7/30/19 - Just Click "Accept" As We Explain Informed Consent
On this week's episode of the CISO/Security Vendor Relationship Podcast, Just Click "Accept" As We Explain Informed Consent, Mike Johnson and our guest Francesco Cipollone, head of security architecture and strategy, HSBC Global Banking and Markets, discuss:
Startups have a different model for security.
In a race to get products to market quickly, startups often view security as an inhibitor to productivity. But there are ways to build secure systems that move fast. Create guardrails that allow developers to still write code.
The tech world has adopted "informed consent" from the medical field.
Appropriate informed consent around data privacy should communicate to us what the acquirer of that data plans on doing with that data. If we are OK with that, then we can provide "consent," but only after we've been "informed" of its use. The data's value to the acquirer should not factor into our decision of whether we're going to provide consent.
Not all of a security vendor's information is "highly confidential."
Security vendors may be unwilling to show you the keys to their kingdom, meaning the processes and procedures needed to build a SOC 2 Type 2 report. And heck, you probably don't want to read them. But that doesn't mean you won't have specific concerns that the report doesn't initially address. Go ahead and make specific requests for information. Just don't ask to see everything.
Business owns the risk, not you, and yet still you'll have to adhere to risky security practices.
There are going to be times when you'll communicate the risk to the business and they'll make a decision that you wouldn't make. You have to live with it, and unfortunately you'll still be required to provide the best security and potentially be on the hook if and when things go south.
Special thanks to this week's CISO/Security Vendor Relationship Podcast sponsor, ExtraHop.
Unlike security solutions that focus on signature- and rule-based detection, ExtraHop Reveal(x) helps you rise above the noise of alerts with complete east-west visibility and machine learning for real-time detection of known and unknown threats, plus guided investigations for rapid response. Find and address real threats faster with ExtraHop.
Watch our recording at ExtraHop's booth at Black Hat 2019
Mike Johnson and I will be at Black Hat this year, where we'll be recording an episode of the CISO/Security Vendor Relationship Podcast in ExtraHop's booth (#822) on August 8th at 12 PM. Our sponsored guest will be Tom Stitt, ExtraHop's senior director, product marketing - security.
Be forewarned: it's not going to be like our regular live recordings, in that there won't be seating, and given the noise I don't know how well you'll hear. But come by and see us in our recording. We're happy to chat with you before or afterwards - just not during.
The 1979 movie When a Stranger Calls gave us that unforgettable horror moment when the police informed Jill that the calls from the stalker were coming from inside the house. Nineteen years earlier, Hitchcock's Psycho did a similar type of thing with the shower scene. We humans have a real problem when danger pops up in the place we feel safest: our homes. A similar problem happens in corporate IT security. We place a great deal of attention on watching for external hackers, as well as those that seek to dupe our overstressed employees into clicking that spear-phishing link. What was it that Edward Herrmann's character, the vampire, said in The Lost Boys? "You have to invite us in." But what about internal bad actors? There are those who see great opportunity in accessing, stealing and selling company resources, meaning data like social security numbers, credit card numbers and medical files.
Check out more Cloud Security Tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.
SUBSCRIBE TO BOTH PODCASTS
Go ahead and click on any of these links to subscribe to the podcast feed of your favorite podcast catcher.
If you're already a subscriber, THANK YOU! If you like either or both shows, please tell all your friends on social media and write a review on iTunes.