144 episodes

Discussions, tips, and debates around improving the communications and services that security vendors provide to their customers, the security buyer.

CISO-Security Vendor Relationship Podcast Mike Johnson and David Spark

    • Technology
    • 4.8 • 140 Ratings

    Unnecessary Research Reveals CISOs Hate Cold Calls

    All links and images for this episode can be found on CISO Series
    https://cisoseries.com/unnecessary-research-reveals-cisos-hate-cold-calls/

    In a study we never actually conducted, our fellow security leaders said unequivocally that there never has been a time they welcome a phone call from someone they don't know trying to book a demo to see a product they have no interest in.

    This episode is hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Andy Steingruebl (@asteingruebl), CISO, Pinterest. Our guest this week is Andy Purdy (@andy_purdy), CSO, Huawei.

    Thanks to our podcast sponsor, Living Security

    Traditional approaches to security communication are limited to one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely affect long-term behavioral change.
    This report lays out a four-step plan that CISOs should follow to manage the human risk. It provides design principles for creating transformational security awareness initiatives which will win the hearts and minds of senior executives, employees, the technology organization, and customers.

    On this week's episode

    Here’s some surprising research
    As compared to small and medium companies, big enterprises don't appear to trust the big telcos to execute their 5G strategy. This is according to new research from Omdia as reported by Iain Morris of Light Reading. When asked, "do you trust a communications service provider, AKA big telco, to execute your security strategy," SMEs overwhelmingly supported the telcos over all other options, and big enterprises didn't. They trusted their own expertise or wanted to lean on a cloud service provider like Amazon or Google. Let's investigate this discrepancy.

    If you're not paranoid yet here’s your chance
    As if you didn't know it already, get ready for some sobering news about third-party risk: According to a survey by BlueVoyant, as reported by SC Magazine, 80 percent of those surveyed had at least one breach caused by a third-party vendor within the past year. Most of those surveyed didn't monitor third-party suppliers for cyber risk. But, even if they wanted to, it's often a point-in-time measurement, sometimes only yearly, and organizations have an average of 1409 vendors. UK's National Cyber Security Centre puts the focus of securing against third-party risk squarely on the development of the software supply chain, and the need for isolation and proven security checks throughout the development process. That may be good advice, but it still seems so overwhelming given the volume and how much you can't control.

    "What's Worse?!"
    A vulnerability response and incident detection conundrum from Jonathan Waldrop, Insight Global

    What’s the best way to handle this
    Lessons learned from a big security incident and how these will be applied to the next big security incident.

    What do you think of this vendor marketing tactic
    Very few, if any, security leaders like cold calls. Yet, even with all the expressed distaste for them, they still exist, and that's probably because they still work, and still deliver significant ROI. But when these companies calculate that ROI, are they counting all the people they've annoyed? One vendor sales rep said that after searching their CRM for "Do Not Call" there was a slew of vitriol from CISOs screaming to never contact them again. And as we all know, CISOs talk to other CISOs. So if you've angered one CISO sufficiently to never consider you, they've probably told a few friends as well. Let's discuss getting pushed over the edge by a vendor's aggressive sales tactics and what was done to essentially shut them off, including telling others about their actions.

    • 34 min
    One Day You'll Grow Up to Know Less Than You Do Now

    All links and images for this episode can be found on CISO Series
    https://cisoseries.com/one-day-youll-grow-up-to-know-less-than-you-do-now

    We know so little when we're born. We're just absorbing information. But then we get older, and when we take on the responsibility of securing the computing environment of a large company, we actually see that knowledge we absorbed start slipping away. What we thought we knew of what's in our network is so far afield from reality.

    This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Tomás Maldonado (@tomas_mald), CISO, NFL.

    Thanks to our podcast sponsor, Nucleus Security

    Nucleus unifies your existing security stack, integrating with over 70 scanners and external tools, creating a centralized hub to control the chaos of vulnerability analysis, triage, and remediation. Ready to make the tedious VM process simple through smart automation and workflow optimization? See for yourself at https://nucleussec.com/demo

    It’s time to measure the risk
    Outside of security basics and popular controls like SSO, MFA, and password management, what are the most effective means (or security control) to reduce risk? People have been offering some great suggestions on LinkedIn such as reducing attack surface, knowing what you're protecting, education, more conversations about risk, and actually having someone in charge of security and risk. All reduce risk, but what truly gives the biggest bang for the buck in terms of risk reduction?

