Defense in Depth

David Spark, Steve Zalewski, Geoff Belknap
Apr 30, 2020 • 27min

DevSecOps

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-devsecops/)

We know that security plays a role in DevOps, but we've been having a hard time inserting ourselves into the conversation and into the process. How can we get the two sides, developers and security, to better understand and appreciate each other? Check out this post and this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Sumedh Thakar (@sumedhthakar), president and chief product officer, Qualys.

Thanks to this week's podcast sponsor, Qualys. Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

On this episode of Defense in Depth, you'll learn: It's debatable whether the term "DevSecOps" should even exist. The argument for the term is to make sure that security is part of the discussion, but security people feel that's redundant. Security is not an additional process. It should be baked in. It's an essential ingredient. But should it really be seen as "embedding" or rather as a partnership? Developers and operations operate as partners. Instead of dumping security tools on developers and just demanding "implement this", security needs to go through the same transition development had to go through to become part of "Ops". As DevOps looks forward to what's next, how can security do the same? Security is unfortunately seen as an afterthought, and that's antithetical to the DevOps philosophy. Security is an innate property that imbues quality in the entire DevOps effort. Security will slow down DevOps. It's unavoidable. Not everything can be automated. But if you deliver security in bite-sized chunks, you can get to an acceptable level of speed. The business needs to specify the security requirements, since they were the ones who specified the speed requirements. That's how we got to DevOps in the first place.
Apr 23, 2020 • 28min

Fix Security Problems with What You've Got

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-fix-security-problems-with-what-youve-got/)

Stop buying security products. You probably have enough. You're just not using them to their full potential. Dig into what you've got and build your security program. Check out this post for the basis of our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Brent Williams (@brentawilliams), CISO, SurveyMonkey.

Thanks to this week's podcast sponsor, Deep Instinct. Deep Instinct is changing cybersecurity by harnessing the power of deep learning to prevent threats in zero time. Deep Instinct's on-device solution protects against zero-day, APT, and ransomware attacks, and against both known and unknown malware with unmatched accuracy and speed. Find out more about the solution's wide-covering platform play.

On this episode of Defense in Depth, you'll learn: It's very possible you're not using the tools you've purchased to their full potential. What would happen if you completely stopped buying security products and tried to fix your problems with the tools you've already purchased? The reason this is such a popular discussion is that, as an industry, we're still struggling with managing the fundamentals of security. Shelfware happens because we buy before we're ready. Purchase decisions should be made in conjunction with knowing whether you have the staff and understand the integration points to implement the solution. Tooling for the few layers must be dealt with first. You don't need a solution selling a higher layer of security if you don't have the foundation built. Much of this argument is based on the messaging we hear from vendors. They're understandably in the business of selling product. Be cognizant of how you're absorbing information. We also need to focus on the people, who unfortunately are fallible and can make non-malicious but poor decisions. If there was going to be any additional spending, the argument was to invest in your people, from the entire staff to specific training for your security staff.
Apr 16, 2020 • 25min

Should Risk Lead GRC?

Marnie Wilking, Global Head of Security & Technology Risk Management at Wayfair, brings IRM experience aligning security to business goals. She discusses valuing assets before calculating likelihood. Conversations cover why risk is hard to quantify, getting stakeholder consensus, BIA-light workshops, and using risk to drive meaningful governance and compliance decisions.
Apr 9, 2020 • 25min

Responsible Disclosure

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-responsible-disclosure/)

Security researchers and hackers find vulnerabilities. What's their responsibility in disclosure? What about the vendors when they hear about the vulnerabilities? And do journalists have to adhere to the same timelines? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Tom Merritt (@acedtect), host, Daily Tech News Show.

Thanks to this week's podcast sponsor, Qualys. Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

On this episode of Defense in Depth, you'll learn: Manufacturers, software companies, researchers, hackers, and journalists all play a role in responsible disclosure. Vulnerabilities will exist, they will be found, and how companies want to be alerted about those issues and inform their public are key elements in the process of responsible disclosure. While there are CERT guidelines for responsible disclosure, there are no real hard and fast rules. There will always be judgement calls involved. But like the doctor's Hippocratic Oath, the goal is to minimize harm. You can't announce a vulnerability without offering a fix. It's opening the door for the bad guys to come in and cause havoc. There is a long history of how vulnerabilities have been disclosed. It was often a surprise, and often malicious. The trend of responsible disclosure and bug bounties has given rise to the legitimacy of white hat hackers and the process of exposing vulnerabilities. One listener argued that the term "responsible disclosure" implies a moral judgement. He argued that it should be referred to as "coordinated disclosure." There is still frustration on multiple sides with how responsible disclosure should be handled. Researchers sometimes argue they're not getting recognized or paid. Companies often feel extorted by researchers who want answers on their timelines. And journalists have to weigh the importance and criticality of a vulnerability. Should they let people know about it even if there really isn't a good fix yet?
Apr 2, 2020 • 29min

