
The Great Security Debate

Two CISOs and a security-minded friend discuss and debate topics of security and privacy, with a focus on looking at the topic from various angles, both those they support and those they don't. Sign up for our newsletter to be notified when new episodes drop, or when new projects are announced: https://newsletter.greatsecuritydebate.net
Categories: Technology, Business, Society & Culture

Episodes

To Insure or Not To Insure: It’s Not Even a Question
Jul 1 2024

This episode of 'The Great Security Debate' delves into the complexities surrounding cyber insurance, discussing its impact on minimising business risks and ensuring compliance. Erik, Brian, and Dan talk about how connected systems and automation increase risk, and how growing reliance on AI adds to those concerns. Insurance policies, force majeure, and government regulations get some quality discussion and debate time, revealing fears and misconceptions about standardised security controls vs. adaptive security practices. And last up: the practicality and pitfalls of self-insurance, government intervention, and the need for standardised security terminology.

Show Links:
CISA Secure by Design Pledge | CISA
CISA Releases Guidance on Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses (SMBs) | CISA
The 118th Congress is the third oldest since 1789
Book - The End of the World Is Just the Beginning
Supreme Court’s ‘Chevron’ ruling means changes for writing laws - Roll Call
Insurers Warn Standardizing Cyber Policies Could Limit Future Coverage
Cyberattacks Disrupt Car Sales by Dealers in U.S. and Canada

Help support the podcast: https://ko-fi.com/distillingsecurity

We have got some exciting changes ahead, including ways to support the podcast, some big announcements, new shows and conversations, and more!

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate and Distilling Security, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Thanks for listening!

00:00 Introduction to the Great Security Debate
00:30 The Role of Cyber Insurance
01:49 Manual Processes and Business Continuity
03:09 Manufacturing and Supply Chain Challenges
06:11 Insurance Policies and Cybersecurity
08:00 Standardization and Government Involvement
19:14 The Complexity of Cyber Warfare
22:35 Globalization and Cybersecurity
30:33 Leadership vs. Boss Mentality
33:53 The Role of Communication in Crisis
36:51 The Cost of Compliance
40:30 Global Cybersecurity Challenges
44:22 The Complexity of Online Trust
47:56 Insurance and Cybersecurity
53:07 The Future of Cyber Insurance
01:00:15 Conclusion and Final Thoughts
Wear a Stop Sign On Your Shirt
Jun 6 2024

In this episode of the Great Security Debate, Brian, Erik, and Dan dive into the latest trends in ransomware, including an uptick in attacks against the hypervisor. Speaking of VMware, we also "discuss" the way that Broadcom has handled the VMware acquisition and why it both makes sense (to them) and doesn't (to many customers). The debate also heads into the impact of AI on cyber threats, and compares strategies for mitigating risk, such as prioritising vulnerabilities and understanding the attack landscape. Additionally, the conversation shifts to business practices in tech acquisitions, the potential future disruptions in the market, the importance of balancing security measures with user experience, and the need for adaptive, short-term security roadmaps to stay ahead in an ever-changing environment. And we break the big news about an upcoming Distilling Security in-person meet-up in Michigan in July!

Help support the podcast: https://ko-fi.com/distillingsecurity

Show Notes:
Broadcom execs say VMware price, subscription complaints are unwarranted | Ars Technica
What happened with AI Overviews and next steps
Book - Titan: The Life of John D. Rockefeller, Sr.

We have got some exciting changes ahead, including ways to support the podcast, some big announcements, new shows and conversations, and more!

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate and Distilling Security, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Thanks for listening!
Mine Everything
Jun 5 2024

Sorry about the audio on this one. We have got the tech back on track for the next episode. I promise!

Join the Great Security Debate as Brian, Erik, and Dan delve into 'pig slaughtering,' a scam involving rapport building to swindle victims out of money. The discussion explores the intersections of security awareness, blockchain technology, and the ethical implications of digital tracking tools like chain analysis. Featuring real-world cases, including child exploitation traced through blockchain, and the broader debate on privacy versus legality in technology use. Are public blockchain transactions truly private? And how can we balance innovative tech with ethical concerns? Tune in to hear all about it.

