Sound Security Advice That’s Perfect to Ignore

This week’s episode of CISO Series Podcast is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, operating partner, YL Ventures. Our sponsored guest is Patrick Harr, CEO, SlashNext. We debate the following issues. Please give us your thoughts.

People are not the weakest link, they're just the top attack vector.

This is a quote from Lance Spitzner of SANS Institute, who got a lot of support on LinkedIn for his “top attack vector” viewpoint. If users are getting hammered, eventually someone is going to get through. Security needs to be made simpler, but Andy Ellis said, “It's not about making security simpler, it's about making the system simpler and the interfaces that they present.”

We know we shouldn’t keep making these career mistakes, but we always do.

The Internet is awash with self-help and career advice. I have a hard time swallowing that the people writing all this great advice are adhering to it themselves. But Vicente Aceituno Canal at Lottoland doesn’t claim to be an expert. Instead, he offers his list of career mistakes he’s made for the rest of us to avoid. Those include classic ones like ignoring your network, not looking for a job when you don’t need one, and not learning non-technical skills. But the one I found very interesting was ignoring industry trends, like “zero trust” and APTs (advanced persistent threats). It’s very easy to try to sound cool and dismiss the marketing nature of “zero trust,” but that doesn’t mean you should ignore the principles.

Why do so many security programs only rely on the human to stop messaging attacks?

We put too much reliance on security awareness training and each individual’s vigilance to stop a malicious attack. While we’re trained to look out for suspicious emails, attackers are also trained to break through by gaining trust and getting us to break our procedures. Building that trust can happen anywhere, not just email. We message on lots of non-email platforms. If you’re only relying on the human to stop malicious attacks, you have only a single line of defense that we all know is fallible.

We need security action training.

It appears our security awareness training is falling short at the point of taking any type of real action. While most people are aware of the need for secure passwords, they don't create secure passwords. They are taking the easier way out rather than the secure path, which isn’t that far from the easy path.

Listen to the full episode

Visit cisoseries.com to listen and read the full transcript. And if you’re not already subscribed via your favorite podcast app, do that right now.

Thanks to our podcast sponsor, SlashNext

What I love about cybersecurity...

"I've been around the block for many, many years now starting back when at Novell, and I think what I've seen from that point 25 years ago to now, (A) it's ever-changing, (B) I think we've shifted focus from just the network security inside-the-boundary point of view to now it's all about the user. And with that, there's always these ever-changing techniques of how the bad actors are attacking those humans or those users, and for us it's about how do you stay ahead of the curve." --Patrick Harr, CEO, SlashNext

Listen to the full episode of Can You Be a vCISO If You’ve Never Been a CISO?

"I think this all comes down to there is a lot of demand for security maturity and help maturing security programs. There are a lot of companies that are not large, well-funded organizations or companies that need guidance and leadership for those things. And vCISOs often fill that gap. Now, I think what’ll be really interesting to chat about with our guest is what kind of background should you expect from a vCISO. I think more importantly, what kind of work and what kind of input and impact should you expect from a vCISO versus a full time CISO." - Geoff Belknap, CISO, LinkedIn

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

Cyber Security Headlines - Week in Review

Make sure you join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Jeremy Embalabala, CISO, HUB International.

Thanks to our Cyber Security Headlines sponsor Fortra

Super Cyber Fridays!

Hacking Non-Traditional Cyber Risk

Join us this Friday, December 16, 2022, for “Hacking Non-Traditional Cyber Risk: An hour of critical thinking about how your third parties’ risks affect your business.”

It all begins at 1 PM ET/10 AM PT on Friday, December 16, 2022, with guests Jonathan Ehret, VP, strategy and risk, RiskRecon, A Mastercard Company, and Steve Zalewski, co-host, Defense in Depth. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Mastercard

Thank you!

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.