ISF Podcast Information Security Forum Podcast

In this episode, Steve speaks with Amanda Fennell, a security professional with over two decades in the industry who currently serves as CISO and CIO of Prove and adjunct professor of cybersecurity at Tulane University. She talks to Steve about why a CISO must be an educator at heart, how to embrace feedback in order to grow, and how young professionals can shape their careers in security as the role of the CISO evolves.


Key Takeaways:
1.  Important foundational principles in security include least privilege, risk mitigation, and vulnerability management.
2. Amanda Fennell suggests that new CISOs befriend their legal officers, in order to better understand security and risk.
3. Handing change can be a key indicator of high performance in security, with those who thrive in change being more likely to be high performers.


Tune in to hear more about:
1. Teaching technical skills and emotional intelligence in a technical field (2:25)
2. Security leaders’ communication and education strategies (4:35)
3. Security fundamentals and vulnerability management (10:37)
4. Evolving role of CISOs, career progression, and coping with stress in security leadership positions (13:21)
5. Managing stress and mental health in leadership roles (18:57)


Standout Quotes:
1. “It was a long, long time ago. My boss sat me down for a performance review and said, you have a reputation for not taking feedback well, because you're really sure that you're right. And I took that to heart. And for a long time, I did have to fake that feedback coming to me, like, ‘Thank you for the feedback. I'll think about this. That’s so …’ You know, whatever, and just freeze your face into a smile. Now, I love it. I invite it.” -Amanda Fennel.

2.  I think that probably, my other big advice for people who are first-time CISOs who are new in their role: become good friends with your legal officer.That’s going to be your best friend on the team. They understand, especially if they have compliance and audit — those people, and I say this as someone who worked at a legal tech company, software for five years — but your legal officers understand security and risk really well. And they're going to help you to interpret and translate things often. And that has been one of my biggest helps in my career. -Amanda Fennell


Mentioned in this episode:





ISF Analyst Insight Podcast




Read the transcript of this episode
Subscribe to the ISF Podcast wherever you listen to podcasts
Connect with us on LinkedIn and Twitter

From the Information Security Forum, the leading authority on cyber, information security, and risk management.

Today, Steve is speaking with investigative tech journalist Geoff White, who has been covering tech and financial crime for more than 20 years. Listeners may be familiar with his popular podcast The Lazarus Heist for the BBC World Service, and now his new book, Rinsed: From Cartels to Crypto: How the Tech Industry Washes Money for the World's Deadliest Crooks, will be available from Penguin Random House next week.  Steve and Geoff discuss current trends in organized cybercrime, how these criminals are—or maybe aren’t—adopting AI, and the difficulties law enforcement still faces in helping the victims of these crimes.

Key Takeaways:
1.  Nation states and government agencies have been known to adopt tactics from organized crime gangs and activists – a sort of trickle-up effect.
2. As technological advancements are presenting criminals with new avenues for money laundering, law enforcement is not always able to keep up and instead is having to prioritize high level crimes.
3. The law enforcement landscape is a fast changing world, as agencies adapt and gain more awareness of cybercrime tactics relating to AI and cryptocurrencies.

Tune in to hear more about:
1. Cybercrime evolution, nation-state involvement, and tactics (3:31)
2. AI use in cybercrime, potential for innovation and defense (8:29)
3. Cybercrime and money laundering, with a focus on the role of technology and law enforcement (11:45)
4. Cybercrime, crypto, and organized crime evolution (15:59)

Standout Quotes:
1. “Sometimes the tools of organized cybercrime, gangs, nation states have also learned from hacktivists. From leaks from people like WikiLeaks or from Anonymous, they've learned the damage that a leak can do a leak of information can do. And that's fed into that disinformation piece nation states now extremely astute at getting in stealing information and then weaponizing that information to change elections, to change people's attitudes, to influence world events, the nation states have got both feet in to this cybercrime game.” -Geoff White