Help support the podcast: https://ko-fi.com/distillingsecurity

Show Notes:
Movie: Oppenheimer
Adobe has built a deepfake tool, but it doesn’t know what to do with it - The Verge
Movie: Defending Your Life
Microsoft Edge May Import Your Chrome Tabs Without Your Consent
Adobe content analysis FAQ
How the Federal Government Buys Our Cell Phone Location Data
Public By Default - Stories Found in Venmo Comments
Chainalysis
Book: Tracers in the Dark
Pig Butchering Scams: Last Week Tonight with John Oliver
7 Months Inside an Online Scam Labor Camp

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate and Distilling Security, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Thanks for listening!
Spoiler Alert: Leave the World Behind
Jun 4 2024

Join Dan, Brian, and Erik in the latest episode of The Great Security Debate as they explore the impact and implications of the movie 'Leave the World Behind.' Delving into cyber security, societal impacts of technology, and philosophical elements, this discussion touches upon vulnerability management, risk management, and the effect of constant connectivity on modern life. Tune in to hear not only their analysis of the film but also personal reflections on communication, societal changes, and practical steps for improving individual security resilience. This episode also marks the exciting announcement of the Great Security Debate becoming a part of the Distilling Security network. Don't miss out!

Help support the podcast: https://ko-fi.com/distillingsecurity

Show Notes:
Distilling Security – Consumable security, privacy, and compliance
Hackers Remotely Kill a Jeep on the Highway—With Me in It | WIRED
August 2023 Data Incident | U-M Public Affairs
Recent power outages in Ann Arbor have multiple causes, DTE Energy says
Watch Leave the World Behind | Netflix Official Site

Editor note: This episode was recorded in the final days of 2023... but was lost to technology demons until now. One of those demons made it necessary to show the Zoom screen rather than our usual edited video cast. Sorry for the inconvenience and pain on your eyes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate and Distilling Security, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.
The Downfall of All Security (Sales)
Nov 27 2023

It's not easy to sell things. It's even harder to sell to security practitioners and leaders. The Great Security Debate this week covers some angles in security tools (and selling those tools to security teams) that have taken their toll on the trust that needs to exist between those who buy and those who make the products that we use. From the software providers to the VARs (resellers) in the middle to the people and techniques used to market and sell the solutions. Some of the key topics of the discussion include:

The challenges of security tool consolidation by non-security vendors
Security is not a lock-in tool, and security is not an upsell tool
Pushing changes to products without telling the customers before they happen or letting those customers have control over the change (and whether they take it or not)
Security selling with VARs and deal registration
What are the motivators when a product is recommended to you?
You can still buy direct (and why you might want to)
The challenge of selling into the SMB
The power of the “vouch” that flies in the face of some sales methods
The importance of being genuine in sales communications (aka knock off the programmatic drip campaigns that pretend to be personal)

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Thanks for listening!
Less LLM, More Piano
Aug 21 2023

This week we are debating modern AI systems, especially the commercial ones on just about everyone's lips when talking about CVs, high school term papers, and interview answers. Large Language Models (LLMs), of which ChatGPT and Bard are two examples, are growing in prominence, but will they disrupt the technology world, or are they nothing more than just another blockchain fizzle?

In this episode:
Are these even actually "AI" models, or really just very fast processing of large data sets?
What should I (and should I not) be putting into LLMs? How does the re-teaching based on data entered impact what you should put into public LLMs?
What are some valid use cases for LLMs?
Does depending on tools like LLMs (or calculators) bring us further from a core understanding of how things work? Or should we be OK with the efficiency it brings?
How does copyright fit into the LLM expectation and model, and does the legal licensing of training data dull the shine of LLMs?
Are the analyses from LLMs skewed not only by the data chosen for training, but also by the userbase that uses that LLM?
How are any of the "good practice" security and privacy requirements for LLMs different from any other systems? Spoiler alert: not at all.

Unrelated to AI, we also talk about what happens to all the "smart" things in your house when the internet goes out. What stops working? Way more than you might think...

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Thanks for listening!

