View this email in your browser

CISO Series Podcast
… And the Business Listened to the CISO and Everyone Lived Happily Ever After

It’s not enough for cybersecurity professionals to talk amongst themselves. Storytelling is a vital way to connect technical security controls and policies to the rest of the business. So how can we go about turning metrics into a narrative that can get buy-in?

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is Stephen Harrison, CISO, MGM Resorts International.

Understanding the AI attack surface

To secure the new wave of LLM-based technologies without introducing additional risks, CISOs should focus on key emerging threats, including prompt injection attacks, hallucinations, and theft of service, noted Daniel Miessler in his newsletter Unsupervised Learning. Prompt injection can manipulate AI systems into producing harmful outputs, while hallucinations—where AI generates incorrect or misleading information—can erode trust in AI systems, especially when they’re used for critical tasks. Theft of service, such as unauthorized use of AI platforms exposed on the internet, is another growing concern. Additionally, securing LLMs requires dynamic security testing and robust input validation to prevent malicious inputs from causing errors in AI decision-making. The expanded attack surface in AI, combined with the complexity of language as a variable, necessitates enhanced security measures across development and DevOps practices.

Low code, low security?

To effectively manage the security risks associated with low code and no code development tools, organizations should implement clear policies and approval processes before these tools are adopted. Without proper oversight, these tools can act as a form of shadow IT, leading to security vulnerabilities, argued Ericka Chickowski on CSO Online. Establishing standardized platforms that meet security requirements and providing clear guidelines can help prevent rogue usage and ensure secure development practices. Add to that efforts to foster a company culture that prioritizes collaboration with security teams will also significantly reduce risks. By offering approved platforms and setting clear expectations, companies can avoid the pitfalls of unregulated tool usage and promote secure, efficient development.

Chief information storytelling officer

To effectively motivate business leaders to adopt better cybersecurity practices, storytelling is crucial. Rather than relying solely on technical data, which can often fall on deaf ears, successful CISOs leverage real-world examples that resonate with the business's core concerns, such as risk to reputation, operational disruptions, and financial losses. Building emotional connections through stories helps bridge the gap between viewing security as a mere technical issue and recognizing it as a critical business risk. The most compelling stories are those based on actual experiences, where past mistakes have led to significant challenges. These examples can be used to underscore the importance of proactive measures. Simplifying complex technical concepts into relatable scenarios also ensures that non-technical leaders can grasp the implications and support necessary actions. 

Finding the right partners

Public-private partnerships have proven to be an effective strategy in managing the growing threat from sophisticated cyber attackers. Agencies like CISA have been instrumental in providing valuable resources, like the Known Exploited Vulnerabilities Catalog (KEV), which helps organizations prioritize the most critical security threats, as profiled by Jonathan Greig on The Record. Establishing relationships with law enforcement and federal agencies before a crisis occurs is crucial, ensuring that organizations know who to contact in the event of an emergency. Engaging with these partnerships not only enhances threat intelligence but also prepares companies to respond more effectively to cyber incidents.

Listen to the full episode over on our blog or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.

Thanks to Jonathan Waldrop, CISO, The Weather Company for providing our “What’s Worse” scenario.

Listen to the episode.

Thanks to our podcast sponsor, Vectra AI

Subscribe
Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Are Phishing Tests Helping or Hurting Our Security Program?

"Understanding why things are happening and which kinds of things your employees are more susceptible to and then reacting to that I feel is an excellent tool to have in the toolbox. We can’t always expect to be able to block things at the perimeter. It’s the whole defense in depth concept that the podcast is named after. You have to assume at some point something is going to get through, and what can you do about it then?" - Dennis Pickett, vp, CISO, Westat

Listen to the full episode of "Are Phishing Tests Helping or Hurting Our Security Program?"

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

Cyber Security Headlines Newsletter - Every weekday

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Jason Elrod, CISO, MultiCare Health System.

Thanks to our Cyber Security Headlines sponsor, Vanta

AMA!
I've done a greenfield or a complete reboot of a cybersecurity program. Ask Me Anything.

For this month's AMA ("Ask Me Anything"), the editors at CISO Series assembled a handful of cybersecurity professionals who have been responsible for implementing or completely rebooting a cybersecurity program. They are here to answer any relevant questions you have.

Go ahead and ask your question.

“I've done a greenfield or a complete reboot of a cybersecurity program. Ask Me Anything.”

This AMA runs until September 27th, 2024.

LIVE!
PREVIEW: CISO Series Podcast LIVE in Los Angeles, CA 10-9-24

The CISO Series Podcast is set to return to the ISSA LA summit just in time for the start of the spooky season. But don't be afraid, we've got amazing guests for our recording, Cyrus Tibbs, CISO, PennyMac, and Sasha Pereira, CISO, WASH. Here's everything you need to know:

October 9, 2024: Join us at the Annenberg Beach House for the Summit and our live recording. We're the closing entertainment at 5:00 PM, but the event goes from 9:00 AM until 6:00 PM.

Get your tickets here.

HUGE thanks to our sponsor, Nudge Security

Super Cyber Fridays!
When Can AI Take Over Decision Making in the SOC?

There are varied decisions SOC analysts have to make multiple times every day. It's hard to describe each one, and so much of the decision making is happening in the SOC analysts' heads, noted Itai Tevet, CEO, Intezer. If you want to automate, you need to take advantage of AI. And that's exactly what we're going to be talking about this Friday, September 27, 2024 for Super Cyber Friday.

Our topic of discussion will be “Hacking Alerts: An hour of critical thinking about triaging the deluge hitting your SOC.”

REGISTER for the Super Cyber Friday event on 09-27-24.

Joining me and Itai for this discussion will be Russ Ayres, deputy CISO & head of cyber, Equifax.

It all starts at 1 PM Eastern/10 AM Pacific. At the end of the hour [2 PM Eastern/11 AM Pacific], we'll switch gears to our meetup, where everyone will get a chance to chat face-to-face.

Thanks to our Super Cyber Friday sponsor, Intezer

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.