As Long as We Keep Moving the Goalposts, We Have a Great Security Culture (LIVE in Dallas, TX)
CISO Series Podcast
While building a security culture is a bedrock for overall resilience, identifying and quantifying it are quite difficult. It’s quite unlike the more metrics-driven side of cybersecurity. How do you evaluate the cultural aspects of your security program?
This week’s episode is hosted by David Spark, producer of CISO Series, and Rinki Sethi, VP and CISO, BILL. Joining them is their sponsored guest, Lamont Orange, CISO, Cyera.
This episode was recorded in front of a live audience at Cyera’s first DataSec conference (November 2024) in Dallas. Thanks to Adam Holland, CISO, Wendy's, Farray Rahman of Vibrant Emotional Health and 988 Lifeline, and Biji John of USAA for our questions in the episode.
Shifting from traditional recovery
The last few years have seen an evolution of security philosophy with more focus on resilience. On Venture in Security, Ross Haleliuk and Nathan Case argued that organizations will never be able to get incidents down to zero. Because of that, security teams should focus on making it easier and faster to recover. This requires strong crisis management planning and partnerships across business functions. Traditional recovery may not always be possible. Ask yourself: how can operations run seamlessly in a degraded state? To test readiness and resilience, implement realistic exercises like surprise breach drills to assess and enhance resilience strategies.
Do you know where your data is?
Organizations are expanding the role of Data Security Posture Management (DSPM) in modern cybersecurity due to its ability to automate data discovery, classification, and governance. A recent Cyera survey sadly discovered that a distressing number of executives don’t know where their data resides. Given its categorization capabilities, thanks to the rising utility of AI, DSPM can solve many legacy problems while addressing challenges like data deletion and integrating identity management for Zero Trust, a key component for compliance.
The science of tradeoffs
Balancing security with business needs requires a long-term perspective. This inevitably involves tradeoffs; the CIA triad (Confidentiality, Integrity, Availability) offers a suitable evaluation methodology. But as Vincent Triola noted in a recent Medium post, it can’t stop there. Improve user experience to make security seamless and less obtrusive. Think of it this way. Don’t create unnecessary and unwanted barriers. Instead, create “calculated friction” to guide users to make proper “just in time” decisions.
How do you measure security culture?
No one argues against building a security culture. However, it remains a squishy target as no one agrees on how to measure its effectiveness. Amanda Draeger of Liberty Mutual Insurance argued that culture is inherently harder to fit into quantitative boxes. But that doesn’t mean it's impossible. Certain metrics, like employee self-reporting of mistakes or participation in security improvements, can indicate that the security culture is shifting from a siloed, single-department responsibility to a collaborative, supportive approach, enhancing overall organizational resilience.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to our podcast sponsor, Cyera
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Biggest mistake I ever made in security…
"The biggest mistake I ever made… It’s a story about trust and verify. When a CISO has to code something and think that it’ll work out great, it’s a problem. I did a denial of service on myself." - Lamont Orange, CISO, Cyera
Listen to the full episode of "As Long as We Keep Moving the Goalposts, We Have a Great Security Culture (LIVE in Dallas, TX)."
AMA (“Ask Me Anything”) on r/cybersecurity
I'm a Security Leader who has built a successful security metrics and reporting program - Ask Me Anything about demonstrating security's value to the business.
This week CISO Series is running its monthly AMA ("Ask Me Anything") on r/cybersecurity.
This week's discussion: I'm a Security Leader who has built a successful security metrics and reporting program.
Our participants:
Chris Donaldson, Director, risk3sixty
Jack Jones, Principal Consultant, Risk Management Insight
Brandon Pinzon, CISO and Advisor, SPKTR Ventures
Jack Freund, Advisor and Former CRO at Kovrr Risk Modeling, Ltd.
Jump into the conversation here.
If and When Should a CISO Have a Long Term Security Plan?
"It's all about influence, and I think CISOs are not only subject matter experts in cyber, but they have to be great communicators, they have to be good relationship builders, and they have to be able to influence people. And you influence people by aligning with their ideas and their goals and translating that to within the program itself." - Gaurav Kapil, CISO, Bread Financial
Listen to the full episode of "If and When Should a CISO Have a Long Term Security Plan?"
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Alexandra Landegger, Global Head of Cyber Strategy & Transformation, RTX.
Thanks to our Cyber Security Headlines sponsor, Conveyor
Super Cyber Fridays!
Understanding Vendor Security Posture
How do you tackle third-party risk when the rules keep changing?
I recently spoke with Crystal Jackson, SME, Security, Governance, Risk and Compliance, Vanta, to unpack the ever-evolving challenges of third-party risk management. From time-tested strategies to actionable tips for assessing vendor security, we dive deep into the tools and tactics CISOs need to stay ahead. Learn how questionnaires, online resources, and smart strategies can help validate vendor security postures in an unpredictable landscape.
Plus, don't miss our next Super Cyber Friday, where we'll take an even closer look at the complexities of managing third-party risk!
Join us on January 31, 2025, for "Hacking Third-Party Risk Management" at 1 pm ET/10 am PT for Super Cyber Friday. Joining David and Crystal for this conversation will be Joshua Brown, former CISO, H&R Block.
Thanks to our Super Cyber Friday sponsor, Vanta
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.