Links:
Is OpenAI almost bankrupt?: https://www.windowscentral.com/software-apps/chatgpts-fate-hangs-in-the-balance-as-openai-reportedly-edges-closer-to-bankruptcy
Maybe not bankrupt, but has a business problem: https://www.forbes.com/sites/lutzfinger/2023/08/18/is-openai-going-bankrupt-no-but-ai-models-dont-create-moats/?sh=3c8922845e22
Gartner declares LLMs at the peak of inflated expectations: https://www.gartner.com/en/newsroom/press-releases/2023-08-16-gartner-places-generative-ai-on-the-peak-of-inflated-expectations-on-the-2023-hype-cycle-for-emerging-technologies
When ChatGPT goes bad: https://sloanreview.mit.edu/article/from-chatgpt-to-hackgpt-meeting-the-cybersecurity-threat-of-generative-ai/
https://venturebeat.com/security/how-fraudgpt-presages-the-future-of-weaponized-ai/
The Circle (Movie): https://www.imdb.com/title/tt4287320/
Amazon Sidewalk, and its privacy issues: https://www.popsci.com/technology/amazon-sidewalks-privacy-concerns/
Idiocracy (Movie): https://www.imdb.com/title/tt0387808/
Moore's law is dead:...
Security *is* Business!
Jul 5 2023

It's been a minute, but we are back with another Great Security Debate! Whether it is compliance, trust, or questionnaires, we all sell something to someone, and security is core to that process. In this episode, the focus is on how security integrates into the core of each of our businesses or organisations. From being part of strategic planning, to the reminder that perfect is the enemy of progress, to the power in being a first mover on security and privacy topics:

Compliance vs security: Is it pro forma? Do you check the SOC2 (and other) reports you get from your suppliers?
You're not a special snowflake: Why won't more orgs use standard questionnaires on supplier assessments?
There are multiple ways to solve a problem, and context is key. The process and environment may mean you don't need a technology control or a specific (prescribed) technology control.
"The business" is a term that should never be uttered again by security or technology practitioners and leaders.
There is power and business value in governance and transparency in security and privacy; build trust in your brand.
We need to move our programs a layer above the specific people. Risk is reduced by living at the process layer. Heroics are not scalable.
How can preparing for a triathlon be used to describe adherence to targets that lead to good security (and the brand value that comes with it)?
Remember that you can't be "SOC2 Certified." And PFMEA is not always the answer to every question. Or is it?

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Thanks for listening!
Jess and Jeff Invade
Apr 24 2023

Welcome to a very special Great Security Debate. If it is spring, it means that the annual Forrester “Top Recommendations For Your Security Program” report has come out, and we get to visit with one of the authors, Jess Burn. But this year, we get an added extra voice in that of Jess’ Forrester colleague Jeff Pollard. Both Jess and Jeff share a ton of insight on topics from that report and a few others (see the links below for blog posts about most of them).

In this episode we cover:
How (if) CISOs have been able to become “part of the business” and help colleagues understand that in 2023 security is business.
Board reporting by CISOs and CIOs and where/how we succeed and fail.
Talent shortages in infosec: a self-created nightmare?
Consolidation in times of austerity: right or wrong for security?

Huge thanks to Jess and Jeff for joining (find their LinkedIn and Twitter in the links section). Even though Jess is legacy, we are pretty sure that Jeff will be welcomed back in 2024 with open arms.

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Thanks for listening!

Special Guest: Jessica Burn.

Support The Great Security Debate

Links:
Cybersecurity's Staffing Shortage Is Self-Inflicted
Leadership Communication and Speaker Coaching | Speak by Design | United States
Build Better Bridges: Introducing Forrester’s BISO Role Profile
Announcing Analyst Experience: SOC Analysts Finally Escape The Shackles Of Bad UX
The Pay Gap Isn’t The Only Problem For Women In CISO Roles
Top Recommendations For Your Security Program, 2023 | Forrester
How CISOs Can Navigate The 2023 Downturn
Jess Burn | LinkedIn
Jeff Pollard | LinkedIn
Jess Burn (@Jess_Burn_) / Twitter
Bankplosion!
Mar 13 2023