Internet of Things

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth:-internet-of-things/)

When Internet of Things or IoT devices first came onto the market, security wasn't even a thought, let alone an afterthought. Now we're flooded with devices with no security, and their openness and connectivity are being used to launch malicious attacks. What are the methods to secure environments today, and how should these IoT devices be secured in the future? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Josh Corman (@joshcorman), founder of I Am The Cavalry.

Thanks to this week's podcast sponsor, Pulse Secure. Pulse Secure offers easy, comprehensive solutions that provide visibility and seamless, protected connectivity for hybrid IT in a Zero Trust world. Over 20,000 enterprises entrust Pulse Secure to empower their mobile workforce to securely access applications and information in the data center and cloud while ensuring business compliance.

On this episode of Defense in Depth, you'll learn: For years, manufacturers didn't consider device security. As a result, attackers have used insecure devices like connected webcams to gain entry into a corporate network. If you're manufacturing devices, then make security and patches a top concern even after end-of-life support. There's a big gap between public trust and the reality. Almost all people trust manufacturers to secure their devices. The reality is most manufacturers aren't securing their devices. While we've seen webcams used to launch distributed denial of service (DDoS) attacks, the greatest concern is a similar-style attack being launched against industrial IoT. The discussion of IoT security goes beyond the security of devices. We know there are devices with zero security connected to our network. This is where a larger discussion of zero trust and defense-in-depth-style security programming comes into play. We have a growing number of unmanaged devices: devices that are just always on and connected to the Internet, providing simple functions like reading their environment. How much responsibility do manufacturers have for the security of their devices after they've been purchased and shipped? They can create updates and patches, but they can't enforce them.
Mar 26, 2020 • 27min

Is Governance the Most Important Part of GRC?

Mustapha Kebbeh, CISO at Brinks, shares his deep insights on the intersection of governance, risk management, and compliance (GRC). He emphasizes that strong governance practices are essential for meaningful GRC programs. Without effective leadership, achieving compliance becomes challenging. The discussion covers how actionable and accountable policies drive successful outcomes and the significance of integrating stakeholder perspectives for cohesive risk management. Discover how prioritizing governance can help organizations navigate the complexities of cybersecurity.
Mar 19, 2020 • 25min

Who Should the CISO Report To?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-who-should-the-ciso-report-to/)

Who should the CISO report to? What factors determine that decision? And why is that single decision so critical to a company's overall security? Check out this post for the basis of our conversation on this week's episode, which features me and special guest co-host Yaron Levi (@0xL3v1), CISO, Blue Cross Blue Shield of Kansas City. Our guest is Gary Harbison, vp, global CISO, Bayer.

Thanks to this week's podcast sponsor, IBM Security. IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research, provides security solutions to help organizations stop threats, prove compliance, and grow securely. IBM operates one of the broadest and deepest security research, development and delivery organizations. It monitors more than two trillion events per month in more than 130 countries and holds more than 3,000 security patents.

On this episode of Defense in Depth, you'll learn: We're having this discussion because, as Allison Berey, M:CALIBRATE explained, "Wrong reporting lines can mean poor decision-making." There are no definitive answers as to what the reporting line should be. The final answer in this discussion was "it depends." A CISO's placement within an organization should depend on where a company derives its value. All companies say security is important. How they place the CISO within the reporting structure, and the influence they have on the organization, is very telling as to whether the company truly does value security. There was a lot of concern about reporting to C-level executives other than the CEO, as the CISO's concerns could play second fiddle to a CFO, CIO, or CRO's primary desires. Many felt the most desirable reporting line was CISO-to-CEO. But, assuming every department is dealing with some sort of business risk, don't they all have the right to report to the CISO? Where do you draw the line?
Mar 12, 2020 • 28min

Hybrid Cloud

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-hybrid-cloud/)

The consistency of your security program becomes a challenge once you introduce the cloud. Controls and visibility are not necessarily transferable. How do you maintain the control you want in a hybrid environment? Check out this post for the basis of our conversation on this week's episode, which features me, special guest co-host Taylor Lehmann (@BostonCyberGuy), vp, CISO, athenahealth, and our sponsored guest, Chris Meenan (@chris_meenan), director, offering management and strategy, IBM Security.