    Are we making this situation better or worse?
    When things break, what's the best tactic for remediation? A bigger/better version of the last thing, or critical thinking? Both actually have serious costs associated with them. The first being equipment and maintenance, and the second having the talent that's able to think of unique and innovative solutions. In a post on LinkedIn, Greg van der Gaast of cmcg argues that bigger walls just result in continued security problems at a more expensive, yet slower rate. He argues many issues could be avoided with critical examination, especially in IT.

    It's time to play, "What's Worse?!"
    Ross Young asks how badly do you need to measure your security program.

    How would you handle this situation?
    Our guest, Tomás Maldonado, describes what's unique about being a CISO for the NFL - the specific security concerns that aren't necessarily on the radar at his previous organizations, and the security issues around huge global events like the Super Bowl.

    Well that didn’t work out the way we expected
    Perception vs. reality in security. On LinkedIn, Ross Young, CISO at Caterpillar Financial Services said, "In April 2018, McAfee published a survey asking 1,400 IT professionals to estimate the number of cloud services in use within their organization. The average response was 31, with only 2% of respondents believing that they had more than 80—yet the real average is 1,935." This supports the great need for asset inventory. There are many instances where CISOs have to make an estimate of what they have given the best available information. We look at examples of when the reality of a situation was far from the initial perception, and how to manage this.

    • 34 min
    Would You Look at that Unrealistic Licensing Deal?

    All links and images for this episode can be found on CISO Series
    https://cisoseries.com/would-you-look-at-that-unrealistic-licensing-deal/ 

    CISOs know that salespeople want to make the best licensing deal they can possibly get. But unpredictability in the world of cybersecurity makes one-year licensing deals tough, and three-year licensing deals impossible.

    This episode is hosted by David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Mark Eggleston (@meggleston), CISO, Health Partners Plans.

    This episode was recorded live in front of a virtual audience at the "SecTalks - Leading with grit in security" virtual conference brought to you by our sponsor, Cobalt.

    Thanks to our podcast sponsor, Cobalt

    Cobalt offers a faster more effective pentesting solution through its Pentest as a Service (PtaaS) platform. With it, you can schedule a pentest in as little as 24 hours for all kinds of assets. The platform also connects you with a global pool of pentesters called the Cobalt Core, whose skills can match what you need. And instead of sending you a huge PDF that raises more questions you can’t answer, they engage with your team throughout the pentest. Findings can land straight into Jira and GitHub, helping you fix vulnerabilities as soon as they’re discovered. Cobalt makes pentesting easy, quick to deploy, scalable, and simple to remediate.

    On this week's episode

    Why is everybody talking about this now?
    A redditor is struggling and overwhelmed! The person is in school studying, working, and loving cybersecurity, but has completely and utterly failed the foundations course and is on academic probation. The person told their story to the cybersecurity subreddit community, and the support came out in droves. We've seen this before. People hit a major wall professionally and they just reach out to the anonymous masses for support. The story hits a nerve and the community is eager to show encouragement. In fact, just this past week, the New York Times had an article about the unemployment subreddit offering advice and information to those struggling. We'll take a look at this tactic of reaching out for support and guidance through discussion boards.

    What do you think of this vendor marketing tactic?
    "Pro tip to vendors: don’t claim that you can’t do a one-year licensing deal. You might end up with a zero-year license deal", said Ian Amit, CSO, Cimpress on LinkedIn. We'll look at the art of negotiating a contract with a vendor: What is it ultimately you want? What are you willing to concede on and what must you have? And what are the situations that cause this to change?

    It's time to play, "What's Worse?!"
    Jason Dance of Greenwich Associates suggests two scenarios that others believe are security, but actually aren't.

    If you haven’t made this mistake, you’re not in security
    On Twitter, the CISO of Twitter, Rinki Sethi, said, "A career mistake I made, I rolled out a phishing testing program before the company was ready for it. The HR team said it was against the company culture and if I tried a trick like that again, I would be fired. Lesson - communication is important in #cybersecurity." Rinki asked for others' stories of failure. Let's explore a few.

