SC Media, and our sponsor RegScale, are proud to present this month's CISO Stories program. Each month, the CISO Stories Program explores a cybersecurity topic selected by CyberRisk Alliance’s CISO Community and provides content that examines that topic from a variety of perspectives. Hosted by Todd Fitzgerald, best-selling author of CISO COMPASS, the CISO Stories weekly podcast features content powered by the 1,100+ members of CyberRisk Alliance’s CISO Community. Listen to previous CISO Sto ...
Governing Cyber Humanely: Leveraging Wellness Techniques - Jothi Dugar - CSP #181
31:24
We discuss the topic of Human Centric Cybersecurity and the importance of empowering the 'people' aspect of the People, Process, Tech framework. In this conversation we raise the importance of well-being amongst Tech and Cyber leaders and how to keep calm through the chaos to lead our teams well. Also important is diversity in this field and the Ho…
CISOs Advising Cybersecurity Companies, Get on Board! - Bob West - CSP #180
28:16
Advisory Boards - helping cybersecurity companies grow is foundational to helping enterprises select best in class tools to protect their environments. If done properly, scaling cybersecurity companies can have a positive global impact on how information is protected and minimizing business disruption. Visit https://cisostoriespodcast.com for all t…
As We Implement Zero Trust, Let's Not Forget About Metrics - George Finney - CSP #179
29:10
Many organizations are starting today down the Zero Trust path. Zero Trust is a strategy (vs an architecture) and to prove the value of this investment, we need to start thinking about metrics to demonstrate value. Join us as we discuss some of the metric directions to consider when moving our organizations towards Zero Trust. Visit https://cisosto…
CISO and the Board: Demonstrating value and relevant metrics - Max Shier - CSP #178
30:34
CISO skills and metrics for the board, demonstrating the business value and necessity of a good cybersecurity posture, are capabilities the CISO must master to be effective in securing the appropriate investment level. Join us as we discuss interactions with the board and leveraging metrics to show business value. Visit https://cisostori…
Point Vs. Platform: Improving TCO Cost/Benefit - Patrick Benoit - CSP #177
28:38
CISOs must prioritize the intelligent selection of cybersecurity products by considering the total cost of ownership (TCO) and whether point products or platforms are best suited. This includes the costs of deployment and operations for people, processes, and technology, as well as the ongoing maintenance and support of a product. By considering th…
Data Governance is Critical to Info Security and Privacy - Michael Redmond - CSP #176
28:44
Data Governance is a key component in protecting data from different points of view, including information security confidentiality, integrity, and availability. There are several standards that have control requirements for Data Governance relating to PCI, HIPAA, PII, data security and more. Two of the Internal Standards having Data Governa…
The Riddle of Data Governance - Steven Fox - CSP #175
30:17
Data is the fuel of modern organizations. Data governance ensures the quality of that fuel, as well as ensuring its optimal utilization. It ensures that people use and access data appropriately. This value is timely in the face of artificial intelligence offerings whose utility relies on quality data. This segment is sponsored by Spirion. Visit https…
That Data Sprawl is Here! What Should We Do About it? - Nick Ritter - CSP #174
29:50
As technology has enabled high speed access and massive amounts of inexpensive storage, data is being created at a logarithmic hockey-stick pace. Not all this data is important for the organization; however, the organization must understand what data is important to run the business. Join us as we discuss this dilemma, with an eye to protecting esse…
Why CISO’s Fail: Some Practical Lessons for the Future - Barak Engel - CSP #173
25:33
Security is both overcooked and underdeveloped at the same time, and we keep doubling down on insanity. Our own community is at great fault for pushing fear and ignoring service, leading to consistent, negative experiences for all other stakeholders in the organization - and ultimately the CISOs themselves. "Do more cyber" never had, does not, and …
Air Gapped! The Myth of Securing OT - Thomas Johnson - CSP #172
28:50
The terminology of ICS has morphed into OT (Operational Technology) security; however, many organizations are lacking in addressing the OT security controls. As some companies talk about air gapping as the primary method of securing OT, the reality is that many times true air gapping does not exist. Join us as we discuss why these gaps occur and what nee…
The Challenges of Managing Security in an IT/OT Environment - John Germain - CSP #171
28:05
For manufacturing companies, technology has taken over a good deal of the day-to-day operations occurring on the manufacturing floor: things like robotics, CNC machines and automated inventory management. There are even systems that track what tools are used, by whom and for how long. This technology often works outside of or flies under the radar …
The Importance of OT Security: The Evolving Threat Landscape - Ken Townsend - CSP #170
30:00
Manufacturing environments rely heavily on Operational Technology (OT) systems – such as industrial control systems, supervisory control, PLCs, etc. – to manage production processes. Compromises of these networks and systems can have devastating consequences, including:
• Production disruptions and downtime
• Safety hazards
• Data breaches and intell…
Tips for a Successful Cyber Resilience Program - Olusegun Opeyemi-Ajayi - CSP #169
31:15
The cybersecurity threat landscape is constantly evolving, and experience has shown that everyone and every organization is prone to being breached. How do you prepare for what seems inevitable? You assume breach and plan accordingly. Cyber resilience has become a top priority as organizations figure out how to build a network that can either conti…
Operational Technology (OT) and the Art of War - Glenn Kapetansky - CSP #168
32:30
Operational Technology (OT) security is concerned with protecting embedded, purpose-built technologies enabling our industrial processes. You also may have heard “adjacent” buzzwords like Internet of Things (IOT) and Fog (like “cloud” but close to the ground). OT security has significant challenges in terms of cost/size/weight, capability, ability …
Third-Party Risk Management - BEC Compromises and the Cloud - Michael Swinarski - CSP #167
23:00
Third-Party Risk Management is essential for safeguarding an organization's assets, reputation, and operations. By identifying, assessing, and managing risks associated with external partners, organizations can enhance their resilience, protect sensitive information, and maintain the trust of stakeholders in an increasingly interconnected business …
52,000 Suppliers: Third-Party Supply Chain CyberRisk Approach - Cassie Crossley - CSP #166
30:13
Schneider Electric has over 52,000 suppliers and sells hundreds of thousands of products of which 15,000 would be classified as intelligent products. To address risks stemming from third-party suppliers, and in recognition of the risks posed to customers, we have a holistic approach to value chain security, by implementing security controls at ever…
Securing Connections: 3rd Party Risk Mgmt Expert Insights - Charles Spence - CSP #165
30:49
Breaches at software vendors used by many organizations have highlighted the external software supplier risk, requiring organizations to be even more diligent. Join us as we discuss the supply chain issues and their relationship to software supply chain issues, and how organizations should approach an environment with supplier software risk, geo-politi…
A Printout on Secure by Design When Utilizing 3rd Parties - Bryan Willett - CSP #164
24:14
With CISA just putting out new “secure by design” guidance, Lexmark CISO Bryan Willett pulls the curtain back on how Lexmark is approaching secure-by-design in its products. Lexmark is at the forefront of secure by design, as their products constantly touch highly confidential information in regulated industries, along with an est…
Intelligent Generative AI Handling - Aaron Weismann - CSP #163
26:01
Generative AI security and integrity. This is important to me because it's a cool new commercially available technology that promises efficiency and time savings, and therefore everyone wants to use it without a thorough understanding of how to secure data used with it or how to correct model bias introduced through improper governance. The implication…
Responsible Use and Vetting of AI Solutions - Jon Washburn - CSP #162
32:58
Responsible use and governance of AI are key issues today, as training data limitations and data retention issues must be addressed. The risk of exposing PII or other confidential data, managing bias, hallucination, misinterpretation risks and other AI considerations are discussed. Fitzgerald, T. 2019. Chapter 4: Emerging Technologies and Trends in…
The Business Side of AI - Edward Contreras - CSP #161
23:58
Artificial Intelligence: Currently these two words can mean a world of difference to different people. How do you bring this topic to the board, to executives, or to business partners, and help them understand the risks without the FUD or technical language that so often creeps into the conversation? The goal is to engage in an action driven conver…
Generative AI and Corporate Security – Getting it Right - Bill Franks - CSP #160
32:22
Generative AI has hit the world by storm, but unfortunately is widely misunderstood. While it brings great promise for companies, it also has risks. As employees and corporate applications begin making use of generative AI, it is important to ensure that proper safety and security mechanisms are put in place to allow value to be obtained while mini…
Better CISO Health in the New Year: From Burnout to Balance - Steve Shelton - CSP #159
29:05
Heidrick and Struggles released a global CISO survey last year, stating 53% of CISOs were most concerned about significant stress and 60% were concerned about burnout. In Steve’s 20 years of software sales, significant stress and burnout have been longstanding issues that have yet to be effectively addressed and have negatively impacted his own lif…
Cloud Security Staffing in a Hybrid World – It Can Be Done! - Larry Lidz - CSP #158
30:41
Over the course of two years, and during the pandemic, we established a new security team and grew that team from five cloud security people to over eighty. What was our talent strategy to enable that rapid growth, how did we find the right talent in a tight market, and what did we learn from the approach? Additionally, what rituals and tactics ser…
You want the CISO Title & Pay? Responsibility Comes Also! - Malcolm Harkins - CSP #157
35:11
