Future of Exposure Management NopSec
Category: Business
The Future of Exposure Management podcast is dedicated to helping security professionals tackle real issues in the vulnerability management space. In each episode, NopSec’s CEO Lisa Xu will interview industry experts and leading practitioners about what can be done to prepare for the future of exposure management. This show is brought to you by NopSec.com
Hussein Syed: Healthcare InfoSec – where we are and where we’re headed
In this episode, we talk with Hussein Syed, CISO of RWJBarnabas Health. Hussein has a wealth of experience in computer science, information systems management, regulatory compliance, and more. To him, the security community’s strength is the people, who come from almost any background imaginable. That diverse background has helped Hussein understand and excel in his role in the healthcare industry – being willing to learn new things is his key to success.
Other topics discussed:
Understanding how data is stored and shared in the healthcare industry
How to ensure security helps protect the progress and development of healthcare innovations
How to prioritize risks according to potential cascading impacts from a breach
The maturity progression of attitudes and tools over time
Ways to collaborate with peers to further understand the needs of each stakeholder
What the future holds and how we can predict the next threats
Jason Loomis: Seeing risk from all sides- holistic vulnerability management
In this episode, we speak with Jason Loomis, CISO of Freshworks. Jason has been in tech for over 20 years, working with companies in fashion, health, finance, and banking. He is passionate about leadership and team-building, which shapes how he approaches vulnerability risk management. Hear him discuss why people and process are at the root of vulnerability risk, how configuration changes can address it, and more.
Other topics discussed:
How system shortcomings from 20 years ago are still creating problems and challenges
Understanding that patches are only one solution to preventing exploitation
How not to get distracted by “celebrity vulnerabilities” and stay focused on the risks that are causing the big problems
Methods to calculate your metrics to determine accountability and ownership of risks
What it means to be mature or immature in corporate policies, processes, and reporting
The importance of CISOs physically talking to people and avoiding screen-only interacting
How to make the best of your tools and understand how they work (or don’t work)
Sailaja Kotra-Turner: How “happy accidents” led to a career in IT
In this episode we speak with Sailaja Kotra-Turner, Global CISO at Brown-Forman. Sailaja became a leader in IT through a series of “happy accidents”: she landed in the industry unexpectedly, thanks to a manager who saw her as a leader and mentors who have supported her along the way. We get into how vulnerability management spans multiple industries that share the same basic tooling, computers and IT systems, all of which have vulnerabilities and each of which carries a different risk footprint.
Other topics discussed:
Most common cyber mistakes that companies make and what we need to take more seriously
Importance of people in vulnerability management and reducing risk
Why education and awareness among employees are key to cybersecurity
How to engage stakeholders so they understand why it’s not just about compliance
Worries and concerns about the future of the industry
Learning from mistakes and using teamwork
Ed Covert: Reducing risk trumps constant patching
In this episode we speak with Ed Covert, Head of Cyber Risk Engineering at Bowhead Specialty Underwriters. Ed started in the mid-1990s doing IT support work for the US military, a role that eventually evolved into a cyber role. We get into how he “made the jump” into the cyber vulnerability world by leaving the safety of the federal government, the only professional environment he had known.
Other topics discussed:
How his wealth of experience has prepared him well for his current role
Importance of asking why your company may need a particular security tool or technology
Why reducing a risk in the first place is a better strategy than constantly patching previous vulnerabilities
Where to place cyber vulnerabilities on the list of priorities
Understanding your data and how that determines what tools you need
How to match the skill sets of employees and what your company needs, and whether degrees are a must
Knowing how your business makes money and how cybersecurity enables profits
Where the world of security fixes and patches is headed
Ed Harris: How to enter and thrive in the infosec industry
In this episode, Ed Harris, Director of Global Information Security at Mauser Packaging, discusses how 32 years of experience have taught him to lead cyber security teams and zero in on the what, why, and how of cyber risk. We hash out how you can enter and thrive in the infosec industry, and how to use your observational skills to deliver top-notch vulnerability management.
Other topics discussed:
The relationship between vulnerability management and knowing your environment
Understanding how vulnerable your data is to identify weaknesses
Identifying vulnerabilities and how they change over time
Determining when to install patches with the least disruption and risk
Communicating and negotiating with businesses about when to apply security patches
Building relationships and trust with clients
Managing external exposure when providing security services
Whether vulnerabilities will ever go away
Jim Scott: How to make security and vulnerability management a priority
In this episode we speak with Jim Scott, Manager of Information Security at Insurance Auto Auctions (IAA). Jim has more than 15 years of diverse experience leading security projects and corporate information initiatives. We get into his early days working in cybersecurity, how it grew into a passion, and why we succeed only when we treat security as more than a technology problem.
Other topics discussed:
The pushback and challenges of making security a priority
The long-term value a company can realize by prioritizing security
How application security and vulnerability management are constantly changing
Relationships between the business and security, and how to bridge the differences
Overcoming the perception that security is not a “revenue generator”
How to speak to clients in relatable and non-technical terms
Respecting failure and using it as a tool for learning
Whether we have enough people working in vulnerability management
How to measure the ROI of vulnerability management (and whether it is even measurable)