    What Is It and Why Do I Care?
    For this week's game, the topic is vulnerability management. We look at four pitches from four different vendors. Contestants must first answer what "vulnerability management" is in 25 words or less, and secondly must explain what's unique about their vulnerability management solution. These are based on actual pitches - company names and individual identities are hidden. The winners will be revealed at the end.

    • 38 min
    This Is the Year I'm Going to Lose Weight and Care About Security

    All links and images for this episode can be found on CISO Series
    https://cisoseries.com/this-is-the-year-im-going-to-lose-weight-and-care-about-security/

    Every year I say I'm going to do it. I'm going to get healthy and be much better about securing my digital identity and my data. But then after about two weeks I give up, use the same password across multiple accounts, and eat a pint of Häagen-Dazs.

    This episode is hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Dan Walsh, CISO, VillageMD. Our sponsored guest this week is Drew Rose (@livsecaware), CSO, Living Security.

    Thanks to our podcast sponsor, Living Security

    Traditional approaches to security communication are limited to one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely affect long-term behavioral change.

    This report lays out a four-step plan that CISOs should follow to manage the human risk. It provides design principles for creating transformational security awareness initiatives which will win the hearts and minds of senior executives, employees, the technology organization, and customers.

    On this week's episode

    What would you advise?
    Over on the AskNetSec subreddit, a pentester wants out. The redditor is looking for exit opportunities into another job in cybersecurity. Other redditors suggested IT audit, SOC operations, incident response, forensics. What would be an ideal next step for a pentester?

    We don’t have much time. What’s your decision?
    What happens when a previous employer of yours gets hacked and your information is potentially stolen? This happened to a redditor who asked this question on the cybersecurity subreddit. If nothing has actually happened yet, what can they do and what can potentially happen? Is a warning of "I may be compromised" to anyone going to do anything?

    "What's Worse?!"
    Jason Dance of Greenwich Associates delivers a really annoying "What's Worse?!" scenario.

    Please, Enough. No, More.
    The topic is "Security Awareness Training". David prefaces this with a top finding from a Forrester report that said, "Unless You Capture Hearts And Minds, No Amount Of Training Will Work". So with that said, what have people heard enough about with regard to security awareness training and what would they like to hear a lot more?

    Pay attention. It’s security awareness training time
    What if security behavior was rated as a performance score, suggested Ashish Paliwal of SONY. In his LinkedIn article, he agreed you can't train yourself to better security. It requires positive reinforcement. He suggested psychometric tests and a scoring system where you would gain points for good security behavior and lose points for bad security behavior (-10 for clicking on a phish, +10 for reporting). Creative ideas that he acknowledges have lots of challenges. The focus here is changing human behavior, possibly the hardest feature to implement. What user experience does change behavior? And why would or why wouldn't Ashish's suggestions work?

    • 33 min
    Please Accept This Not-a-Bribe Gift as an Act of Desperation

    All links and images for this episode can be found on CISO Series
    https://cisoseries.com/please-accept-this-not-a-bribe-gift-as-an-act-of-desperation/

    Offering me a gift for a meeting was definitely not Plan A. Or was this a situation that you ran out of creative ideas and it's actually more cost efficient to buy your way into meeting with me?

    This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is John Overbaugh (@johnoverbaugh), vp, security, CareCentrix.

    Thanks to our podcast sponsor, Nucleus Security

    Nucleus unifies your existing security stack, integrating with over 70 scanners and external tools, creating a centralized hub to control the chaos of vulnerability analysis, triage, and remediation. Ready to make the tedious VM process simple through smart automation and workflow optimization? See for yourself at https://nucleussec.com/demo.

    On this week's episode

    OK, what’s the risk?
    People hear all too often that risk security isn't compliant security and vice versa, but isn't compliance just another form of risk? Shouldn't it be given quantitative and qualitative ratings like any other risk, prioritized, and remediated especially in highly regulated environments?

    Why is everyone talking about this now?
    On LinkedIn, LinkedIn CISO Geoff Belknap asked, "Tech Vendors: Please, stop offering cash or gift cards for meetings. It throws into question the entire basis for a relationship and it's not ethical."

    Vendors take CISOs out for lunch all the time. That is a form of gift. One vendor said that because they can't take a CISO out, they send a Starbucks card in lieu of the coffee they were going to purchase. Then there are the gifts that arrive for attending an event.

