Join us tomorrow for “Hacking Cyber Insurance”


CISO Series

Defense in Depth

How Should We Gauge a Company's Cyber Health?


As an outside observer, how can you tell if a company is staying cyber healthy, asked Jamil Farshchi, CISO, Equifax, in a post on LinkedIn. While there is no financial statement equivalency to let you know the strength of a company's security profile, there are signals that'll give you a pretty good idea.

On this week's Defense in Depth, my co-host Geoff Belknap, CISO, LinkedIn, and I welcome Matthew Honea, CISO, SmartNews, to discuss the following issues. Please pipe up with your thoughts on any and all.

We know we can't rely on any one data source, but at the same time we really want a third-party scorecard. We're in conflict. We want a Rotten Tomatoes scoring system that just gives us a simple 1-100 "they're THIS secure" rating. But at the same time, even if something like that existed, we know we should question its validity. Laura Whitt-Winyard of HMG Strategy pointed out that even in finance we can't count on financial statements to provide a full picture of financial risk.

Look for signs of the company's attitude towards security. Mark Felegyhazi of Avatao Technologies suggests looking at who the CISO reports to. That's an early indicator of how leadership feels about security. A company getting breached is not necessarily an indicator of poor security, although how a company handles a breach is far more telling, said Shawn M Bowen, CISO, World Fuel Services.

There's a great need and demand for transparency, and more measurements, but there are far too many forces preventing that from happening. Many companies, and auditors as well, are using compliance as a health indicator. But we all know that compliance does not equal security. And as Michael M. of ClubCorp pointed out, those who did try to take the high road of being forthcoming about disclosing issues and vulnerabilities have been met with a lot of industry hostility. Many times the industry has tried to push for more collaboration, especially around threat intel. And while there have been some limited success stories, in general, for organizational safety, secrecy is seen as more desirable.

How is the company improving their security posture over time? Brandy G. of Crum & Forster suggests looking at past security assessments, audits, and financial statements. Get a lot of them and see how they're improving over time. If it's not changing for the better, especially the vulnerabilities, that's a major red flag.

Please go to our blog post to listen to the episode and also read the full transcript. And if you're not already a subscriber to Defense in Depth, please get on that now.

Thanks to our podcast sponsor, Automox


Super Cyber Fridays!

Join us TOMORROW, Friday [12-02-22] for “Hacking Cyber Insurance”


Tomorrow's discussion for Super Cyber Friday will be "Hacking Cyber Insurance: An hour of critical thinking about getting the finance side to be working in concert with security and IT."

It all begins at 1 PM ET/10 AM PT on Friday, December 2, 2022 with guests Scott McCrady, CEO, SolCyber and Anthony Dagostino, CEO and founder, Converge. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, SolCyber


LIVE!

 Cyber Security Headlines - Week in Review 

We're live tomorrow and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. The show is hosted by Richard Stroffolino and our guest will be Terrance Cooley, CISO, Air Force JADC2 R&D Center.

You can participate live in the conversation by registering on YouTube here.

Thanks to this week's headlines sponsor, Automox


Cyber chatter from around the web...

Jump in on these conversations 

"What are your thoughts on voluntary security measures versus regulatory mandates?"

"Chris Krebs is concerned over being able to buy verification on Twitter because it "opens the information space to a broader community of influencers, clout-chasers, election denialists..."

"Now that Twitter is going up in flames, where is infosec Twitter going to go?"

Super Cyber Friday...

Coming up in the weeks ahead we have:

  • [12-02-22] Hacking Cyber Insurance

  • [12-09-22] No show

  • [12-16-22] Hacking Non-Traditional Cyber Risk

and register for them all now!

Thank you!

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.