Defense in Depth

All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-how-much-log-data-do-you-need You're a CISO struggling with an influx of log data into your SIEM. What's the data you want to keep, and for how long? You want insights, but you also want to keep costs down. Holding onto everything is going to cost a fortune. Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, deputy CISO, Levis, and our guest Naomi Buckwalter (@ineedmorecyber), director of information security and IT at Beam Technologies . Thanks to our podcast sponsor, TrustMAPP Does your board want to see yet more heat maps? No, they do not. They want to see that security investments align with business goals, and that their costs are objectively justified. TrustMAPP's data visualization helps you communicate with your board in a way they can understand – and approve. In this episode So, what is the sweet spot for retaining log files? 90 days? 1 year? Should you categorize according to business criticality? How do you separate the "junk" from the valuable data?

All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-should-finance-or-legal-mentor-cyber Cybersecurity leaders are constantly looking for ways to improve how they think about risk, and how they communicate risk. But they're not the only ones. Others have been managing risk long before CISOs existed. So, who could be the best mentor to help a CISO gain better insight into business risk and how to communicate about it: the chief financial officer, or the legal department's general counsel? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest, David Schellhase (@davidschellhase), general counsel, Slack. Thanks to our podcast sponsor, TrustMAPP TrustMAPP delivers Security Performance Management, giving CISOs a real-time view of the effectiveness of their security program. TrustMAPP tells you where you are, where you're going, and what it will take to get there. TrustMAPP gives organizations the ability to manage security as a business, quantifying and prioritizing remediation actions and costs. To learn about the MAPP methodology, download the white paper at https://trustmapp.com/mapp-paper/ In this episode Which executive could a CISO learn more about risk? Determining ROI of finance, legal and other execs Analyzing why its so important to establish the ideal mentorship relationship

All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-data-destruction How do you deal with data at end of life? Holding onto data too long can be very costly and increase risk. So how do you get rid of it... safely? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Shawn Bowen, CISO, Restaurant Brands International (RBI), and our sponsored guest, Frank Milia, partner, (@ITAssetRecvry), IT Asset Management Group. Thanks to our podcast sponsor, IT Asset Management Poorly managed IT asset disposal, lack of due diligence, and a disposal program without clearly defined responsible parties has now resulted in millions of dollars in regulatory penalties. Is it clear who is responsible for the performance of your data disposition practice? IT Asset Management Group's free program guide includes tips for establishing stakeholders at your organization and expectations for all practitioners. Download the program guide today at itamg.com/CISO In this episode Is the risk of holding onto data greater than the value of keeping it? Should client data be considered a "toxic byproduct"? When disposing of client data, how much destruction is enough? What legal and regulatory requirements should be considered before destroying data?

All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-how-to-make-cybersecurity-more-efficient/ You're a new CISO told to hold headcount even and find the resources to do 20% more work. We're already maxed out. So how do we do more? Coming up next we're getting smart and more efficient with security. Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Steve Zalewski, Deputy CISO, Levis, and our guest, Mike Morgan, (@theywerecones) head of information security, infrastructure director, Foster Farms Thanks to our podcast sponsor, IT Asset Management Group Poorly managed IT asset disposal, lack of due diligence, and a disposal program without clearly defined responsible parties has now resulted in millions of dollars in regulatory penalties. Is it clear who is responsible for the performance of your data disposition practice? IT Asset Management Group's free program guide includes tips for establishing stakeholders at your organization and expectations for all practitioners. Download the program guide today at itamg.com/CISO In this episode Improving processes right from the beginning of the pipeline Looking for waste - and knowing what "waste" is Doing more with less means at some point, something important will break Delegating and crossing over skills Watching out for IT sprawl and "new fangled" solutions

All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-does-a-ciso-need-tech-skills Does a CISO need technical skills to be an effective cybersecurity leader? Many CISOs don't have them. Are they still effective and does it affect their ability to lead? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, and guest co-host Ben Sapiro, (@ironfog), CISO, Great-West LifeCo, and our guest, Zach Powers, CISO, Benchling. Thanks to our episode sponsor, IT Asset Management Group Poorly managed IT asset disposal, lack of due diligence, and a disposal program without clearly defined responsible parties has now resulted in millions of dollars in regulatory penalties. Is it clear who is responsible for the performance of your data disposition practice? IT Asset Management Group's free program guide includes tips for establishing stakeholders at your organization and expectations for all practitioners. Download the program guide today at itamg.com/CISO. In this episode Why having the skills helps with realistic expectations Being able to see through the nonsense The value of staying passionate about the profession