Thanks to this week's podcast sponsor, IBM Security. IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research, provides security solutions to help organizations stop threats, prove compliance, and grow securely. IBM operates one of the broadest and deepest security research, development and delivery organizations. It monitors more than two trillion events per month in more than 130 countries and holds more than 3,000 security patents.

On this episode of Defense in Depth, you'll learn: Moving to the cloud, like any other technology initiative, is a business decision. What controls are you ceding to the cloud provider? What service level agreements (SLAs) and performance measurements do you have for the provider? Be realistic about what's going to be done if a service provider violates the SLA. You're not going to all of a sudden dump the provider. You're going to put some types of corrections in place. Make sure you know what those are and how they can be handled, realistically. Understand your shared responsibility in the cloud. According to a report by FireMon on hybrid cloud use and adoption, about one-third do not fully understand the shared responsibility model of the cloud. Start slow. While you may need to go with multiple cloud providers to fill distribution and requirements, begin with one and learn from that experience. Use cloud adoption as an excuse to join forces with your privacy team to understand where data is being placed and what control you have over it. Cloud providers are not interchangeable like a utility. Cloud providers are chosen based on the services they offer.
Mar 5, 2020 • 29min

CISO Tenure

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ciso-tenure/)

The CISO has the shortest tenure of any C-level role. Why so brief? Is it the pressure, the responsibility, the opportunities, or all of the above? Check out this LinkedIn discussion to read the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), producer of CISO Series, and guest co-host Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers. Our guest is John Meakin, CISO, Equiniti.

Thanks to this week's podcast sponsor, IBM Security. IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research, provides security solutions to help organizations stop threats, prove compliance, and grow securely. IBM operates one of the broadest and deepest security research, development and delivery organizations. It monitors more than two trillion events per month in more than 130 countries and holds more than 3,000 security patents.

On this episode of Defense in Depth, you'll learn: There's a lot of confusion as to what a CISO needs to do. All job descriptions for CISOs are different. There are humans behind the data, and as a result CISOs are tasked with protecting the humans. CISOs can improve their tenure if they seek out a business mentor to allow them to better support the business. CISOs who aren't able to communicate clearly will not last long. It's a CISO's job to communicate in the language of the business, not the other way around. Before the CISO ever arrives, there's a business culture. There's always going to be a natural pushback from the business: "Why are you making us change?" A simple walk around the office can resolve a lot of uncertainty. If employees start asking questions about their personal security, that's a good sign the CISO has successfully inserted security into the business culture. Another huge factor that impacts CISO tenure is the increase in opportunities. Regulations and privacy laws are pushing companies to get CISOs to provide much-needed oversight. What does the reporting structure in your organization mean with regard to the CISO being heard at the executive and board level?
Feb 27, 2020 • 26min

Toxic Security Teams

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-toxic-security-teams/)

There's an endless number of variables that contribute to creating a toxic security team. How does it happen, and what are the ways to manage and eradicate the toxicity? Check out this LinkedIn discussion to read the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Jinan Budge (@jinan_forrester), principal analyst serving security & risk professionals at Forrester.

On this episode of Defense in Depth, you'll learn: Toxic security teams happen because of tribalism, not just within security but across all departments. Security is seen as an expense and an IT problem, and many don't think it's everyone's issue. One core issue is the lack of a security culture and management simply not supporting the InfoSec team's efforts. There are many ways a security team's culture can become toxic. The issues are so numerous that it seems more of a challenge to prevent a team from its natural tendency to go sideways. The hero mentality of one individual, who thinks only he or she can solve the problem, can poison an entire group. It can be argued that it's an issue of ego, but many see it as insecurity. Often the individual needs to prove themselves, to themselves and to others, in order to maintain their cybersecurity rockstar status. A toxic security team will have a very hard time hiring new staff. People will leave and tell others you don't want to work there. If you have a diverse team and there's toxicity, the team won't last. There's an enormous cost to disengaged employees.