Do you want a security vendor that says they’re good at protecting you from malware or a vendor that’s honest with you about their failure rates? Whatever happens you’ll take it on the latest episode of CISO/Security Vendor Relationship Podcast recorded live in NYC for the NY Information Security Meetup (@NYInfoSecurity). Thanks for hosting our recording!



This super-sized special episode features drop-in co-host, John Prokap (@JProkap), CISO of HarperCollins Publishers, and our guest Johna Till Johnson (@JohnaTillJohnso), CEO of Nemertes Research.

Check out all the awesome photos from the event.

Thanks to our sponsor Context Information Security

Context Information Security is a leading technical cyber security consultancy, with over 20 years of experience and offices worldwide. Through advanced adversary simulation and penetration testing, we help you answer the question – how effective is my current cyber security strategy against real world attacks?

Got feedback? Join the conversation on LinkedIn

On this episode

How CISOs are digesting the latest security news

To Facebook, our data in aggregate is very valuable. But to each individual, they view it as essentially worthless as they’re happy to give it away to Facebook for $20/month. I don’t see this ever changing. Does an employees carelessness with their own privacy affect your corporation’s privacy?

Why is everybody talking about this now?

Rich Mason, former CISO at Honeywell posted about the need to change the way we grade malware. He noted that touting 99 percent blocking of malware that allows for one percent failure and network infection is actually a 100 percent failure. It’s the classic lying with statistics model. How should we be measuring the effectiveness of malware?

What’s Worse?!

We play two rounds trying to determine the worst of bad security behavior.

What’s a CISO to do?

A CISO can determine their budget by:

1: Meeting compliance issues or minimum security requirements
2: Being reactionary
3: Reducing business risk
4: Enabling the business

Far too often, vendors have preyed on reactionary and compliance buyers. But the growing trend from most CISOs is the reduction of business risk. How does this change a CISO’s budgeting?

Let’s dig a little deeper

We bring up “do the basics” repeatedly on this show because it is often the basics, not the APTs, that are the cause of a breach or security failure. Why are the basics so darn hard and why are people failing at them?

What do you think of this pitch?

We’ve got two pitches for my co-host and guest to critique.

And now this…

We wrap up our live show with lots of questions from the audience.

Got feedback? Join the conversation on LinkedIn