This week, Brian, Erik, and Dan look into the security impacts of last week’s Silicon Valley Bank closure, both as a direct security risk and for what we can learn about risk from the events leading up to the incident that we can apply to our information security responsibilities. Brian kicks it off with a great description of how Silicon Valley Bank got here (based on what we knew on 12 March 2023 - subject to change as more becomes known after). And from that, we go into some of the direct and indirect lessons and implications, such as:

Fraud attempts amongst a bevy of legitimate bank account payment change requests from companies. Check with a known source before changing where you pay.
Putting all your eggs into one (infosec or financial) basket can be risky. And risk can bring great rewards, or great resentment.
Evaluating vendors for where they bank as part of third party risk management (or not)
Clear insight into tough choices that have to be made to keep small businesses and startups running - sometimes that’s not “doing every thing of security”
Business continuity planning requires a more realistic “yeah, that could happen” when doing the review
Remember that there is no such thing as no risk, just determining the right balance of (realistic) risk and downtime for your organisation
If one vendor goes away suddenly, what happens? What about if 6 go away all at once? Diversity of suppliers vs. focusing on basics in the security stack

Along with some strong recommendations (or maybe they are warnings) for our security vendor listeners on how not to use this incident as a sales tool (tl;dr: DON’T!), there are a few correlations to the automotive industry. And check out the book club recommendations in the show notes on our website www.greatsecuritydebate.net, too.

Since we recorded, another bank, Signature Bank, has also been closed and placed into receivership. On behalf of all of us at Great Security Debate, we wish all those affected, either as companies of these banks or their customers, good wishes and hope for good news ahead on the recovery of funds.

Thanks for listening!

Support The Great Security Debate

Links:
The Demise of Silicon Valley Bank - by Marc Rubinstein
All the Devils Are Here: A Novel (Chief Inspector Gamache Novel Book 16) - Kindle edition by Penny, Louise. Mystery, Thriller & Suspense Kindle eBooks @ Amazon.com.
Silicon Valley Bank profit squeeze in tech dip attracts short sellers | Financial Post
The Tenth Man Rule - Principle Explained
The Innovator's Dilemma: The Revolutionary Book That Will Change the Way You Do Business: Christensen, Clayton M.: 8601300047348: Amazon.com: Books — https://amzn.to/3LcZKvT
The Innovator's...
Back to Normal?
Feb 27 2023

The Great Security Debate Book Club is in FULL force this week as we talk about life after you’ve gotten the job in information security and are looking for the growth and promotion that come as you grow your career. Check out the show notes on our website www.greatsecuritydebate.net/48 to get links to all the books, articles, and references we discuss throughout the show. A mere appetiser-sized sampling of the topics we cover in this hour includes:

What does it mean to “return to normal” in work in 2023?
How do you grow in your role once you are in the infosec field?
The “old-man” perspective on entitlement in growing within jobs
What approaches work (and don’t work) when asking for promotions, raises, or new roles within your organisation
Conversely, how to approach getting responsibilities added without getting additional compensation
Using the word “I” vs “We” when talking about a job and your team
What factors and risks outside the office to consider when looking at role and organisational growth
The importance of knowing the difference between what you want to say vs how it will be received when read by the recipient
What do you do when you find yourself as (or think you are) the smartest person in the room?
What resources can people use to get ready for their next growth step at work?
How can networking and mentoring be valuable to find the next position?

Since it came up a few times in the show, remember that not every security career path ends with becoming a CISO, nor should we expect that everyone in infosec wants to become a CISO!

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Thanks for listening!

