We tried to pull off the Hamilton of security theater and we fell short.



This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Shawn Bowen (@smbowen), CISO, Restaurant Brands International which handles restaurants such as Burger King, Popeye’s, Tim Hortons, and Louisiana Kitchen.

Thanks to this week’s podcast sponsor GitGuardian

GitGuardian empowers organizations to secure their secrets – such as API keys and other credentials – from being exposed in compromised places or leaked publicly. GitGuardian offers a threat intelligence solution focused on detecting secrets leaked on public GitHub and an automated secrets detection solution which tightly integrates with your DevOps pipeline.

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

How CISOs are digesting the latest security news

We recorded this episode on June 24th, just a five days after Trump’s first rally in Oklahoma where purportedly TikTok fans en masse were able to register for Trump’s rally and fool his entire staff into believing that 1 million people had registered and were planning to attend his rally. In the end, the arena was less than half full. We are all well aware that some cyber protests can cause serious damage, but does this one? Is this the kind of peaceful cyber protests that we should encourage or not encourage? Dan Lohrmann at Security Mentor posted this discussion and said no matter what political affiliation you’re on this is a call for more cybersecurity because this will happen again. But is this the fault of Trump’s cyber team or his social media team for not keeping an eye on TikTok?

Why is everybody talking about this now?

On AskNetSec on reddit, NoInterestingGuy, a college student starting his first internship at a security firm, posted he likes to participate in “extracurricular activities”. He then asked, “If I were to get caught with a crime related to cyber security, would that impact my chances significantly of getting hired in the future for a security company?” The community almost resoundingly said, “Stop,” but has Mike and our guest ever hired someone with a cybercrime past or caught an employee engaging in cybercrime? How did they handled it. Is there an “it depends” meter? We all do stupid stuff in college.

What’s Worse?!

Is the unknowing always the worst?

It’s security awareness training time

On CSO Online, J.M. Porup wrote a piece about five examples of security theater and how to spot them. Security theater refers to the practice having a show of implementing security where its effectiveness is in question. Some examples are purposefully complex passwords, checkbox compliance, and bad security awareness training.

How do we spot security theater? Is there any value to security theater? What’s the antidote? If it’s in place, how do we eradicate it?

What Is It and Why Do I Care?

We played this game before and like the “What’s Worse?!” game, the title pretty much explains it. I have three pitches from three different vendors who are all in the same category, Security Awareness Training. I have asked the reps to first, in 25 words or less, just explain their category. That’s the “What Is It?” and then for the “Why Do I Care?” I asked them to explain what differentiates their product or makes them unique also in 25 words or less. It is up to Mike and Shawn pick their favorite of each and explain why. I only reveal the winning contestants and their companies.