[12-07-23]--Do We Have to Fix ALL the Critical Vulnerabilities?

Join us TOMORROW [12-08-23] for "Hacking Cyber Resilience"


Super Cyber Fridays!


Hacking Cyber Resilience

Join us Friday, December 8th, 2023, for “Hacking Cyber Resilience: An hour of critical thinking of shifting the risk conversation to maintaining business continuity during a cyber attack.”

It all begins at 1 PM ET/10 AM PT on Friday, December 8th, 2023 with guests Brian Spanswick, CISO/CIO, Cohesity and TC Niedzialkowski, CISO, Nextdoor. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Cohesity


Defense in Depth

Do We Have to Fix ALL the Critical Vulnerabilities?


For years we've heard mantras like "patch all the things." But with limited resources, how do you actually focus your patching efforts on the vulnerabilities that are seen as universally holding the most risk? 

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. Joining us is our guest, David Christensen, VP, CISO, PlanSource.

Context is the key

The actual severity of a CVSS score is far less important than how it applies to your organization. Often the severity of a bug just adds to the already cacophonous noise in cybersecurity. "In order to capture what really matters and has impact it requires determining which CVEs have a public and easily accessible exploit that can be used against your company. This will reduce 80% of the noise," said Chris Galvan of HARMAN International. As David Ethington of Paramount succinctly put it, "If you can't identify which threats will directly impact your organization outside of simply looking at a CVSS score, what exactly are you being paid for?"

EPSS can be part of the puzzle

The Exploit Prediction Scoring System (EPSS) can play a role in helping to prioritize the flood of vulnerabilities. "It's not really feasible to do a technical investigation on millions of vulnerabilities. EPSS is good, and even better when combined with CVSS," said Nicki Møller of Accenture Czech Republic. The good news is that CVSS isn't standing still, with new versions helping to address the context gap. "Use version 4 of CVSS when it's released as there are many improvements including nomenclature to identify combinations of CVSS scores," suggested Bryan Kavanagh of RPMI Railpen.

You can’t prioritize everything 

With limited time, trying to be a completionist with all critical CVEs will just lead to slower patches for the things that really matter. The key is understanding how vulnerabilities impact business risk. “Not many organizations have a goal to remediate everything. Identify your business risk tolerance level and remediate above that,” said Carmine Fontana of the Federal Reserve Bank of Richmond. Organizations aren’t patching in a vacuum. As Peter Dowdall of Mintel pointed out, "One of the headaches with nuance is that the compliance and the 3rd party world doesn't like it.” 
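To make the two points above concrete (combining EPSS with CVSS, then remediating only what sits above a stated risk tolerance), here is an added example that is not from the episode or any of the people quoted. The weighting scheme, the public-exploit floor, the exposure and asset-criticality factors, and the inventory itself are all assumptions constructed for illustration; the CVE identifiers are placeholders, not real advisories.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    cvss: float             # CVSS base score, 0-10
    epss: float             # EPSS probability of exploitation in the next 30 days, 0-1
    public_exploit: bool    # exploit code is publicly and easily accessible
    internet_facing: bool   # affected host is reachable from the internet
    asset_criticality: int  # 1 = low ... 3 = business-critical (assumed scale)


# Assumed weight: a public exploit raises likelihood to at least this value
PUBLIC_EXPLOIT_FLOOR = 0.8


def risk_score(f: Finding) -> float:
    """Contextual risk on a 0-10 scale: likelihood x impact x exposure."""
    likelihood = f.epss
    if f.public_exploit:
        likelihood = max(likelihood, PUBLIC_EXPLOIT_FLOOR)
    # CVSS supplies technical impact; asset criticality supplies business impact
    impact = (f.cvss / 10.0) * (f.asset_criticality / 3.0)
    exposure = 1.0 if f.internet_facing else 0.5
    return round(10.0 * likelihood * impact * exposure, 2)


def prioritize(findings: list[Finding], tolerance: float) -> list[Finding]:
    """Findings whose contextual risk exceeds the tolerance, highest risk first."""
    above = [f for f in findings if risk_score(f) > tolerance]
    return sorted(above, key=risk_score, reverse=True)


def critical_only(findings: list[Finding]) -> list[Finding]:
    """The 'patch every critical' view: CVSS >= 9.0, context ignored."""
    return [f for f in findings if f.cvss >= 9.0]


# Constructed sample inventory (placeholder CVE ids, not real advisories)
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, 0.97, True, True, 3),    # critical, exploited, exposed
    Finding("CVE-0000-0002", 9.1, 0.01, False, False, 1),  # critical, but internal, low-value
    Finding("CVE-0000-0003", 6.5, 0.45, True, True, 2),    # medium, but public exploit, exposed
    Finding("CVE-0000-0004", 7.5, 0.05, False, False, 3),  # high score, unlikely to be exploited
]

if __name__ == "__main__":
    print("CVSS-only criticals:", [f.cve for f in critical_only(SAMPLE_FINDINGS)])
    for f in prioritize(SAMPLE_FINDINGS, tolerance=1.0):
        print(f"{f.cve}: contextual risk {risk_score(f)}")
```

Run as-is, the CVSS-only view selects the two 9.x findings, while the risk-tolerance view drops the internal low-value critical and instead pulls in the medium-severity bug that has a public exploit on an internet-facing host.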

Create a reliable patching framework

Because of the need for organizational context, there are no universal practices when it comes to your patching program. But that doesn’t mean you can’t have a framework and protocol to make patching decisions understandable. "Whatever your practice, DOCUMENT IT, and be able to support your active, conscious choices. Auditors will hit you for not following your practices before they hit you with the effectiveness of them," said Eric Stoever. 

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, SpyCloud


LIVE!

Cyber Security Headlines - Week in Review

Make sure to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Andy Ellis, operating partner, YL Ventures.

Thanks to this week's headlines sponsor, Barricade Cyber Solutions


CISO Series is going to Austin for Cyber Marketing Con


We are super excited to be sponsoring and presenting at Cybersecurity Marketing Society's Cyber Marketing Con happening from December 10-13, 2023 in Austin, TX. This is going to be an awesome opportunity to learn from other marketers.

Business Networking Pickup Lines

CISO Series is super excited to be sponsoring, and we're going to be hosting a really fun workshop on December 11th, 2023 called "Business Networking Pickup Lines." No one sits during this workshop where all attendees will learn how to be a professional business flirt.

Cyber chatter from around the web...

Jump in on these conversations:

  • "Do HackTheBox Certifications hold any value in terms of Corporate Jobs?"

  • "Who Is Actually Applying the Patches in Your Company?"

  • "What is the appeal of ServiceNow GRC? I am baffled."

Coming Up On Super Cyber Friday...

Coming up in the weeks ahead on Super Cyber Friday we have:

  • [12-08-23] Hacking Resilience

  • [12-15-23] Hacking the SaaS Security Journey

Register for them all now!

Thank you!

Thank you for supporting CISO Series and all our programming.

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.