67 episodes

Join Allan Alford, former CISO of Mitel, and David Spark, founder of CISOSeries.com, each week as we choose one controversial cybersecurity debate and use the InfoSec community’s insights to lead our discussion.

Defense in Depth Allan Alford and David Spark

    • Technology
    • 5.0, 32 Ratings

    Data Classification

    All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-data-classification/)
    The more data we hoard, the less useful any of it becomes, and the more risk we carry. If we got rid of data, we could reduce risk.
    Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Nina Wyatt, CISO, Sunflower Bank.
    Thanks to this week's podcast sponsor, Cmd.

    Cmd provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems.
    On this episode of Defense in Depth, you’ll learn:
    • Usable, user-friendly data protection that works in every scenario and is invisible, seamless, and always on does not exist, but it could and should.
    • Classification tools that tout automation really aren't automated; a good amount of manual intervention is still needed.
    • Another way to solve the data protection problem is to get rid of data. The problem amplifies as we find ourselves protecting more data, yet a lot of data simply doesn't need to be protected: it can be classified for non-protection or destroyed.
    • Data is mostly unstructured, and it needs enough structure that you know how it is flowing. That is extremely difficult to do. We spend more time on hardware and network diagrams when we should be diagramming data flow.
    • Mandate retention limits on data. People don't like it, but it makes you a lot safer. Mandate the lifespan of data: if it's not needed or accessed within a set period, archive it or possibly destroy it.
    • People think holding onto data is costless, but the longer you hold onto it, the more costly it becomes from a security perspective.
    • Utility to you versus utility to the bad guys is relative. A bank statement from five years ago has little utility to you now, but to an attacker looking for information it has the same value as a bank statement from today.
    • The questions you need to be asking of any data: Is it sensitive? Does it have open permissions? How long has it been since it was accessed?
    • Data containing PII is both an asset and a liability.
    • Classifying data also has a major consistency problem: data can often be put into multiple categories or classes.
    • Security of the data itself is usually not what people consider; we are often thinking about the security around the data.
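    The three questions above (is it sensitive, is it openly readable, when was it last accessed) and the retention-limit idea can be turned into a triage pass over a file inventory. The block below is an added example, not code from the podcast or the CISO Series site: the PII detectors, the action names, the one-year retention window and the sample file records are all assumptions constructed for illustration, and "now" is pinned to a fixed timestamp so the output is reproducible. scan_directory() shows how the same records would be built from a real tree with os.stat.

```python
"""Triage a file inventory for sensitivity, exposure and staleness.

Added example for the data-classification discussion (not the podcast's own
code). For each file we answer the episode's three questions and propose an
action. SAMPLE_RECORDS is constructed data; use scan_directory() on a real tree.
"""
import os
import re
import stat
from dataclasses import dataclass

# Crude PII detectors (assumption): a US SSN shape and an email address.
# Real classifiers need validation and context to avoid false positives.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

SECONDS_PER_DAY = 86400


@dataclass
class FileRecord:
    path: str
    mode: int      # POSIX permission bits, e.g. 0o644
    atime: float   # last access time, seconds since the epoch
    sample: str    # first few KB of content


def is_sensitive(text: str) -> bool:
    return bool(SSN_RE.search(text) or EMAIL_RE.search(text))


def is_world_readable(mode: int) -> bool:
    # "Open permissions": any user on the host can read the file.
    return bool(mode & stat.S_IROTH)


def days_since_access(atime: float, now: float) -> int:
    return int((now - atime) // SECONDS_PER_DAY)


def triage(rec: FileRecord, now: float, retention_days: int) -> dict:
    """Combine the three answers into one proposed action (policy is an assumption)."""
    sensitive = is_sensitive(rec.sample)
    open_perms = is_world_readable(rec.mode)
    idle = days_since_access(rec.atime, now)
    stale = idle > retention_days

    if stale and not sensitive:
        action = "destroy"    # past retention, nothing to protect: only cost and risk
    elif stale:
        action = "archive"    # past retention but still a liability; destroy if law allows
    elif sensitive and open_perms:
        action = "restrict"   # live PII readable by everyone: fix permissions first
    elif sensitive:
        action = "protect"
    else:
        action = "keep"
    return {"path": rec.path, "sensitive": sensitive, "open_perms": open_perms,
            "idle_days": idle, "action": action}


def scan_directory(root: str) -> list:
    """Build FileRecords from a real directory tree (reads up to 4 KB per file)."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                sample = fh.read(4096).decode("utf-8", errors="replace")
            records.append(FileRecord(path, stat.S_IMODE(st.st_mode), st.st_atime, sample))
    return records


# Constructed sample inventory; NOW is fixed so the results are reproducible.
NOW = 1_700_000_000.0
SAMPLE_RECORDS = [
    FileRecord("/share/statements/2018-q1.csv", 0o644,
               NOW - 2000 * SECONDS_PER_DAY, "acct,ssn\n1001,123-45-6789\n"),
    FileRecord("/share/marketing/banner-2017.png", 0o644,
               NOW - 1500 * SECONDS_PER_DAY, "PNG placeholder bytes"),
    FileRecord("/share/hr/onboarding.txt", 0o666,
               NOW - 3 * SECONDS_PER_DAY, "contact: new.hire@example.com"),
    FileRecord("/share/eng/runbook.md", 0o640,
               NOW - 10 * SECONDS_PER_DAY, "# Deploy steps\n"),
]


def triage_all(records=SAMPLE_RECORDS, now=NOW, retention_days=365) -> dict:
    """Map each path to its proposed action."""
    return {r["path"]: r["action"]
            for r in (triage(x, now, retention_days) for x in records)}


if __name__ == "__main__":
    for path, action in triage_all().items():
        print(f"{action:8} {path}")
```

    With the constructed records the five-year-old statement is flagged for archival, the stale marketing image for destruction, the fresh but world-readable HR note for a permissions fix, and the runbook is left alone; the retention window and the action policy are the knobs a real program would set.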

    • 24 min
    Prevention vs. Detection and Containment

    All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-prevention-vs-detection-and-containment/)
    We agree that preventing a cyber attack is better than detection and containment. Then why are the overwhelming majority of us doing detection and containment?
    Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Steve Salinas (@so_cal_aggie), head of product marketing, Deep Instinct.
    Thanks to this week's podcast sponsor, Deep Instinct.

    Deep Instinct is changing cybersecurity by harnessing the power of Deep Learning to prevent threats in zero time. Deep Instinct’s on-device solution protects against zero-day, APT, and ransomware attacks, and against both known and unknown malware, with unmatched accuracy and speed. Find out more about the solution’s wide-covering platform play.

    On this episode of Defense in Depth, you’ll learn:
    • A recent Ponemon study notes that most security professionals agree prevention is a better security strategy than detection and containment. Even so, most security spending goes into detection and containment.
    • By implementing firewalls, patching, and security training, many of us are already doing prevention but may not classify it as such.
    • Prevention is not nearly as expensive as building a detect-and-respond security program.
    • The two halves work in concert. No prevention program can be perfect, which is why you always need a detect-and-contain program as well. The reason you don't go with detect-and-respond alone, without prevention, is that the flood of information would be too much for a security program to handle.
    • There was a strong argument for detect-and-respond because it shows the products you spent money on are actually working. That is not just to humor the security professional; it also gives senior executives some "evidence".
    • A lot of prevention comes down to the individual. Since it's so tough to change people's behavior, there's less friction in just buying another prevention tool to protect people from their own behavior.
    • Prevention tools won't stop attackers who sit dormant on a network waiting to act. Their behavior has to be spotted through detection and containment.

    • 26 min
    Asset Valuation

    All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-asset-valuation/)
    What's the value of your assets? Do you even understand what they are to you or to a criminal looking to steal them? Do those assets become more valuable once you understand the damage they can cause?
    Check out this post for the basis for our conversation on this week’s episode which features me and Allan Alford. Our guest is Bobby Ford, global CISO, Unilever.
    Thanks to this week's podcast sponsor, CyberArk.

    At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.

    On this episode of Defense in Depth, you’ll learn:
    • Allan revised the well-known risk formula (Risk = Likelihood x Impact) to reflect an asset's importance: Risk = Threat plus Vulnerability, as aimed at an Asset.
    • It's hard to get a stakeholder to tell you the value of their assets, so ask the reverse: describe the absolute worst breach scenario. Then the second worst, and so on down until you have a hierarchy of the assets.
    • A business impact analysis (BIA) will also help uncover asset valuation. Allan Alford has a BIA calculator on his site.
    • The simple question "What are you defending?" is one that most business leaders struggle to answer, and they need to be able to answer it often.
    • Once you know what to defend, the next question is how much to defend, and after that whether there is anything that doesn't need to be defended.
    • You may not be able to start this process if you don't know your asset inventory. It should be managed with a discovery tool and multiple iterations of discovery.
    • While you're valuing your own assets, try to make sense of what those assets mean to an attacker. That helps answer the question of "how much to defend".

    • 28 min
    DevSecOps

    All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-devsecops/)
    We know that security plays a role in DevOps, but we've been having a hard time inserting ourselves in the conversation and in the process. How can we get the two sides of developers and security to better understand and appreciate each other?
    Check out this post and this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Sumedh Thakar (@sumedhthakar), president and chief product officer, Qualys.
    Thanks to this week’s podcast sponsor, Qualys.

    Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

    On this episode of Defense in Depth, you’ll learn:
    • It's debatable whether "DevSecOps" should even exist as a term. The argument for it is to make sure security is part of the discussion; security people feel that's redundant.
    • Security is not an additional process. It should be baked in; it's an essential ingredient. But should it really be seen as "embedding", or rather as a partnership? Developers and operations operate as partners.
    • Instead of dumping security tools on developers and just demanding "implement this", security needs to go through the same transition development went through to become part of "Ops".
    • As DevOps looks forward to what's next, how can security do the same?
    • Security is unfortunately seen as an afterthought, which is antithetical to the DevOps philosophy. Security is an innate property that imbues quality in the entire DevOps effort.
    • Security will slow down DevOps. It's unavoidable; not everything can be automated. But if you deliver security in bite-sized chunks you can get to an acceptable level of speed.
    • The business needs to specify the security requirements, since it was the business that specified the speed requirements. That's how we got to DevOps in the first place.

    • 26 min
    Fix Security Problems with What You've Got

    All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-fix-security-problems-with-what-youve-got/)
    Stop buying security products. You probably have enough. You're just not using them to their full potential. Dig into what you've got and build your security program.
    Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Brent Williams (@brentawilliams), CISO, SurveyMonkey.
    Thanks to this week's podcast sponsor, Deep Instinct.

    Deep Instinct is changing cybersecurity by harnessing the power of Deep Learning to prevent threats in zero time. Deep Instinct’s on-device solution protects against zero-day, APT, and ransomware attacks, and against both known and unknown malware, with unmatched accuracy and speed. Find out more about the solution’s wide-covering platform play.

    On this episode of Defense in Depth, you’ll learn:
    • It's very possible you're not using the tools you've purchased to their full potential. What would happen if you completely stopped buying security products and tried to fix your problems with the tools you already own?
    • This is such a popular discussion because, as an industry, we're still struggling with the fundamentals of security.
    • Shelfware happens because we buy before we're ready. Purchase decisions should be made knowing whether you have the staff, and understand the integration points, to implement the solution.
    • Tooling for the lower layers must be dealt with first. You don't need a solution selling a higher layer of security if you don't have the foundation built.
    • Much of this argument is based on the messaging we hear from vendors. They're understandably in the business of selling product, so be cognizant of how you're absorbing information.
    • We also need to focus on people, who are fallible and can make non-malicious but poor decisions.
    • If there is to be any additional spending, the argument was to invest in your people: from the entire staff to specific training for your security staff.

    • 28 min
    Should Risk Lead GRC?

    All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-should-risk-lead-grc/)
    Defining risk for the business. Is that where a governance, risk, and compliance effort should begin? How does risk inform the other two, or does calculating risk take so long that you can't start with it?
    Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Marnie Wilking (@mhwilking), global head of security & technology risk management, Wayfair.
    Thanks to this week’s podcast sponsor, Qualys.

    Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

    On this episode of Defense in Depth, you’ll learn:
    • The model risk = likelihood x impact doesn't take into account the value of assets. Assets have to be valued first, before you calculate risk.
    • Is the reason risk isn't used to lead governance, risk, and compliance (GRC) that it's so darn hard to calculate?
    • Many CISOs say their toughest job starting out is understanding what the crown jewels are and what the board's risk tolerance is.
    • Risk management allows the board to know when you have enough security. Some assets may require eight layers where others may only require one or two.
    • Determining the likelihood of an attack involves a good amount of guesswork. As discussed on a previous episode of the CISO/Security Vendor Relationship Podcast, we don't go back to see how good our risk predictions were. If you want to get better at it, you should; otherwise it will always be guesswork.
    • Even if you can get someone to agree on their risk tolerance, or on which asset is important, getting agreement among a group can be a blocker. Keep in mind that each person will have a different viewpoint and different concerns.
    • Knowing risk appetite is critical. You can apply security controls without knowing it, but then you're providing a uniform security layer across all data, people, and applications when they are not equal in asset value.
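    Going back to check how good past likelihood guesses were, as the episode suggests, is a small exercise once the predictions are written down. The block below is an added example, not code from the podcast or any tool it mentions: it scores a constructed log of annual-likelihood forecasts against what actually happened, using the Brier score (mean squared error of a probability forecast) and a per-forecast calibration table, and compares the result with a constant base-rate guess. The asset names, forecasts and outcomes are all made up.

```python
"""Score past risk-likelihood estimates against observed outcomes.

Added example for the GRC discussion (not the podcast's own code). PREDICTIONS
is constructed sample data: each row is an asset, the annual incident
likelihood that was estimated for it, and whether an incident actually occurred.
"""
from collections import defaultdict

PREDICTIONS = [
    ("crm-db",         0.10, False),
    ("payroll-app",    0.30, True),
    ("public-website", 0.60, True),
    ("hr-fileshare",   0.30, False),
    ("legacy-ftp",     0.80, True),
    ("build-server",   0.10, True),
    ("mail-gateway",   0.60, False),
    ("kiosk-network",  0.10, False),
]


def brier_score(preds):
    """Mean squared error between each forecast and its 0/1 outcome.
    0.0 is perfect; always answering 0.5 scores 0.25."""
    return sum((p - (1.0 if hit else 0.0)) ** 2 for _, p, hit in preds) / len(preds)


def calibration_table(preds):
    """For each distinct forecast value: (count, incidents, observed rate).
    A well-calibrated forecaster's 30% bucket sees roughly 30% incidents."""
    buckets = defaultdict(lambda: [0, 0])
    for _, p, hit in preds:
        buckets[p][0] += 1
        buckets[p][1] += int(hit)
    return {p: (n, hits, hits / n) for p, (n, hits) in sorted(buckets.items())}


def skill_vs_baseline(preds, baseline=None):
    """Fractional improvement over a constant forecast (default: the base rate).
    Positive means the estimates beat guessing the same number for every asset."""
    if baseline is None:
        baseline = sum(1 for _, _, hit in preds if hit) / len(preds)
    ref = sum((baseline - (1.0 if hit else 0.0)) ** 2 for _, _, hit in preds) / len(preds)
    return 1.0 - brier_score(preds) / ref


if __name__ == "__main__":
    print(f"Brier score: {brier_score(PREDICTIONS):.3f}")
    for p, (n, hits, rate) in calibration_table(PREDICTIONS).items():
        print(f"forecast {p:.0%}: {hits}/{n} incidents ({rate:.0%})")
    print(f"skill vs. base rate: {skill_vs_baseline(PREDICTIONS):.3f}")
```

    On the constructed data the Brier score is about 0.246 and the skill over the 50% base rate is roughly 0.015: the forecasts were barely better than writing the same number on every line, which is the guesswork the episode describes. Keeping this kind of log and re-scoring it each year is what turns likelihood estimates into something that can improve.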

    • 24 min

Customer Reviews

5.0 out of 5
32 Ratings

Financialadventure ,

Love this show

This is a great podcast. I listen to it in double speed on my commute. I highly recommend it for all aspiring CISOs to go and think like a cyber leader

Rocco21 ,

A kick to the face with Knowledge!

This podcast is by far my favorite infosec podcast. The in-depth knowledge we are party to from the industry’s best is so invaluable. What I like most is that it gives context to the decisions that shape the workday of those of us on the lower tiers. It also helps shape our thought process into how the work we do every day affects the overarching business decisions that keep our companies at the forefront. For anyone in infosec that has an aspiration to one day be at the top, this podcast is for you.

Omnicron David ,

Great resource for the current security landscape.

I listen every day and learn something new each episode. They have high power guests and the discussions are spirited. Security is a complex concept and this podcast provides clarity for security professionals.