This department manager thinks their data is the most important. But then this department manager thinks their data is the most important. Are everyone’s crown jewels that important? How’s a CISO supposed to prioritize?
This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Melody Hildebrandt (@mhil1), executive vp, consumer products and engineering, and CISO, Fox.
Thanks to this week’s podcast sponsor, Herjavec Group
Got feedback? Join the conversation on LinkedIn.
On this week’s episode
Hey, you’re a CISO, what’s your take?
Recently, we did a Friday video chat on “Hacking the Crown Jewels” where we talked about what’s really important, where it resides, and who’s accessing it and when. One of the questions that came up from consultant Ian Poynter was how do you handle the conflicts from the different department leaders as to what the crown jewels are? And Jakub Kaluzny of SecuRing asked, “What’s harder, identifying your crown jewels, or protecting them?”
Can you change Mike’s mind?
Our guest, Melody Hildebrandt mentioned that as of recently she was in a pro-vendor mood Only three months into the year she has taken more new vendor meetings than in all of 2020. What changed? And can she convince Mike to do the same?
As always, this will be a surprise on the show. And no one will like the options.
If you haven’t made this mistake, you’re not in security
Even if you’ve configured your email security platform correctly, you can still fail early and often as our guest Melody discovered. But she actually published her findings on Tech Insiders, along with Paul Cheesbrough. Examples she provided included email account compromises that resulted in full evasion of standard email defenses. And given that her business is often an early target for new attacks, protection through threat analysis has become essentially useless. Her solution for enterprise email is to adopt an API-based solution instead of gateways, along with deep machine learning, and continuous protection of email rather than initial scanning and approval. Let’s look at how difficult this shift was and how Melody is managing it.
There’s got to be a better way to handle this
On Twitter I asked, “Since security people don’t get applause when nothing happens, how do you let the rest of the company know how well the security team is doing?” One mentioned a slide on reports that says “X days without a breach” others suggested showing improvements to metrics like vulnerability and mean time to response. So what do we say to the whole company, not just the board?