[10-17-23] Security Awareness Lifecycle: Turn On, Tune In, Drop Out
CISO Series Podcast
When it comes to security awareness, the advice generally doesn't change. There is a set of best practices that have proven effective, and we know what we want to tell people. Communicating it consistently without someone's eyes glazing over is another matter. So how do we relay that information without sounding like a broken record?
This week's episode is hosted by me, David Spark, producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Daniel Krivelevich, CTO for Appsec, Palo Alto Networks.
Cloud configurations can complicate cyber
We see it all the time in the headlines. There was a data leak caused by a “cloud misconfiguration.” But that simple phrase can hide real systemic issues, both in organizations and cloud providers, that are anything but simple. In a Medium post, Anton Chuvakin of Google's Cloud Security Podcast laid out why these misconfigurations keep happening. Some of this has to do with IT teams holding to legacy practices from the time of on-prem security that just don’t scale to the cloud. These kinds of larger structural issues mean that we can’t just blame “human error” for these leaks. That implies training can fix it, when really we need to reorient an organization as a whole for better cloud security.
Hearing the same old song in cybersecurity
Cybersecurity can be thought of as a design discipline. We often understand how to build secure systems, but these need to interface with legacy infrastructure and human frailty, all while the design is updated as threat actors evolve. What's simple in the abstract becomes complicated to implement. The result is often security leaders repeating the same well-worn wisdom on how to keep an organization secure. Case in point: a recent question on the cybersecurity subreddit on measures to prevent a cyberattack. Lots of great advice there, but things employees have probably heard dozens of times.
Open source software supply chains are a Gordian knot
In the wake of several high-profile software supply chain attacks over recent years, we've seen renewed efforts to secure the whole ecosystem; as one example, CISA recently published a roadmap for securing the open source supply chain. But for open source software, this can be particularly challenging. Chris Hughes, CISO of Aquia, argued that framing software as a supply chain in the first place, an analogy borrowed from manufacturing, is problematic for open source software. These projects use a myriad of inconsistently maintained components, many maintained solely by volunteers.
Listen to the full episode over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to our podcast sponsor, Palo Alto Networks
What I love about cyber security...
"What I love is that it’s full of industry defining moments happening on a very frequent basis provided mainly by the attackers of the world." - Daniel Krivelevich, CTO for Appsec, Palo Alto Networks
TONIGHT [10-17-23]: CISO Series Podcast is LIVE in Mountain View, CA
This is it! We're recording an episode in front of a live audience as part of the entertainment for the ISSA-SF/SV chapter meeting at Microsoft's headquarters in Mountain View, CA. They have an absolutely BEAUTIFUL theater. Come at 5pm for networking. Our recording begins at 6pm, and immediately after food and drinks. Do not miss it! You MUST register though if you want to come. Do that now.
The Value of RSA, Black Hat, and Mega Cyber Tradeshows...
"I think that is the most unspoken open secret of all of these conferences, whether it be RSA or Hacker Summer Camp in Las Vegas, the real conference for practitioners, and really I think for corp dev and VC and salespeople, are it's not the conference, it's not the show floor. The conference value is outside the conference.
"It's where everyone's going to have lunch or a dinner or going to grab a quick meeting in the St. Regis lobby or whatever it might be, that's where the real magic is happening. I do think it's still very expensive to go, people have to man those show floors and give away those tchotchkes or whatever they're giving away to allegedly attract people to the booth, but the real magic is not actually happening at the conference." - Geoff Belknap, CISO, LinkedIn
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Cyber Security Headlines - Week in Review
Make sure you join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Andrew Wilder, CISO, Community Veterinary Partners.
Thanks to our Cyber Security Headlines sponsor, Vanta
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.