Once the Panic Subsides You’ll Appreciate This Phishing Test (LIVE in Houston, TX)

CISO Series Podcast

How should organizations use phishing tests? At best, they can provide context for employee behaviors. At worst, they can undermine trust in the security team or even cause a public health scare. No one is arguing against building security awareness, but do phishing tests serve to do that?

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Jerich Beason, CISO, WM. Joining us is Teresa Tonthat, vp and associate CIO, Texas Children’s Hospital. This episode was recorded live at HOU.SEC.CON.

Connecting with the business  

It isn’t just essential to align cybersecurity efforts with broader business goals; it's the only way to ensure success. Cybersecurity leaders must connect their initiatives to key business objectives like revenue protection, cost-benefit analysis, and competitive positioning, argued Michael Winkler of Matthews International on LinkedIn. Security is not a direct revenue generator but is crucial in enabling business processes, protecting supply chains, managing new technologies like AI, and improving operational efficiency. Organizations can protect revenue, drive trust, and increase competitive advantages by aligning security efforts with business goals. This approach helps security teams avoid being viewed as a cost center and instead be seen as essential to the business’s growth and success.

Keep the users in mind

Security controls inevitably add friction for users. How much visibility do security teams have into that? Security must lead by understanding employee needs and creating feedback loops to minimize these disruptions. Lev Lesokhin shared OutThink's Cybersecurity Human Risk Management Report, which found that only about 25% of users intended to follow secure behaviors, and even those respondents admitted that doing so would cost them productivity. Don't make your users choose between security and getting their work done; security will lose. To reduce friction, security teams should build relationships with key stakeholders, shadow employees to understand their workflows, and adjust controls without weakening protection. By aligning security with business operations and addressing issues promptly, organizations can foster trust and collaboration, creating security champions across the business.

Ground security in reality

There are many challenges in explaining cybersecurity concepts to the broader business, and a cybersecurity subreddit thread blew up with examples. It's easy to forget that users are not inherently lazy; they are focused on getting their work done efficiently, so security teams need to make the secure behavior the easier choice. Basic hygiene practices like patching and asset management are hard to explain and harder to sustain: they sound obvious, yet maintaining them consistently is where most programs slip. Use analogies, simulations, and storytelling to make complex concepts like risk acceptance easier for non-security teams to grasp.

Teach, don’t shame

"Phishing test" is increasingly becoming a loaded term in cybersecurity, and a UC Santa Cruz test that sparked an Ebola scare doesn't help matters. While phishing simulations can upset employees, especially if they feel tricked, these exercises are essential for building muscle memory and preparing users for real-world attacks. The key is balancing the intensity of the simulation with communication, so that the exercise reinforces good habits without causing panic. Instead of aiming for zero clicks, the goal should be to teach users to identify phishing attempts and respond appropriately, which above all means reporting them. Fostering trust between security teams and users is critical to the success of these tests. Security leaders can maintain a positive relationship with their staff by reframing negative experiences as teachable moments and avoiding public shaming.
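As an added illustration of scoring a simulation by how people responded rather than by clicks alone, the script below is example code written for this edit, not from the episode or from any phishing-simulation vendor. The event schema (delivered, clicked, submitted, reported), the recipient names, and the campaign log are all constructed assumptions; a real platform export would need its own field mapping.

```python
"""Score a phishing simulation by how recipients responded, not by clicks alone.

Added example for this page, not from the CISO Series episode or any vendor
platform. The event schema (delivered / clicked / submitted / reported) and the
campaign log below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str, str]  # (ISO-8601 timestamp, user, action)

# Constructed sample campaign: five recipients, one lure, a morning of events.
SAMPLE_EVENTS: List[Event] = [
    ("2024-10-07T09:00:00", "alice", "delivered"),
    ("2024-10-07T09:00:00", "bob", "delivered"),
    ("2024-10-07T09:00:00", "carol", "delivered"),
    ("2024-10-07T09:00:00", "dave", "delivered"),
    ("2024-10-07T09:00:00", "erin", "delivered"),
    ("2024-10-07T09:03:00", "alice", "reported"),   # reported without clicking
    ("2024-10-07T09:05:00", "bob", "clicked"),
    ("2024-10-07T09:07:00", "bob", "reported"),     # clicked, then reported: still useful to the SOC
    ("2024-10-07T09:10:00", "carol", "clicked"),
    ("2024-10-07T09:11:00", "carol", "submitted"),  # entered credentials on the landing page
    ("2024-10-07T09:20:00", "dave", "clicked"),     # clicked and never reported
]

ACTIONS = ("delivered", "clicked", "submitted", "reported")


@dataclass
class UserOutcome:
    delivered: Optional[datetime] = None
    clicked: Optional[datetime] = None
    submitted: Optional[datetime] = None
    reported: Optional[datetime] = None

    @property
    def category(self) -> str:
        """Bucket the recipient's behaviour, best outcome first."""
        if self.reported and not self.clicked:
            return "reported_without_clicking"
        if self.reported:
            return "clicked_then_reported"
        if self.submitted:
            return "submitted_credentials"
        if self.clicked:
            return "clicked_only"
        return "ignored"


def build_outcomes(events: List[Event]) -> Dict[str, UserOutcome]:
    """Fold the event stream into one record per recipient (earliest timestamp per action wins)."""
    outcomes: Dict[str, UserOutcome] = {}
    for ts, user, action in sorted(events):  # ISO timestamps sort chronologically
        record = outcomes.setdefault(user, UserOutcome())
        if action in ACTIONS and getattr(record, action) is None:
            setattr(record, action, datetime.fromisoformat(ts))
    return outcomes


def campaign_metrics(events: List[Event]) -> dict:
    """Report rate and time-to-first-report alongside the usual click rate."""
    outcomes = build_outcomes(events)
    recipients = len(outcomes)
    delivered = [o.delivered for o in outcomes.values() if o.delivered]
    sent_at = min(delivered) if delivered else None
    report_times = [o.reported for o in outcomes.values() if o.reported]
    first_report = min(report_times) if report_times else None
    return {
        "recipients": recipients,
        "click_rate": sum(1 for o in outcomes.values() if o.clicked) / recipients,
        "report_rate": len(report_times) / recipients,
        # How long the SOC would have waited before anyone raised the alarm.
        "minutes_to_first_report": (
            (first_report - sent_at).total_seconds() / 60
            if first_report and sent_at else None
        ),
        "outcomes": dict(Counter(o.category for o in outcomes.values())),
    }


def coaching_list(events: List[Event]) -> List[str]:
    """Recipients who fell for the lure and never reported it: follow up privately, not on a leaderboard."""
    return sorted(
        user for user, o in build_outcomes(events).items()
        if o.category in ("submitted_credentials", "clicked_only")
    )


if __name__ == "__main__":
    for key, value in campaign_metrics(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
    print("coaching:", coaching_list(SAMPLE_EVENTS))
```

On the sample log the click rate is 60%, which on its own looks like a failed campaign, but the report rate is 40% and the first report reached the security team three minutes after delivery; bob clicked and then reported, which is the behaviour the "respond appropriately" framing is trying to produce. The coaching list names only the two recipients who took the bait and stayed silent, and it is meant for private follow-up rather than public posting.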

Listen to the full episode on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven't subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.

Thanks to Nir Rothenberg, CISO, Rapyd for providing our “What’s Worse” scenario.

Thanks to our podcast sponsor, Vorlon Security
Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Biggest mistake I ever made in security…

"I've made plenty, but the first that comes to mind has to be my first 30 days at the organization. I was asked to do a board presentation on the cybersecurity program. I went in, thought I had a great presentation, timeline and all, then I shared it back with all of my colleagues and they gave me big stares and said, 'How are you going to get this done?' Lesson learned: you can't do it by yourself, so make sure you engage all of your stakeholders to move your program forward." - Teresa Tonthat, vp and associate CIO, Texas Children's Hospital

Listen to full episode of "Once the Panic Subsides You’ll Appreciate This Phishing Test (LIVE in Houston, TX)."

The Lurking Dangers of Neglected Security Tools…

"I think that there is a big difference between having a leak in your house that ends up causing a bunch of water damage that costs you a lot of money to fix, and someone breaking into your house and stealing all of your valuables. They're not the same thing." - Adam Fletcher, CSO, Blackstone

Listen to full episode of "The Lurking Dangers of Neglected Security Tools."

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Steve Person, CISO, Cambia Health.

Thanks to our Cyber Security Headlines sponsor, Conveyor

LIVE!
PREVIEW: CISO Series Podcast LIVE in La Jolla, CA 10-30-24

The CISO Series Podcast is getting ready for Halloween the only way we know how, with a live podcast recording. This extra spooky recording will be at the haunting Planet Cyber Sec CISO-CIO Forum. Joining me on stage for the recording will be two ghoulish guests, Gary Hayslip, CISO, Softbank Investment Advisers, and Keith McCartney, vp, security and IT, DNAnexus.

Here's everything you need to know:

WHERE: La Jolla, California

WHEN: October 30, 2024. The event runs from 9:00 am to 6:00 pm, but we'll be recording at 5:00 PM.

This event is invitation only for qualified CISOs, Directors of Information Security, CIOs, and their deputies. Register to attend HERE.

Thanks to our sponsor, Entro

Super Cyber Fridays!
Decoding Zero Trust with ThreatLocker

When you hear the phrase "Zero Trust," do your deflector shields go up?

OK, here we go. Here comes the BS.

That's because the phrase depicts some architectural security nirvana that seems unachievable.

So what IS achievable, and what is not, when we talk about "zero trust"? THAT will be our discussion next Friday, October 18, 2024 (1 PM ET/10 AM PT) for Super Cyber Friday on CISO Series.

Our topic of discussion will be “Hacking the Hype of Zero Trust: An hour of critical thinking about what are the identity and access functions that are helping us achieve this security nirvana.”

Joining me for this discussion will be Rob Allen, chief product officer, ThreatLocker and Antony Symonds, head of group IT operations, Westland Horticulture Ltd.

Thanks to our Super Cyber Friday sponsor, ThreatLocker

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.