Rest Assured, We’re Confident Our Security Sucks

We may not have the protection you want, but what we lack in adequate security we make up in confidence. Sleep better at night after you listen to this week’s episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Billy Spears (@billyjspears), CISO, loanDepot.

Thanks to this week’s podcast sponsor, CyberInt

The high ROI is what makes spear phishing campaigns so attractive to threat actors. Read our breakdown of TA505’s latest series of attacks. CyberInt has been tracking various activities surrounding this and other similar attacks in which legitimate tools and services were used to compromise international companies in the retail and financial industries.

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

Why is everybody talking about this now?

Tip of the hat to Eduardo Ortiz for forwarding a discussion that Stuart Mitchell of Stott and May initiated on LinkedIn, asking whether there should be a “golden bullet” clause in a CISO’s contract. He was referring to the CISO of Capital One, who had to step down and take on a consulting role after the breach. What are the arguments for and against?

Ask a CISO

Nir Rothenberg, CISO, Rapyd asks, “If you were given control of company IT, what would be the first things you would do?”

What’s Worse?!

Should a CISO be closing sales or securing the company?

Hey, you’re a CISO, what’s your take on this?

According to Nominet’s Cyber Confidence Report, 71 percent of CISOs say their organization uses the company’s security posture as a selling point, even though only 17 percent of CISOs are confident about their security posture. There are probably many factors that contribute to this disparity. Is it a gap that will ever close, or is this just the nature of security people vs. sales?


Bluetooth is a convenient and easy method of sharing data between devices, which, of course, makes it a prime target for exploitation. A trio of researchers has discovered a vulnerability that could affect billions of Bluetooth-enabled devices, including phones, laptops, IoT and IIoT technologies.

In short, this Key Negotiation of Bluetooth vulnerability, which has been given the acronym KNOB, exploits the key-size negotiation step of the pairing encryption protocol in the Bluetooth Classic wireless standard, which permits encryption keys with entropy anywhere between 1 and 16 bytes (octets). An attacker positioned between the two pairing devices forces both of them to agree on a key with only 1 byte (8 bits) of entropy, after which the key can simply be brute-forced.

This is not an easy hack: it depends heavily on timing and physical proximity to the pairing, and it does not affect all Bluetooth devices. However, when successful, it can expose transmitted data and allow ciphertext to be injected. More information is available at

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

What do you think of this pitch?

How targeted should your pitch have to be?

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.