96 episodes

Discussions, tips, and debates around improving the communications and services that security vendors provide to their customers, the security buyer.

CISO-Security Vendor Relationship Podcast. David Spark, Founder, Spark Media Solutions and Mike Johnson, CISO, Lyft

    The Department of "No, Thank You"


    All links and images for this episode can be found on CISO Series (https://cisoseries.com/the-department-of-no-thank-you/)
    Just go to the front desk, sign in, and then the receptionist will say “no” in the most polite way possible.
    This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Nina Wyatt, CISO, Sunflower Bank.
    Thanks to this week's podcast sponsor, CyberArk.

    At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.

    On this week's episode

    There’s got to be a better way to handle this
    The hot new cybersecurity threat is the Coronavirus. Not the virus itself or the possible fake phishing emails connected to it, but our overall fear and its impact on work. According to data from Boardish, there is a 42% increase over baseline in fear of immobility, or staff not being able to operate effectively remotely. To put that number in perspective, phishing and ransomware have each seen an 8% threat increase. I read immobility's huge number to mean companies are simply not prepared for how their staff may need to operate.

    What we’ve got here is failure to communicate
    What's the best way to say 'no' to a vendor? This was a question that was asked of me by Eric Gauthier, CISO at Scout Exchange. He wants to say no because his cloud business has no need for certain services, and he doesn't want to be rude, but just saying no doesn't seem to work. What are the most successful techniques of saying no to a security vendor? And what different kinds of "no" are there?

    "What's Worse?!"
    A tough decision on a company built on acquisitions.

    Walk a mile in this CISO’s shoes
    For many CISOs, there is a "What's Next?" as they don't necessarily expect "CISO" to be their final resting place professionally. Gary Hayslip, a CISO for Softbank Investment Advisers and frequent guest, wrote on both LinkedIn and Peerlyst about next steps for CISOs who want to move out of the role. The recommendations were other C-level positions, going independent, and starting a new company.


    On January 2 of this year, parking meters in New York City stopped accepting credit and parking cards. At fault? Security software that had expired on the first day of 2020. Reminiscent of Y2K, this draws attention to the next two time-related bugs predicted for 2036 and 2038. The 2038 problem affects 32-bit systems that rely on timecodes that max out on January 19 of that year. A similar rollover is expected in 2036 for Network Time Protocol systems.

    In all likelihood, affected systems either have been or will be replaced over the next 18 years, but the dangers still exist: in situations where vulnerable devices remain buried in a legacy system, in cases where advanced calculation of expiry dates is needed, or, as in New York City, where the upgrade was apparently overlooked. It serves as a reminder that data security must look to its past while it plans for the future.

    More from our sponsor ExtraHop.

    Hey, you're a CISO. What's your take on this?
    What's the impact of Europe's Right to Be Forgotten (RTBF)? It's been five years and Google has received ~3.2 million requests to delist URLs, from ~502,000 requesters. Forty-five percent of those URLs met the criteria for delisting, according to Elie Bursztein, leader of Google's anti-abuse research team. Search engines and media sites hold the greatest responsibility, but what responsibility are companies forced to deal with, and do they have the capacity to meet these requests?

    • 35 min
    We Pick the Best Security Awareness Programs for Your Staff to Ignore


    All links and images for this episode can be found on CISO Series (https://cisoseries.com/we-pick-the-best-security-awareness-programs-for-your-staff-to-ignore/)
    It doesn’t matter which security awareness training program you purchase. Your staff is going to do whatever they can to either tune out or get out of this annual compulsory exercise.
    This week’s episode of CISO/Security Vendor Relationship Podcast was recorded in front of a live audience at athenahealth in Watertown, Massachusetts. The recording features me, David Spark (@dspark), producer of CISO Series, my guest co-host, Taylor Lehmann (@BostonCyberGuy), CISO, athenahealth, and guest Marnie Wilking, global head of security & technology risk management, Wayfair.

    David Spark, producer of CISO Series, Taylor Lehmann, CISO, athenahealth, Marnie Wilking, global head of security & technology risk management, Wayfair
    Thanks to this week's podcast sponsors, Check Point and Skybox Security.
    It's no secret that today's cyber attacks are targeted and sophisticated. Leaving even one point of entry vulnerable to a cyber attack endangers your entire organization. Check Point created the Secure Your Everything Resource Center to help you develop a comprehensive approach to prevent cyber attacks.