2. “I think maybe it's worth thinking like a criminal and understanding how thinking like a criminal is different to thinking like a different type of enterprise. The reason I enjoy thinking about organized crime and covering organized crime is because it's organized. These are networks, as you say, of professional, organized people. But they're not out to win customers. They're not like Microsoft and Google who wants to come out with innovation and innovative new products to win customers in their competition. No. They want to make money from victims. And frankly, as long as you're making enough money from your victims month in month out, you don't change. There's no reason to innovate. Crime gangs innovate when law enforcement and the force of authority stop them from making the money they usually make. That's when you innovate.” -Geoff White

3. “I think there was a time when, frankly, explaining Bitcoin to sort of rank and file police officers was a struggle. I think those days are gone … There's been this realization that things like cryptocurrency is something that law enforcement needs to be on top of.” -Geoff White

4. “As cryptocurrency gets larger, as more financial institutions get behind it, as governments get behind it, yes, it can make it more legitimate, it can expand the legitimacy of it. But it also creates more noise, if you like, for the criminals to hide.” -Geoff White


Mentioned in this episode:





ISF Analyst Insight Podcast




Read the transcript of this episode
Subscribe to the ISF Podcast wherever you listen to podcasts
Connect with us on LinkedIn and Twitter

From the Information Security Forum, the leading authority on cyber, information security, and risk management.

Recently, British journalist Juliette Foster interviewed Steve for a feature in The European, and today we’re listening to that conversation. Steve and Juliette explore a range of topics, including how to get buy-in to your security strategy at all levels of the organization, how much security should cost, navigating the regulatory landscape, and which industries and enterprises Steve believes could be templates for security.

Key Takeaways:
1. Good cyber strategy aligns with business strategy, is quantifiable, and involves all employees.
2. Durbin suggests involving security in project planning to avoid retrofitting security measures.
3. Durbin suggests that security teams need to spend more time explaining security implications to business leaders in a way they can understand.
4. Durbin suggests that leaders must create a personal investment in security by providing feedback and justifying costs in a way that resonates with each individual’s role and responsibilities.
5. Durbin highlights the evolving regulatory landscape, with a shift from standardization to protectionism and complexity for organizations.
6. Durbin highlights the evolving threat landscape, including malware, ransomware, and phishing attacks.

Tune in to hear more about:
1. Aligning cybersecurity strategy with business goals and outcomes (1:36)
2. Cybersecurity strategies, testing, and budgeting (10:42)
3. Regulation complexity and its impact on businesses (18:00)
4. Cybersecurity investment, risk management, and emerging threats (22:44)
5. Evolving cyber threats and the importance of resilience (26:58)

Standout Quotes:
1. “What is important for organizations is not to become over fixated on the threats — that’s necessary, obviously, to have a good defense — but also to figure out this whole notion of resilience. How quickly could we get our systems back up and running? How quickly could we get our organization functioning again? How are we going to recover our data? Where are we storing it? Those sorts of things.” - Steve Durbin

2. “... the crux of good cyber strategy is having an alignment with a business strategy happening in alignment with what it is that the organization is looking to do on a daily basis, which in the majority of cases is: increase revenue, increase shareholder value, deliver back to employees, customers, and to further the ideals of the organization.” - Steve Durbin

3. “So the role of the security leader in any budget cycle is to try to align whatever spend she or he wishes to have with the future direction of travel of that organization. And if you can start to do that, then the whole conversation becomes very much easier. But I'm not a huge fan of setting fairly random percentages, because I think it sends entirely the wrong message. You run the risk of overspend or underspend. And what you actually want to be doing is spending appropriately to deliver the right level of protection for your critical assets, for your company, for your employees, for your shareholders, so that you can continue to provide a thriving environment.”  - Steve Durbin


Mentioned in this episode:





ISF Analyst Insight Podcast




Read the transcript of this episode
Subscribe to the ISF Podcast wherever you listen to podcasts
Connect with us on LinkedIn and Twitter

From the Information Security Forum, the leading authority on cyber, information security, and risk management.

Today, Steve is speaking about security leadership with executive coach and CEO and Founder of Serenity in Leadership Thom Dennis. Thom brings his expertise in psychology to bear in their discussion of the role of leaders in culture change, how to let go and trust your workforce, and practical tips for embracing the challenges leaders face day to day.

