Aww, Your Cybersecurity Concerns Are So Adorable (LIVE in San Diego)
CISOs face a tough task. They must manage risk, but surveys show they feel increasing pressure to downplay those risks to the board. So, how does a CISO do their job without getting dismissed as a buzzkill?
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Gary Hayslip, CISO, SoftBank Investment Advisers. Joining us is Keith McCartney, VP, security and IT, DNAnexus.
This episode was recorded in front of a live audience at the Planet Cyber Sec show in La Jolla, California, hosted by Layer 8 Masters.
Closing the Credibility Gap
CISOs need to avoid being perceived as alarmist while communicating cyber risks to the board. A recent Trend Micro study found that many boards dismiss their CISOs’ warnings out of hand. That doesn’t help anyone. The key is presenting cyber risk management as part of the overall business strategy, emphasizing support for business operations, innovation, and risk reduction rather than focusing solely on potential disasters. Effective communication means framing cyber risks within the context of the business’s broader concerns, using a balanced approach like a “compliment sandwich,” and having a mentor to help refine the message.
Clarifying the Role of Security Engineering
Ask CISOs in different industries, “What is security engineering?” and you’ll get varied definitions, ranging from architecture and programming to system administration. The cybersecurity subreddit recently highlighted a bevy of examples. This is largely because the role evolves based on the needs of the business and the environment. Security engineers must be adaptable, acting as advisors who understand the various business components they’re supporting, such as marketing or software development. This adaptability makes the role varied but essential in managing company-specific security needs.
Building Resilience at Scale
Cybersecurity is increasingly focused on resilience. It’s a noble goal, but can we get there? It’s easy to talk about building anti-brittle systems, as Bruce Schneier did in a recent blog post. However, not every organization can operate properly with tools like Netflix’s Chaos Monkey, which deliberately terminates production instances so that engineers are forced to build services that tolerate failure. While testing and simulating failures is valuable, scaling that approach across every system remains challenging. Building resilience requires prioritizing which components need redundancy based on cost and business need. The idea of playing an “infinite game,” focusing on long-term resilience rather than short-term wins, is a strategic mindset for security leaders.
AI Frameworks and Cybersecurity
CISOs love frameworks. They are a critical tool for pushing compliance conversations forward as organizations attempt to manage risk. For AI, we already have many options covering either governance or technical implementation, as outlined by Google’s Sita Lakshmi Sangameswaran in a recent Medium post. There is a temptation to create still more frameworks to keep up with this technology’s rapid change. Instead, an existing one should be selected based on the problem being addressed. Whichever framework is chosen must also account for AI-specific risks, such as over-reliance on the technology. CISOs need a deep understanding of AI to manage these new challenges effectively.
Thanks to Richard Greenberg, CISSP, of Layer 8 Masters; Emily O'Carroll, field CISO of GuidePoint Security; Haral Tsitsivas of Arlo Technologies, Inc.; and Matt Stamper, CIPP/US, CISA, CISM, CRISC, CDPSE, QTE, of Executive Advisors Group, LLC. Thanks to Entro Security.
Listen to the full episode on our blog, where you can also read the entire transcript, or on your favorite podcast app. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Huge thanks to our sponsor, Entro Security
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Best advice I ever got in security…
"Gosh, it had to be skipping out on empathy. We had a big project, we needed IT support to get a vulnerability management client rolled out. They had to do their own server hardening. We thought this was great, do both of them at once. They did not agree. Wish I would have put myself in their shoes." - Keith McCartney, VP, security and IT, DNAnexus
Listen to the full episode of "Aww, Your Cybersecurity Concerns Are So Adorable (LIVE in La Jolla)."
Are Security Awareness Training Platforms Effective?
"I feel like security awareness training is part of my overall security program. It is not mutually exclusive, right? It comes to layer in defense, right? You got to have your tools and platforms to prevent the phishing attack to come in place to your users or your inbox, but you still need to have your users be aware of what they should and should not be doing, right?" - Sharon Milz, CISO, Time Inc.
Listen to the full episode of "Are Security Awareness Training Platforms Effective?"
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
LIVE! No Cyber Security Headlines - Week in Review This Week!
In observance of the Thanksgiving holiday weekend, there will be no Cyber Security Headlines Week In Review show this Friday, November 29, 2024.
Join us Friday [12-06-24], for "Hacking the AI Supply Chain"
Join us Friday, December 6, 2024, for “Hacking the AI Supply Chain: An hour of critical thinking about what's new and familiar about securing the foundations of your AI applications.”
It all begins at 1 PM ET/10 AM PT on Friday, December 6, 2024, with guests Niv Braun, co-founder and CEO, Noma Security, and Caleb Sima, builder, WhiteRabbit. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Noma Security
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship, contact me, David Spark.
Comment (2 weeks ago) from a reader (CISO | Founder | Navy Veteran | Non-Executive Director): "Thank you David Spark and team, terrific newsletter as ever. I really appreciate the insights."