Preview Mode Links will not work in preview mode

Defense in Depth

Jun 4, 2019

All links and images can be found on CISO Series (

In security, you never have enough of anything. But the scarecest resource are dedicated security people. When you're running lean, what are some creative ways and techniques to improve overall security?

Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Matt Southworth (@bronx), CISO of Priceline.

Thanks to this week’s podcast sponsor, SecurityBridge


Advanced cybersecurity for SAP, from codebase to production. Powered by anomaly detection, detect threats in real-time so that they can be remediated before any harm is done. Eliminate false-positives and focus on actionable intelligence. Ensure compliance with direction to actual vulnerabilities, with amazing intelligence dashboards guiding remediation.

On this episode of Defense in Depth, you'll learn:

  • When you manage too many people you get to a point of saturation. Are you doing security or are you managing people?
  • Core success comes from looking outside your immediate staff for security help. Most common programs are Security Champions and Security Prime. The first are just people outside of the InfoSec team who really want to learn about security, and the Prime players are actually implementing it.
  • Look for ways to reduce overheard in terms of paperwork, meetings, and unnecessary programs. If what you're doing is not helping, stop doing it.
  • Empower individuals to make their own decisions about security without the chain of command of approvals.
  • Avoid giving orders, because once you do you'll always be called into a meeting on that topic.
  • Use artificial intelligence (AI) to take work off of the security operations center (SOC) and incident response team.
  • The "lazy" sysadmin who automates all his tasks is a highly productive member.
  • Communicate to everyone that security requires the entire company's support, not just the security staff.

And here's Jan Schaumann's presentation at BsidesNYC 2016 entitled "Defense at Scale". Matt mentioned it on the show.