Wait, We Can Prioritize Data Privacy Before an Incident? (LIVE at Stanford)

CISO Series Podcast

Gathering more information about existing and potential customers is critical to marketing and sales. However, the chronic collection and retention of all that personal data has begun to raise privacy red flags. In general, businesses won’t make expensive changes to infrastructure or procedures just on principle (e.g., “we should protect others’ privacy.”). To rectify, CISOs must find a business reason to make these changes before an incident occurs. Where should the conversation start?

This week’s episode is hosted by me, David Spark, producer of CISO Series and Amy Steagall-Hess, CISO, Stanford University. Joining us is Michael Tran Duff, CISO, data privacy officer, Harvard University.

CISO Series Podcast at Stanford

(From L to R) David Spark, CISO Series, Amy Steagall-Hess, CISO, Stanford University, and Michael Tran Duff, CISO and data privacy officer, Harvard University

This episode was recorded in front of a live audience at Stanford University as part of their annual Cyberfest event. Check out all these photos from the event.

Turning a mirror on zero trust

Are we going far enough when we apply zero trust principles? Andy Ellis recently argued in a piece for CSO Online that we need to turn zero trust on our own internal IT systems, particularly the administrative software that security teams themselves use. Those tools should operate without inherent trust in the rest of the organization's ecosystem, but is that feasible? In environments like academic institutions, where flexibility and collaboration are essential, complete zero trust is impractical, in contrast to stricter settings like the Department of Defense. Zero trust remains a critical framework, but getting there is a gradual, long-term endeavor that can take years to achieve fully.

Is AI coming for our jobs?

AI's impact on cybersecurity jobs is an open question. A recent post on the cybersecurity subreddit wondered aloud whether AI could eventually replace a significant portion of roles, given its ability to perform cognitive tasks more cheaply and around the clock. There's no doubt the technology will reshape what the work looks like, but its near-term value is in productivity: helping cybersecurity teams manage repetitive tasks, such as contract reviews and incident response, so that professionals can focus on more strategic and technical work. Efficiency gains aside, human oversight remains essential given the complexity of cybersecurity.

Responding to skepticism about CISOs

Because CISOs serve as the bridge between the business and their cybersecurity teams, some encounter skepticism about their capabilities, whether from stereotypes or from imposter syndrome. A recent post on the cybersecurity subreddit pegged them as either technical micromanagers or underqualified buzzword speakers. Those experiences can breed self-doubt, compounded by personal insecurities and external biases, which many CISOs confront in environments where their authority or expertise is questioned. Confidence comes from accepting that leadership is about wisdom and openness rather than knowing everything: the CISO can't be "the expert in the room," and that isn't the job. It is an ongoing journey, supported by mentoring, training, and embracing feedback, that strengthens a CISO's leadership presence and reinforces their confidence in high-stakes situations.

A CISO at the crossroads 

The federal government's progress toward a comprehensive privacy law remains uncertain: the American Privacy Rights Act has stalled even as state-level privacy regulations build momentum. Apu Pavithran suggested businesses prepare now by creating robust data protection plans and considering a dedicated data protection officer, aligning privacy efforts with global standards like GDPR. While it is easy to treat privacy as a compliance requirement, it is fundamentally about ethics and responsible stewardship of personal data. That puts the CISO at the intersection of privacy and security, and there are two general approaches to handling it: combine them into a unified "PrivSec" program, or split privacy and security into separate functions to prevent conflicts of interest and foster specialized expertise.

Listen to the full episode on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven't subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Tim Collier of Stanford, Jonathan Rodriguez of Cybersity, Louw Smith of Harvard, and Biniam Debezion of Stanford for their questions during the show. 

Thanks to our podcast sponsors, Vorlon Security and Wiz

Subscribe
Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Biggest mistake I ever made in security…

"Two big mistakes in one shot. Issuing a mandate without consultation, 2013, here at Stanford. We were working on this big initiative that affected all the faculty. I failed to consult the faculty, and worse yet, we called it a mandate. So, I failed to anticipate the reaction that would have, but the good news is we were able to work closely with the faculty and make adjustments to the program." - Michael Tran Duff, CISO, data privacy officer, Harvard University

Listen to the full episode of "Wait, We Can Prioritize Data Privacy Before an Incident? (LIVE at Stanford)."

How Are New SEC Rules Impacting CISOs?

"This role is in flux. CIOs and CISOs have wanted to be elevated from a leadership perspective for many, many years, and the CISO is now being elevated in terms of importance, in terms of visibility, and in the US in terms of liability. And it’s one of those things, be careful what you wish for because you just might get it." - Allan Cockriel, group CISO, Shell

Listen to the full episode of "How Are New SEC Rules Impacting CISOs?"

Subscribe to our newsletters on LinkedIn!

We've got our twice-weekly CISO Series Newsletter and our daily Cyber Security Headlines newsletter available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Brett Conlon, CISO, American Century Investments.

Thanks to our Cyber Security Headlines sponsor, ThreatLocker

CISO Series Podcast LIVE!
CISO Series Podcast LIVE in Dallas, TX (11-14-24)

The CISO Series Podcast will be rustling up some fun, heading down to Texas for another live recording!

We’re recording a podcast episode at DataSec Conference 2024. Joining me on stage for the recording will be Rinki Sethi, vp and CISO, BILL and Lamont Orange, field CISO, Cyera. Here’s everything you need to know:

WHERE: Kimpton Pittman Hotel, 2551 Elm St, Dallas, TX 75226 (MAP)

WHEN: November 14, 2024. The event runs from November 13 through 14.

This event is invitation-only for qualified CISOs, CIOs, CTOs, CDOs, cybersecurity VPs, Data Security Architects, and Data Privacy Leaders. Register to attend HERE.

HUGE thanks to our sponsor, Cyera

Super Cyber Fridays!
Join us NEXT Friday [11-22-24], for "Hacking E-Crime Trends"

Join us Friday, November 22, 2024, for “Hacking E-Crime Trends: An hour of critical thinking about staying on top of an ever-evolving threat landscape.”

It all begins at 1 PM ET/10 AM PT on Friday, November 22, 2024, with guests Jason Baker, principal security consultant, GuidePoint Security and Howard Holton, CTO and industry analyst, GigaOm. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, GuidePoint Security

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.