There are so many fantastic certifications out there for security professionals. But we’ve found the one certification that will really help you land the right job really quickly, is to provide proof that you know some people at our company who can vouch for you. Remember, we are a business that operates on trust, not giving people their first chances in cybersecurity.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest this week is Jesse Whaley (@jbit4n6), CISO, Amtrak.

Thanks to this week’s podcast sponsor, Adaptive Shield

Adaptive Shield ensures companies gain control over their SaaS app security and prevents the misconfigurations and vulnerabilities that could lead to a leak or breach. Adaptive Shield connects to any app, continuously monitors all configurations, provides a complete picture of the company’s SaaS estate, and enables quick remediation of any potential threats.

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

Why is everybody talking about this now?

Should cybersecurity professionals fight back rather than block and tackle? Former US government cyber security chief Chris Krebs has called on law enforcement and others to fight back against ransomware attackers. Krebs suggested posting the hackers' private information with malicious intent, AKA doxxing. "Hacking back" is dangerous because attribution is hard and you're essentially taking the law into your own hands, yet Chris Krebs is recommending it, given that ransomware is the biggest threat.

Dan Lohrmann of Security Mentor shared this article from the Financial Times and it drove a lot of debate. We’ve heard this before, but from someone like Chris Krebs, that’s astonishing. What level of fighting back should people be comfortable with?

Are we having communication issues?

"I push back [on vendors] because I want depth and context from first contact," said John Keenan, director of Information Security at Memorial Hospital at Gulfport. In this post on LinkedIn he said he's annoyed with vendors' generic first outreach, and that when he declines, their response is "Well, I had to give it a shot." If they want a real connection, they should include "What's In It for Me." A generic response of "I think you'll really like what we've got to show" does not qualify. Let's talk about who has ever received a first (or heck, any) contact that did have depth and context and could clearly articulate the "what's in it for you" message.

“What’s Worse?!”

This week’s challenge is from Nir Rothenberg, CISO, Rapyd.

How have you actually pulled this off?

Hiring in cybersecurity is a bear. As we've discussed before on this show, there's actually plenty of supply and demand in cybersecurity, yet jobs are not getting filled, possibly because of unreasonable requirements. Let's talk about what percentage of all the ideal skills people are willing to accept in a new hire, and about situations where someone was hired who didn't possess that must-have skill for the job. And let's also look at the most effective training or mentoring technique used to get employees to adopt those skills.

Hey you’re a CISO. What’s your take?

On Twitter, Alyssa Miller AKA @alyssaM_InfoSec asked: “You’re the CISO, rank the priority of the following list from a security perspective and explain your reasons:

A. A well-defined vulnerability management program
B. A reliable configuration management database/Asset Inventory
C. A comprehensive metrics and reporting practice."

A slight majority voted B, A, C, that is, asset management first, then vulnerability management, then metrics. But there was plenty of disagreement. Let's look at that.