Integrity & Materiality. Get them wrong and you jeopardize your organization, its shareholders, possibly customers, as well as yourself. Join us as we discuss the CISO role and accountability, Geopolitics, SEC Regulation and materiality, AI Impact, and seismic changes occurring in the past 5 Years as articulated in the 5 year CyberRisk Alliance Blog dated…
Reimagining Risk in the Emerging Cloud: A GRC Perspective - Solomon Ugah - CSP #156
28:07
More and more services and products are being cloud-delivered. This leads to a concentration of risk in the hands of a few industry players and a few jurisdictions. It means risk needs to be addressed and thought about differently. Join us as we discuss managing cloud risk from a Governance, Risk and Compliance (GRC) perspective. Fitzgerald, T. 201…
Why Don’t We Care About Identity Security? - Don Baham - CSP #155
27:21
Identity & Access Management - Why do organizations still insist that provisioning/deprovisioning is an IT function? Effective IAM requires collaboration across the business units and responsibilities for multiple departments. Join us as we discuss IAM and some of the challenges organizations are facing today to secure the perimeter – the identity …
High Consequences Cyber: Make or Break the CISO’s Reputation - Andy Jaquith - CSP #154
29:30
“High Consequences Cyber” are high-risk, high-stakes cyber projects that can make or break a company or make or break the CISO’s reputation. These include issues such as: how do you architect your networks if you are a multinational with exposure to high-risk countries? What are key choices you can make when moving critical workloads such as email …
Four Pieces of Transitional Advice: Incoming CISOs - Sean Zadig - CSP #153
32:28
There’s been a boom of sudden CISOs for regulatory and practical reasons — forcing technical security leaders to transition. And the transition isn't easy. Join us, as Sean shares the lessons he has learned as he moved into the CISO role from technologist. As CISO Stories also focuses on Identity Management this month, we also discuss architecting …
Is there really an Information Security Jobs Crisis? - Ben Rothke - CSP #152
27:15
Are there really millions of open information security jobs available? Or are many of the numbers hyped up? Join us as we discuss these numbers, boot camps, regional differences, and where these job openings come from. Visit https://securityweekly.com/csp for all the latest episodes! Follow us on Twitter: https://www.twitter.com/cyberleaders Follow…
Prioritizing Identity and Getting the Fundamentals Right - Bezawit Sumner - CSP #151
29:25
Prioritizing identity and getting the fundamentals right. We are managing more identities than ever – people-to-people, machine-to-machine, and people-to-machine. What actions should CISOs be ensuring are being done within the environment to prioritize identities? Join us as we discuss where Bezawit has focused to enhance the identity management process.…
Do You Really Want to Be a CISO? - Spencer Mott - CSP #150
27:21
Reaching the level of CISO in a large corporation requires time and determined application as well as aptitude and very specific professional and personal attributes. It's the role against which many security professionals set their career sights without really knowing what they'll be getting themselves into. Fitzgerald, T. 2019. Chapter 14. CISO S…
All in One CISO: There Is Nothing We Can't Do - Jessica Hoffman - CSP #149
29:22
As a CISO, the opportunities we have to positively cultivate the cybersecurity landscape for our organizations are endless. From driving projects to implementing innovative technologies to strengthening basic cybersecurity hygiene, reshaping the organization's culture, protecting from ransomware, and diversifying the cyber workforce, the CISO is a cer…
Building a People-Centric Security Program - Cathy Olsen - CSP #148
21:48
In security, we can get buried in the tools, standards, issues and risks. But an effective security program is built upon people, process, and technology. Let's talk about how you can approach your security program in a way that is focused on the people who use and manage your company assets and data. Fitzgerald, T. 2019. Chapter 13. Multigeneratio…
Veterans Impacting Cybersecurity - David Cross - CSP #147
27:05
Veterans bring along some valuable skills from the military that organizations can greatly benefit from. From loyalty, executing to a playbook, incident response, responding to crises, to supporting the organizational mission – Veterans are a resource that is eager to transition to organizations and apply their skills and continuously learn. With…
Should We Be Relying on Our Cybersecurity Risk Matrices? - Doug Hubbard - CSP #146
29:17
A key role for the CISO and the team is to identify and plan for mitigation of the most damaging risks. Various approaches have been used over the years with varying levels of success. Are we measuring the right things? Are we using the right instruments? Join us as we discuss some of the flaws present in measuring risk today and considerations to …
OT Is Not IT But Security Can Handle Both - Mea Clift - CSP #145
25:07
Join us as we discuss the OT security landscape, the solutions for protecting it, and the future of protecting these pieces of critical infrastructure. With attacks on these networks on the rise, it’s important for cybersecurity professionals to acknowledge that these systems are just as important as information in our protection efforts, and that it requires speci…
Effective Communication is Critical for CISO Success - Wes Knight - CSP #144
29:03