    At Skybox, we remove complexities from cybersecurity management. By integrating data, delivering new insights and unifying processes, we help you control security without restricting business agility. Our comprehensive solution unites security perspectives into the big picture, minimizes risk and empowers security programs to move to the next level.

    On this week's episode

    Pay attention, it’s security awareness training time
    Jinan Budge of Forrester finished a report on security awareness training programs. She found a trend that supported both the need for compliance and the need to actually train employees to be more security aware. We discuss what actually works to get people to be more aware of cybersecurity.

    What do you think of this vendor marketing tactic?
    At RSA, I talked to a vendor who told me about their new solution. It was so unique that Gartner was creating a new category for their product with yet another acronym. UGGH, another category for which you have to educate the market? And now you have to convince buyers to create a new line item for this category? And now what is that going to do to your marketing budget? It didn't take much convincing for me to point out that their product was just third-party risk management.

    Admittedly, cybersecurity professionals love the new and shiny, but where do we draw the line about learning something new in cybersecurity and adding confusion to the marketplace?

    It's time to play, "What's Worse?!"
    Two rounds, lots of debate.

    Where does a CISO begin?
    When we hear about digital transformation, it is being done for purposes of speed, accuracy, and business competitiveness. Scott McCool, former CIO at Polycom, who was on our show Defense in Depth, disputed the common notion that security serves the business. Instead, he believes that security IS the business. And if you deem that to be true, then security can no longer take a consultative role. It must take the role of brand and value building.

    This is more than just a discussion of "shifting left." What are actions that security must take to make it clear that they are part of making the business fast, innovative, and competitive?

    Um... maybe you shouldn't have done that
    We tell tales of the worst proof of concept (POC) efforts.

    Audience question speed round
    We close out the show with a series of quick answers to audience questions.

    • 43 min
    Buy Our Product. We Have No Idea What We're Selling.


    All links and images for this episode can be found on CISO Series (https://cisoseries.com/buy-our-product-we-have-no-idea-what-were-selling/)
    What do you think of our confusing non-descriptive ad copy? We think it’s brilliant.
    We’re patting ourselves on the back on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in front of a live audience in NYC at the coworking space, Rise NYC. It's hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and JJ Agha, vp, head of information security at WeWork. Our guest is Mike Wilkes (@eclectiqus), CISO, ASCAP.

    David Spark, producer, CISO Series, JJ Agha, vp, head of information security, WeWork, and Mike Wilkes, CISO, ASCAP
    Thanks to this week's podcast sponsor, Check Point

    It's no secret that today's cyber attacks are targeted and sophisticated. Leaving even one point of entry vulnerable to a cyber attack endangers your entire organization. Check Point created the Secure Your Everything Resource Center to help you develop a comprehensive approach to prevent cyber attacks.

    On this week's episode

    There’s got to be a better way to handle this
    How well are you configuring your controls today and tomorrow? At RSA, I chatted with Adam Glick, CISO, Rocket Software. He said what he'd like is a tool to test the maturity of his deployed controls. How are his controls optimized over time? What does it look like today vs. a year from now? How are we currently trying to solve that problem, and what could be done to improve it?

    Hey, you're a CISO, what's your take on this?
    "Which cybersecurity certification should I get?" It's a question I see repeated often, especially on Quora and Peerlyst. Your best bet would probably be the one that most employers are looking for. And according to job board searches, conducted by Business News Daily, CISSP is the overwhelming favorite. Do our CISOs prefer certain certifications over others? Is it a requirement for hiring? And what does a security professional with certifications vs. experience tell us about that person?

    What’s Worse?!
    Split decisions on both and the audience plays along as well.

    Is this the best use of my money?
    "One of the common complaints I repeatedly hear is that cybersecurity vendors are not solving real problems. They're just looking to make money. I think that's a rather unfair blanket statement, but regardless, I hear it a lot.

    I think why I hear that so often is that we're all in the cybersecurity fight together and we need to help each other. Helping each other is often done by participating in the open source community.

    Why is it critical to contribute to the open source community?

    Um... What do they do?
    I read copy that appeared on various booths at RSA 2020. Most are confusing and non-descriptive and don’t appear to assume a pre-existing understanding of cybersecurity.

    The expo hall at RSA is filled with security professionals who are already security minded. I honestly don't know exactly the reaction they're looking to get or what type of information these vendors are trying to convey.

    Audience question speed round
    We close out the show with a series of quick answers to audience questions.

