Once You Show Me Your Diploma, I’ll Explain Why We Don’t Gatekeep

CISO Series Podcast
Once You Show Me Your Diploma, I’ll Explain Why We Don’t Gatekeep

To be successful working in cybersecurity, you need an inquisitive mind with an eye for problem solving. Yet so many organizations are turning a blind eye to talent who lack technical degrees. How do we move past this kind of criteria to find the talent we need for our security programs?

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, partner, YL Ventures. Joining us is Jimmy Benoit, vp, cybersecurity, PBS.

Starting early on security awareness 

Do we need to introduce cybersecurity awareness training earlier (for instance, while people are still students) to establish security-conscious habits instead of waiting until employment? Alex Martin recently highlighted a security awareness toolkit for children, with games like “spot the phish” that can help build a security mindset from a young age, potentially reducing the need for extensive corporate training later. More generally, interactive approaches like gamified "cyber fairs" have proven effective in workplaces by engaging employees in hands-on activities that make security concepts more relatable and memorable, unlike traditional computer-based training, which often struggles to keep attention. This shift to more targeted, relevant training aims to foster proactive security behavior and improve organizational culture.

The limits of gamification

Gamification is helpful in cybersecurity awareness, but it could hold us back with higher-level training. Daniel Gilbert on LinkedIn argues that it may stifle curiosity and lead to hollow achievements if it emphasizes task completion over actual learning. Gamification can effectively introduce concepts, but excessive reliance risks reducing training to a series of superficial milestones. Effective gamification can be a helpful roadmap, especially for newcomers, providing a structured path to key skills. The key is ensuring each activity promotes genuine skill development, not just compliance. Just as a football player’s helmet stickers signify progress and accomplishments relevant to their sport, cybersecurity "badges" should reflect meaningful growth in security awareness and capabilities, fostering personal development and business relevance.

Technically qualified

There’s been a concerted effort to break down the traditional walls around cybersecurity hiring, such as reducing requirements for technical degrees. Programs like Service for America promote skills-based hiring, apprenticeships, and collaborations with nonprofits to open cybersecurity roles to diverse backgrounds, as highlighted by Chris Konrad of World Wide Technology on LinkedIn. Non-traditional candidates, like philosophy or journalism majors, often bring critical thinking and communication skills that are invaluable in cybersecurity. While practical skills can be trained on the job, these problem-solving mindsets are more challenging to teach but are essential in roles requiring quick, analytical thinking. Degree requirements still pose hurdles, particularly in the H-1B visa process, which mandates degrees for foreign hires, complicating efforts to lower entry barriers. To build long-term careers for individuals without degrees, companies may need to provide training in writing, critical thinking, and other foundational skills typically gained in college.

Understanding your risk tolerance

To align departmental objectives with risk tolerance, CISOs should focus on concrete, scenario-based discussions rather than hypothetical metrics. Many organizations lack a clear understanding of their risk tolerance, often due to vague or overly simplistic assessments. Rosalyn Page in CSO Online highlighted an example of a team assuming internet downtime could last 48 hours, only to discover during an incident that they couldn't function without it for even an hour. Effective risk tolerance validation involves conducting a business impact analysis, identifying core functions, supporting systems, and interdependencies, and speaking with each system's actual users or “customers” rather than just the system’s owners. This structured approach, involving continuity planning and real-world stories, allows CISOs to understand genuine business needs and set realistic recovery time objectives, helping bridge the gap between security and operational priorities.

Listen to the full episode on our blog, where you can also read the entire transcript, or on your favorite podcast app. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Nir Rothenberg, CISO, Rapyd for providing our “What’s Worse” scenario.

Thanks to our podcast sponsor, Bitdefender

Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Best advice for a CISO…

"Don't attribute to malice that which can otherwise be attributed to ignorance, meaning your colleagues aren't out to get you. And if you have disagreements on trying to get something done, it might be because they don't understand why it needs to get done, and the best thing you can do is help educate them, work with them, and work together to get what needs to get done, done." - Jimmy Benoit, vp, cybersecurity, PBS

Listen to the full episode of "Once You Show Me Your Diploma, I’ll Explain Why We Don’t Gatekeep."

AMA (“Ask Me Anything”) on r/cybersecurity
I'm a CISO who broke into the cyber industry WITHOUT a technical background

This week CISO Series is running its monthly AMA ("Ask Me Anything") on r/cybersecurity.

This week's discussion: I'm a CISO who broke into the cyber industry WITHOUT a technical background.

Our participants:

Patty Ryan, CISO, QuidelOrtho - Background in economics, sports TV, MBA, and then IT.

Lee Parrish, vp & CISO, Newell Brands - Background with the Marines, where he did lots of coordination and operations, which was technical but not IT or cyber. Also worked as a correctional officer.

Davi Ottenheimer, vp trust and digital ethics, Inrupt - Background in history, philosophy and political science (ethics of intervention).

Jump into the conversation here.

The Argument For More Cybersecurity Startups

"My point is this. If cybersecurity is indeed everybody's problem, then having 4,000 to 5,000 startups is probably not as many. In fact, I would argue that we do need cybersecurity companies. We need more cybersecurity companies. First of all, we need to have a way to innovate as fast as the adversaries do, right?" - Ross Haleliuk, author, Venture in Security

Listen to the full episode of "The Argument For More Cybersecurity Startups."

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Jimmy Benoit, vp, cybersecurity, PBS.

Thanks to our Cyber Security Headlines sponsor, ThreatLocker

Super Cyber Fridays!
Understanding the Ransomware Realignment

Your cybersecurity program doesn’t stand still and neither does the ransomware ecosystem.

I recently spoke with Jason Baker, principal security consultant, GuidePoint Security, about the latest trends in cybercrime, including the realignment of ransomware groups and the reduced barriers to entry for cyber criminals. He emphasizes the importance of fundamental security practices like defense in depth and network segmentation to counteract the surge in opportunistic attacks. We also covered the nature of targeted attacks by hacktivists and nation states, and the importance of adapting to new defensive measures.

But that’s just a tease for what’s going to happen THIS Friday, November 22nd, 2024, at 1 PM ET/10 AM PT, when our Super Cyber Friday discussion will be “Hacking E-Crime Trends.” Joining David and Jason for this conversation will be Howard Holton, CTO, GigaOm.

REGISTER HERE for the November 22nd, 2024, Super Cyber Friday

Thanks to our Super Cyber Friday sponsor, GuidePoint Security

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.