Support The Great Security Debate

Links:
High-Earning Men Are Cutting Back on Their Working Hours - WSJ
Census: Michigan's population drops again for 2nd consecutive year
5 Whys - Getting to the Root of a Problem Quickly
Little Giants: 10 Hispanic Women Who Made History: Calderon, Raynelda A., Donna, Wiscombe: 9781733139229: Amazon.com: Books
Amazon.com: True North, Emerging Leader Edition:
Uninsurable!
Jan 16 2023

Insurance for information security is changing. Recently some reports came out that there were moves by insurance companies to leave the cybersecurity insurance market - that it was uninsurable. Dan, Brian, and Erik discuss on this week's Great Security Debate:

What happens now that cybersecurity insurance is built into contracts and requirements by customers doing business with other companies?
Are the carveouts such that it’s easier to just pay and not inform insurance that you want them to pay for the incident?
Does having “easy” insurance give too many orgs a pass on having to actually improve their security control sets?
How do insurance “formularies” make companies less secure by not letting them buy the newer, better technologies? Conversely, how does the formulary of products help prevent buying junk tech that calls itself “security”?
How does the threat of nonpayment of expenses and losses by insurance companies after the fact affect organisational security decisions for or against the formulary?
How is relying on insurance to determine tech standards the same as the EU demanding all chargers be USB-C?
Does insurance go away altogether? Do we want it to go away?
What is the law of the horse and how does it apply to insurance in information security?
Can shifting downstream supplier risk into insurance really work to reduce risk?
Is security a cost centre, a cost of doing business, or a potential profit centre for orgs?
Should we shift from an insurance mandate to “figure it out”?
How does the conscious decision not to patch because the patch causes worse issues affect the insurance coverage?
How can we balance the expectation with our technology suppliers to maintain support longer, especially on IoT or high-cost, long-life devices?
Can a move toward clear, yet broad, expectations on controls be enough to meet security expectations for insurance without prescriptive formularies of technology and process?

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Thanks for listening!

Support The Great Security Debate

Links:
Large Insurer Says Cyber Attacks Are Becoming 'Uninsurable'
3 Times Businesses Were Denied Cyber Insurance Payouts. | Managed IT
USB-type C to become EU's common charger by end of 2024 | News | European...
A Niche Inside a Niche Is Really Just a Quiche
Dec 27 2022

Welcome to the year-end 2022 episode of The Great Security Debate. In this hour, Brian, Erik, and Dan cover myriad ways hiring processes are failing job seekers and hiring organisations. It all kicked off with the impersonal nature of automated one-way video interviews. It quickly jumped into the myriad other ways we can do better on both sides, including (but not limited to):

Do video interviews encourage fraud? Multiple jobs for one person? A fake version of you applying for a job?
Why are hiring managers and HR using video interviews? Are there legitimate reasons?
Does the lack of ability to assess the candidate’s response to the interviewer’s response make the interview less effective?
What is the impression left when a candidate is immediately rejected based on analytics and matching, not human interaction?
What’s the value of using your network around a broken applicant system? What do we lose by only depending on our networks for hiring?
How do these recorded methods exclude introverts and others that may not be camera comfortable in their presentation skills?
Can and should there be roles for people at higher levels that don’t include people management?
Is “AI” (term used in quotes on purpose) really the antithesis of diversity or inclusion?
How is connecting people to others and helping them expand their networks better than sending resumes to people you know?
In times of cash crunch, will hiring come from experienced people having been let go from roles, or from hiring entry-level people and upskilling them?

You’ll also get a few mentions of Buzzword Bingo; the shocking revelation that Brian works for a vendor; and Dan goes on a tirade about new software that does recording and analysis in Zoom meetings with and without permission. It’s another great debate!

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Thanks for listening!

Support The Great Security Debate

Links:
Our Love-Hate Relationship With Security Certifications
Cyber Certifications - The Self Licking Ice Cream Cone of Misery
The Great Security Debate Episode 45: Live From the Big House
The Great Security Debate Episode 43: New Team, Who Dis?
Michigan Council of Women in Technology Foundation / Michigan council of women in technology...
Live From the Big House
Oct 30 2022

Recorded on Saturday 29 October 2022, at the tailgate before the University of Michigan vs Michigan State University (American) football game, Brian, Erik and Dan chat about the news of the day, with more than a few correlations back to football. And we had a special guest join us, too: Zah Gonzalvo Rodriguez.