Technical people, CISOs included, may have challenges communicating well with executive management due to a different career path evolution. To maximize our success, we must all improve our communication skills with technical and non-technical people. Join us as we discuss some of the nuanced communications and areas to pay closer attention to. Fi…
Terminology Matters: Changing 'Cybersecurity' to Data Care - Cyndi Gula, Ron Gula - CSP #143
27:04
Cybersecurity touches all our lives; however, there is a belief that only experts in all of the technical disciplines need to apply. The term ‘cybersecurity’ does not invoke a personal sense of responsibility to care for the protection of data. Join us as we discuss the concept of reframing cybersecurity to “Data Care”, like the concepts used in the…
NextGen Security Tooling: Investments in Intelligence - Mike Coogan - CSP #142
31:54
Security tools have become overwhelming in number, yet companies continue to get breached. With all the recent focus on artificial intelligence, security leaders must avoid neglect of natural intelligence. When your opponent is thinking and adapting to your every move, can you really afford to neglect your most critical defenses? Visit https://secu…
Uber CISO Trial Learnings for CISOs: In the CISO's Own Words - Joe Sullivan - CSP #141
40:21
In the fall of 2016, Uber experienced a data breach, and the CISO faced the possibility of prison time for felony obstruction and misprision for failure to report the 2016 breach. He was sentenced in May 2023 to 3 years’ probation. Join the former CISO of Uber as we discuss the events which led to the prosecution case, the results of the trial and af…
Managing CyberRisk in a Mid-Cap Company - Walter Lefmann - CSP #140
25:43
MidCap enterprise security is a challenge – SMBs have all the needs of a large enterprise, but not the same large budget or army of defenders. We are also a "sweet spot" target for cybercriminals -- you have enough money to be worth some real effort, but again not a large army of defenders. MidCap is at the front lines of "doing more with less"! Vis…
Collective Defense: The Importance of Partnerships in Cybersecurity - Jamil Farshchi - CSP #139
36:52
With cybersecurity emerging as a board-level agenda item, collaboration is becoming increasingly high-stakes and multifaceted. Join us as we examine the opportunities and potential pitfalls of this new era, as well as the skills needed. Visit https://securityweekly.com/csp for all the latest episodes! Follow us on Twitter: https://www.twitter.com/c…
Teams are Built around Key Players Performing Great Functions - Ralston Simmons - CSP #138
30:19
Skills can be evolved and provide teams with the necessary talent. Join Ralston as he shares his experiences in recruiting, rotational programs, and supporting the key players with the right support system. Visit https://securityweekly.com/csp for all the latest episodes! Follow us on Twitter: https://www.twitter.com/cyberleaders Follow us on Linke…
Championship Results: No Bank Breaking or Boat Rocking! - Steve Hunt - CSP #137
27:33
Top-performing CISOs shared with me their hacks for creating a team atmosphere, getting excellent and consistent results, and creating buy-in from management for their budgets, projects, and big ideas. This discussion goes beyond risk management into the realm of performance excellence. Impact Leaders Pod Training for Cyber Teams is a unique 8-week…
Supply Side Security: How to Maintain a Talent Pipeline - Helen Patton - CSP #136
28:43
There are a ton of entry-level candidates for security roles, but we need mid- to late-career cyber candidates to fill our open positions. Hiring managers need to partner with non-security people to build and maintain that pipeline. Let's talk about how to go about getting this done. Visit https://securityweekly.com/csp for all the latest episodes…
Deploying Zero Trust Without Destroying End User Trust - Mike Zachman, Colin Chisholm - CSP #135
26:52
Deploying SASE (Secure Access Service Edge) is a critical step on your Zero Trust journey. It is not without risk, especially to the end user experience. Join us as we discuss our lessons-learned fresh from the deployment trenches. This segment is sponsored by Google. Visit https://securityweekly.com/chrome to learn more about them! Visit https://s…
Security Musings from a Psychotherapeutic Perspective - Mark Eggleston - CSP #134
28:33
Come listen to a CISO's story of going from carpenter to psychotherapist to security leader. The stories told will help anyone working in cyber - from those looking to break into cyber to those who are battle tested and looking for new support or coping strategies. Morin, A. 2017. 13 Things Mentally Strong People Don’t Do. Harper Collins…
Cyber Risk Governance: The Hype, Hope, & Harsh Reality - John Sapp - CSP #133
27:40
Cyber Risk Governance, or Cyber Risk Management, has been an often talked about concept for nearly two decades, yet it remains one of the most elusive and sought after outcomes by every C-level executive across every line of business in every industry sector, and particularly in the Board room. In this session, we are going to jump into the shoes of …
The Tactics of Being Strategic in Cybersecurity - Jason Elrod - CSP #132
26:55
Discussion about what it means to be strategic as a CISO and, more importantly, what specific, tactical steps you can take to bring that into reality. This segment is sponsored by Google. Visit https://securityweekly.com/chrome to learn more about them! Visit https://securityweekly.com/csp for all the latest episodes! Follow us on Twitter: http…