Jul 23, 2020
All links and images for this episode can be found on CISO
Have we reached peak InfoSec fatigue? Revolving CISOs and endless cyber recruitment OR the fact that we're spending more money to reduce even greater risk. Is it all leaving our grasp?
this post for the basis of our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, Alford (@allanalfordintx), and CISO, The Ohio State
Thanks to this week's podcast sponsor, Sonrai
Identity and data access complexity are exploding in your public cloud. 10,000+ pieces of compute, 1000s of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data that exists inside your public cloud.
On this episode of Defense in Depth, you’ll
- Are we sliding in our effort to get ahead of security issues? There's a sense the tools and our ability aren't keeping up with the
- Are we able to prove risk reduction to show that our efforts
- Those people who don't burn out are the ones who thrive on the technical and political challenges of cybersecurity.
- Disagreement on how you lead a discussion. Should it be story-based or data-based?
- Classic complaint about cybersecurity is that success is measured by the absence of activity.
- Preventative security is not easily quantifiable as reactive
- CISOs have to step up and show evidence of security's success in the most understandable and digestible format. Suggested measures and metrics: likelihood and impact, business impact analysis, security program maturity curve, framework compliance, pen test results, and threat modeling.
- FUD (fear, uncertainty, and doubt) may be effective in the short run, but it's exhausting. It never works in the long
- Approach cybersecurity altruistically. If it benefits you and those around you, then it's worth doing.
- Lean on security vendors to help you show the value of their product. The business impact will be on the CISO's shoulders, but the vendor should help build the case.