    Edward Kiledjian at OpenText, said, "I recently had a vendor get upset with me that I wasn't willing to accept his gifts. He said others in my position accept it and he couldn't understand why I was being so 'stubborn.'"

    How should this situation be handled and does a CISO's opinion of the vendor change as a result?

    "What's Worse?!"
    David tried to second guess Mike and was wrong on this bad idea from Jesse Whaley, CISO, Amtrak.

    If you haven’t made this mistake you’re not in security
    When Zero Day bugs arrive, security flaws just keep perpetuating. Garrett Moreau of Augury IT posted an article from MIT Technology Review about Google's research finding that when patches are released for zero days, they're often incomplete. Hackers can actually find the vulnerability sitting on the next line of code right next to the patched line of code, making it very easy for a hacker to reignite the zero day vulnerability. How can this problem stop perpetuating itself?

    Someone has a question on the cybersecurity subreddit
    A frustrated redditor eager to learn cybersecurity is getting stuck on CTFs (Capture the Flag challenges) and is losing motivation as a result. The person is worried that relying on walkthroughs will be harmful. Responses from the reddit community were that the walkthroughs are there to help people learn, and that most CTFs don't resemble real life. They're there to teach a few tricks. So, is that the case?

    • 36 min
    Foul! That Interview Question Is Unfair

    All links and images for this episode can be found on CISO Series
    https://cisoseries.com/foul-that-interview-question-is-unfair/

    Pick a side. You either want your employees to have a work/life balance, or you want them to be obsessed with security 24/7. You can't have both.

    This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Arpita Biswas (@0sn1s), senior incident response engineer, Databricks.

    Thanks to our podcast sponsor, StackRox

    StackRox is the industry’s first Kubernetes-native security platform that enables organizations to securely build, deploy, and run cloud-native applications anywhere. The StackRox Kubernetes Security Platform delivers lower operational cost, reduced operational risk, and greater developer productivity through a Kubernetes-native approach that supports built-in security across the entire software development lifecycle.

    What would you advise?
    People speak a lot about the importance of integrating security and DevOps. Now it's time to learn some specifics, like how to energize developers to be more security minded in their development. What works? What hasn't worked?

    "What's Worse?!"
    You just learned something was breached. Uggh. (Thanks to Mike Toole, Censys)

    What’s the best way to handle this?
    What questions should be asked to see if a security team is cloud incident ready? A good article over on F5 by Sara Boddy, Raymond Pompon, and Sander Vinberg, provides some suggestions such as "Can you describe our attack surface and how have you reduced it to the bare minimum?" and "How are we managing access control?" and "What do we do when systems or security controls fail?" Which of the questions is the most revealing to cloud security readiness and why?

    Should you ignore this security advice?
    On the AskNetSec subreddit someone inquired about a good hiring question. One redditor suggested asking "What do you do on your own home network with respect to security?" to which another redditor argued that the question was unfair. He left security and networking at work. He had other hobbies and interests for home life. Another person said, yes it is unfair, but there are plenty of candidates who do breathe security 24/7 and if given a choice, the redditor would take that person. The politically correct thing to say is you want the person with the work-life balance, but wouldn't we be more impressed with the person who has security in their blood day and night?

    Close your eyes and visualize the perfect engagement
    Another question on the AskNetSec subreddit asked "What are the most important skills you see missing among other coworkers or your team?" The two most common answers I saw on the thread were communications and critical thinking. Are these correct, or should something else go there? And if those two did improve, what would be the resulting effect on a company's security program?

    • 33 min

Customer Reviews

4.8 out of 5
140 Ratings

roselinevelee,

Value Added

If you aren’t listening to these podcasts, what are you even doing with your life? Security professionals, add value to your core knowledge with these injections of absolutely vital industry knowledge and trends.

Financialadventure,

Fantastic Show

I really like this show and have been listening to it since it began. Some of the things I enjoy the most are just how approachable the hosts are. If you send them questions they can go on the show.

I also enjoy the "What’s Worse?!" segment. It’s a great risk management exercise where I get to see some interesting perspectives as I try to grow my understanding to become a valuable CISO.

Thanks again for all that you do
Ross Young
CISO, Cat Financial

DH74abc,

The best CISO podcast available today

I thoroughly enjoy listening to these every week. The podcast is carefully segmented and entertaining while educational. The length of the shows is great. Keep up the good work, I hope it never finishes!