Key Takeaways:
1. Fast-paced change and unease about people being away from work for extended periods of time are impacting leadership development.
2. Trust and clarity are key to successful remote work, letting go of control and setting clear objectives.
3. Incorporating breaks into work schedules serves to avoid burnout and increase productivity.
4. Thom Dennis predicts a shift in leadership thinking, where society’s demands will be prioritized over corporate standards.


Tune in to hear more about:
1. Trust, fear, and delegation in leadership (3:56)
2. Creating space for focus, trust, and organizational leadership evolution (11:29)
3. Leadership evolution, prioritizing people over analysis, and fostering trust and community in organizations (17:22)


Standout Quotes:

1. Let people go. Tell them what you want them to achieve, tell them what the objectives are, and then let them get on with it. There's this sort of sense of fear that one isn't going to be in control. So I think people have got to learn to trust, and to be very clear about what it is that they're looking for. And then letting go. And I think often, you will get a far better result from that. Above anything else, I think, in forcing the briefer to be absolutely clear about what they want to achieve, that can save an awful lot of time and money in and of itself. -Thom Dennis

2. Some people who write and have incredibly busy jobs, they're up at five o'clock, or even four o'clock, and they’re writing for an hour, and then they go to the gym, and then they … and so on. Whatever your routine is. But if they're doing that, they're probably in bed at eight o'clock in the evening. So look, a part of this is self discipline, isn't it? It’s deciding on your routine, and then doing whatever it is that you can do to keep yourself to it. -Thom Dennis

3. I think we need to create quiet spaces for ourselves so that we can actually hear our inner knowing. They say that there's more signals that go from the heart to the brain than the other way around. And they've identified that there are brain type cells in the heart, and also in the gut. So all these things people have been talking about oh, well, I just go by my gut feelings, well, that's not as silly as it sounds. And I think that leaders of the future have got to become just a little bit less — not totally, but a little bit less cerebral, and more in touch with their inner knowing. — Thom Dennis

Mentioned in this episode:




ISF Analyst Insight Podcast


Read the transcript of this episode
Subscribe to the ISF Podcast wherever you listen to podcasts
Connect with us on LinkedIn and Twitter

From the Information Security Forum, the leading authority on cyber, information security, and risk management.

Today, Steve is speaking with Erik Avakian, who served as CISO for the Commonwealth of Pennsylvania in the United States for more than twelve years before moving into the private sector, where he currently works as the technical counselor at Info-Tech Research Group. Erik brings his passion and experience to a lively conversation in which he and Steve discuss coping with change through multiple leadership turnovers, practical examples of how security leaders can demonstrate their department’s value to an organization beyond theoretical breach prevention, and overcoming challenges in the public and private sectors.

Key Takeaways:
1. Embracing change in state/local government requires technical architecture and common architecture.
2. Public sector security faces unique challenges, including political considerations.
3. It’s critical for public funds to be used efficiently while also reducing duplication of work and building knowledge sharing across agencies.
4. Security testing and phishing simulations can demonstrate return on security investment, saving time and money in the long run.

Tune in to hear more about:
1. Embracing change in security leadership in the public sector (0:00)
2. Building security foundations in public sector organizations (4:45)
3. Funding challenges in security, with tips for effective resource utilization, building strong teams, and collaboration (8:48)
4. Demonstrating security value to business leaders through cost-benefit analysis and service metrics (14:02)
5. Demonstrating security value to non-technical stakeholders through practical examples (18:33)


Standout Quotes:

1. One of the reasons I love the industry and I loved the position of CISO is you're constantly trying to just improve, right? You're not trying to rebuild every, all the time. You know that the business might want to rebuild, but you're there to constantly improve that foundation, continuingly building your team, and continually building your capabilities. So regardless of who comes and goes, you have that foundation, and you continue to grow it. - Erik Avakian

2. It's really about enabling the business. How can we say yes, but do things more securely and put a positive spin on it? Whereas, you know, in the past, you know, security is looked at oh, these are the guys that say no. So really, a CISO's a partner to the business, a collaborator building relationships, and really, that's been the change, right? It's gone from less of a technical kind of a thing to being a coach, being a leader, and really working and building those relationships at the business level. - Erik Avakian