There was an upcoming OpenSSL vulnerability hitting the world this week. How would a Software Bill of Materials (SBOM) make the response easier?
A reminder of our dependence on the stability and security of some very core tools (like OpenSSL) to run our businesses. Not to mention the fact that such tools are often within the libraries we use and we don’t even realise they're there.
Similarities between football and security in the need to adjust based on what the other team shows signs of throwing at you, and further based on what they actually bring to the line.
How repeatable process and inventory help make the response to these vulnerability disclosures less like a fire drill and more like standard ops.
Did you know that credit ratings are being affected by information security posture and breach response?
Same thing with M&A and investment valuation… if you’re not as mature in security and privacy you may see a discount taken on your value!
How transparent should we be with peer companies and the public world about our security posture (like incident response plans, and security controls in place)?

And if you’re curious, you can find out what team Dan (the lifelong Badger) was supporting in the game. Congratulations to the University of Michigan on later winning this game, and to both teams for keeping the rivalry alive and spicy.

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Thanks for listening!

Support The Great Security Debate
No More Ads, No More Privacy Problem?
Oct 3 2022

This week’s debate comes amid a combo platter of increased analytics leading to near-immediate contact when visiting a product’s website, along with more clarity from enforcement bodies about how they will approach their respective privacy legislation. One such fine was the Sephora CCPA matter, in which the California Attorney General levied a $1.2M fine on the company (https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement).

Listen in to hear Dan, Brian and Erik talk about:
Are privacy and shareholder value at odds? How does protecting the privacy of the consumer help shareholder value?
A reminder that security and privacy can serve as a business differentiator
How to deal with the reputation of a company being set by misleading headlines (and people not reading the actual article/detail)?
Do better privacy practices in companies lead to reduced data for sale on the illicit market?
Does just “saying no to data collection” by companies make for a better privacy posture?
How long should (vs. how long do) you hold onto data?
How will companies be judged in the future by how they manage data today?
Are ads themselves the source of all our problems? Why does the push for more advertising to reduce costs increase the push for more data collection?

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Thanks for listening!

Support The Great Security Debate

Links:
Sephora Hit with $1.2M Fine in First CCPA Enforcement - CompliancePoint
Patagonia Founder Gives Away the Company to Fight Climate Change - The New York Times
RMISC - Rocky Mountain Information Security Conference
500 million LinkedIn users' data is for sale on a hacker site | CNN Business
Uber breached by hacker in cybersecurity incident - The Washington Post
'Astonishing.' Morgan Stanley hard drives holding sensitive client data got auctioned off online | CNN Business
New Team, Who Dis?
Sep 1 2022
We've all seen it (or been it): a new boss arrives at the company and quickly thereafter a bunch of their old colleagues get hired. It feels like they are getting the band back together at the new place. What does that say to the organisation about that leader? What does doing the opposite (pausing, growing from within) say differently? Brian, Dan and Erik discuss, debate and dissect this from a few angles, including some of the following:
- The power of threes: three paths when you come in as a new leader (bring your own, nurture within, hire all new), and the three arcs of a company (startup/scrappy, growth/maturation, steady/run).
- Two critical skills we wish we were taught in school and earlier in work: communications and public speaking
- The impact of culture on leadership and how leaders approach the staffing question; how you bring people in will be the biggest impact on the culture of the organisation
- How can metrics hide the actual performance of the team?
- Are the CISO retention numbers as bad as the urban myth? Are CISOs staying longer than we think they are?
- What organisational situations drive leaders to resort to bringing in the people they know and trust vs. trusting those already there?
- How does growth by acquisition change the way we approach the listening and staffing of our teams and supporting our organisations?
- Approaches to finding people to provide new perspectives, without having already worked with them directly
- How does geographic culture affect the decision on how to staff your team as a new leader in an organisation?

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links.

