
[11-07-23]--Hey, Let’s Merge Our Technical Debt With Your Understaffed Security Team!

Hey, Let’s Merge Our Technical Debt With Your Understaffed Security Team! (LIVE in Miami)

CISO Series Podcast


Security is always going to be an issue in a merger or acquisition, because you're consolidating two completely different environments with different security cultures. When is cybersecurity brought into the discussion once a merger is underway? An analysis of the acquired company's security program can help with negotiations by revealing issues and costs that would otherwise be overlooked. If we know it's so important, why does it always feel like we're reinventing the wheel each time?

This week's episode is hosted by me, David Spark, producer of CISO Series, and Adam Zoller, svp, CISO at Providence. Joining us is our guest Sam Jacques, vp of clinical engineering, McLaren Health Care. We appear left to right in the photo below; this episode was recorded in front of a live audience in Miami as part of the Nexus ’23 conference held by Claroty.

Live audience recording of CISO Series Podcast in Miami at Nexus '23

Why do medical devices need first aid?

Patching remains one of the hardest parts of cybersecurity. It's not enough to know that a vulnerability is rated critical; you have to factor in the actual risk it poses to your organization. This gets harder still with medical devices, which can endanger not only a network but a patient's physical health, and which are notoriously difficult to patch. According to an upcoming Claroty Team82 Healthcare CPS Security Report, 14% of all medical devices run an unsupported OS, 23% of medical devices have known exploited vulnerabilities (KEVs), and 24% of surgical devices have active internal connections. Organizations need to either find a way to apply patches in a timely fashion or look to other ways to limit the threat those devices pose to the network.
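
As an added illustration of the point above (severity rating alone is not risk), here is a small risk-based triage over a constructed device inventory. This is example code written for this newsletter, not code from the episode, Claroty or Team82; the device records, the placeholder vulnerability labels, the scoring weights and the action thresholds are all assumptions, and a real pipeline would take the inventory from an asset or CPS tool and the "exploited" flag from a catalog such as CISA's KEV list.

```python
"""Risk-based patch triage for a constructed medical-device inventory.

Added example: not code from CISO Series, Claroty or Team82. The device
records, the placeholder vulnerability IDs and the weights are all
assumptions for illustration; a real pipeline would pull the inventory
from an asset/CPS tool and the exploited-vulnerability flag from a
catalog such as CISA's KEV list.
"""
from dataclasses import dataclass

# Assumed weights: severity and exposure give a base score, and
# "known exploited", "no vendor patch possible" and "patient-connected"
# each add on top. Tune these to your own risk appetite.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
EXPOSURE_WEIGHT = {"internet": 3, "enterprise": 1, "isolated": 0}
EXPLOITED_BONUS = 3
UNSUPPORTED_OS_BONUS = 2
PATIENT_CONNECTED_BONUS = 2
PATCH_THIS_CYCLE_THRESHOLD = 7


@dataclass(frozen=True)
class Device:
    name: str
    vuln_id: str             # placeholder label, not a real CVE identifier
    severity: str            # vendor/NVD rating: critical | high | medium | low
    exploited: bool          # True if the vuln is on a known-exploited list
    os_supported: bool       # False = end-of-life OS, no patch will ever ship
    exposure: str            # internet | enterprise | isolated
    patient_connected: bool  # infusion pump, surgical system, etc.


def risk_score(d: Device) -> int:
    """Combine severity with context; severity alone is not the risk."""
    score = SEVERITY_WEIGHT[d.severity] + EXPOSURE_WEIGHT[d.exposure]
    if d.exploited:
        score += EXPLOITED_BONUS
    if not d.os_supported:
        score += UNSUPPORTED_OS_BONUS
    if d.patient_connected:
        score += PATIENT_CONNECTED_BONUS
    return score


def recommended_action(d: Device) -> str:
    """Patch when you can; when you can't, shrink what the network can reach."""
    if not d.os_supported:
        # A patch is never coming, so the only lever is limiting exposure.
        return "segment/isolate now; plan OS upgrade or replacement"
    if d.exploited and d.exposure != "isolated":
        return "patch now (actively exploited and reachable)"
    if risk_score(d) >= PATCH_THIS_CYCLE_THRESHOLD:
        return "patch this cycle"
    return "schedule in routine maintenance window"


def triage(devices: list[Device]) -> list[tuple[str, int, str]]:
    """Return (name, score, action) ordered by descending risk."""
    ranked = sorted(devices, key=lambda d: (-risk_score(d), d.name))
    return [(d.name, risk_score(d), recommended_action(d)) for d in ranked]


# Constructed sample inventory (names and vuln labels are made up).
INVENTORY = [
    Device("infusion-pump-12", "vuln-A", "critical", True, True, "enterprise", True),
    Device("mri-console-3", "vuln-B", "high", True, False, "isolated", False),
    Device("nurse-station-pc-7", "vuln-C", "critical", False, True, "internet", False),
    Device("lab-analyzer-2", "vuln-D", "medium", False, True, "isolated", False),
]

if __name__ == "__main__":
    for name, score, action in triage(INVENTORY):
        print(f"{score:>2}  {name:<20} {action}")
```

Run it and the "high"-rated MRI console outranks the "critical"-rated nurse station, because it carries a known-exploited vulnerability on an OS that will never get a patch; the recommended action for it is segmentation rather than a patch that cannot exist. That ordering is the point of the paragraph: the CVSS label is an input to the decision, not the decision.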

The cybersecurity challenges of a merger

Acquisitions and mergers always present organizational challenges. This is particularly acute in cybersecurity, where you're merging different security cultures, tech stacks, and personnel. Given the growing importance of cybersecurity, should organizations take it into account before a merger? If nothing else, an analysis of the security program you're merging with might prove an advantage in negotiations. No one is without some scar tissue from these kinds of mergers, but we found some best practices to make them easier.

Creating malware with generative AI

With the rise of generative AI tools, a lot of security concerns have so far been speculative, or centered on data leaks. But Aaron Mulgrew at Forcepoint demonstrated a more concrete possibility, using a string of ChatGPT prompts to create a zero-day. This shows not only the potential to use these tools to develop malware, but also that even when these systems have robust controls against this type of use, clever and determined threat actors can use persistence and social engineering to get around them.

Are too many vendors a security problem?

One might be tempted to think that using more security vendors would be a net positive for your security posture. But a recent report from Kroll found a correlation between the number of vendors used and cybersecurity incidents. While that doesn't establish causation, it does raise the question of how we know when too many security vendors actually start to impede a security program. Is it just a signal-to-noise problem, or does it extend to vendors that overlap in functionality, increasing the chance that something falls into the gap between them?

Listen to the full episode over on our blog, where you can also read the entire transcript, or on your favorite podcast app. If you haven't subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.

Thanks to our podcast sponsor, Claroty

Best advice I ever got in security...

"Security doesn’t just happen. It’s a result of public investment and collective consensus. I think we talk a lot about investment, but we don’t talk a lot about public consensus. We really need to have a conversation about what minimum expectations are for everybody – your grandmother, your son – on what cyber security education needs to be." -  Sam Jacques, vp of clinical engineering, McLaren Health Care

People Are the Top Attack Vector (Not the Weakest Link)

"I think that humans sometimes, we're looking for an Easy button to solve a problem and then get back to our day job. And I think that the more we educate and help people understand that it's about awareness and about culture and about how we get people to understand that the weakest link isn't tied to a human, I think that is really what we should be doing versus looking to a person for root cause for a security incident." - Christina Shannon, CIO, KIK Consumer Products

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

Cyber Security Headlines - Week in Review

Make sure you join the LIVE "Week In Review" of Cyber Security Headlines this Friday with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Howard Holton, CTO and industry analyst, GigaOm.

Thanks to our Cyber Security Headlines sponsor, OffSec

Live!

[12-06-23] CISO Series Podcast Live in La Jolla, CA

CISO Series Podcast came back strong post-pandemic in 2023 with a string of great live shows in Clearwater, FL, Denver, Miami, Tel Aviv, New Orleans, New York, Los Angeles, Washington, D.C., Nashville, Las Vegas, Silicon Valley, and our very last one of the year, La Jolla, CA.

Here's what you need to know:

WHAT: Planet Cyber Sec, a small collaborative conference for executive cyber leaders. You can see a list of the speakers here.

WHERE: San Diego Marriott La Jolla (4240 La Jolla Village Dr, La Jolla, CA 92037)

WHEN: All day conference, but our recording begins at 5:35pm PT

Joining me on stage for the recording will be Billy Norwood, CISO, FFF Enterprises and Joshua Barons, head of information security, San Diego Zoo Wildlife Alliance.

If you're an executive security leader and are interested in attending, please request an invitation by emailing [email protected].

Huge thanks to our sponsor, Praetorian

Thank you!

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.