3. I look at it as almost like a baseball team. So in the baseball world, you have a catcher, you have a pitcher, you have all these people on the field. And it's identifying what are the strengths of your team, and letting those players — if we look at it from that perspective — letting them thrive, letting them grow in the position that they're passionate about. And then you can just grow in that passion, give them the training, give them extra training, helping them build where they're really good at and what they really like to do. And then the baseball world is that example. We wouldn't necessarily make the pitcher catch — they might not be comfortable with that — or the catcher pitch, and all sorts of other things. Because they do what they do well, that's their position on the field. And what I've found is that if we can do that, we can build our teams and build rock stars out of them in the places where they really are passionate about, then we have retention.

I think my retention throughout my tenure was almost 99%, because I looked at people as to what drives them. - Erik Avakian

Mentioned in this episode:





ISF Analyst Insight Podcast




Read the transcript of this episode
Subscribe to the ISF Podcast wherever you listen to podcasts
Connect with us on LinkedIn and Twitter

From the Information Security Forum, the leadi

Today, Steve and producer Tavia Gilbert discuss the impact artificial intelligence is having on the threat landscape and how businesses can leverage this new technology and collaborate with it successfully.

Key Takeaways:
1.  AI risk is best presented in business-friendly terms when seeking to engage executives at the board level.
2. Steve Durbin takes the position that AI will not replace leadership roles, as human strengths like emotional intelligence and complex decision making are still essential.
3. AI risk management must be aligned with business objectives while ethical considerations are integrated into AI development.
4. Since AI regulation will be patchy, effective mitigation and security strategies must be built in from the start.


Tune in to hear more about:
1. AI’s impact on cybersecurity, including industrialized high-impact attacks and manipulation of data (0:00)
2. AI collaboration with humans, focusing on benefits and risks (4:12)
3. AI adoption in organizations, cybersecurity risks, and board involvement (11:09)
4. AI governance, risk management, and ethics (15:42)


Standout Quotes:

1. Cyber leaders have to present security issues in terms that board level executives can understand and act on, and that's certainly the case when it comes to AI. So that means reporting AI risk in financial, economic, operational terms, not just in technical terms. If you report in technical terms, you will lose the room exceptionally quickly. It also involves aligning AI risk management with business needs by you know, identifying how AI risk management and resilience are going to help to meet business objectives. And if you can do that, as opposed to losing the room, you will certainly win the room. -Steve Durbin

2. AI, of course, does provide some solution to that, in that if you can provide it with enough examples of what good looks like and what bad looks like in terms of data integrity, then the systems can, to an extent, differentiate between what is correct and what is incorrect. But the fact remains that data manipulation, changing data, whether that be in software code, whether it be in information that we're storing, all of those things remain a major concern. -Steve Durbin

3. We can’t turn the clock back. So at the ISF, you know, our goal is to try to help organizations figure out how to use this technology wisely. So we're going to be talking about ways humans and AI complement each other, such as collaboration, automation, problem solving, monitoring, oversight, all of those sorts of areas. And I think for these to work, and for us to work effectively with AI, we need to start by recognizing the strengths both we as people and also AI models can bring to the table. -Steve Durbin

4. I also think that boards really need to think through the impact of what they're doing with AI on the workforce, and indeed, on other stakeholders. And last, but certainly not least, what the governance implications of the use of AI might look like. And so therefore, what new policies controls need to be implemented. -Steve Durbin

5. We need to be paying specific attention to things like ethical risk assessment, working to detect and mitigate bias, ensure that there is, of course, informed consent when somebody interacts with AI. And we do need, I think, to be particularly mindful about bias, you know? Bias detection, bias mitigation. Those are fundamental, because we could end up making all sorts of decisions or having the machines make decisions that we didn't really want. So there's always going to be in that area, I think, in particular, a role for human oversight of AI activities. -Steve Durbin


Mentioned in this episode:





ISF Analyst Insight Podcast




Read the transcript of this episode
Subscribe to the ISF Podcast wherever you listen to podcasts
Connect with us on LinkedIn and Twitter

From the Information Security Forum, the leading authority on cyber, information security, and risk management.