How CISOs Stay Current When They're Ignoring Vendor Pitches
This week's podcast episode
What you'll learn:
On this week's podcast, co-host Mike Johnson, CISO, Lyft, and guest Allan Alford, CISO, Mitel, discuss the following:
Why don't more people use two-factor authentication? The UX on 2FA still stinks and there's no agreement on what it should be. Universal 2nd Factor (U2F) may be the saviour, but hoping for a solution is not a plan.
How do you tell if an employee is about to go rogue? Traditionally, an employee browsing job listings and job sites (e.g., LinkedIn, Glassdoor) has been treated as a possible sign they're about to turn on the organization. But that shouldn't be the only indicator, since people look for jobs all the time. Building a security program on the fear that employees will go rogue is not a good plan.
Monitor the tools that are doing the monitoring. Instead of instilling fear in fellow employees and to avoid the "creep" factor, simply monitor the monitors. Make everyone account for what they do with the key tools. Do it for everyone, even the CISOs.
Minimize insider attacks with strategic employee scheduling: Segregate assignments so there's no crossover among employees (e.g., admin and auditor duties should be separate). Also rotate duties, so that if there is a rogue employee, they have limited time to carry out an insider attack.
Compliance can be used as a market advantage. Each new regulation you adhere to affords your company the ability to participate in yet another regulated market. Often the ability to comply with one industry's rules is just a small step away from complying with another's. Look for those opportunities.
Don't look at compliance as just check boxes. Compliance is just proving you already have a security plan in place. Use it as a means to align with the rest of the business.
CISOs are overwhelmed by vendor pitches, yet they still want to stay current. In an effort to find balance, they look to CISO peer groups (in person and online), LinkedIn, VCs, Twitter, and Reddit.
Fastest way to get on a CISO's radar. LinkedIn posts have proven to be really powerful. A short, unique post or infographic that's eye-catching and sells a distinct concept will catch a CISO's eye.
Special thanks to our sponsor, , for supporting this episode of the podcast.
about their autonomous endpoint protection.
YOUR STORY: How security vendors overcome roadblocks
I'm working on a series of articles on vendors overcoming roadblocks. I'm interested in hearing your story of hitting a roadblock, and how you overcame that roadblock. Just reply to this newsletter and tell me your tale. You're welcome to keep whatever information you'd like anonymous, or not.
Subscribe to the podcast
Got a podcast catcher? Search for "CISO" and chances are you'll find the CISO/Security Vendor Relationship Podcast. If it doesn't come up, go ahead and click on any of these links to subscribe to the feed.
If you're already a subscriber, THANK YOU! If you like the show, please write a review.
Contributions. Contributions. Contributions.
I am cranking out a ton more content, not just for the podcast but for the entire series, so I am very open and receptive to story ideas, suggestions for segments of the podcast, or anything else. Just reply to this email or connect with me on LinkedIn.
Sponsor the podcast or the series!
Starting in just a few weeks I'll be restarting
with articles, videos, an ebook, and webinars. We've been extremely fortunate to have a number of vendors eager to sponsor the podcast. If you'd like to sponsor the podcast or the full series, please feel free to reply to this email.