We’re starting to get a little self-conscious that our vulnerabilities are starting to show. People we don’t even know are telling us we have them on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Fredrick Lee (AKA “Flee”) (@fredrickl), CSO of Gusto.

Thanks to this week’s podcast sponsor Tenable

Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization.

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

What’s a CISO to do?

Chris Romeo, CEO of Security Journey, wrote a post where he asked, “What if I had to develop an application security program with a budget of zero dollars?” What he presented was a means to lean on the OWASP open source community and tools to build an application security program.

You’re a CISO, what’s your take on this?

I was chatting with a pentester, Benjamin McEwan, from Scotland, who reaches out to CISOs trying to responsibly disclose, not expose, a credible security vulnerability. It’s his effort to get recognized. He’s frustrated though in his ability to find permanent work because those hiring only see him as an independent researcher. Is his exercise the right approach? What can a talented security person in his position do to make himself more attractive to CISOs?

What’s Worse?!

We’ve got a couple of scenarios that shocked our guest at the sheer InfoSec horror.

Breathe In, It’s Time for a Little Security Philosophy

On Quora, a question right out of the Matthew Broderick movie WarGames asks, “If a student hacked into university computers and changed his grade in cyber security to an A, does he actually deserve the A?” Except for one person, everyone said, “No,” but for different reasons. Mike, are you saying no, and if so, what reason?

What do you think of this pitch?

We’ve got two pitches from vendors this week. One came directly to me.

The idea behind an Advanced Persistent Threat is both intriguing and a little distracting. It sounds like the title of a Tom Clancy novel – maybe a sequel to Clear and Present Danger.

Designed to penetrate a network, operate while hidden for a long time, all the while receiving commands from an outside agent, an APT is more sophisticated than everyday malware and tends to be deployed against large targets.

But it’s still a concern. Especially when the cloud comes into play. The cloud’s limitless volume, used by millions of organizations in close proximity make it a treasure trove of available data and an ideal platform to enable an attack and to distribute command-and-control files. In addition, managed service providers who oversee and maintain cloud infrastructure for their clients can become a natural point for exploitation.

Perhaps the best lesson to take from the advanced persistent threat is that they might not be something you’re most susceptible to, and although they should not be ignored, it would not be wise to be distracted by them when you really should be focused on basic cyberhygiene.

Got feedback? Join the conversation on LinkedIn.

Creative Commons photo attribution with logo addition to Flickr user Bruno French Riviera.