If you’ve got lots of critical data, a massive insurance policy, and poor security infrastructure, you might just be a perfect candidate to be hit with ransomware. This week and this week only, it’s an extortion-free episode of CISO/Security Vendor Relationship Podcast.



This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Sean Walls (@sean_walls2000), vp, cybersecurity, Eurofins.

Thanks to this week’s podcast sponsor Core Security

Assigning and managing entitlements rapidly to get employees the access they need is critical, but it can come at the cost of accuracy and security. Core Security’s identity governance and administration (IGA) solutions provide the intelligent, visual context needed to efficiently manage identity related security risks across any enterprise.

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

How CISOs are digesting the latest security news

An article in the NYTimes points to a new trend in ransomware that is specifically attacking small governments with weak computer protections and strong insurance policies. Payments from $400-$600K. Lake City, Florida, population 12K paid $460K to extortionists. They got some of their information back but they have been set back years of what will require rescanning of paper documents. Mike, I know your standard philosophy is to not pay the ransom, but after a ransomware attack against the city of Atlanta, the mayor refused to pay $51,000 in extortion demands, and so far it’s cost the city $7.2 million. Probably more. These payments by the small cities must be incentivizing more attacks. Does this information change the way you’re willing to approach ransomware. What can a small city with zero cybersecurity staff do to create a program to reduce their risk to such a ransomware attack?

Ask a CISO

Bindu Sundaresan, AT&T Consulting Solutions, asks a very simple question, “How is each security initiative supporting the right business outcome?” Do you find yourself selling security into the business this way? If not, would you be more successful selling security to the business if you did do this?

What’s Worse?!

We’ve got a split decision on what information we prefer after a breach.

Listen up, it’s security awareness training time

Jon Sanders, Elevate Security, said, “Security awareness involves A LOT of selling… there’s no cookie cutter approach in security awareness or sales!” Is the reason security training is so tough because so many security people are not born salespeople? I’ve interviewed many and there’s a lot of “just listen to me attitude,” which really doesn’t work in sales.

We talk a lot about penetration testing here, given that it remains a staple of proactive IT security. But not everyone feels it’s all it’s cracked up to be. Or should that be, all it’s hacked up to be?” More than one cybersecurity organization points out there are a few flaws in the pen testing concept that make it worth a second look.

Pen testing often consists of a small collection of attacks performed within a set time period against a small sample of situations. Some experts doubt the efficacy of testing against a limited field of known vulnerabilities, without knowing what other weaknesses exist in plain sight, or merely invisible to jaded eyes.

Since so much of data and network operations remains in a state of flux, what works to detect an anomaly one day might be completely lost at sea the next. Much depends on the ability and knowledge of the tester. Frameworks designed to offset these flaws can go quickly out of date. And who is doing the testing anyway? Are they prone to intentional or accidental sabotage of the very system they were hired to test? Is there a clear definition between actual penetration and simple breaking of stuff?

And as paradoxical as this sounds, sometimes there is greater liability in discovering a flaw than in letting sleeping dogs lie.

The weakness largely stems from the conscious decision to test, similar to doctors who diagnose a patient based on a pre-existing bias: “We were looking for evidence of cancer and we found none,” which does not eliminate a myriad of other causes of an illness, and in fact sometimes precludes them from detection.

Opinions about pen testing will always be divided, but I always like to go back to a fundamental analytical question: “what do we not know that we don’t know?”

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

What do you think of this pitch?

We have a pitch from Technium in which our CISOs question what exactly are they selling?