Who Knows What Evil Lurks in the Heart of Low-Code/No-Code? (LIVE in Los Angeles)

CISO Series Podcast
The rush of new GenAI tools opens the doors to even more low-code and no-code business apps. But just as we’ve struggled with shadow IT, are we prepared for the shadow engineering these apps will bring? What controls can we implement to stop them from getting out of hand?

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Sasha Pereira, CISO, WASH. Joining us is Cyrus Tibbs, CISO, PennyMac. This episode was recorded live in Santa Monica, CA, at the annual ISSA LA Summit.

Building the foundation for data minimization

Increasing data exposure and regulatory pressures mean more organizations are seriously considering the importance of a data minimization policy. As an industry, we’re still coalescing around best practices, as outlined in a recent post from the Forbes Technology Council. Organizations must implement immediate strategies like enforcing data retention policies and using tokenization or data masking to protect sensitive information. Long-term steps, such as using edge devices for processing before data is sent to the cloud, require more planning but can reduce exposure. This requires a backbone of data classification, access management, and activity monitoring to ensure organizations know where data is, who can access it, and who is using it. This approach strengthens defenses and builds customer trust, demonstrating a commitment to protecting their data.

No-code needs to be no problem

Organizations are increasingly looking to leverage the benefits of low-code and no-code apps. But just as the emergence of SaaS left organizations unprepared for shadow IT, no-code apps carry the risk of shadow engineering, as pointed out by Yair Finzi in Dark Reading. Because tools like GenAI make building apps easier for employees without coding experience, organizations now face this problem at scale. Organizations can better frame the issue by retiring the term "shadow IT" and empowering employees to use these tools responsibly. Security teams should enable innovation while ensuring safe usage rather than attempting to whitelist every tool. Training developers on new technologies and fostering education across departments is critical. These skills will become as commonplace as Microsoft Office proficiency, and organizations must be ready.

Seeking alignment in a SOC career

There is growing anxiety among SOC professionals about the future of their roles. Many SOC employees are looking to transition to DevOps. For those looking to make the move, those on r/cybersecurity recommend starting programming projects, getting certifications, and pursuing consulting roles in DevOps. SOC professionals need to adapt just as IT operations did when DevOps emerged. Getting certifications and exploring security roles can help future-proof their careers. SOC analysts may be better suited for security engineering or architecture roles, leveraging their knowledge of network gaps and security tool outputs. While many SOC employees seek to move on, some genuinely enjoy and excel in their roles. These professionals should explore paths that align with their interests, whether through security engineering, cloud certifications, or even applied data science within cybersecurity.

MFA is not a cybersecurity panacea

Implementing multi-factor authentication (MFA) can carry risks if poorly executed. Despite MFA’s growing adoption, attackers have developed strategies like push notification bombing and session cookie theft to bypass it, as pointed out by David Strom in CSO Online. Organizations must educate users on MFA’s importance, mainly through personal use cases (e.g., enabling MFA on bank accounts). User education combined with well-implemented MFA can reduce resistance and improve security. MFA represents a shift from knowledge-based to possession-based factors like FIDO2 tokens. Users are too accustomed to frequent logins to avoid risks consistently, and simplifying authentication by moving to more secure, possession-based methods would significantly improve security. While necessary, MFA must evolve alongside better tools and regulatory support.

Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Jonathan Waldrop, CISO, The Weather Company for providing our “What’s Worse” scenario. And thanks to Ashton Long of Beacon Hill, Fernando St. Jean of ISSA LA, Dan Drees of IT Security Now, and Richard Greenberg of ISSA LA for providing questions for our guests.

Thanks to our podcast sponsor, Nudge Security


Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Biggest mistake I ever made in security…

"The biggest mistake I ever made was back in the day when we all started realizing that signature-based AV wasn't working, that I quickly adopted and quickly deployed an early AI AV and learned the lesson the hard way through many outages and many lost nights of sleep and lost reputation." - Cyrus Tibbs, CISO, PennyMac

Listen to the full episode of "Who Knows What Evil Lurks in the Heart of Low-Code/No-Code? (LIVE in Los Angeles)."

Will We Ever Go Back From WFH?

"I would say that building a culture with a remote workforce is entirely doable, and I think the knee-jerk reaction to say that, 'Oh, you have to have people in an office in order to build a culture or imbue a corporate culture,' I think is a false paradigm. I think you have to be more deliberate when you're working from home and working remotely in order to establish and maintain a culture. You need to truly take stock and interest in your folks as humans." - Joe Lewis, CISO, CDC

Listen to the full episode of "Will We Ever Go Back From WFH?"

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

LIVE!
Cyber Security Headlines - Week in Review


Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Dmitriy Sokolovskiy, senior vice president, information security, Semrush.

Thanks to our Cyber Security Headlines sponsor, SpyCloud


Black Hat 2024!
When Can You Ignore the Security Policy?

David Spark hit the show floor at Black Hat 2024 to ask security professionals when it's a good time to ignore security policy. The kneejerk reaction might be to say never, but there is surprising nuance to the discussion.

Thanks to our sponsor, Cyera


Super Cyber Fridays!
Join us, Friday [11-01-24], for "Hacking Your Cyber Brand"

Join us this Friday, November 1, 2024, for “Hacking Your Cyber Brand: An hour of critical thinking about building how people see your company in this industry.”

It all begins at 1 PM ET/10 AM PT on Friday, November 1, 2024, with guests Gianna Whitver, co-founder and CEO, Cybersecurity Marketing Society and Andy Ellis, partner, YL Ventures. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.