Defense in Depth

All links and images for this episode can be found on CISO Series In the cyber industry we pat each other on the back and give each other awards, all while the statistics for breaches appear to be worsening, Are we celebrating growing failure? Does the cyber industry suck? Check out this post for the discussions that are the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Fredrick Lee (AKA "Flee") (@fredrickl), Flee, CSO, Gusto. Thanks to our podcast sponsor, Cymulate The Ultimate Guide to Security Posture Validation: Learn how to effectively measure and reduce risk through continuous validation of your enterprise's security posture. Download the playbook here. In this episode: We ask if our very own industry, ourselves, are the ones to blame for our constant woes? Where do we stand in accepting fault and responsibility for the industry's continued problems? Are the companies to blame for not taking IT seriously within their organizations? Are industry awards just fluff for patting each other on the back?

All links and images for this episode can be found on CISO Series For some, the definition of zero trust has expanded from how we grant access to networks, applications, and data to how we trust individuals in the real world. Are we taking zero trust too far? Check out this post for the discussions that are the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Thomas Doughty, CISO, Prudential Financial. Thanks to our podcast sponsor, Netfoundry NetFoundry, built on OpenZiti, is the only solution purpose-built to connect massively distributed apps, edges, clouds and devices in minutes, ensuring zero trust of the internet, local and OS host network and delivered as SaaS. Isolating the app to make network security irrelevant and remove the pain of public DNS, VPNs, bastions, as well as complex firewall rules. In this episode: We ask if we're taking the concept of zero-trust too far. We try to distinguish between where do we have to trust and where do we have to implement zero trust principles? Differentiating between humans and machines when it comes to trust. And is zero trust supposed to be a silver bullet or a cure-all?

All links and images for this episode can be found on CISO Series Developers and security professionals have been heavily sold on the concept of "shift left" or deal with security issues early in development rather bolting it on at the end. It all made logical sense, but now we've been doing it for a few years and has shift-left actually reduced application security concerns? Check out this post, this post, and this post for the discussions that are the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Mike Gorman (@gormamic), head of security and compliance, NetFoundry. Thanks to our podcast sponsor, Netfoundry NetFoundry, built on OpenZiti, is the only solution purpose-built to connect massively distributed apps, edges, clouds and devices in minutes, ensuring zero trust of the internet, local and OS host network and delivered as SaaS. Isolating the app to make network security irrelevant and remove the pain of public DNS, VPNs, bastions, as well as complex firewall rules. In this episode: We look at dealing with security issues early in development rather than bolting it on at the end. We ask whether or not application developers and security professionals are actually reducing security issues with "shift left" framework. And do they actually reduce or even eliminate the need for other security controls?

All links and images for this episode can be found on CISO Series Do we have a Monitgue/Capulet rivalry between technical and compliance professionals? Why is this happening, and what can be done to improve it? Does it need to be improved? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Linda White, director of InfoSec, Axiom Medical. Thanks to our podcast sponsor, Netfoundry NetFoundry, built on OpenZiti, is the only solution purpose-built to connect massively distributed apps, edges, clouds and devices in minutes, ensuring zero trust of the internet, local and OS host network and delivered as SaaS. Isolating the app to make network security irrelevant and remove the pain of public DNS, VPNs, bastions, as well as complex firewall rules. In this episode: We look at the Monitgue/Capulet rivalry between technical and compliance professionals. Is there a solution to this never-ending feud? And what can be done to improve relations?

All links and images for this episode can be found on CISO Series Why do we end up with so many bad security products? Who is to blame and how can we fight back an ecosystem that may be fostering subpar products? Check out this post for the discussions that are the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is Haroon Meer (@HaroonMeer), founder and researcher, Thinkst Canary. Thanks to our podcast sponsor, Thinkst Canary Most Companies find out way too late that they've been breached. Thinkst Canary changes this. Deploy Canaries in minutes and then forget about them. Attackers tip their hand by touching 'em giving you the one alert, when it matters. With 0 admin overhead and almost no false-positives, Canaries are deployed (and loved) on all 7 continents. In this episode: Is the cybersecurity ecosystem giving a rise to subpar products? Why are so many security products implemented poorly How important is vendor feedback?

All links and images for this episode can be found on CISO Series What are you doing to prepare for the next cyber disaster? You must train for it, because when it happens, and it will happen, everyone should know what they need to do. Check out this post for the discussions that are the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Roland Cloutier (@CSORoland), CISO, TikTok. Thanks to our podcast sponsor, Keyavi Data that protects itself? Now it does! We made data so smart it can think for itself. Secure itself. Stay continually aware of its surroundings. Control where, when and who is allowed access. And automatically report back to its owner. This changes the entire cybersecurity paradigm. Learn how. In this episode: What is the importance of cyber crisis management and training? What are the best ways to prepare for a cyber disaster? How to build exercises and training into a successful cybersecurity culture?

All links and images for this episode can be found on CISO Series What if you didn't spend all your time patching vulnerabilities but instead created a security policy that prevented known vulnerabilities from being exploited. How doable is this solution of virtual patching? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Ody Lupescu, CISO, Ethos Life. Thanks to our podcast sponsor, Araali Networks Managing vulnerabilities at the speed and scale of the cloud is challenging, especially when the implications of a single mistake gives attackers an asymmetric advantage over defenders. Araali allows your security teams to resilient patch and monitor the most valuable apps and services so they cannot be exploited even if they are vulnerable. To learn more, visit araali. In this episode: What is virtual patching really? Is it a misnomer? What gets missed when it comes to virtual patching? Looking at a comprehensive approach to virtual patching.

All links and images for this episode can be found on CISO Series A 500+ person company doesn't have a security department. They need one and they need to convince the CEO they need one. How do you build a cybersecurity team and program from scratch? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Rishi Tripathi (@ris12hi), CISO, Mount Sinai Health System. Thanks to our podcast sponsor, Tines Tines was founded by experienced security practitioners who cared about their teams. When they couldn't find an automation platform that delivered, they founded a company and built their own. A few years later, customers like Coinbase, McKesson, and GitLab run their most important security workflows on Tines – everything from phishing response to employee onboarding. To learn more, visit tines.com. In this episode: How to go about measuring risk? Leveraging compliance to get the point across. What needs to be considered to make a program uniquely geared to your company's needs?

All links and images for this episode can be found on CISO Series "If you want to catch a cybercrook, you need to think like one." But how do you actually go about thinking like a cybercriminal? What's the actual process? Check out this post and this post for the discussions that are the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Brian Brushwood (@shwood), creator of Scam School and World's Greatest Con. Plus he's launched multiple channels with millions of subscribers and multiple number one comedy albums. Plus, he's a touring magician. He's our first non-cyber professional guest, but he is so perfect for this episode. Thanks to our sponsor, Varonis On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to "Zero Trust." Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries. In this episode: How much does actively thinking like a crook help build your cyber defenses? How do you actually go about thinking like a cybercriminal How do you break down their process?

All links and images for this episode can be found on CISO Series Could you build a data-first security program? What would you do if you focused your security program on just the asset? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Brian Vecci (@brianthevecci), field CTO, Varonis. Thanks to our sponsor, Varonis On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to "Zero Trust." Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries. In this episode: Do I know where my sensitive data lives? How can I tell? Why do all the tools that try to classify data fail miserably? How much should we teach the data owners about risks in collecting and storing the information?