All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-how-do-you-know-if-youre-good-at-security/ What metrics or indicators signal to you that an organization is "good at security"? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Justin Berman (@justinmberman), former CISO, Dropbox. Thanks to our podcast sponsor, Imperva Face it, your data is everywhere! Imperva Data Security unifies compliance, security and privacy needs for any data store while saving you time and money. No matter where data lives, get confidence about what is happening with data, where it's stored and who's accessing it. Start a free trial now. In this episode How do go about measuring risk Assessing the ratio of critical/high severity issues to issues closed The difference between a reactive or proactive threat management policy

All links and images for this episode can be found on CISO Series You're a new CISO at a new org given a headcount of ten to build a cybersecurity team. What's your strategy to build that team? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Steve Zalewski, Deputy CISO, Levis, and our guest JJ Agha (@jaysquaredx2), CISO, Compass. Thanks to our podcast sponsor, Imperva Face it, your data is everywhere! Imperva Data Security unifies compliance, security and privacy needs for any data store while saving you time and money. No matter where data lives, get confidence about what is happening with data, where it's stored and who's accessing it. Start a free trial now. In this episode The importance of assessments and gap analyses Why you need to leveraging your network Educating and empowering teams Introspection and self-awareness as a leader

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-are-our-data-protection-strategies-evolving/) As we're evolving from putting data on premises to the cloud, are our data protection strategies evolving as well? There are issues of securing data, knowing where it travels, and privacy implications of data. How are we handling all of that? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest, Chris Brown, senior director, data security at Imperva. Thanks to our podcast sponsor, Imperva. Face it, your data is everywhere! Imperva Data Security unifies compliance, security and privacy needs for any data store while saving you time and money. No matter where data lives, get confidence about what is happening with data, where it's stored and who's accessing it. Start a free trial now. In this episode Cloud platforms and exposure make it easier to deploy with less oversight, making mistakes easier. There's a need for a change of mindset of product and marketing leaders to consider consequences of taking in different data types in the design phase. There's also a need for SIEM tools and access management.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-should-cisos-be-licensed-professionals/) Many professionals are required to obtain a license before they can do their job legally. The demands of cybersecurity professionals, especially CISOs, has become more critical as evidenced by the increasing number of regulations demanding a person oversee security and privacy controls. Should CISOs be licensed to maintain a minimum standard? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Patrick Benoit (@patrickbenoit), vp, global head of GRC and BISO, CBRE. Thanks to this week's podcast sponsor, F5 External threats to your organization's security are constantly evolving. Your apps need broad and preventive protection from bot attacks that cause large-scale fraud, higher operational costs, and problems for your users. And they need to be optimized for secure operation internally. Silverline Shape Defense helps you stay ahead of cyber threats and fraud. Get a free trial. Highlights from this episode of Defense in Depth: Almost universally, nobody liked the idea of requiring a CISO to have a license in order to practice. But, with that said, the subject stirred up a hornet's nest of discussion. Main complaint is the job changes so drastically depending on what industry you're in. Many argued that a license won't translate into success. Hard to tell how to put a license around someone who is managing risk, but doesn't own the risk.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-inherently-vulnerable-by-design/) Much of what we do as practitioners is to prevent inadvertent security problems - oversights, zero-days, etc. What about inherent and unavoidable problems? When the very design of the thing requires a lack of security? What do you do then? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest is Dan Woods, vp of the Shape Intelligence Center, F5. Thanks to this week's podcast sponsor, F5. External threats to your organization's security are constantly evolving. Your apps need broad and preventive protection from bot attacks that cause large-scale fraud, higher operational costs, and problems for your users. And they need to be optimized for secure operation internally. Silverline Shape Defense helps you stay ahead of cyber threats and fraud. Get a free trial. On this episode of Defense in Depth, you'll learn: The mere act of conducting business requires you to have certain procedures that would make you vulnerable. Simple things like taking customer information to create user accounts and processing credit cards. That's inherent to doing business, and by opening that up, it makes you vulnerable. A lot of this inherent vulnerability comes down to having users or customers and needing to authenticate them. When you start a business you're also accepting the inherent vulnerability and you have to ask yourself to what level can the business function having that vulnerability abused? It's all about risk appetite. Two factor authentication sure is nice, but there has to be multiple "behind the scenes" authentications going on to verify identity continuously. As you're collecting all these additional data points you can use that information to ask the user to verify. Provide discounts to customers and users for good security practices. Insurance companies do this with people who prove safe driving practices. It could be a win-win for everybody. For example, with Mailchimp, they give you a discount if you enable 2FA. Why not offer a discount for a really long and complicated password? One of the major issues is the password reset process happens through email. Email wasn't designed for critical authentication. Many hacks happen through the reset process via email.