We’ve got better ways to determine the overall quality of your security posture than asking this unanswerable question. It’s all coming up on CISO/Security Vendor Relationship Podcast.



This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Helen Patton (@osucisohelen), CISO, Ohio State University.

Thanks to this week’s podcast sponsor Trend Micro

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

Why is everyone talking about this now?

Jamil Fashchi, CISO, Equifax, “In speaking with a CEO the other day, I was asked, ‘As someone who isn’t technical, what questions should I ask to determine if my security team is effective?'” This caused a flurry of discussion. What’s your advice, and do you agree it’s a lot better question than “How secure are we?”

Hey, you’re a CISO, what’s your take on this?

One issue that comes up a lot in cybersecurity is the lack of diversity. We have discussed the value of diversity, in that it avoids “one think” and brings in the critical need of different viewpoints. The problem is we’re often attracted to people like us, and we ask for referrals which if you hired people like you is probably going to deliver more people like you. We focus this discussion on actionable tips that CISOs can take to bring in a diverse workforce.

What’s Worse?!

What’s it like to work with the business and their acceptance or lack of acceptance of risk?

First 90 days of a CISO

Steve Luczynski, just became CISO of T-Rex Corporation. In the past the CIO has handled both IT and security at the company.

“Now with a CISO onboard, the struggle is figuring out who does what with the expected reluctance by the CIO to let go of certain things and trust me, the new CISO to maintain the same standards. For example, I wanted to change our password policy when I first showed up to match the new NIST guidance of not changing based on a set time period. There was disagreement and it did not change even when I showed the NIST verbiage,” said Luczynski.

How should Steve deal with such disagreements?

Ask a CISO

For a while, FUD (fear, uncertainty, and doubt) worked on the average person, to get them to install basic security measures, like an anti-virus. But it appears that’s all changed. The cause could be apathy. When there’s so many breaches happening the average person feels powerless. Are we marketing cyber-awareness wrong to non-security people? What would get them to be true advocates?

The Pre-nup. It’s a difficult thing for most people to talk about in their personal lives, but it’s something that should always be considered when setting up a relationship with a cloud service provider. Not all business relationships last, and if your organization needs to move its data to another provider, it’s not like packing up your furniture and saying goodbye to your half of the dog. 

A primary challenge with data is that it can both be there and not there. You will need to understand the procedures both obtaining and safely moving your data to a new location and also ensuring that it has been completely and securely removed from the first company’s system. Completely. And securely. This is not mere housekeeping. There are strict compliance and procedural issues, privacy issues, and of course the perpetual concerns regarding hacking and data breaches, all of which might continue to reverberate around the vestiges of improperly removed data. 

When entering an agreement with a cloud services provider, there needs to be a certain amount of clairvoyance into the future: how does this provider plan to grow as a business? What type of scalability does it offer? What are its plans regarding other client co-locating in the space? What is the tenure and career lifespan of the executive and the technicians? 

Saying goodbye actually starts at hello, and it must be one of the most focused projects you undertake. 

Check out lots more cloud security tips sponsored by OpenVPN.