How to Choose a Bad Security Product
From podcast to full series!
I've decided to just rename this the "Series" because heck, there will be a lot more than just podcasting.
This week's podcast episode
How to Choose a Bad Security Product
What you'll learn from our CISOs this week
On this week's podcast, co-host Mike Johnson, CISO, Lyft, and guest Randall (Fritz) Frietzsche, CISO, Denver Health, let us know the following:
Just because cybercriminals take a break to watch the World Cup, like the rest of the world does, that 90-minute respite doesn't change any company's security strategy. It's only amusing.
Even the smartest CISOs make stupid mistakes. Promises of something that a CISO needs today are a red flag. And just because the product initially appears cheap, the cost of integration may make total cost of ownership much higher.
Contrary to popular belief, there are emails CISOs love receiving. Our CISOs eagerly read the Verizon Data Breach Investigations Report, internal reports, and industry reports. Mike also recommends The Morning Paper.
One of the most useful metrics for CISOs is "dwell time" or the time between a breach and its discovery. The best measure of a security team's preparedness is incident response. If you aren't already, use the current stories of breaches to run your own exercises to see how quickly your team would respond.
It's often difficult to determine what are the best metrics to follow. One good barometer is if you can actually influence the metric. If it's something you don't have control over, don't bother tracking it. Examples of pointless metrics are number of firewall blocks, viruses detected, and patches missing.
Lastly, it's debatable how much CISOs are influenced by case studies. Video case studies are so heavily produced with great testimonials that CISOs discount them. But written case studies, if they go through hard technical details, can actually be of great interest.
Full series returning next month
Starting next month I'll be reintroducing the original CISO/Security Vendor Relationship Series with new articles and videos, plus a newsletter, ebook, and webinars. We're looking for a few more sponsors. If you're interested, please just reply to this email and I can send you details.
Subscribe to the podcast
Got a podcast catcher? Search for "CISO" and chances are you'll find the CISO/Security Vendor Relationship Podcast. If it doesn't come up, go ahead and click on any of these links to subscribe to the feed.
If you're already a subscriber, THANK YOU! If you like the show, please write a review.
Listener contributions
I am always looking for contributions from listeners. Please reply to this email, and send me any of the following:
An "Ask a CISO" question.
A vendor pitch you want us to critique (let me know if you want to be anonymous or not).
A hot security discussion (please provide a link).
A quick security tip.
A big industry story for which you want to know what that story means to security professionals.
An idea for a new segment for the show!
Sponsor the show!
We've been extremely fortunate to have a number of vendors eager to sponsor the show. If you'd like to sponsor the show, please feel free to reply to this email and I can send you details.