On this episode of CISO/Security Vendor Relationship Podcast, cybercrime fails and we brag about it.
This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Geoff Belknap (@geoffbelknap), CISO, LinkedIn.
Thanks to this week’s podcast sponsor Trend Micro
Got feedback? Join the conversation on LinkedIn.
On this week’s episode
How CISOs are digesting the latest security news
We simply don’t hear enough good news cybersecurity stories that make those involved proud. What are the cybersecurity stories that aren’t being told publicly that should be?
First 90 Days of a CISO
Michael Farnum, Set Solutions, said, “If you come into the job and aren’t willing to critically review existing projects AND put a stop to the ones that are questionable, then you are going to cause yourself problems later. It might seem like an unwise political move when new to the company, but you have to be willing to swing the axe (or at least push the pause button) on anything that doesn’t make sense.” Not so easy, but where’s the line where you can actually push and say, “We’re changing course”?
It’s time to play, “What’s Worse?!”
We’ve got a split decision!
Hey, you’re a CISO, what’s your take on this?
On a previous episode of Defense in Depth, we talked about employee hacking or getting the staff on the same page as the CISO and the security program. I quoted instructor Sarah Mancinho who said, “I am a firm believer that CISOs/CIOs should have their own dedicated IT strategic communications person(s) that report to them, and not any other office. Most comms roles I’ve seen…had to report to HR/PR/General Comms….none of whom really knew anything about technology/technical comms/infosec….and had little to no interaction with the IT/security team.”
My co-host, Allan Alford, loved this idea, never had it, but would love to have it. What value could a dedicated PR person bring to the security team?
The devious new Android malware called Cerberus steals credentials by posing as a downloaded Adobe Flash Player update. That is not innovative in itself; what is interesting is how it avoids detection: it reads the phone's accelerometer to confirm that the infected target is a real device in someone's pocket and not an emulator on a security analyst's screen. According to ESET researcher Lukas Stefanko, quoted in Forbes, the app counts the physical footsteps taken by the phone's owner and deploys only once the required number has been reached. A stationary sandbox never walks, so the payload never fires there.
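To make the evasion concrete, here is an added illustration (not code from Cerberus, ESET, or this page) of the two halves of the problem: a simple threshold step counter run over accelerometer samples, and the kind of gate it feeds. The sampling rate, thresholds, and the two sample streams (a stationary emulator reporting pure gravity, and a constructed "walking" bounce at about two steps per second) are all assumptions made up for the example. The point for a defender is the second stream: an analysis sandbox that synthesizes plausible motion data satisfies the same check that a stock emulator fails.

```python
import math

SAMPLE_HZ = 50          # assumed accelerometer sampling rate (samples per second)
GRAVITY = 9.81          # m/s^2 reported by a device lying still
STEP_THRESHOLD = 1.5    # m/s^2 above the gravity baseline that counts as a step peak
MIN_STEP_GAP = 0.25     # seconds; ignore peaks closer than this (walking cadence is < 4 Hz)


def count_steps(samples, hz=SAMPLE_HZ):
    """Count steps from (x, y, z) accelerometer samples.

    Subtracts the gravity baseline from the acceleration magnitude and counts
    rising crossings of STEP_THRESHOLD, with a refractory period so one stride
    cannot be counted twice. This is a deliberately simple pedometer; real
    ones filter the signal, but the sandbox-evasion logic is the same.
    """
    steps = 0
    last_step_t = -MIN_STEP_GAP
    above = False
    for i, (x, y, z) in enumerate(samples):
        t = i / hz
        mag = math.sqrt(x * x + y * y + z * z) - GRAVITY
        if not above and mag > STEP_THRESHOLD:
            above = True
            if t - last_step_t >= MIN_STEP_GAP:
                steps += 1
                last_step_t = t
        elif above and mag < STEP_THRESHOLD / 2:
            # hysteresis: wait for the signal to drop well below the
            # threshold before arming the next crossing
            above = False
    return steps


def motion_check(samples, required_steps):
    """The gate the text describes: true only once enough steps were seen.
    Illustrative stand-in for the malware's trigger, not its actual code."""
    return count_steps(samples) >= required_steps


def emulator_samples(seconds=10, hz=SAMPLE_HZ):
    """Constructed stream from a stock emulator: the device never moves, so
    every sample is gravity on one axis. Step count is zero forever."""
    return [(0.0, 0.0, GRAVITY)] * (seconds * hz)


def walking_samples(seconds=10, hz=SAMPLE_HZ, cadence_hz=2.0, amplitude=3.0):
    """Constructed stream a sandbox could feed instead: a vertical bounce at
    ~2 steps/s riding on gravity, which the counter sees as one step per cycle."""
    out = []
    for i in range(seconds * hz):
        t = i / hz
        bounce = amplitude * math.sin(2 * math.pi * cadence_hz * t)
        out.append((0.0, 0.0, GRAVITY + bounce))
    return out


if __name__ == "__main__":
    required = 10
    for name, stream in (("emulator", emulator_samples()), ("walking", walking_samples())):
        print(f"{name}: {count_steps(stream)} steps, "
              f"deploys={motion_check(stream, required)}")
```

Ten seconds of the stationary stream yields zero steps and the gate stays closed; ten seconds of the synthetic walking stream yields twenty steps and opens it. Any dynamic-analysis environment for mobile malware needs some equivalent of `walking_samples` wired into the sensor API, otherwise the sample is simply never observed doing anything interesting.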
This points to an insidious reality: bad actors are not just trying to out-code the good guys. To an attacker, everything is an opportunity, and every element we take for granted or trust, no matter how mundane or innocent, especially a downloadable file, is a potential infection vector.
There is no way to prevent such creativity entirely, which means companies must continue to rely on the combined forces of their own infosec team and as-a-service specialists to watch for exploitable weaknesses that hide in plain sight.
Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.
Why is everybody talking about this now?
What’s behind the cybersecurity skills shortage? In an article on the Forbes Council, Mark Aiello, president of cybersecurity recruiting firm CyberSN, pointed out some ugly truths as to why it’s so difficult to hire cybersecurity talent. He pointed to low pay, the desire to find unicorns, poor job descriptions, and shortcomings in training and growth. Is the core issue that the cybersecurity industry just does a very poor job of welcoming new entrants?
Today, what does a cybersecurity professional need walking in the door? And what are CISOs willing to accept no knowledge of, yet willing to train?