The bouquet of this particular vendor BS is a mixture of FUD, unnecessary urgency, and a hint of pecan. Look to your left and grab the spittoon because we don’t expect everyone to swallow what you’re about to hear on this week’s episode of CISO/Security Vendor Relationship Podcast.



This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Olivia Rose, CISO for MailChimp.

Thanks to this week’s podcast sponsor Remediant

Eighty one percent of cyberattacks utilize stolen administrative credentials. Yet, legacy enterprise password vaults solve only a fraction of the problem and are difficult to rollout. Remediant’s SecureONE takes a new approach to privileged access management: offering agent-less, vault-less, continuous detection and just-in-time-administration. Learn what Remediant can do in a half-day POC deployment.

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

Why is everyone talking about this now?

One of the reasons we hate hearing security buzzwords is because it doesn’t help us understand what it is a vendor is trying to sell. When a vendor says we have a “zero trust” product, what does that mean?

We delve into some of the tell-tale signs that a vendor or consultant is trying to BS you.

According to Olivia Rose, if you’re going to pitch a CISO, make sure you can answer the following simply and succinctly:

What does our product/service do?
What specific security problem does it solve?
How will it affect the typical strategic/business drivers for a company?

It’s time for “Ask a CISO”

Fernando Montenegro, analyst for 451 Research, asked, “How can the CISO be a change agent for the security team so it can better align with the business?”

What’s Worse?!

For this week’s game I picked a question very apropos for our guest’s current situation.

Um… maybe you shouldn’t have done that

Unconscious bias towards women in professional settings is not always overt nor intentional, but it happens. We discuss some examples of unconscious bias for both women and men. And we discuss how too much of it can really push women out of the security industry.

A distributed denial of service attack is the scourge of IT security. According to Verisign, one-third of all downtime incidents are attributed to DDoS attacks, and thousands happen every day. Are they created by sophisticated black hatted evil doers from an underground lair? Of course not. Welcome to the world of cybercrime-as-a-service.

You too can silence a competitor or cause havoc for pretty much anyone for as low as $23.99 a month. Just have your credit card or Bitcoin ready.

DDoS attacks are made cheap and easy by leasing access to botnets which exploit company security through phishing or brute force and also rustle the wild and unencrypted herds of IoT devices. On top of these rides a type of software called stressers, which are supposed to be used to test your own company’s defenses, but hey, if you point them at someone else, so be it.

And so long as someone keeps the apps up-to-date, there will be subscribers.

And as usual this opens the door to a world of crime being driven by lazy criminals with little sophistication.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

First 90 days of a CISO

Being just six weeks in, our guest, Olivia Rose is living the first 90 days of a CISO. We asked her and Mike what it’s like those first few weeks. And to no one’s surprise, it’s beyond overwhelming.