIVE!

 Cyber Security Headlines - Week in Review 

Make sure to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Shawn Bowen, CISO, World Kinect Corporation.

Thanks to our Cyber Security Headlines sponsor, Hyperproof

From Black Hat 2023!

What's A Red Flag When Applying for a Cybersecurity Job?

We've all seen things listed in a cybersecurity job posting that tell us this role isn't the right fit. I

to find out some of the worst horror stories from security professionals looking for their next gig. Sometimes it's employers looking for impossible levels of experience, sometimes it's setting new employees up for immediate failure, or an insistence on specific certifications. A lot of these red flags seem to stem from a misalignment between human resources and cybersecurity. That's enough to keep a lot of top talent from going forward with a prospective position.

Thanks to all those who participated!

Huge thanks to our sponsor, Hyperproof

Cyber chatter from around the web...

Jump in on these conversations 

"Has anyone completed the google cybersecurity certificate?"

"Do I need to constantly be studying/learning outside of work to make it in this industry?"

"Is cybersecurity work mostly mundane?"

Coming Up On Super Cyber Friday...

Coming up in the weeks ahead on Super Cyber Friday we have:

  • [09-29-23] Hacking Bosses

  • [10-06-23] Hacking Container Security

  • [10-13-23] Hacking the Risks and Rewards of AI

Register for them all now!

Thank you!

Thank you for supporting CISO Series and all our programming  

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.