This week we are debating modern AI systems, especially the commercial ones on just about everyone's lips when talking about CVs, high school term papers, and interview answers.Large Language Models (LLMs), of which ChatGPT and Bard are two examples, are growing in prominence, but will they disrupt the technology world, or are they nothing more than just another blockchain fizzle?In this episode:Are these even actually "AI" models, or really just very fast processing of large data sets?What should I (and should I not) be putting into LLMs? How does the re-teaching based on data entered impact what you should put into public LLMs?What are some valid use cases for LLMs?Does depending on tools like LLMs (or calculators) bring us further from core understanding of how things work? Or should we be OK with the efficiency it brings?How does copyright fit into the LLM expectation and model, and does the legal licensing of training data dull the shine of LLMs?Are the analyses from LLMs skewed not only by the data they chose to use for training, but also by the userbase that uses that LLM?How are any of the "good practise" security and privacy requirements for LLM different from any other systems? Spoiler alert: not at all.Unrelated to AI, we also talk about what happens to all the "smart" things in your house when the internet goes out? What stops working? Way more than you might think...We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.Thanks for listening!Links:Is OpenAI almost bankrupt?: https://www.windowscentral.com/software-apps/chatgpts-fate-hangs-in-the-balance-as-openai-reportedly-edges-closer-to-bankruptcyMaybe not bankrupt, but has business problem: https://www.forbes.com/sites/lutzfinger/2023/08/18/is-openai-going-bankrupt-no-but-ai-models-dont-create-moats/?sh=3c8922845e22Gartner declares LLMs at the peak of inflated expectations: https://www.gartner.com/en/newsroom/press-releases/2023-08-16-gartner-places-generative-ai-on-the-peak-of-inflated-expectations-on-the-2023-hype-cycle-for-emerging-technologiesWhen ChatGPT goes Bad: https://sloanreview.mit.edu/article/from-chatgpt-to-hackgpt-meeting-the-cybersecurity-threat-of-generative-ai/https://venturebeat.com/security/how-fraudgpt-presages-the-future-of-weaponized-ai/The Circle (Movie): https://www.imdb.com/title/tt4287320/Amazon Sidewalk, and it's privacy issues: https://www.popsci.com/technology/amazon-sidewalks-privacy-concerns/Idiocracy (Movie): https://www.imdb.com/title/tt0387808/Moores law is dead:...

It's been a minute, but we are back with another Great Security Debate!Whether it is compliance, trust, questionnaires, we all sell something to someone and security is core to that process.In this episode, the focus is on how security integrates into the core of each of our businesses or organisations. From being part of strategic planning, the reminder that perfect being the enemy of progress, to the power in being a first mover on security and privacy topics:Compliance vs security: Is it pro forma? Do you check the SOC2 (and other) reports you get from your suppliers?You're not a special snowflake: Why won't more orgs use standard questionnaires on supplier assessments?There are multiple ways to solve a problem, and context is key. The process and environment may mean you don't need a technology control or a specific (prescribed) technology control."The business" is a term that should never be uttered again by security or technology practitioners and leaders.There is power and business value in governance and transparency in security and privacy; build trust in your brand.We need to move our programs a layer above the specific people. Risk is reduced by living at the process layer. Heroics are not scalable.How can preparing for a triathlon be used to describe adherence to targets that lead to good security (and the brand value that comes with it)Remember that you can't be "SOC2 Certified." And PFMEA is not always the answer to every question. Or is it?We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.Thanks for listening!

Welcome to a very special Great Security Debate. If it is spring, it means that the annual Forrester “Top Recommendations For Your Security Program” report has come out, and we get to visit with one of the authors, Jess Burn. But this year, we get an added extra voice in that of Jess’ Forrester colleague Jeff Pollard. Both Jess and Jeff share a ton of insight on topics from that report and a few others (see the links below for blog posts about most of them)In this episode we cover:How (if) CISOs have been able to become “part of the business” and help colleagues understand that in 2023 security is business.Board reporting by CISOs and CIOs and where/how we succeed and fail.Talent shortages in infosec: a self-created nightmare?Consolidation in times of austerity: right or wrong for security?Huge thanks to Jess and Jeff for joining (find their LinkedIn and Twitter in the links section). Even though Jess is legacy, we are pretty sure that Jeff will be welcomed back in 2024 with open arms.We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.Thanks for Listening!Special Guest: Jessica Burn.Support The Great Security DebateLinks:Cybersecurity's Staffing Shortage Is Self-InflictedLeadership Communication and Speaker Coaching | Speak by Design | United StatesBuild Better Bridges: Introducing Forrester’s BISO Role ProfileAnnouncing Analyst Experience: SOC Analysts Finally Escape The Shackles Of Bad UXThe Pay Gap Isn’t The Only Problem For Women In CISO RolesTop Recommendations For Your Security Program, 2023 | ForresterHow CISOs Can Navigate The 2023 DownturnJess Burn | LinkedInJeff Pollard | LinkedInJess Burn (@Jess_Burn_) / Twitter

