Oct 10, 2019
All links and images for this episode can be found on CISO
How can software and our security programs better be architected
to get users involved?
Check out this post for the discussion that is the basis of our
conversation on this week’s episode co-hosted by me, David
Spark (@dspark), the
creator of CISO
Series, and Allan
Alford (@AllanAlfordinTX). Our
sponsored guest for this episode is Adrian Ludwig,
CISO, Atlassian, a
customer of our sponsor, Castle.
Thanks to this week’s podcast sponsor, Castle.
Castle is helping businesses keep customers’ online accounts
safe from targeted account takeovers, automated credential
stuffing, and risky user transactions. Castle’s user-centric
approach to account security allows organizations to fully automate
threat response and account recovery in real-time with risk-based
authentication, granular access policies, and custom workflows.
Learn more at www.castle.io
On this episode of Defense in Depth, you'll
- It's impossible to create a security system that removes the
user from the equation. They are integral and they have to be part
of your security program.
- Security is defined by the individual.
- The minimum expectation you can have of your users is that
they'll operate in good faith.
- Avoid complexity because as soon as it's introduced it drives
- Instead, keep asking yourself, how can I make security more
- Individuals are suffering from alert fatigue. If you're going
to send an alert to a user, make it relevant and actionable. And
always be aware that your security alerts are not the only alert
the user is seeing and deciding or not deciding to take action
- Think about all the alerts you completely ignore, like the
confidentiality warning in a corporate email.
- One of the main problems with security is the party who suffers
is not the one who has to act.
- The user often does not have any stake in the goods he/she is