While you do have to claim all of your vulnerabilities and your children, you don’t have to like all of them.
This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our sponsored guest this week is Ben Sapiro, global CISO, Great-West LifeCo.
HUGE thanks to our sponsor, Kenna Security
Got feedback? Join the conversation on LinkedIn.
On this week’s episode
Why is everybody talking about this now
Do you have a clear overall picture of how you’re protecting your environment? The Cyber Defense Matrix, an open source tool created by Sounil Yu, a former guest, offers a simple five-by-five grid: the x-axis is the five operational functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover) and the y-axis is the five asset classes cyber professionals are trying to secure (devices, applications, networks, data, users). The idea is that you fill in all 25 squares as best you can to see where your security program has gaps. Ross Young, CISO, Caterpillar Financial Services Corporation, and a recent guest on this show, has adapted the matrix by replacing the y-axis with four risks: phishing, ransomware, web app attacks, and third-party risk.
So what’s the better way of building out your security program: by the assets you’re trying to protect or by the risks you’re facing? What are the pros and cons of each method?
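To make the asset-versus-risk question concrete, here is an added example (not from the episode, and not Sounil Yu's or Ross Young's own tooling) that fills the 25-cell matrix from a constructed control inventory, then projects the same inventory onto a hypothetical risk axis. The control list and the mapping from each risk to the matrix cells it leans on are assumptions made up for the example; the point it shows is which gaps each view can and cannot see.

```python
"""Cyber Defense Matrix coverage check: asset view versus risk view.

Added example, not the episode's or any project's code. The control
inventory and the risk-to-cell mapping below are constructed for the
demonstration and are not a recommendation.
"""

# Matrix axes as described on the page: NIST CSF functions x asset classes.
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]
ASSET_CLASSES = ["devices", "applications", "networks", "data", "users"]

# Constructed inventory: (control, functions it serves, asset classes it covers).
CONTROLS = [
    ("asset inventory (CMDB)", ["Identify"], ["devices", "applications", "networks"]),
    ("EDR", ["Protect", "Detect", "Respond"], ["devices"]),
    ("email security gateway", ["Protect", "Detect"], ["users"]),
    ("WAF", ["Protect", "Detect"], ["applications"]),
    ("MFA at the IdP", ["Protect"], ["users"]),
    ("offline backups", ["Recover"], ["data"]),
    ("SIEM", ["Detect"], ["devices", "networks", "applications", "users"]),
]

# Hypothetical risk axis (the four risks named on the page), each mapped to
# the matrix cells a program would rely on against that risk.
RISK_CELLS = {
    "phishing": [("Protect", "users"), ("Detect", "users"), ("Respond", "users")],
    "ransomware": [("Protect", "devices"), ("Detect", "devices"),
                   ("Respond", "devices"), ("Recover", "data")],
    "web app attacks": [("Identify", "applications"), ("Protect", "applications"),
                        ("Detect", "applications")],
    "third-party risk": [("Identify", "data"), ("Protect", "data"),
                         ("Identify", "networks")],
}


def _cell_order(cell):
    """Sort key that keeps CSF order, not alphabetical order."""
    return (FUNCTIONS.index(cell[0]), ASSET_CLASSES.index(cell[1]))


def build_matrix(controls):
    """Return {(function, asset_class): [control names]} for all 25 cells."""
    matrix = {(f, a): [] for f in FUNCTIONS for a in ASSET_CLASSES}
    for name, funcs, assets in controls:
        for f in funcs:
            for a in assets:
                if (f, a) not in matrix:
                    raise ValueError(f"{name}: unknown cell {(f, a)!r}")
                matrix[(f, a)].append(name)
    return matrix


def asset_gaps(matrix):
    """Asset view: every empty cell in the 5x5 grid is a gap."""
    return sorted((c for c, names in matrix.items() if not names), key=_cell_order)


def risk_gaps(matrix, risk_cells):
    """Risk view: per risk, the cells it depends on that have no control."""
    return {risk: [c for c in cells if not matrix[c]]
            for risk, cells in risk_cells.items()}


def hidden_from_risk_view(matrix, risk_cells):
    """Empty cells that no listed risk maps to: the asset view flags them,
    the risk view cannot, because nothing in the risk list exercises them."""
    exercised = {c for cells in risk_cells.values() for c in cells}
    return [c for c in asset_gaps(matrix) if c not in exercised]


def render(matrix):
    """Text grid with a control count per cell, for a quick eyeball check."""
    width = max(len(a) for a in ASSET_CLASSES) + 2
    lines = [" " * 10 + "".join(a.ljust(width) for a in ASSET_CLASSES)]
    for f in FUNCTIONS:
        row = "".join(str(len(matrix[(f, a)])).ljust(width) for a in ASSET_CLASSES)
        lines.append(f.ljust(10) + row)
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(CONTROLS)
    print(render(m))
    print("asset-view gaps:", len(asset_gaps(m)))
    for risk, gaps in risk_gaps(m, RISK_CELLS).items():
        print(f"{risk:16s} uncovered cells: {gaps or 'none'}")
    print("gaps invisible to the risk view:", hidden_from_risk_view(m, RISK_CELLS))
```

With the constructed inventory the asset view reports 13 empty cells, while the risk view reports only three (Respond/users for phishing, Identify/data and Protect/data for third-party risk) and says nothing about the other ten, such as the entire Recover row outside data. That is the trade-off in miniature: the risk view tells you what to fix first against the threats you have chosen to worry about; the asset view is the only one that shows what nothing on your list is worrying about yet.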
Can you change Mike’s mind
On a previous show Mike said he is NOT a fan of security through obscurity. Utku Sen of HackerOne argues that security through obscurity is underrated. His argument was that adding “obscurity” is often costless and adds another layer to your defense-in-depth program. It is far from bulletproof, but obscurity reduces the likelihood of compromise, which lowers your overall risk. Examples he included were obfuscating the code in your program and/or using random variables in the code.
Can we change Mike’s mind? Is there a level of security through obscurity he has deployed and/or would consider?
What’s better? Good and bad data or no data?
Please, enough! No, more.
Today’s topic is vulnerability management, or more specifically, vulnerability remediation. What have you heard enough of on vulnerability management, and what would you like to hear a lot more of?
Question for the board
What misconceptions does the board have about the role of the CISO? On LinkedIn, Amar Singh of Cyber Management Alliance Limited listed what the CISO is and isn’t, and what inappropriate demands are made on them. He said the CISO is:
-NOT a super-being or a magician
-NOT there to fix IT blunders
-NOT the only guardian of the realm
-Unable to STOP all cyber-attacks.
-NOT a scapegoat/sacrificial lamb
-NOT accountable but responsible
We often get the sense that CISOs do end up playing these roles as they come and go. What can be done to temper these beliefs?