Ewww! How Long Has This Router Been in the Fridge?

CISO Series Podcast

We still struggle to identify and manage hardware once it reaches the end of its useful life or its formal end of life (EOL). There is often no stated expiration date upfront. Years into ownership, the manufacturer lets you know by simply stopping patch updates for equipment that is, by then, very vulnerable. Do we need to change how cybersecurity sunsets hardware?

This week’s episode is hosted by David Spark, producer of CISO Series, and Andy Ellis, partner, YL Ventures. Joining them is Yabing Wang, VP and CISO, Justworks.

Building a path to action

Data Security Posture Management (DSPM) focuses on securing data itself, offering capabilities like data classification, scanning, and control mapping that extend beyond the scope of traditional security tools. However, many DSPM solutions stop at identifying issues without providing actionable ways to address them, which limits their utility, argued Gunnar Peterson, CISO, Forter, in a recent blog post. To be useful, DSPM tools must integrate with enforcement mechanisms such as data loss prevention (DLP) or tokenization so that a finding can turn into a remediation. We should frame DSPM tools as a complement rather than a replacement for other posture management tools. Focus on identifying where data is stored, understanding its flow, and ensuring adequate protection while balancing the business's operational needs.

Cracking the EOL conundrum

The challenge of managing end-of-life hardware came to light in a recent case where D-Link advised users to replace outdated VPN routers vulnerable to remote code execution rather than wait for a patch that would never come. While replacing such devices is critical for security, it highlights a broader challenge: unlike software updates, hardware replacements involve higher costs and logistical hurdles. Hardware end-of-life decisions must balance risk, cost, and the criticality of the device. For smaller devices, like routers, the transition is relatively straightforward. However, the stakes and challenges are significantly higher for critical systems like MRI machines or industrial equipment, which may be certified as a unit and cannot simply be swapped out. This is all the harder because hardware vendors communicate far less clearly than software providers, who often give extended notice of support deadlines. Many organizations are caught off guard because EOL notices rarely surface where operators would see them, such as in the device's own management interface.
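The practical gap in both passages above is that nobody tells you a device has expired, so the check has to be yours: an asset inventory joined against vendor lifecycle dates. The script below is an added example, not code from the episode or from any vendor. The model names, dates, hostnames and the five-year fallback are all constructed assumptions; the point is the logic, which ranks internet-facing past-EOL gear first, flags models the inventory cannot map to any lifecycle entry, and applies a labelled guess when a vendor never published an end-of-support date at all.

```python
from datetime import date

# Constructed vendor lifecycle table. Model names and dates are illustrative
# assumptions for this example, not real vendor data.
LIFECYCLE = {
    "VPN-RTR-100": {"end_of_sale": date(2019, 6, 1), "end_of_support": date(2022, 6, 1)},
    "VPN-RTR-200": {"end_of_sale": date(2023, 1, 15), "end_of_support": date(2025, 3, 31)},
    "CORE-SW-48": {"end_of_sale": date(2024, 9, 1), "end_of_support": date(2029, 9, 1)},
    "EDGE-AP-9": {"end_of_sale": date(2018, 3, 1)},  # vendor never published end-of-support
}

# Constructed asset inventory (hostnames and placement are made up).
INVENTORY = [
    {"hostname": "branch-vpn-01", "model": "VPN-RTR-100", "internet_facing": True},
    {"hostname": "branch-vpn-02", "model": "VPN-RTR-200", "internet_facing": True},
    {"hostname": "dc-core-01", "model": "CORE-SW-48", "internet_facing": False},
    {"hostname": "lobby-ap-03", "model": "EDGE-AP-9", "internet_facing": False},
    {"hostname": "mri-gateway-01", "model": "MEDGW-7", "internet_facing": False},
]

ASSUMED_SUPPORT_YEARS = 5   # assumption: end_of_sale + 5y when the vendor is silent
WARN_DAYS = 180             # assumption: start replacement planning six months out
EXAMPLE_TODAY = date(2025, 1, 20)  # fixed "today" so the example is reproducible


def end_of_support(entry):
    """Return (end_of_support_date, assumed_flag) for a lifecycle entry."""
    if "end_of_support" in entry:
        return entry["end_of_support"], False
    eos = entry["end_of_sale"]
    try:
        guess = eos.replace(year=eos.year + ASSUMED_SUPPORT_YEARS)
    except ValueError:  # Feb 29 in a non-leap target year
        guess = eos.replace(year=eos.year + ASSUMED_SUPPORT_YEARS, day=28)
    return guess, True


def classify(asset, today=None):
    """Classify one asset as supported / approaching_eol / past_eol / unknown.

    priority 1 = past EOL and internet-facing, 2 = past EOL internal,
    3 = approaching EOL or unknown model (needs research), 4 = supported.
    """
    today = today or date.today()
    result = {"hostname": asset["hostname"], "model": asset["model"],
              "assumed_date": False, "days_left": None}
    entry = LIFECYCLE.get(asset["model"])
    if entry is None:
        # Unmapped model: you cannot risk-rank what you cannot date.
        result.update(status="unknown", priority=3)
        return result
    eos, assumed = end_of_support(entry)
    days_left = (eos - today).days
    result.update(assumed_date=assumed, days_left=days_left)
    if days_left < 0:
        result.update(status="past_eol", priority=1 if asset["internet_facing"] else 2)
    elif days_left <= WARN_DAYS:
        result.update(status="approaching_eol", priority=3)
    else:
        result.update(status="supported", priority=4)
    return result


def report(inventory, today=None):
    """Rank the whole inventory: most urgent first, unknowns last within their tier."""
    rows = [classify(a, today) for a in inventory]
    rows.sort(key=lambda r: (r["priority"],
                             r["days_left"] if r["days_left"] is not None else 10**6))
    return rows


if __name__ == "__main__":
    for r in report(INVENTORY, today=EXAMPLE_TODAY):
        flag = " (assumed)" if r["assumed_date"] else ""
        print(f'P{r["priority"]} {r["hostname"]:15} {r["model"]:12} '
              f'{r["status"]:16} days_left={r["days_left"]}{flag}')
```

In a real environment the lifecycle table would be fed from vendor bulletins and the inventory from your CMDB or network scanner; the "unknown" bucket is the one to watch, because an MRI gateway nobody can date is exactly the device the episode warns about.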

The burning platform question

While consolidated platforms can reduce operational overhead for CISOs, overpromising often leads to tools that fail to address specific problems effectively, as Richard Stiennon of IT Harvest pointed out. Instead, platforms should focus on solving a consistent set of related challenges well. A single platform also magnifies bad security practices: a weak default, such as continued reliance on username-and-password authentication in new applications, is now replicated everywhere the platform is used. Simplifying security configurations and prioritizing usability could significantly improve cybersecurity outcomes on these platforms.

Uncertainty is our only constant

To improve security and organizational resilience, embrace volatility, uncertainty, complexity, and ambiguity (VUCA) as the planning frame rather than something to wish away. Build flexible and adaptive systems, argued Dan Roberts in a CIO.com piece. For example, controls like multi-factor authentication (MFA) and identity-based access decisions reduce exposure to whole classes of future threats without needing to predict their exact nature. When you don’t know what you’ll be facing, you future-proof the access controls, not the threat list.

Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to our podcast sponsor, Entro


Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

What I love about cybersecurity…

"What I love most is that cybersecurity is not black and white. It's not about right or wrong. It's more of an art than a science because everything is about what fits into the company, what kind of a risk we can take, what kind of a risk we cannot take. It's a decision based on many, many things. It's not black and white." - Yabing Wang, VP and CISO, Justworks

Listen to the full episode of "Ewww! How Long Has This Router Been in the Fridge?"

CISOs DO Own the Risk

"The other thing we’ve always been missing is the control and the authority around that, which is if I assume this risk, then you know what? I should also be able to drive the resources, and that’s something cyber has never had. If we have to choose between adding new features versus fixing old bugs, cyber would always say, “Fix the old bugs.” But do I actually have that direction over the IT developers to say this is our stance?" - Ross Young, CISO-in-residence, Team8

Listen to the full episode of "CISOs DO Own the Risk."

Subscribe to our newsletters on LinkedIn!

We've got our twice-weekly CISO Series newsletter and daily Cyber Security Headlines newsletter available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

Cyber Security Headlines - Week in Review


Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Bil Harmer, operating partner and CISO, Craft Ventures.

Thanks to our Cyber Security Headlines sponsor, Nudge Security


Super Cyber Fridays!
Join us Friday, January 24, 2025, for "Hacking Platformization"

Join us Friday, January 24, 2025, for “Hacking Platformization: An hour of critical thinking about how stitching together data, tools, and processes is necessary for the success of your security program.”

It all begins at 1 PM ET/10 AM PT on Friday, January 24, 2025 with guests Elad Koren, vice president, product management, Palo Alto Networks and a special guest (that means we’re still in booking mode). We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Palo Alto Networks


Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.