We’re playing hard to get on the latest episode of CISO/Security Vendor Relationship Podcast.



This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Al Ghous, head of cloud security at GE Digital.

Thanks to this week’s podcast sponsor Carbon Black

Carbon Black (NASDAQ: CBLK) is a leader in endpoint security dedicated to keeping the world safe from cyberattacks. The company’s big data and analytics platform, the CB Predictive Security Cloud (PSC), consolidates endpoint security and IT operations into an extensible cloud platform that prevents advanced threats, provides actionable insight and enables businesses of all sizes to simplify operations.

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

Why is everybody talking about this now?

On LinkedIn, Marcus Capone, Partner at Onyx, a physical and cybersecurity firm said, “I laugh when clients balk at prices. They expect champagne but want to pay for Coors Light…” This caused a flurry of discussion of price/value in security. There was an attitude across the board that we’re the absolute best and we should be paid that. But as Allan Alford said on Defense in Depth, there’s a market for a slightly worse, but way cheaper version of Splunk. Do CISOs want beer-level security solutions?

It’s time to measure the risk

How can startups and large companies get along better? Enterprises are jealous of startups’ agility, and startups are eager to get at enterprises’ assets. But startups can be a security nightmare, and it’s a non-starter if they can’t pass the third-party risk management process. With all this frustration, is there any middle ground?

What’s Worse?!

We have a common real-world scenario in this week’s game.

You’re a CISO, what’s your take on this?

We have talked in the past about how the term “AI” can mean a lot of things. It can be a simple script or it can be an algorithm that actually learns by itself. Both will do something for you automatically, but the expectations are vastly different. When security vendors tout AI, what would CISOs like to hear so your expectations can be set appropriately?

Understanding security sales

This week we look at the frustration of the vendor follow-up process after a demo. An anonymous listener asks, “We are usually told some sort of next step or asked to follow up in a few weeks.” The challenge is that vendors are often left chasing the potential client and getting no response. This can go on for months. “Is there a way to make this more productive for all involved?” Should the prospect be blamed? What can be done to improve the process?

Application Programming Interfaces (APIs) are wonderful for customizing and enhancing the cloud experience, but as a common front door, they pose a significant security risk. Regardless of how secure a cloud service provider is, an API’s primary role as an interface means it will always be an exposed surface that attackers can target.

API providers that work with toolkits may offer access control, but access control alone is not the same as security. In fact, 9 of the top 10 vulnerabilities listed in the OWASP Top 10 now mention APIs.

APIs are gateways, often shared by many different customers and applications. As a single point of entry, an API can become an attacker’s primary target. Once the API is compromised, every application and system behind it becomes vulnerable.

It is vital to embed secure API gateways within the cloud itself. This means using secure API gateway technologies that treat security as the top priority, rather than simply integration or ease of access.

This is not something that should be left to cloud providers alone; it demands proactive awareness and action by individual companies working together with their cloud suppliers.
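To make the “security first, not just integration” point concrete, here is an added illustration (not code from the podcast, its hosts, or any vendor mentioned) of the checks a security-first gateway performs on every request before it is forwarded to a backend. The tenant names, API keys, routes and limits are constructed sample values; the gateway authenticates the caller, rate-limits per credential so one client cannot exhaust the shared front door, parses the path strictly, refuses cross-tenant access, and only forwards allow-listed method/resource pairs.

```python
"""Minimal security-first API gateway filter (added illustration, stdlib only)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data (hypothetical): two tenants sharing one gateway.
API_KEYS: Dict[str, str] = {"key-acme-1": "acme", "key-globex-7": "globex"}
# Only these (method, resource) pairs ever reach a backend.
ROUTE_ALLOWLIST = {("GET", "devices"), ("POST", "devices"), ("GET", "alerts")}
RATE_LIMIT = 5            # requests per credential ...
WINDOW_SECONDS = 60.0     # ... within this sliding window


@dataclass
class Request:
    method: str
    path: str                      # e.g. "/v1/tenants/acme/devices"
    api_key: Optional[str] = None  # value of an X-API-Key style header


class Gateway:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock                     # injectable for deterministic tests
        self._hits: Dict[str, List[float]] = {}  # api_key -> timestamps in window

    def _rate_limited(self, key: str) -> bool:
        """Sliding-window counter per credential; True when the call must be refused."""
        now = self._clock()
        hits = [t for t in self._hits.get(key, []) if now - t < WINDOW_SECONDS]
        if len(hits) >= RATE_LIMIT:
            self._hits[key] = hits
            return True
        hits.append(now)
        self._hits[key] = hits
        return False

    def check(self, req: Request) -> Tuple[int, str]:
        """Return (HTTP status, reason). 200 means the request may be forwarded."""
        # 1. Authenticate: a missing or unknown key is rejected before any routing logic.
        tenant = API_KEYS.get(req.api_key or "")
        if tenant is None:
            return 401, "unknown API key"
        # 2. Rate limit per credential, so one abusive client cannot starve the others.
        if self._rate_limited(req.api_key):
            return 429, "rate limit exceeded"
        # 3. Parse the path strictly: exactly /v1/tenants/<tenant>/<resource>.
        parts = req.path.strip("/").split("/")
        if len(parts) != 4 or parts[0] != "v1" or parts[1] != "tenants":
            return 404, "unknown route"
        path_tenant, resource = parts[2], parts[3]
        # 4. Authorize: the key's tenant must match the tenant named in the path.
        if path_tenant != tenant:
            return 403, "tenant mismatch"
        # 5. Only explicitly allow-listed method/resource pairs are forwarded.
        if (req.method.upper(), resource) not in ROUTE_ALLOWLIST:
            return 405, "method/resource not allowed"
        return 200, f"forward to backend for tenant {tenant}"


def demo() -> List[Tuple[int, str]]:
    """Run a fixed sequence of constructed requests through one gateway instance."""
    gw = Gateway()
    calls = [
        Request("GET", "/v1/tenants/acme/devices", "key-acme-1"),     # 200
        Request("GET", "/v1/tenants/acme/devices", None),             # 401
        Request("GET", "/v1/tenants/globex/devices", "key-acme-1"),   # 403
        Request("DELETE", "/v1/tenants/acme/devices", "key-acme-1"),  # 405
    ]
    return [gw.check(c) for c in calls]


if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```

Note that the rate-limit check runs before authorization, so rejected cross-tenant and disallowed-method attempts still consume the caller’s budget; a real gateway would also log each non-200 outcome with the credential and tenant so that repeated 403s from one key are visible to detection.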
