Everyone Has a Zero-Trust Plan Until They Get Punched in the Face
As a principle, zero trust can be taken for granted as a best practice. But the reality is that many aspects of IT infrastructure, from legacy systems to IoT, were architecturally never designed with zero trust in mind. So how do you manage creating a zero-trust environment where numerous endpoints don't allow for it?
This week’s episode is hosted by me, David Spark, producer of the CISO Series, and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest, Danny Jenkins, CEO, ThreatLocker.
The limits of zero-trust
When is zero trust not enough? As Maria Korolov noted on CSO Online, areas like legacy systems, pervasive IoT devices, and third-party services do not inherently support zero-trust principles. While zero trust is ideal, practical implementation often requires adaptation, such as micro-segmentation, especially in non-cloud environments with specific latency and connectivity requirements. These exceptions can still benefit from a least-privilege methodology using nuanced approaches, like ring-fencing to minimize access and permissions, ensuring operational continuity without compromising security.
Pentesting for SMBs
Small and medium-sized businesses don’t have the resources for internal pentest teams, so how do they outsource? It’s simple. Find exposed vulnerabilities that need to be patched and avoid simple mistakes, such as leaving unnecessary ports open or passwords in configuration files, as Vicente Aceituno Canal noted on Medium. What sounds simple still requires rigorous pen testing. Rotating secondary pen testers every few months can bring fresh perspectives and insights, preventing the same threats from being repeatedly overlooked. Also, don’t forget the importance of networking with other CISOs. This can be invaluable when selecting a pen testing provider and avoiding firms with poor communication.
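The "passwords in configuration files" mistake mentioned above is one a pen tester (or the internal team, before the tester arrives) can catch with a quick scan. The following is an added example, not code from the article or any vendor: a small scanner that flags credential-looking keys and passwords embedded in connection URLs, skips comments and obvious placeholders such as `${VAR}` or `changeme`, and masks what it finds so the report itself does not leak the secret. The file contents are constructed samples, and the key-name heuristics are a starting point rather than a complete secret-detection ruleset.

```python
"""Scan configuration files for hard-coded credentials.

Added example, not the article's or any vendor's code. File contents are
constructed samples; the key-name heuristics are illustrative, not exhaustive.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# A key whose name suggests a credential, followed by = or : and a non-empty value.
KEY_PATTERN = re.compile(
    r"""^\s*(?P<key>[A-Za-z0-9_.\-]*(?:passw(?:or)?d|secret|token|api[_-]?key)[A-Za-z0-9_.\-]*)"""
    r"""\s*[:=]\s*["']?(?P<value>[^"'\s#]+)""",
    re.IGNORECASE,
)
# scheme://user:password@host, the usual place a DSN leaks a password.
URL_CRED = re.compile(r"[a-z][a-z0-9+.\-]*://[^/\s:@]*:(?P<password>[^@\s]+)@", re.IGNORECASE)
# Values that are references or obvious placeholders rather than real secrets.
PLACEHOLDER = re.compile(
    r"^(\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|<[^>]+>|changeme|x{3,}|\*+)$", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    key: str
    masked_value: str
    kind: str


def mask(value: str) -> str:
    """Keep the first two characters so a finding can be matched to its source."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_text(name: str, text: str) -> List[Finding]:
    """Scan one file's contents; returns one Finding per offending line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";", "//")):
            continue                                   # blank or comment line
        m = KEY_PATTERN.match(line)
        if m and not PLACEHOLDER.match(m.group("value")):
            findings.append(Finding(name, number, m.group("key"),
                                    mask(m.group("value")), "hard-coded credential"))
            continue
        u = URL_CRED.search(line)
        if u and not PLACEHOLDER.match(u.group("password")):
            findings.append(Finding(name, number, "url", mask(u.group("password")),
                                    "credential embedded in connection URL"))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """files maps a display name to file contents (read from disk in real use)."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


# Constructed samples, not taken from any real system.
SAMPLE_FILES = {
    "app.ini": """\
# constructed sample configuration
[database]
host = db.internal
user = app
password = hunter2
[cache]
url = redis://:s3cretpass@cache.internal:6379/0
[api]
api_key = ${API_KEY}
token = <set-in-vault>
[smtp]
password =
""",
    ".env": """\
# constructed .env sample
DB_HOST=db.internal
DB_PASSWORD="Tr0ub4dor&3"
AWS_SECRET_ACCESS_KEY=changeme
""",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.file}:{f.line} {f.kind}: {f.key} = {f.masked_value}")
```

On the constructed samples the scanner reports three findings (the INI password, the Redis URL password, and the `.env` database password) and correctly ignores the environment-variable reference, the vault placeholder, the empty value and `changeme`. In practice the same function would be run over every file a deployment checks in, with the placeholder list tuned to the team's own conventions.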
An ounce of prevention is worth a pound of response
Are we focusing on the wrong things with endpoint detection and response (EDR)? Detecting threats alone is insufficient. The goal should be to prevent malicious activities from occurring in the first place. Detection should be a last resort, used only to identify failures in other security measures. Blocking unauthorized software and limiting application capabilities to prevent attacks goes a long way. Standard EDR systems can be bypassed using simple tools. You can help make detection a moot point by hardening endpoints and removing unnecessary administrative permissions. Some may view deny-by-default approaches as hindrances to business operations. However, since most businesses rely on a limited set of software, managing that list can allow for a deny-by-default approach without significant business disruption.
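To make the deny-by-default idea above concrete, and the ring-fencing idea from the zero-trust segment, here is an added example written for this newsletter; it is not ThreatLocker's or the podcast's code. It models a tiny endpoint policy engine: every process start is denied unless its path and hash match an approved entry, and even approved applications are ring-fenced on what they may spawn and whether they may touch the network, so an approved Office binary launching a script host is blocked without any detection signature. The paths, hashes (stand-in values from a label hash) and event shape are all constructed.

```python
"""Deny-by-default application control with ring-fencing, as a toy policy engine.

Added example, not ThreatLocker's or the podcast's code. The rule format, event
shape, paths and hashes below are all constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def fake_hash(label: str) -> str:
    """Stand-in for the SHA-256 of a real binary; hashes a label instead (constructed)."""
    return hashlib.sha256(label.encode()).hexdigest()


@dataclass(frozen=True)
class AllowRule:
    """One approved application plus the ring-fence limits it runs under."""
    path: str
    sha256: str                              # the binary must still match this hash
    network: bool = False                    # may the application reach the network?
    may_spawn: frozenset = frozenset()       # child executables it may launch


@dataclass(frozen=True)
class ExecEvent:
    """A process-start event as an endpoint agent might report it (constructed shape)."""
    path: str
    sha256: str
    parent: Optional[str] = None             # None = launched directly by the user
    wants_network: bool = False


@dataclass
class Policy:
    rules: Dict[str, AllowRule] = field(default_factory=dict)

    def allow(self, rule: AllowRule) -> None:
        self.rules[rule.path] = rule

    def decide(self, ev: ExecEvent) -> Tuple[str, str]:
        """Return ("allow"|"deny", reason). Anything not explicitly allowed is denied."""
        rule = self.rules.get(ev.path)
        if rule is None:
            return "deny", f"{ev.path}: not on the allowlist (default deny)"
        if rule.sha256 != ev.sha256:
            return "deny", f"{ev.path}: hash differs from the approved build"
        if ev.parent is not None:
            parent_rule = self.rules.get(ev.parent)
            if parent_rule is None or ev.path not in parent_rule.may_spawn:
                return "deny", f"{ev.parent} may not launch {ev.path} (ring-fence)"
        if ev.wants_network and not rule.network:
            return "deny", f"{ev.path}: network access not granted (ring-fence)"
        return "allow", f"{ev.path}: approved"


# Constructed paths; the hashes are fake_hash() stand-ins, not real binary hashes.
WORD = r"C:\Program Files\Office\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BACKUP = r"C:\Tools\backup.exe"
DROPPED = r"C:\Users\alice\Downloads\invoice_viewer.exe"


def build_policy() -> Policy:
    """The short list of software the business actually uses, each ring-fenced."""
    p = Policy()
    p.allow(AllowRule(WORD, fake_hash("winword"), network=True))
    p.allow(AllowRule(PS, fake_hash("powershell")))               # no network for scripts
    p.allow(AllowRule(BACKUP, fake_hash("backup"), network=True,
                      may_spawn=frozenset({PS})))                 # backup job may run PS
    return p


SAMPLE_EVENTS = [
    ExecEvent(WORD, fake_hash("winword"), wants_network=True),    # user opens Word
    ExecEvent(PS, fake_hash("powershell"), parent=WORD),          # document spawns PowerShell
    ExecEvent(PS, fake_hash("powershell"), parent=BACKUP),        # backup job runs its script
    ExecEvent(DROPPED, fake_hash("unknown")),                     # unapproved download
    ExecEvent(WORD, fake_hash("winword-modified")),               # approved path, altered binary
    ExecEvent(PS, fake_hash("powershell"), wants_network=True),   # script wants outbound access
]


def evaluate(policy: Policy, events: List[ExecEvent]) -> List[Tuple[str, str]]:
    return [policy.decide(ev) for ev in events]


def summarize(decisions: List[Tuple[str, str]]) -> Dict[str, int]:
    counts = {"allow": 0, "deny": 0}
    for verdict, _ in decisions:
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    decisions = evaluate(build_policy(), SAMPLE_EVENTS)
    for verdict, reason in decisions:
        print(f"{verdict:5s} {reason}")
    print(summarize(decisions))
```

Of the six constructed events only two are allowed: Word itself, and PowerShell when the approved backup job launches it. The same PowerShell binary launched from a document, an unknown executable in Downloads, a tampered copy of an approved binary and a script asking for network access are all denied by policy, with no signature or behavioural detection involved. The point the segment makes is visible in the size of `build_policy()`: the list of software a business really runs is short enough to manage, and that is what makes default deny workable.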
The cream of the security crop
Standing out as a cybersecurity professional can be tough. What separates the best often comes down to soft skills and the ability to communicate complex technical issues. In particular, CISOs must be able to articulate risks and recommendations in a way that business stakeholders can understand. Different roles within a security company require different personality traits to stand out, with some positions suited for more introverted individuals who excel in technical tasks. The key is knowing yourself and your audience and tailoring communication strategies accordingly to be effective and authentic in conveying cybersecurity concepts.
Listen to the full episode over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to Conner Biolsi of Lewis County, New York, for providing our “What’s Worse” scenario.
Huge thanks to our sponsors, ThreatLocker
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
What I hate about cybersecurity...
"I hate buzzwords, mainly because vendors overuse them, and they use them wrongly. In addition to this, CISOs often don't understand what they need to achieve solutions because they're so overwhelmed with buzzwords." - Danny Jenkins, CEO, ThreatLocker
Do Companies Undergoing a Merger or Acquisition Get Targeted for Attacks?
"I certainly do agree that in times of distraction, whether it’s M&A distraction, or holiday distraction, or just life in general, we are more susceptible to not taking that five-second pause, deep breath, ‘Why would the CEO be sending me a text telling me that he needs me to be in this meeting and to bring gift cards on the way into the meeting?’ Anybody with a half a second of pause would say, ‘No, that’s not happening.’" - Andrew Cannata, Veteran, CISO, Primo Brands
Listen to full episode of "Do Companies Undergoing a Merger or Acquisition Get Targeted for Attacks?"
Join CISO Series Podcast LIVE in Seattle (08-21-24)
We’re going to Seattle!
It’ll be our first time ever producing a live recording of CISO Series Podcast in that beautiful city.
We’ll be the closing entertainment on the first day of the National Cybersecurity Alliance’s Convene conference happening August 21-22nd, 2024 at the Rosehill Community Center in Mukilteo, WA, just outside of Seattle. Convene is a conference all about security awareness designed for security awareness professionals. And I believe this will be our fifth appearance at one of their events!
Joining me on stage for our recording will be Nicole Darden Ford, SVP and CISO for Nordstrom, and Varsha Agarwal, head of information security for Prosper Marketplace.
Watch the video for a preview of our recording and the event.
If you work in the security awareness industry, this is a must attend conference. Be sure to register by going here and use our 15 percent discount code: Convene15.
HUGE thanks to our three sponsors, KnowBe4, Proofpoint, and Vanta
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Jana M., CISO, Belron®. Thanks Vanta.
Thanks to our Cyber Security Headlines sponsor, Vanta
Join us NEXT Friday [08-02-24], for "Hackings CISOs"
Join us Friday, August 02, 2024, for “Hackings CISOs: An hour of questions for our CISOs.”
Let us know what you want to ask our CISOs. Whether it's career questions, organizational issues, or technical considerations, our CISOs are game to answer.
It all begins at 1 PM ET/10 AM PT on Friday, August 02, 2024 with guests Steve Zalewski, co-host, Defense in Depth (and former CISO for Levi Strauss) and William Harmer, CISSP, CISM, CIPP, operating partner and CISO, Craft Ventures. We'll have fun conversations and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup on Discord.
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship, contact me, David Spark.