[10-24-23]--A CEO’s Guide To Ignoring Your Security Program (LIVE in Santa Monica)
CISO Series Podcast
A CEO’s Guide To Ignoring Your Security Program (LIVE in Santa Monica)
Usually the buck stops with the CEO. But for a CISO, what do you do when a CEO wants to exempt themselves from your security program? Whether it's granting privileged network access or just ignoring protocols, it can put a CISO in a tough spot. So how do you deal with a leader that thinks they're above the controls you have in place? Is it enough to document your disagreement or is there anything else you can do in that position?
This week’s episode is hosted by me, David Spark, producer of CISO Series and John C. Underwood, VP, information security, Big 5 Sporting Goods. We’re joined by our guest Joshua Scott, Head of Security and IT, Postman. This show was recorded in front of a live audience in Santa Monica, CA for the ISSA LA annual summit.
(From L to R: David Spark, CISO Series; John C. Underwood, CISO, Big 5 Sporting Goods; and Joshua Scott, CISO, Postman)
The life of a CISO is getting more complicated
The price of being a CISO seems to keep going up. Outside of the usual milieu of threat actors, we’ve seen CISOs held personally liable in court, like former Uber CISO Joe Sullivan, and we’ve got a bevy of new regulations on the way. It’s enough to make Sean Martin of ITSP Magazine ask if the role is still worth all the pressure that comes with it. While there seems to be more pressure on CISOs than ever, part of that is the role starting to become fully integrated into the C-Suite, which holds its own pressures and responsibilities. Some of the outsized pressure right now comes from an imbalance of the responsibilities of a CISO and still being on the outside of executive leadership in many organizations.
If security automation is so prescriptive, why do we still struggle with it?
The concept of embracing cloud security automation is ubiquitous, yet adoption eludes many. In a recent ReadWrite article, Zac Amos outlined a strategic roadmap comprising six essential steps, commencing with meticulous risk assessments and expanding to encompass cloud visibility enhancement. The journey continues with the implementation of both generalized and tailored automation solutions, the integration of automated threat monitoring, and culminates in a diligent process of evaluation and refinement. However, the central question persists: What presents the most formidable challenge for CISOs and their security teams while navigating this complex terrain?
When the CEO wants to be above your security program
The cybersecurity subreddit recently posed a thorny question: what do you do when your CEO wants to break your security best practices? The buck may stop with them, but if they are requesting something obviously risky, like admin rights to the network, how do you respond? What’s key in a real-world situation is building rapport and trust with the CEO so you never reach that point. If the CEO still insists on the highly risky request, it’s up to the CISO to connect the inherent risk of the bad practice to how it could impact the business.
Self-inflicted security wounds
Data leaks from so-called “friendly fire” remain a problem. Look no further than Microsoft's recent leak of a staggering 38TB of data on GitHub, stemming from a misconfigured token—a reminder that not all security breaches are orchestrated by malicious actors. These issues impact everyone. A recent thread on the cybersecurity subreddit quickly filled up with examples. We know these issues are out there, but how can we measure how common they are so we can properly understand the risk they pose?
Listen to the full episode over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to our podcast sponsor, Veza
Best advice I ever got in security...
"Best advice I ever got was have empathy for your users. Make sure you have a better understanding of what it is that they are up against and ensure that you’re actually helping them achieve their goals, not just putting a control on them and being the team that creates work for them." - Joshua Scott, head of security and IT, Postman
New SEC Rules for Cyber Security...
"I don't see CISOs running away because there's going to be more transparency because they're going to have a seat at the table because they're going to have greater influence because boards and executives are going to care more about security because the SEC is looking at this more closely." - Jamil Farshchi, CISO, Equifax
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Cyber Security Headlines - Week in Review
Make sure you join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Arvin Bansal, former CISO Americas, Nissan Motor Corporation.
Thanks to our Cyber Security Headlines sponsor, Vanta
Super Cyber Fridays!
Shadow IT Is Now Business As Usual
People want to get their jobs done. Often, if a SaaS app can help them do that, they'll just throw down a credit card without going to IT first. We used to call this Shadow IT. Increasingly, it's normal business operations. To get ready for our Super Cyber Friday event happening this Friday, October 27th, 2023, Brian Vecci, Field CTO, Varonis, and I chatted about how organizations can think about securing their SaaS landscape in this kind of environment.
Our topic of discussion will be “Hacking Third-Party Risk in the Cloud: An hour of critical thinking about the under-appreciated risks introduced by your sanctioned and unsanctioned SaaS apps.”
Thanks to our Super Cyber Friday sponsor, Varonis
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.