We’re spoon-feeding “respect” to the CISO on this week’s CISO/Security Vendor Relationship Podcast.



This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week, thanks to Trend Micro, is Jim Shilts, founder, North American DevOps Group.

Thanks to this week’s podcast sponsor Trend Micro

Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com.

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

Why is everyone talking about this now?

Gary Hayslip, CISO, Softbank Investment Advisers and regular guest, posted an article about a growing trend of CISO frustration and why they don’t last at an organization. This article addresses many issues around burnout, but I want to focus on this one stat from an ISC(2) study which states, “Sixty three percent of respondents said they wanted to work at an organization where their opinions on the existing security posture were taken seriously.” Hard to keep any security staff in place if they’re not respected. We talk a lot about being able to talk to the board, but the communications has to be two way. How clear are executives in understanding that respect and listening to their cyberstaff is in their best interest?

What annoys a security professional

Deidre Diamond of CyberSN, asks this very pointed question, “We are short 500k cyber professionals in the US and 89% of our current cyber professionals are open to new opportunities; why are jobs taking on average 4-9 months to fill?” That last stat is CyberSN’s data estimates. She’s arguing there is plenty of supply. Why is this taking so darn long? Nobody’s happy.

What’s Worse?!

We’ve got a question tailored for our DevOps guest this week.

Please, enough. No, more.

DevOps and security. This is a topic that has grown over time, evolved in branding, and Mike has spoken out about how much he don’t like the term DevSecOps. As we regularly do in this segment, what have you heard enough of on the DevOps and security debate and what would you like to hear a lot more?

This image has an empty alt attribute; its file name is Cloud_Security_Tip_Teal_ColorLogo.png

Two factor authentication is a smart step towards more secure password management but what happens the moment after you have convinced the employees of your company to adopt 2FA, when you then say, “Oh yes, don’t forget your SIM PIN.”

2FA might stop hackers from using easily searchable information like someone’s mother’s maiden name, but these bad actors have already discovered the weak link in this particular chain. They call the phone provider, pretend to be that specific victim and ask to swap the victim’s SIM account information to a new SIM card – one that is in their possession. That way, everything the victim did with their phone – texting, banking, and receiving 2FA passcodes – all goes to this new phone.

Most of this crime is reported as happening outside of North America, and many phone companies are changing their policies away from remote reprogramming of SIM cards demanding in-person proof instead. But as workplaces bring global collaborators and their personal phones deeper into the corporate ecosystem, a proactive education campaign on SIM PINs might be in order.  

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

Hey, you’re a CISO, what’s your take on this?

Nigel Hedges, CISO, CPA Australia, asked, “Should security operations exist in infrastructure/operations teams?”

Nigel asked this questions to colleagues and got mixed results. One CISO said it was doomed to fail, others said its up to leadership and a CISO doesn’t need to own secops.

“Other people were adamant that the focus required to manage secops, and streamlined incident response cant work within infra because the primary objectives of infra are towards service availability and infra projects,” said Nigel who went on to ask, “Is this important prior to considering using a security vendor to provided managed security operations? Is it important to ‘get the house in order’ prior to using managed secops vendors? And is it easier to get the house in order when secops is not in infra?”