They’re Young, Green, and Very Hackable.
CISO Series Podcast
They’re Young, Green, and Very Hackable
This week's episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson. Our guest is Gene Spafford, AKA "Spaf," professor, Purdue University. Here are the issues we discussed; please pipe up with your thoughts on any and all.

We're not providing security awareness training fast enough. A popular target for malicious hackers is brand-new employees, who want to make a great impression yet don't yet know the company's policies and procedures, noted Susan Bradley in an article on CSO Online. Everyone needs security awareness training. It just appears they're going to need that information a lot sooner.

Beware of security advice that will backfire. Bradley's CSO Online article goes on to advise people, "don't announce your new job." People love to announce their new job. LinkedIn is so aware of this that it has a special feature enabling you to announce your new job. The advice is based on the article's finding that malicious attackers go after new employees, and announcing your new job on social media gives the bad guys the information they need to target you. While technically it may reduce a criminal's awareness of you, it's not good advice because it goes against what people really want to do. "If people keep getting bad advice, they're going to tune out," said Mike Johnson. The more important advice is to explain that, since you're a new employee, you will be a target. Be aware of the following...

Where are we making progress with security awareness? CISO Thom Langford once told me that security awareness is a long-term effort, like getting people to quit smoking and wear seatbelts. We were successful with both of those programs, but it took years to achieve. Gene Spafford's 2nd Law of Cybersecurity states: "If we had no computers, we'd have no computer crime. But if we had no people, we'd have no computer crime, either. We must include people in our plans and mechanisms to protect systems." Our security program has to improve from the viewpoint of both technology and people. How methodically are we working on the people aspect? And do we have a long-term view of success?

Should we shift our security program from asset-based to scenario-based? This was the argument set forth by Brian Blakley, CISO, Transact Campus. Blakley argues that the controls/assets-risk model just invites confusion, and that a scenario-based approach can lead you to the elements that may be at risk. I argued that this might be a good place to start, because one of the complaints we hear again and again is that CISOs struggle to find out what their company's crown jewels are. Mike Johnson disagrees, saying, "I think a scenario-based approach is a more mature one and jumping straight to that means you'll miss very important concerns. How do you even know which scenarios make sense if you don't understand what your crown jewels are?" So even if you don't know your crown jewels, don't avoid trying to learn what they are early on, as that information will eventually better inform your security program.

Do security professionals even know they're playing an infinite game? "The best way to 'win,' is to not try to 'win' at all," said Robert Slaughter of Defense Unicorns in a LinkedIn post about playing the infinite game. "It's to find something you're so passionate about, that you care so much for, that your goal is to just keep 'playing.'" It's very possible security professionals are trying to win a game that's unwinnable. That can lead to burnout. Instead, Mike Johnson suggests looking at a series of small wins that will allow you to keep playing the infinite game.

Please head over to the blog post, where you can also read the entire transcript. If you haven't already subscribed to CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to our podcast sponsor, Lacework
What I hate about cybersecurity...
"I really dislike the fact that we have people who get exposed to a little bit of the field, think they're discovering new things, and just keep reinventing the past time and time again instead of making progress forwards." - Gene Spafford, Professor, Purdue University
What are some of the technical and non-technical indicators of a company’s cyber health?
"Think about things like board experience, brand awareness, R&D, security staff. I think those are all great places to start. I would probably take it even a step further and look at things like employee turnover rate, satisfaction, pay gaps, Glassdoor reviews, other non-technical proxies that might indicate how healthy a program is at a company. There’s also things like bug bounty programs, which are also very public, vulnerability disclosure programs, and essentially it helps paint the picture of how they handle security incidents internally." - Matt Honea, CISO, SmartNews
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Ken Athanasiou, CISO, VF Corporation.
Thanks to our Cyber Security Headlines sponsor, PlexTrac
Super Cyber Fridays!
Hacking Non-Traditional Cyber Risk
Join us in two weeks on Friday, December 16, 2022, for "Hacking Non-Traditional Cyber Risk: An hour of critical thinking about how your third parties' risks affect your business."
It all begins at 1 PM ET/10 AM PT on Friday, December 16, 2022, with guests Jonathan Ehret, VP, strategy and risk, RiskRecon, A Mastercard Company, and Steve Zalewski, co-host, Defense in Depth. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Mastercard
Thank you!
Thank you for supporting CISO Series and all our programming.
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.