    • 44 min
    We're Market Leaders in Customer Confusion


    All links and images for this episode can be found on CISO Series (https://cisoseries.com/were-market-leaders-in-customer-confusion/)
    We could offer a simpler explanation of our technology, but if we confuse you we can charge a lot more.
    This episode was recorded in front of a live audience at BsidesSF 2020 in San Francisco. It's hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Olivia Rose, former CISO, Mailchimp.

    Look at that screen! We were in a movie theater. Those small people in the lower right are David Spark, producer, CISO Series, Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, and Olivia Rose, former CISO, Mailchimp. Photo credit to @ash1warya.
    Thanks to this week's podcast sponsors, Vulcan Cyber and CyberArk.
    Vulcan is a vulnerability management platform built for remediation. By orchestrating the entire remediation process, Vulcan ensures that vulnerabilities aren’t just found, they’re fixed. Pioneering a remediation orchestration approach, the platform enables security, operational and business teams to effectively remediate cyber risks at scale.
    At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.

    On this week's episode

    How to become a CISO
    What is some actionable "let's start today" advice? What could an individual do right now to develop the skills to be a cyber leader and make it clear to management that that's what they're gunning for?

    What we’ve got here is failure to communicate
    If all vendors stopped sending cold emails, which is what we constantly hear CISOs say they should do, how should they spend their time and money instead to greatly improve their success? If a CISO played the role of a vendor, which happens often, what should they do to get to you?

    What's Worse?!
    We play TWO rounds.

    What do you think of this vendor marketing tactic?
    According to a recent study by Valimail, CISOs are very suspicious of security vendors' claims. In general, the numbers are horrible for vendor credibility. Close to half of security professionals claim the following:

    • Vendors' tech and explanation are confusing
    • Practitioners have a hard time seeing and measuring value
    • Practitioners don't know how a vendor's product will stay valid on their security roadmap
    What could cybersecurity vendors do to make their claims more believable?

    Close your eyes and visualize the perfect engagement
    Rafal Los, Armor Cloud Security asked, "If you could implement one thing in your organization that would receive universal adoption without push-back, what would it be?" The question, which seems reasonable, but in the security world often feels impossible, generated a ton of responses on both LinkedIn and Twitter. Many wanted company-wide adoption of one solution, such as MFA or vulnerability management. Others wanted widespread and ongoing security education. Our CISOs debate the one pushback-free solution that would yield the greatest results.

    • 41 min
    Last Chance to Vote for "Most Stressed-Out CISO"


    All links and images for this episode can be found on CISO Series (https://cisoseries.com/last-chance-to-vote-for-most-stressed-out-ciso/)
    Think you or your CISO has what it takes to shoulder all the tension, risk, and security issues of your organization? You may be a perfect candidate for "Most Stressed-Out CISO".
    This episode was recorded in person at Zenefits' offices in San Francisco. It's hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Keith McCartney (@kmflgator), CISO, Zenefits.

    Keith McCartney, CISO, Zenefits and Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast
    Thanks to this week's podcast sponsor, CyberArk

    At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.
    On this week's episode

    There’s got to be a better way to handle this
    CISO Stress. We've talked about it before on the show, and now Nominet just released a new study that claims stress levels are increasing.

    8% of CISOs said work stress has had a detrimental impact on their mental health, almost twice as high as last year (27%). 31% of CISOs said that stress had affected their ability to do their job. Almost all surveyed CISOs (90%) said they’d take a pay cut if it improved their work-life balance.
    How could a CISO negotiate better work/life balance upfront and have either of our CISOs done it?

    Hey, you're a CISO. What's your take on this?
    Gary Hayslip shared this Peerlyst article by Ian Barwise of Morgan Computer Services about the incredible array of OSINT tools. What OSINT tools do our CISOs find most valuable, and for what purposes?

    What's Worse?!
    A little too much agreement on this week's "What's Worse?!"

    Here's some surprising research
    Why are cloud security positions so much harder to fill? Robert Herjavec of the Herjavec Group posted a number of disturbing hiring statistics. Most notably was one from Cyber Seek that stated jobs requesting public cloud security skills remain open 79 days on average — longer than almost any other IT skills. Why isn't supply meeting demand? Why is it such a difficult security skill to find? And how easy and quickly can you train for it?
    EKANS is the backward spelling of SNAKE. It is also the name of new ransomware code that targets the industrial control systems in oil refineries and power grids. Not only does it extort a ransom, it also has the ability to destroy software components that do things like monitor the status of a pipeline, or similar critical functions in a power grid or utility. A recently documented attack on Bahrain’s national oil company reveals the architecture and deployment of EKANS not to be the work of a hostile nation-state, but of cybercriminals.

