4th Party Data Breach? We Can Barely Catch the 1st Party Ones!

CISO Series Podcast
4th Party Data Breach? We Can Barely Catch the 1st Party Ones!

The dangers of third-party data breaches have never been more apparent, and everyone is familiar with the problem. Given how interconnected organizations are, our exposure doesn't stop with our direct vendors; it extends to our vendors' vendors and so on. How deep into that chain (4th parties or further?) and how often do security audits have to go? And what does this mean for an organization's incident response strategy?

This week’s episode is hosted by David Spark, producer of CISO Series and Mike Johnson, CISO, Rivian. Joining them is George Finney, CISO, The University of Texas System.

Aligning on privacy

A study by Marist College highlights that consumers are more likely to purchase from companies perceived as maintaining strong data privacy, positioning privacy as a competitive differentiator. However, this conflicts with marketing's goal of extensive data collection. While most companies give themselves a lot of latitude to collect data, marketers care more about demographics and segments than about personal data. That's why it's critical for CISOs to collaborate with marketing teams on what they really need. By understanding marketing's objectives, CISOs can guide them toward achieving those goals through data minimization and compliance with privacy regulations. An organization-wide culture of privacy and security can integrate these principles into marketing efforts and align them with company values, to the benefit of both the business and its customers.

Bringing Zero Trust to OT

Securing operational technology (OT) remains challenging because of outdated systems and proprietary protocols that are incompatible with modern security tools. In a LinkedIn post, Abhishek Kumar Singh of ETEK International Corporation laid out these challenges. Zero Trust is a viable strategy for securing OT through micro-segmentation and a comprehensive approach that includes visibility, monitoring, and testing, but it needs to be tailored to the unique constraints of OT environments. The outdated "big wall" approach of a single perimeter around the plant network no longer works. Organizations need real-time visibility into data flows to ensure both security and operational agility.

Restores and resilience

Focus on operational resilience rather than just a suite of cybersecurity tools. On his blog, Leon Adato quoted his friend Tom LaRock of BlackLine, who articulates this perfectly: "backups are worthless, restores are priceless." Cybersecurity isn't about ROI in the traditional sense but about mitigating existential threats like ransomware, where failure to act could jeopardize the organization's survival. Security, like disaster recovery, is about managing risk and trade-offs.

Focus on what you can control

Managing fourth-party risk highlights the challenge of dealing with issues outside an organization's direct control. Phillip Addison of The Hershey Company wondered how far down the supply chain we have to go for incident reporting. The industry needs a better way to do systemic risk assessments. The Change Healthcare breach highlighted this issue, exposing the industry's lack of preparedness for single points of failure. The solution will be found through strong partnerships and by educating business stakeholders on the dependencies and risks in the supply chain. This also requires focusing on what can be controlled, such as ensuring vendors have robust risk management programs and clear incident response contacts, while acknowledging the impossibility of monitoring every potential breach down the chain. Tabletop exercises can also help identify lines of communication and ensure the chain of command is well-defined, which fosters a resilient response strategy.

Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to our podcast sponsor, Vanta

Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Best advice I ever got in security…

"When I first became a CISO, my CIO described the security team as a black box, meaning no one knew what was going on. And so the keys to success were going to be transparency, communication, and collaboration." - George Finney, CISO, The University of Texas System and author of Project Zero Trust

Listen to the full episode of "4th Party Data Breach? We Can Barely Catch the 1st Party Ones!"

Do We Want CISOs Dictating How Salespeople Should Engage?

"The idea that it takes half a dozen to a dozen touchpoints before they actually get a response back, it’s probably accurate because the first five or six times, you maybe didn’t need to talk to them. You don’t have time to talk to them. You didn’t even see the email. Right? So, even if it’s a product that you’re interested in, the question is whether or not you’re going to respond to them because you didn’t have time to, or you didn’t see it." - Ken Athanasiou, CISO, VF Corporation

Listen to the full episode of "Do We Want CISOs Dictating How Salespeople Should Engage?"

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Shaun Marion, VP, CSO, Xcel Energy.

Thanks to our Cyber Security Headlines sponsor, Vanta

Super Cyber Fridays!
The Challenges and Nuances of Platformization

Selecting the right tools is critical for your organization. But how can your wider cybersecurity ecosystem help make these tools even more effective?

I spoke with Elad Koren, Vice President, Product Management, Palo Alto Networks, to dive into the intricate debate between platformization and best-of-breed strategies in cybersecurity. We dig into the idea that platforms can act as a connective tissue, blending central data management with specialized tools. Executing a platform that marries top-notch data, product integration, and specialized components is critical for modern cybersecurity.

On our next Super Cyber Friday, we’re going deep on the topic of “Hacking Platformization: An hour of critical thinking of how stitching together data, tools, and processes is necessary for the success of your security program.” Join us on Friday, January 24, 2025 at 1pm ET/10am PT for the show. Joining us for this conversation will be Yabing Wang, VP, CISO, Justworks.

Thanks to our Super Cyber Friday sponsor, Palo Alto Networks

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.