Get Out! The Data Leak Is Coming from the Inside


CISO | Security Vendor Relationship Series

This week's podcast episode

Get Out! The Data Leak Is Coming from the Inside


What you'll learn:

On this week's podcast, co-host Mike Johnson, CISO of Lyft, and our guest Leon Ravenna, CISO at KAR Auction Services, discuss the following:

  • Conflicting security reports can actually both be right. The first security report you read isn't necessarily the right one, and the second one that conflicts with the first isn't necessarily wrong. If the two reports are looking at different audiences, it's possible they're both right.

  • Give employees tools to work securely. Employees are just trying to do their job. Often the complexity of security or a simple human mistake can result in an unintended data breach.

  • Be wary of being too aggressive in protecting against internal threats. A study by Kroll showed that close to 90 percent of all data breaches were internal. That might lead one to think security efforts should shift to deal mostly with internal threats. But doing that would send a really nasty "we don't trust you" message to your employees. Not good.

  • Get cozy with your lawyers. If and when a data breach occurs, you're going to need to be very tight with your legal team. Do not wait until that day. Build a rapport with them now on how to establish possession, custody, and control of your data.

Synack

Special thanks to this week's podcast sponsor, Synack.

Synack provides crowdsourced security testing that delivers more than older-style penetration testing. Instead of using a few researchers who output a final report, Synack uses a globally sourced crowd of researchers backed by a purpose-built hacking platform. This gives organizations access to security talent that is not available from any one company, along with data and insights into the testing process. All Synack security testing is recorded, measured, and analyzed to not only output results like new vulnerabilities and compliance checks, but also display attack patterns and quantities in real time. By using bug bounties as incentives, researchers are rewarded for the great finds that Synack verifies and shares with its customers. To find out more about the Hacker-Powered Security used by the Internal Revenue Service and many other organizations, go to synack.com.

Allan Alford, CISO of Mitel, on the merger between privacy and security

JOIN US IN SAN FRANCISCO

In a little over a week, on January 23rd, Mike Johnson and I will be recording in front of a live audience with our special guest, Andy Steingruebl, CSO of Pinterest. This is a free event with food, drink, and a super fun security show. You can have it all! Just REGISTER and then come to the event. We're eager to see you.

Mike Johnson, CISO of Lyft, on not being distracted by the latest and greatest in cybersecurity

Preparing for and Determining Your Legal Risk in a Data Breach Investigation


If you want to better understand what your legal risk is during a data breach investigation, read this article and watch the companion video. This great article by Elliot Lewis, CEO of Encryptics, walks you through what you need to do to answer the question, "Do you have possession, custody, and control of your data?" Watch the video and read the article on CISO Series for preparation tips if (probably "when") you do get breached.

Allan Alford, CISO of Mitel, on finding how best to align security with the business

Best Moments from “Shoving Money Down Security’s Bottomless Pit”


Here are three of the best moments from last week's episode of the CISO/Security Vendor Relationship Podcast, “Shoving Money Down Security’s Bottomless Pit.”

Highlights in this video include:

  1. The intersection of risk and money

  2. Underground InfoSec data exchange

  3. Is security a state or a process?

CORRECTION:

In last week's newsletter I incorrectly wrote that the CCPA would go into effect on January 1, 2010. It will actually go into effect on January 1, 2020.

SUBSCRIBE TO THE PODCAST

Got a podcast catcher? Search for "CISO" and chances are you'll find the CISO/Security Vendor Relationship Podcast. If it doesn't come up, go ahead and click on any of these links to subscribe to the feed.

If you're already a subscriber, THANK YOU! If you like the show, please tell all your friends on social media and write a review on iTunes.