We Could Lower Risk If We Shrunk Our Business
Every business wants to grow. But every CISO is tasked with managing and ultimately reducing risks. Being too cautious makes a CISO seem like an impediment to growth. So how do you manage the risks of growth with the realities of cybersecurity?
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest, Matthew Radolec, VP, incident response and cloud operations, Varonis.
Dealing with growth as a CISO
The role of the CISO is to enable the business through the purview of cybersecurity. Every business wants to grow, so how do CISOs best enable that? Growing while maintaining the security mission remains challenging, noted Rita Gurevich of SPHERE on Dark Reading, given that a bigger business often correlates to a bigger threat surface. Growth is the goal for the business, but for the CISO it is a scaling challenge. Avoid thinking in terms of a ratio of security staff to the overall business; instead, embrace automation and other technology that truly let you scale operations. This can help meet both challenges.
Does GenAI throw security wisdom out the window?
How do we even start thinking about securing new large language model-based tools when we don’t know how traditional cybersecurity tooling even applies to them? How do we red-team ChatGPT, asked Ben Lorica 罗瑞卡 of Gradient Flow? It may be tempting to think we need to start from scratch, but the entire cybersecurity industry needs to focus on the hard work of adapting known processes to this transformative technology. It’s easy to forget cybersecurity has dealt with technological disruption before. Not everything will work perfectly, but hard work will allow you to tweak existing processes to meet the needs of generative AI.
No more magic boxes
When it comes to incident response, don’t get caught in the trap of thinking that a new black box solution will automatically solve an incident. Every vendor is telling you their SIEM or MDR will make all your problems go away. While those tools are important, they don’t offer the same grounding as engineering-based approaches to incident response. Putting those approaches in place is part of the scaling work that allows organizations to be ready for changing threats, not just the attack vector of the month.
Embracing industrial-grade cybersecurity
Many cybersecurity teams start out small, with one or a handful of people. From there, habits of individual IT heroism can become part of a cybersecurity culture. But as organizations grow and threat actors become more pernicious, organizations need to move to more industrial approaches, argues Google Cloud CISO Phil Venables. This shift isn’t easy, so organizations should start applying principles of scale, predictability, and reliability to new systems, products, or problems before attempting to rip and replace existing ones. This will naturally grow an industrialized mentality and make getting buy-in for expanding the program easier.
Listen to the full episode over on our blog, where you can also read the entire transcript, or on your favorite podcast app. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to our contributor Katie for providing this week’s “What’s Worse?!” scenario. Thanks Varonis.
Huge thanks to our sponsor, Varonis
Best advice I ever got in security…
"A good plan executed now is better than a perfect plan executed next week." - Matt Radolec, VP, incident response and cloud operations, Varonis
What Are the Risks of Being a CISO?
"The purpose of your security team is to certainly reduce the amount of breaches that the organization has, but also to mitigate the impact of breaches when they occur. And so being able to communicate that effectively in the organization is important." - Phil Davis, attorney, healthcare cybersecurity and privacy, Hall Render, and a former CISO
Listen to the full episode of "What Are the Risks of Being a CISO?"
TOMORROW: CISO Series Podcast LIVE in Mountain View 4-17-24
Big news! CISO Series Podcast makes its triumphant return to Silicon Valley as the afternoon entertainment at Planet Cyber Sec's CISO-CIO Forum at the Hyatt Centric Mountain View, California on April 17, 2024. That’s TOMORROW! Joining me on stage will be Mike Johnson, CISO, Rivian, and TC Niedzialkowski, CISO, Nextdoor.
This is an executive-level event, so you need to apply to attend.
Thanks Eclypsium, Inc. and Normalyze.
HUGE thanks to our sponsors, Eclypsium and Normalyze
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Dan Walsh, CISO, Paxos. Thanks Conveyor.
Thanks to our Cyber Security Headlines sponsor, Conveyor
Join Us 04-26-24 for “Hacking Your Cybersecurity Career” – Super Cyber Friday
Please join us on Friday April 26, 2024 for Super Cyber Friday.
Our topic of discussion will be “Hacking Your Cybersecurity Career: an hour of critical thinking about how to level up your professional development.”
Joining me will be Jesse Whaley, CISO, Amtrak, and Jerich Beason, CISO, WM.
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, "What's Worse?!" scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.