This week, Brian, Erik, and Dan look into the security impacts of last week’s Silicon Valley Bank closure, both from a direct security risk, but also what we can learn about risk from the events leading up to the incident that we can apply to our information security responsibilities.Brian kicks it off with a great description of how Silicon Valley Bank got here (based on what we knew on 12 March 2023 - subject to change as more becomes known after). And from that, we go some of the direct and indirect lessons and implications such as:Fraud attempts amongst a bevvy of legitimate bank account payment change requests from companies. Check from a known source before changing where you pay.Putting all your eggs into one (infosec or financial) basket can be risky. And risk can bring great rewards, or great resentmentEvaluating vendors for where they bank as part of third party risk management (or not)Clear insight to tough choices that have to be made to keep small business and startups running - sometimes that’s not “doing every thing of security”Business continuity planning requires a more realistic “yeah that could happen” when doing the reviewRemember that there is no such thing as no risk, just determining the right balance of (realistic) risk and downtime for your organisationIf one vendor goes away suddenly, what happens? What about if 6 go away all at once? Diversity of suppliers vs. focusing on basics in the security stackAlong with some strong recommendations (or maybe they are warnings) for our security vendor listeners on how not to use this incident as a sales tool (tl;dr: DON’T!), there are a few correlations to the automotive industry. And check out the book club recommendations in the show notes on our website www.greatsecuritydebate.net, too.Since we recorded another bank, Signature Bank, has also been closed and placed into receivership. On behalf of all of us at Great Security Debate, we wish all those affected either as companies of these banks or their customers good wishes and hope for good news ahead on the recovery of funds.Thanks for listening!Support The Great Security DebateLinks:The Demise of Silicon Valley Bank - by Marc RubinsteinAll the Devils Are Here: A Novel (Chief Inspector Gamache Novel Book 16) - Kindle edition by Penny, Louise. Mystery, Thriller & Suspense Kindle eBooks @ Amazon.com.Silicon Valley Bank profit squeeze in tech dip attracts short sellers | Financial PostThe Tenth Man Rule - Principle ExplainedThe Innovator's Dilemma: The Revolutionary Book That Will Change the Way You Do Business: Christensen, Clayton M.: 8601300047348: Amazon.com: Books — https://amzn.to/3LcZKvTThe Innovator's...

The Great Security Debate Book Club is in FULL force this week as we talk about life after you’ve gotten the job in information security and are looking for the growth and promotion that come as you grow your career. Check out the show notes on our website www.greatsecuritydebate.net/48 to get links to all the books, articles, and references we discuss up through the show. A mere appetiser sized sampling of the topics we cover in this hour include:What does it mean to “return to normal” in work in 2023?How do you grow in your role once you are in the Infosec field?The “old-man” perspective on entitlement in growing within jobsWhat approaches work (and don’t work) when asking for promotions, raises, new roles, within your organisationConversely, how to approach getting responsibilities added with out getting additional compensationUsing the word “I” vs “We” when talking about a job and your teamWhat to consider the factors and risks outside the office when looking at role and organisational growthThe importance of knowing the difference between what you want to say vs how it will be received when read by the recipientWhat do you do when you find yourself as (or think you are) the smartest person in the room?What resources can people use to get ready for their next growth step at work?How can networking and mentoring be valuable to find the next position?Since it came up a few times in the show, remember that not every securty career path ends with becoming a CISO, or nor should we expect that everyone in infosec wants to become a CISO!We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.Thanks for listening!Support The Great Security DebateLinks:High-Earning Men Are Cutting Back on Their Working Hours - WSJCensus: Michigan's population drops again for 2nd consecutive year5 Whys - Getting to the Root of a Problem QuicklyLittle Giants: 10 Hispanic Women Who Made History: Calderon, Raynelda A., Donna, Wiscombe: 9781733139229: Amazon.com: BooksAmazon.com: True North, Emerging Leader Edition:

Insurance for information security is changing. Recently some reports came out that there were moves by insurance companies to leave the cybersecurity insurance market - that it was uninsurable. Dan, Brian, and Erik discuss on this week's Great Security Debate:What happens now that cybersecurity insurance is built into contracts and requirements by customers doing business with other companies?Are the carveouts such that it’s easier to just pay and not inform insurance that you want them to pay for the incident?Does having “easy” insurance give too many orgs a pass on having to actually improve their security control sets?How do insurance “formularies” make companies less secure by not letting them buy the newer, better technologies? Conversely, how does the formulary of products help prevent from buying junk tech that calls itself “security”?How does the threat of nonpayment of expenses and losses by insurance companies after the fact affect organisational security decisions for or against the formulary?How is relying on insurance to determine tech standards the same as the EU demanding all chargers be USB-C?Does insurance go away altogether? Do we want it to go away?What is the law of the horse and how does it apply to insurance in information security?Can shifting downstream supplier risk into insurance really work to reduce risk?Is security a cost centre, a cost of doing business, or a potential profit centre for orgs?Should we shift from insurance mandate to “figure it out”How does the conscious decision not to patch because the patch causes worse issues affect the insurance coverage?How can we balance the expectation with our technology suppliers to maintain support longer, especially on IOT or high-cost, long life devices?Can a move toward clear, yet broad expectations on controls be enough to meet security expectations for insurance without prescriptive formularies of technology and process?We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.Thanks for listening!Support The Great Security DebateLinks:Large Insurer Says Cyber Attacks Are Becoming 'Uninsurable'3 Times Businesses Were Denied Cyber Insurance Payouts. | Managed ITUSB-type C to become EU's common charger by end of 2024 | News | European...

Welcome to the year-end 2022 episode of The Great Security Debate. In this hour, Brian, Erik, and Dan cover myriad ways hiring processes are failing job seekers and hiring organisations. It all kicked off with the impersonal nature of automated 1-way video interviews. It quickly jumped into the myriad of other ways we can do better on both sides, including (but not limited to):Do video interviews encourage fraud? Multiple jobs for one person? A fake version of you applying for a job?Why are hiring managers and HR using video interviews? Are there legitimate reasons?Does the lack of ability to assess the candidate’s response to the interviewer’s response makes the interview less effective?What is the impression left when a candidate is immediately rejected based on analytics and matching, not human interaction?What’s the value of using your network around a broken applicant system? What do we lose by only depending on our networks for hiring?How do these recorded methods exclude introverts and others that may not be camera comfortable in their presentation skills?Can and should there be roles for people at higher levels that don’t include people management?Is “AI” (term used in quotes on purpose) really the antithesis of diversity or inclusion?How is connecting people to others and helping them expand their networks better than sending resumes to people you know?In times of cash crunch, will hiring come from experienced people having been let go from roles, or hiring entry-level and ups killing them?You’ll also get a few mentions of Buzzword Bingo; the shocking revelation that Brian works for a vendor; and Dan goes on a tirade about new software that does recording and analysis in Zoom meetings with and without permission. It’s another great debate!We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.Thanks for listening!Support The Great Security DebateLinks:Our Love-Hate Relationship With Security CertificationsCyber Certifications - The Self Licking Ice Cream Cone of MiseryThe Great Security Debate Episode 45: Live From the Big HouseThe Great Security Debate Episode 43: New Team, Who Dis?Michigan Council of Women in Technology Foundation / Michigan council of women in technology...

Recorded on Saturday 29 October 2022, at the tailgate before the University of Michigan vs Michigan State University (American) football game, Brian, Erik and Dan chat about the news of the day, with more than a few correlations back to football. And we had a special guest join us, too: Zah Gonzalvo RodriguezThere was an upcoming OpenSSL vulnerability hitting the world this week. How would Software Bill of Materials (SBOM) make the response easier?A reminder of our dependence on the stability and security of some very core tools (like OpenSSL) to run our businesses. Mot to mention the fact that such tools are often within the libraries we use and don’t even realise it’s there.Similarities between football and security in the need to adjust based on what the other team shows signs of throwing at you, and further based on what they actually bring to the line.How repeatable process and inventory help make the response to these vulnerability disclosures less like a firedrill and more like standard ops.Did you know that credit ratings are being affected by information security posture and breach response?Same thing with M&A and investment valuation… if you’re not as mature in security and privacy you may see a discount taken on your value!How transparent should we be with the peer companies and the public world about our security posture (like incident response plans, and security controls in place)?And if you’re curious, you can find out what team Dan (the lifelong Badger) was supporting in the game. Congratulations to the University of Michigan in later winning this game, and to both teams for keeping the rivalry alive and spicy.We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.Thanks for listening!Support The Great Security Debate

This week’s debate comes amid a combo platter of increased analytics leading to near-immediate contact when visiting a product’s website, along with more clarity from enforcement bodies about how they will approach their respective privacy legislation. One such fine was the Sephora CCPA matter in which California Attorney General levied a $1.2M fine on the company ([https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement])Listen in to hear Dan, Brian and Erik talk about:Are privacy and shareholder value at odds? How does protecting the privacy of the consumer help shareholder value?A reminder that security and privacy can serve as a business differentiatorHow to deal with the reputation of a company being set by misleading headlines (and people not reading the actual article/detail)?Does better privacy practices in companies lead to reduced data for sale on the illicit market?Does just “saying no to data collection” by companies make for a better privacy posture?How long should (vs. how long do) you hold onto data?How will companies be judged in the future by how they manage data today?Are ads themselves the source of all our problems? Why does the push for more advertising to reduce costs increases the push for more data collection?We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.Thanks for listening!Support The Great Security DebateLinks:Sephora Hit with $1.2M Fine in First CCPA Enforcement - CompliancePointPatagonia Founder Gives Away the Company to Fight Climate Change - The New York TimesRMISC - Rocky Mountain Information Security Conference500 million LinkedIn users' data is for sale on a hacker site | CNN BusinessUber breached by hacker in cybersecurity incident - The Washington Post'Astonishing.' Morgan Stanley hard drives holding sensitive client data got auctioned off online | CNN Business

