No security alert is too small for us to completely misrepresent its severity. The sky is falling on the latest episode of CISO/Security Vendor Relationship Podcast.



This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Dena Bauckman (@dbauckman), vp of product management, Zix.

Thanks to this week’s podcast sponsor, Zix

Zix simplifies administration and reporting with a single management interface. Configuring, deploying, and monitoring email security and unified archiving services has never been easier – or faster. ZixSuite combines a cloud-based email threat protection, email encryption, and unified business communications archiving, all backed by Zix’s gold standard 24/7/365 support.

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

Why is everybody talking about this now?

Two recent stories showed some fallibility in multi-factor authentication or MFA. We repeatedly recommended MFA on this show. But, the FBI announced some technical and social engineering techniques that are being used to break multi-factor authentication. In addition, Twitter admitted that email addresses and phone numbers used to set up MFA might have been sent to third party advertisers. The FBI says its news shouldn’t change our trust in MFA. William Gregorian, CISO, Addepar, posted on LinkedIn that the press is claiming that MFA is broken and that’s irresponsible journalism.

Let’s dig a little deeper

Security professionals thrive on hearing about and learning about the latest threats. It feeds the latest security headlines and conferences. While it’s often fascinating and keeps everyone interested, to what level are security concerns based on well-known years old threats vs. the latest threats?

“What’s Worse?!”

Whose mistakes are worse? Yours or the vendors’?

Please, enough. No, more.

We’ve talked a lot about machine learning on this show and the definition of it is broad. What’s ML’s value in threat protection. We discuss what we’ve heard enough about with regard to machine learning being used for threat protection And what would we like to hear a lot more.

When companies in retail or enterprise remind their online visitors to change their passwords, are they doing them a favor or causing them grief? Password managers exist, of course, as do newer forms of passwordless authentication, multifactor authentication and behavioral and biometric data.

But ultimately, whose responsibility is this? Should a merchant website place the onus of personal security back on the customer? And if so, how would this protect the merchant’s own property? If this jeopardizes a sale or transaction, the cost of proactive security, at least for the short term appears too great. And it’s obvious, from the avalanche of data breaches of recent years that stored data of any sort becomes a permanent liability.

Password managers offer the unique benefit of hashing and encrypting personal data so that it doesn’t exist in full form at either end. Much like tokenization technology being used in point of sale transactions no data is kept static. Ultimately the marketplace will decide. Customers will go where they feel safest AND where they feel they are getting the best deal. But as always, in a trustless economy, it is vital to trust no one else. Because unlike a straight-up robbery, lost data remains a commodity forever.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

Ask a CISO

Gina Yacone, a consultant with Agio, asks, “If you’re performing a table top exercise. Who are the only three people you would want to have a seat at that table?”