We Built This City on Outdated Software
CISO Series Podcast
We Built This City on Outdated Software
Andy Ellis, operating partner at YL Ventures, and I had a great discussion with sponsored guest Richard Marcus, VP, information security, AuditBoard. Please give us your thoughts on these issues:
Our greatest threat is outdated and insecure software.
It's actually a threat to national security and the planet's most vital systems, argued Robert Slaughter of Defense Unicorns. Robert is so adamant about this that he says debates about risk, an area where we spend a lot of time, take our eye off the real issue, which is that software simply needs to be updated. And yes, Robert is right: updating software falls under the category of "the fundamentals," an area we hammer on as often as we talk about risk. If you're not doing this, your business can be a risk to others. And businesses need to start identifying those vendors who are not patching and are therefore a risk to others, said Richard Marcus.
How are you handling the breach, and how much do you tell the public?
"How transparent companies are before, during, and after a breach tells you a lot about their corporate character," said Richard Marcus. When a breach becomes public, those affected want answers and transparency. But you can't just tell all, as Marcus points out. It's a balancing act because you have to protect your security posture, and disclosing too much can put your customers at further risk. Ultimately, whatever decision you make, you want to be honest. Andy Ellis also offers the tip of writing the update you're going to release before the meeting about whether to release the information. That way you can keep to a timeline, and the discussion is only "We have the information ready for publication, do we release it?"
Yeah, we get it. Compliance doesn't equal security.
We're well aware of this mantra that has been hammered into our collective security heads again and again. "I'd like to see less generic requirements and reliance on standard frameworks," said Marcus. The company being audited should really understand its threats, and that's the discussion it should have with the auditor. A compliant AND secure company can converse openly about, and understand, its risks and threats. Standard requirements that barely apply only satisfy a regulatory body and don't necessarily provide any security.
If you've got responsibility, but no corresponding authority, it's time to look for a new job.
This was the wisdom of Gene Spafford of Purdue University, and it echoes the question of whether CISOs are C-level executives who have the power to make decisions and influence others. If you are a security leader, what are the signs this is happening to you?
Listen to the full episode. Note, we've got chapter markers on our segments so you can jump to any segment you'd like.
Thanks to our podcast sponsor, AuditBoard
Best advice I ever got in security...
"The best advice I ever got in security is that good news should travel fast, but bad news should travel faster, so I make it my mission to foster transparency and accountability through the connectedness of people and data." --Richard Marcus, VP of information security, AuditBoard
Listen to the full episode.
What’s fueling the increase in cybersecurity budgets?
"I don’t think my budget has gone up 100%, but I think in general we’re seeing a lot of budgets go up. I would like to attribute that to two things – one, that people understand security is a business differentiator. Security done well is part of maximizing upside for your business, not just minimizing downside. It’s not just insurance. It’s a way to compete more aggressively in your sector. And two, I think people are realizing if we just bring this to the macro-economic climate that exists at the moment that we’re recording this, if you were going to go through a tough time, and you’re a business that’s going shields up and ensuring your business succeeds in the long-term, you realize that security is going to be a big part of that." --Geoff Belknap, CISO, LinkedIn
Listen to the full episode.
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters also available on LinkedIn. Go ahead and subscribe to one or both!
- Twice every week
- Every weekday
Cyber Security Headlines - Week in Review
Make sure you join the LIVE "Week In Review" this Friday for Cyber Security Headlines. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be John Scrimsher, CISO, Kontoor Brands.
Thanks to our Cyber Security Headlines sponsor, AppOmni
Super Cyber Fridays!
"Hacking Cybersecurity Budgets for 2023" - Super Cyber Friday
Join us this Friday for “Hacking Cybersecurity Budgets for 2023: An hour of critical thinking about how to invest in the right products to maximize your return.” You can watch this preview of our discussion with Pankaj Goyal, Senior VP, Safe Security. Also joining us will be Ngozi Eze, CISO, Levi Strauss.
It all begins at 1 PM ET/10 AM PT this Friday, November 18th, 2022. At the end we'll have our meetup.
Thanks to our Super Cyber Friday sponsor, Safe Security
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.