Thanks for listening! Support The Great Security Debate

Links:
- The Great Security Debate Episode 40: What Got You Here Won’t (Necessarily) Get You There
- Steve Jobs Last Words – Jessica Peng
- Amazon.com: Power Moves: Lessons from Davos (Audible Audio Edition): Adam Grant, Adam Grant, Audible Originals: Audible Books & Originals
- Amazon.com: Small Giants: Companies That Choose to Be Great Instead of Big: 9781591840930: Burlingham, Bo: Books
- Zingerman's Community of Businesses - inside the center of the gastro-deli universe
- Warren Buffett - Only when the tide...
Subscribe and Don't Like!
Aug 18 2022
Are we getting subscription overload? The move to more and more subscriptions is good for those selling, but are they good for those buying, too?
- Do subscriptions offset by other non-cash costs (e.g. data collection, advertising) reduce subscription fatigue? How does that fit into the security product world? What are the risks of making security technology only for those that can't afford it? Why are the ad-supported versions more heavily marketed than the no-ad versions?
- How do subscriptions encourage continuous development of software and features? What about innovation?
- What's a persistent feature, and what can be revoked or shifted into a different subscription tier? (Take a look at Slack's recent move to make the free tier way less valuable and encourage the need to move to a paid tier.)
- Does the combinatoric vastness of features that can go on and off based on the subscriptions you buy introduce an unnecessary or unsafe risk of their not working well together in specific combos?
- What are the legalities of jailbreaking your software rather than paying to activate it by subscription? How does doing so affect the liability and effectiveness of the product?

We also talk about some things unrelated to subscriptions (and cars)!
- What is needed to adapt your communications (and subscription sales pitch) to VC/PE vs. the CIO/CISO at a company? East coast vs. west coast? Etc.
- Tips for job candidates on looking for public info on what a company thinks is important from security and risk (hint: it's SEC filings like the 8-K and 10-K!)

Tune in to delight as Dan rants in Yiddish and then messes up the names of some of the most popular movies of our time. Enjoy seeing (or hearing) Erik get on a soapbox stumping for Six Sigma. Binge on Brian talking about automotive manufacturing (who knew) and, for once, not broadcasting from a "train station".

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.

If you're watching on YouTube, we are very sorry for the video sync issues this week! The sound is great, but one of our hosts does a very poor Milli Vanilli impression. We are writing up the root cause analysis documents and issuing CAPAs to keep it from happening again.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links.

Thanks for listening! Support The Great Security Debate

Links:
- Crossing the Chasm, 3rd Edition: Marketing and Selling Disruptive Products to Mainstream Customers (Collins Business Essentials): Moore, Geoffrey A.: 9780062353948: Amazon.com: Books
- This Is How They Tell Me the World Ends: The Cyberweapons Arms Race - Kindle edition by Perlroth, Nicole. Politics & Social Sciences Kindle eBooks @ Amazon.com.
Fake It Till You Make It?
Aug 3 2022
It's the dog days of summer here in the northern hemisphere, and we have some episodes to make the hot, muggy days go by faster (or the drive up to the cabin in the woods to escape it all).

This week Dan, Brian and Erik talk about what it takes to be a Virtual or Fractional CISO. Does someone that calls themselves one need to have had in-house CISO experience to do the job? Or do the fresh perspectives of someone that doesn't come with history benefit the organisation in a different way? Risks, challenges, and talking to Boards of Directors definitely have a strong place in the debate (and we hit on all of them).

We will be back with more episodes through August and then back to our usual bi-weekly pace as we hit the autumn.

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.

If you're watching on YouTube, we are very sorry for the video sync issues this week! The sound is great, but one of our hosts does a very poor Milli Vanilli impression. We are writing up the root cause analysis documents and issuing CAPAs to keep it from happening again.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links.

Thanks for listening! Support The Great Security Debate

Links:
- Sonny 🇨🇦❄️⚓ on Twitter: "WTF is this ??? #CyberSecurity #InfoSec https://t.co/DLHivTJ9Qw" / Twitter
- This Is How They Tell Me the World Ends: The Cyberweapons Arms Race: Perlroth, Nicole: 9781635576054: Amazon.com: Books
- Sajay Rai — Securely Yours LLC
- Securely Yours LLC
- Sajay Rai CPA, CISSP, CISM | LinkedIn
- Amazon - Extreme Ownership: How U.S. Navy SEALs Lead and Win: Willink, Jocko, Babin, Leif: 9781250067050: Books
- CISO MindMap 2022: What do InfoSec Professionals really do?
- Rafeeq Rehman | Cyber | Automation | Digital