[10-31-23]--I Taught DeNiro Security Theater, I Can Teach You
CISO Series Podcast
In principle, most agree that security theater is a waste of time. But the reality is that these are things that look good, so it can be hard to justify to non-technical leadership why you’re eliminating something they view as secure. How can we positively identify actual security theater practices and how do we communicate that to the rest of the organization?
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, operating partner, YL Ventures. Joining us is our guest, Davi Ottenheimer, VP of Trust and Digital Ethics, Inrupt.
Is generative AI ready for the enterprise?
With the flood of consumer-facing LLMs and other generative AI tools, it's easy to think that this kind of AI is ready for business. But the enterprise has much higher standards, argues Jon Reed in a piece for diginomica. The “good enough” output consumers will accept doesn’t matter much to an enterprise, especially when they are paying customers. Davi Ottenheimer suggested companies start testing personal data stores now to get ready to apply these tools safely. Organizations should also start planning for interoperability to avoid sticker shock if they ever want to change vendors.
Closing the curtain on security theater
We can all think of practices that constitute security theater. These are things that might look good, but don’t actually help your security posture. Responding to a piece by Taylor Lehmann of AWS and CISO Series alum Seth Rosenblatt on how to identify and eliminate security theater, Davi Ottenheimer and Andy Ellis recognized the importance of feelings within an organization, but found that those feelings shouldn’t get in the way of sound security methodologies. They also highlighted that while compliance checkboxes may look like theater, they do at least establish an efficient baseline for a safety control.
Sensing the stress in cyber security
There is stress in just about every job. It’s so much taken as a given in cybersecurity that we often assume we don’t need hard data on it. But that stress can meaningfully impact both performance and longevity in the field. We discussed a recent Tines survey profiled by CyberScoop’s Tonya Riley, showing that over half of respondents had “significant levels of stress at work” in cybersecurity. This pairs with a recent report from Gartner that predicted half of cybersecurity leaders would leave their positions over stress in the next 2 years. For Davi Ottenheimer, a lot of this stress comes from security practitioners feeling isolated in their organizations and not having their concerns about risk and privacy heard by the rest of the business.
Where does infosec Twitter go from here?
Since November 2022, there’s been a significant drop in engagement from the cybersecurity community on X, formerly known as Twitter, according to the Cyentia Institute, which saw conversations around CVEs down 87% as of June 2023. The long-term question is whether a decline in interactions on X will make information sharing worse overall for the industry.
Listen to the full episode over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to our podcast sponsor, Sysdig
How do you eliminate security theatre without ruffling a lot of feathers?
"I think first of all, eliminating theater sounds like a bad idea. Because theater is like fiction. It has a purpose. And if you use it wisely then it can really be like a placebo. It can be a way of addressing people’s fears, and that’s important because fears matter, and people want a sense of comfort, so you can give that to them. Feelings are real, but you shouldn’t replace or get in the way of security. And probably the worst form of theater is the corrupt theater." - Davi Ottenheimer, VP of Trust and Digital Ethics, Inrupt
What's Entry Level in Cybersecurity?
"I think the solution here is for people like me, and especially for organizations like me, to make sure that we are building pipelines that, almost like the military or like the medical profession, that start in a structured way of you have a base set of knowledge and you will build it over the years into being a fully high-performant InfoSec engineer in one discipline or another." - Geoff Belknap, CISO, LinkedIn
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Cyber Security Headlines - Week in Review
Make sure you join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Allan Cockriel, CIO of global functions and group CISO, Shell.
Thanks to our Cyber Security Headlines sponsor, Hunters
Super Cyber Fridays!
SOC 2 Will Tell You More About Your Security and Data Management
You don’t have to get everything perfect to get a SOC 2. You don’t pass or fail. You can’t get rejected. This was the sage advice of Kim Elias, senior compliance specialist, Vanta. She admitted to making this very mistake of “perfection” when trying to achieve her first SOC 2.
In this video, Kim and I discussed in advance of our upcoming Super Cyber Friday event “Hacking SOC 2: An hour of critical thinking on trust, security, and compliance.”
Joining Kim and me will be Jared Mendenhall, head (CISO) of information security & infrastructure, Impossible Foods.
It all starts at 1 PM Eastern/10 AM Pacific. At the end of the hour [2 PM Eastern/11 AM Pacific] we’ll switch gears to our meetup where everyone will get a chance to chat face to face.
Thanks to our Super Cyber Friday sponsor, Vanta
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.