Join us tomorrow for "Hacking Cybersecurity Budgets for 2023"

CISO Series

Defense in Depth

Reducing the Attack Surface

The cyber attack surface just keeps growing to the point that it seems endless. Protecting it all is impossible. Is there anything that can be done to reduce that attack surface and limit your exposure? On this week's Defense in Depth, Steve Zalewski and sponsored guest Jonathan Trull, CISO, Qualys, debated these very issues:

Attack surface management vs. vulnerability management vs. exposure management. What the heck is the difference?

Are we just rebranding the term vulnerability management, or are we shifting the way we're dealing with our own weaknesses? Abhishek Singh of Araali Networks asks, "Is it more around detecting accidental and new exposure vs monitoring for known unmitigated exposure?" And Pramod Gosavi of JupiterOne agrees, saying that the debate is "more about known knowns than unknowns."

"Isn't everything exposure management," asked Clifford Ziarno of World Fuel Services. It seems like it's a more digestible term for non-security people. Vulnerability management is technical. It's dealing with patching, CVSS scores, and honestly a lot of stuff the business doesn't need to know about. "Exposure management seems like it is moving towards risk management," said Jason Hoffman, global CISO of Saba Software. "Boards want to hear about things in terms of risk."

How about we don't create more issues for us to manage?

One solution to reducing attack surface is not creating or holding onto so much sensitive information. Marketing will push to "let's just collect it all," to which legal and security might say, "but that's going to open us up to privacy and security concerns." The question is how much you need that data for the business, and whether it is worth all the risk it's going to create. How costly will it be to create it and destroy it? And speaking of that, how much old, useless, yet sensitive data do you have lying around that is only creating risk by its existence and not providing any business value?

If the perimeter disappeared, what the heck are we dealing with?

"For a long time we were talking about the perimeter, and then many people said that the perimeter disappeared but I would argue that it didn't. In fact it transformed to be a collection of hundreds or thousands of smaller perimeters," said Yaron Levi, CISO, Dolby Laboratories. That kind of defines what we're dealing with now. Look at the multitude of new categories of cybersecurity vendors. And all the microsegmentation, not just with firewalls, but also with how we need to configure every darn cloud instance.

Listen to the full episode on the blog post where you can also read the full transcript, and make sure you subscribe via your favorite podcast app so you don't miss another episode.

Thanks to our podcast sponsor, Qualys

Super Cyber Fridays!

Join us TOMORROW, Friday [11-18-22] for “Hacking Cybersecurity Budgets for 2023”

Tomorrow's discussion for Super Cyber Friday will be "Hacking Cybersecurity Budgets for 2023: An hour of critical thinking about how to invest in the right products to maximize your return."

It all begins at 1 PM ET/10 AM PT on Friday, November 18, 2022 with guests Pankaj Goyal, Senior VP, Safe Security and Ngozi Eze, CISO, Levi Strauss. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Safe Security

LIVE!

 Cyber Security Headlines - Week in Review 

We're live tomorrow and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. The show is hosted by Richard Stroffolino and our guest will be John Scrimsher, CISO, Kontoor Brands.

You can participate live in the conversation by registering on YouTube.

or subscribe to the

.

Thanks to this week's headlines sponsor, AppOmni

Cyber chatter from around the web...

Jump in on these conversations:

"Does specialising early on limit your career?"

"Freelancing - How to?"

"What cybersecurity positions will see the most growth in the next 10 years?"

Coming Up On Super Cyber Friday...

Coming up in the weeks ahead we have:

  • [11-18-22] Hacking Cybersecurity Budgets for 2023

  • [11-25-22] No show

  • [12-02-22] Hacking Cyber Insurance 

and register for them all now!

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.