Our CISOs and Miss Manners have some rules you should follow when leaving your security program to someone else. It’s all coming up on CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is newly free agent CISO, Gary Hayslip (@ghayslip).

Thanks to this week’s podcast sponsor Trend Micro

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

Why is everyone talking about this now?

Mike, you asked a question to the LinkedIn community about what department owns data privacy. You asserted it was a function of the security team, minus the legal aspects. The community exploded with opinions. What responses most opened your eyes to the data privacy management and responsibility issue you didn’t really consider?

Hey, you’re a CISO, what’s your take on this?

Someone writing a scene for a novel asks this question on Quora: “How does a hacker know he or she has been caught?” There are lots of good suggestions. What’s your favorite scenario? And do you want to let a hacker know he or she has been caught, or do you want to hide it? Under what circumstances would each be appropriate?

What’s Worse?!

Mike decides What’s Worse?! and also what’s good for business.

First 90 days of a CISO

Paul Hugenberg of InfoGPS Networks asks, “What fundamentals should the CISO leave for the next, as transitions are fast and frequent and many CISOs approach their role differently. Conversely, what fundamentals should the new CISO (or offered CISO) request evidence of existence before saying YES?” Mike, this is a perfect question for you. You exited a CISO role and, I assume, will eventually re-enter one. What did you leave behind, and what do you expect to find?

Imagine how hard it would be to live in a house that is constantly under attack from burglars, vandals, fire ants, drones, wall-piercing radar and virulent bacteria. Most of us are used to putting a lock on the door, cleaning the various surfaces and keeping a can of Raid on hand for anything that moves in the corner. But could you imagine keeping a staff of specialists around 24/7 to do nothing but attack your house in order to find and exploit every weakness?

This, of course, is nothing new to IT security specialists who must develop and maintain a program of constant penetration testing to identify weaknesses in software code, on APIs and apps, and within every communication protocol that their organization touches. The list is endless and the attackers are relentless.

Pen testing is an art and a science that must not only seek out weaknesses within a system, but must also help us understand the sinister mindset of attackers who, for example, see a SQL injection opportunity where the rest of us merely see a Contact Us form.

The challenge will always be to question whether we are doing enough. What do we not know that we don’t know? It’s a vital task that essentially goes unrewarded when everything stays safe, but such is the nature of IT security.

Check out more cloud security tips.

Ask a CISO

Fernando Montenegro of 451 Research asks, “How do you better align security outcomes with incentives?” Should you incentivize security? Have you done it before? What works, what doesn’t?