    The chilling message behind that, of course, is that penetrating and sabotaging critical components of a country’s infrastructure is no longer exclusive to sophisticated national intelligence agencies. Lower level criminal agencies may have motives that are far less predictable and trackable, and when combined with the complexities of an industrial control system, these may have cascading effects beyond the wildest dreams of the instigators themselves.

    More from our sponsor ExtraHop.

    What do you think of this pitch?
    We get a pitch with some suggestions on how best to improve the pitch. We want more pitches!


    • 36 min
    Let's Blow Our Entire Marketing Budget at RSA


    All links and images for this episode can be found on CISO Series (https://cisoseries.com/lets-blow-our-entire-marketing-budget-at-rsa/)
    Security professionals only think about security one week out of the year, right? So let's drop every single dollar we have budgeted for marketing on the last week of February. Whaddya say?
    This episode was recorded in person at Intel's offices in Santa Clara, California. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Tom Garrison (@tommgarrison), vp and gm of client security strategy at Intel (@IntelNews).

    David Spark, CISO Series, Tom Garrison, Intel, and Mike Johnson, CISO/Security Vendor Relationship Podcast.
    Thanks to this week's podcast sponsor, Intel.

    The globalization of technology has created an environment of complicated supply chains with limited transparency. Intel’s Compute Lifecycle Assurance (CLA) initiative solves this through a range of tools and solutions that deliver assurances of integrity throughout the entire lifetime of a platform, from build to retire.

    On this week's episode

    There’s got to be a better way to handle this
    Next week is RSA and by podcast law we're required to talk about it. We offer up tips on maximizing the following: education, engagement, and follow up.

    What’s the return on investment?
    On Peerlyst, John Mueller, a security architect with the US Navy, suggested ways to use incident response metrics to help determine whether your cybersecurity program is improving. But as Mueller points out, it's not easy, as you could fool yourself into believing you're doing well if you don't have valuable discovery tools. We discuss methods to measure improvements in security programs.

    What's Worse?!
    A really tough one that delivers a split decision.

    Please, enough. No, more.
    Our topic is trust and hardware manufacturers. We discuss what we've heard enough about regarding trusting hardware manufacturers of tech products, and then we discuss what we'd like to hear a lot more about.


    The fable of Walt Disney having been cryogenically frozen to be revived in an age where the science to do so existed is just that – a fable. But there is still something to be taken from that when it comes to documents archived on the cloud or consigned to data landfills. Just because encrypted data cannot be easily decrypted by hackers using today’s tools, that doesn’t mean tomorrow’s tools can’t do the job and revive the information stored inside.

    When threat actors take it upon themselves to steal data, through hacking, ransomware, or AI, they might, of course, be searching for material that is immediately exploitable, such as personal data, or data that has immediate value in being returned or unlocked, as in the case of ransomware.

    But other players are in it for the long game, counting on the fact that the inexorable momentum of progress will lead to a decryption solution in time for stolen archived data to still be of use for future crimes, frauds and deep fakery.

    More from our sponsor ExtraHop.

    Close your eyes. Breathe in. It’s time for a little security philosophy.
    I got back from Tel Aviv where cybersecurity professionals find themselves innovating out of necessity. They're often short on resources. We discuss the kinds of exercises we've tried to help ourselves and our team to think creatively about cybersecurity.

    One suggestion is the interrogation technique of "Five Whys" to get at the root reason of why we make our choices.

    • 35 min

Customer Reviews

DH74abc,

The best CISO podcast available today

I thoroughly enjoy listening to these every week. The podcast is carefully segmented and entertaining while educational. The length of the shows is great. Keep up the good work, I hope it never finishes!

journeyman2K,

Great format and good content

I always enjoy listening to this podcast when driving to a meeting to re-center myself in understanding what’s important to a cyber security professional and what they absolutely despise from reps. Great way to keep yourself in check and bring up topics that are important to them. Thank you David Spark and Mike Johnson!

Dudegggggggganj,

Invaluable

This podcast is a wealth of insight and perspective for both CISOs and vendors. It is an absolute must for anyone who wants to succeed in this industry.
