Can’t Our Employees Just Go Back to Stealing Pens?

CISO Series Podcast

A CISO can't shake a stick without finding a solution for managing excessive privileges. Yet years of data in the Verizon DBIR show remarkably high rates of employees abusing privileges to steal company data. If we have the right tools, why is this still a problem? 

This week’s episode is hosted by me, David Spark, producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest, Itzik Alvas, co-founder and CEO, Entro.

What to expect when you’re offboarding

Why do some organizations treat offboarding differently depending on how an employee leaves? The risks to the organization remain the same, as pointed out in a recent cybersecurity subreddit thread. Access termination processes should be consistent regardless of whether an employee leaves on good or bad terms, with timing as the primary distinction. Common failures include inadequate notification of departures, particularly for contractors, and poor inventory management of access permissions. Organizations often overlook access adjustments when employees change roles and fail to revoke programmatic access tokens, with 91% of tokens remaining active after employees leave. Organizations need comprehensive playbooks and lifecycle planning for technology and access to mitigate risks and ensure secure offboarding.

The threats are coming from inside the organization

Access management has been a major issue for decades. Insider threats, like employees abusing privileges to steal customer data or intellectual property, remain a significant concern, as outlined in Verizon’s most recent DBIR. One key problem is the disconnect between teams granting access, like IT, and those responsible for securing the data, like security teams. It's critical to involve data custodians and build workflows to properly review and approve access requests. However, there is a tension between speed and security, where fast-moving organizations risk granting excessive privileges, while overly strict policies can hinder productivity. The solution is balancing these priorities, using monitoring tools to reclaim control, and ensuring clear communication and accountability across teams.

The risk of stale identities

Non-human identities (NHIs), such as API keys and service accounts, are rapidly growing and often poorly managed. Organizations need to move beyond the outdated view of NHIs as merely an API key problem and embrace full lifecycle management, from provisioning to decommissioning. Many organizations lack visibility into their NHIs, making it hard to secure them. Research shows that 40% of NHIs in customer environments are stale and unused, representing an easy opportunity to reduce attack surface. Organizations must right-size permissions and safely decommission identities without disrupting processes, using activity-based insights (who last used which identity, and which of its granted permissions were actually exercised) to make precise adjustments.
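The offboarding and stale-identity segments above both come down to the same review: join an identity inventory to an HR roster and to activity data, then flag tokens whose owner has left, identities that have gone quiet, and permissions that were granted but never exercised. The script below is an added illustration of that review and is not Entro's product or code from the episode; the inventory, roster and activity log are constructed sample data with hypothetical names, and the 90-day stale and 30-day grace thresholds are assumptions a team would tune to its own environment.

```python
"""Stale and orphaned non-human identity (NHI) review.

Added example, not code from the episode or from Entro. All data below is
constructed: an inventory of API keys / service accounts, an HR roster, and
an activity log of (timestamp, identity, permission exercised).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class NonHumanIdentity:
    name: str           # hypothetical identity name
    owner: str          # human employee accountable for this identity
    granted: frozenset  # permissions granted at provisioning
    created: datetime   # when the identity was provisioned


# Fixed "now" so the example is deterministic.
NOW = datetime(2024, 12, 1, tzinfo=timezone.utc)

# Constructed inventory (hypothetical names and permissions).
INVENTORY = [
    NonHumanIdentity("ci-deploy-key", "alice",
                     frozenset({"s3:PutObject", "s3:GetObject", "iam:PassRole"}),
                     NOW - timedelta(days=400)),
    NonHumanIdentity("reporting-svc", "bob",
                     frozenset({"db:read", "db:write"}),
                     NOW - timedelta(days=300)),
    NonHumanIdentity("legacy-etl", "carol",
                     frozenset({"db:read", "db:write", "db:admin"}),
                     NOW - timedelta(days=900)),
    NonHumanIdentity("new-webhook", "dave",
                     frozenset({"queue:publish"}),
                     NOW - timedelta(days=10)),
]

# Constructed HR roster: carol has left the company but her key still exists.
ACTIVE_EMPLOYEES = {"alice", "bob", "dave"}

# Constructed activity log: (timestamp, identity, permission exercised).
ACTIVITY = [
    (NOW - timedelta(days=2), "ci-deploy-key", "s3:PutObject"),
    (NOW - timedelta(days=1), "ci-deploy-key", "s3:GetObject"),
    (NOW - timedelta(days=5), "reporting-svc", "db:read"),
    (NOW - timedelta(days=200), "legacy-etl", "db:read"),
]


def last_used(activity):
    """Map identity -> most recent activity timestamp."""
    seen = {}
    for ts, ident, _perm in activity:
        if ident not in seen or ts > seen[ident]:
            seen[ident] = ts
    return seen


def used_permissions(activity):
    """Map identity -> set of permissions it actually exercised."""
    used = {}
    for _ts, ident, perm in activity:
        used.setdefault(ident, set()).add(perm)
    return used


def review_identities(inventory, activity, active_employees, now,
                      stale_days=90, grace_days=30):
    """Flag orphaned, stale and over-privileged identities.

    - orphaned: owner no longer on the active roster (offboarding gap)
    - stale: no activity for stale_days, or never used and older than grace_days
    - unused_permissions: granted minus exercised (right-sizing candidates)
    - in_grace: brand-new identities with no activity yet; not judged
    """
    seen = last_used(activity)
    used = used_permissions(activity)
    findings = {"stale": [], "orphaned": [], "unused_permissions": {}, "in_grace": []}
    for nhi in inventory:
        # Ownership is checked first: an orphaned key is a problem even if active.
        if nhi.owner not in active_employees:
            findings["orphaned"].append(nhi.name)
        if nhi.name not in seen:
            # Never used. Too new to judge, or genuinely stale?
            if now - nhi.created <= timedelta(days=grace_days):
                findings["in_grace"].append(nhi.name)
                continue
            findings["stale"].append(nhi.name)
        elif now - seen[nhi.name] > timedelta(days=stale_days):
            findings["stale"].append(nhi.name)
        # Granted-but-unexercised permissions are the right-sizing targets.
        unused = set(nhi.granted) - used.get(nhi.name, set())
        if unused:
            findings["unused_permissions"][nhi.name] = unused
    return findings


if __name__ == "__main__":
    result = review_identities(INVENTORY, ACTIVITY, ACTIVE_EMPLOYEES, NOW)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Identities that appear in both the orphaned and stale lists (here the constructed `legacy-etl`) are the safest decommissioning candidates; orphaned identities that are still active need a new owner before anything is revoked, and the unused-permission sets are the trims to make without disrupting a running process. The grace period matters: a freshly provisioned identity has no activity baseline yet, and flagging it as stale or over-privileged would produce exactly the false positives that make teams stop trusting the report.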

Working backward to risk

Third-party risk management suffers from an overreliance on questionnaires and scoring tools that fail to deliver real risk reduction. A more practical approach is to start with the potential scenarios of a vendor breach and work backward to prioritize risks. That means focusing on high-impact risks rather than applying the same scrutiny to every vendor. Understanding how vendors handle and access sensitive data is critical, but current tools often lack real-time validation of vendor compliance. We need better tools, trust centers, and ongoing monitoring to manage third-party risk effectively.

Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Jonathan Waldrop, CISO, The Weather Company for providing our “What’s Worse” scenario.

Thanks to our podcast sponsor, Entro

Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Best advice for a CISO…

"I mean, it's budget season. It's end of the year. You're probably working on your budget. Set aside like 5% for unexpected software you will need during 2025." - Itzik Alvas, co-founder and CEO, Entro

Listen to the full episode of "Can’t Our Employees Just Go Back to Stealing Pens?"

Vulnerability Management ≠ Vulnerability Discovery

"I mean it's operational discipline of how do you manage your infrastructure, how do you manage your applications, do you know who owns them, do you know what they are? What they've been used for? How critical they are? This is just brushing your teeth every morning. That's exactly what you're supposed to do. And that's why in my head, I also tend to distinguish between patch management and vulnerability management. I know a lot of people kind of mix them both." - Yaron Levi, CISO, Dolby

Listen to the full episode of "Vulnerability Management ≠ Vulnerability Discovery."

Subscribe to our newsletters on LinkedIn!

We've got our twice-weekly CISO Series Newsletter and our daily Cyber Security Headlines newsletter available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Jimmy Sanders, president, ISSA International.

Thanks to our Cyber Security Headlines sponsor, ThreatLocker

Super Cyber Fridays!
Strategies To Tackle Technical Debt

Every organization knows they are accruing technical debt, but dealing with it remains a problem.

I spoke with James Hauswirth, principal consultant at GuidePoint Security, about the unavoidable challenge of technical debt in cybersecurity. We explored why organizations delay addressing it until financial incentives arise and examined the consequences of neglecting it. From integrating new technologies to handling task saturation, James defined technical debt and shared best practices for managing it effectively.

On our next Super Cyber Friday, we're going deep on the topic of "Hacking Technical Debt: An hour of critical thinking about strategically modernizing your infrastructure." Join us on Friday, December 13, 2024 at 1pm ET/10am PT for the show. Joining us for this conversation will be Sam Jacques, vp, clinical engineering, McLaren Health Care.

Thanks to our Super Cyber Friday sponsor, GuidePoint Security

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.