We've all seen it (or been it): a new boss arrives at the company and quickly thereafter a bunch of their old colleagues get hired. It feels like they are getting the band back together at the new place. What does that say to the organisation about that leader? What does doing the opposite (pausing, growing from within) say differently? Brian, Dan and Erik discuss, debate and dissect this from a few angles, including some of the following:The power of threes: Three paths when you come in as a new leader: bring your own, nurture within, hire all new. And the three arcs of a company - startup/scrappy , growth/maturation, steady/run.Two critical skills we wish we were taught in school and earlier in work: communications and public speakingThe impacts on culture on leadership and how they approach the staffing question, and how you bring people in will be the biggest impact on the culture of the organisationHow can metrics hide the actual performance of the team?Are the CISO retention numbers as bad as the urban myth ? Are CISOs staying longer than we think they are?What organisational situations drive leaders to resort to bringing in the people they know and trust vs. Trusting those already there?How does growth by acquisition change the way we approach the listening and staffing of our teams and supporting our organisations?Approaches to finding people to provide new perspectives, without having already worked with them directly?How does geographic culture affect the decision on how to staff your team as a new leader in an organisation?We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links.Thanks for listening!Support The Great Security DebateLinks:The Great Security Debate Episode 40: What Got You Here Won’t (Necessarily) Get You ThereSteve Jobs Last Words – Jessica PengAmazon.com: Power Moves: Lessons from Davos (Audible Audio Edition): Adam Grant, Adam Grant, Audible Originals: Audible Books & OriginalsAmazon.com: Small Giants: Companies That Choose to Be Great Instead of Big: 9781591840930: Burlingham, Bo: BooksZingerman's Community of Businesses - inside the center of the gastro-deli universeWarren Buffett - Only when the tide...

Are we getting subscription overload? The move to more and more subscriptions is good for those selling, but are they good for those buying, too?Do subscriptions offset by other non-cash costs (e.g. data collection, advertising) reduce subscription fatigue? How does that fit into the security product world? What are the risks of making security technology only for those that can't afford it? Why are the ad-supported versions more heavily marketed than the no-ad versions?How do subscriptions encourage continuous development of software and features? What about innovation?What's a persistent feature, and what can be revoked or shifted into a different subscription tier (take a look at Slack's recent move to make the free tier way less valuable and encourage the need to move to a paid tier)Do the combinatoric vastness of features that can go on and off based on the subscriptions you buy introduce an unnecessary or unsafe risk of not working well together in specific combos?What are the legalities of jailbreaking your software rather than paying to activate it by subscription? How does doing so affect the liability and effectiveness of the product?We also talk about some things unrelated to subscriptions (and cars)!What is needed to adapt your communications (and subscription sales pitch) to VC/PE vs the CIO/CISO at a company? East coast vs west coast? Etc. Tips for job candidates on looking for public info on what a company thinks is important from security and risk (hint: it's SEC filings like the 8-K and 10-K!)Tune in to delight as Dan rants in Yiddish and then mess up the name of some of the most popular movies of our time. Enjoy seeing (or hearing) Erik get on a soapbox stumping for Sig Sigma. Binge on Brian talking about automotive manufacturing (who knew) and for once not be broadcasting from a "train station".We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.If you're watching on YouTube, we are very sorry for the video sync issues this week! The sound is great, but one of our hosts does a very poor Milli Vanilli impression. We are writing up the root cause analysis documents and issuing CAPAs to keep it from happening agaiSome of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links.Thanks for listening!Support The Great Security DebateLinks:Crossing the Chasm, 3rd Edition: Marketing and Selling Disruptive Products to Mainstream Customers (Collins Business Essentials): Moore, Geoffrey A.: 9780062353948: Amazon.com: BooksThis Is How They Tell Me the World Ends: The Cyberweapons Arms Race - Kindle edition by Perlroth, Nicole. Politics & Social Sciences Kindle eBooks @ Amazon.com.

It's the dog days of summer here in the northern hemisphere, and we have some episodes to make the hot, muggy days go by faster (or the drive up to the cabin in the woods to escape it all).This week Dan, Brian and Erik talk about what it takes to be a Virtual or Fractional CISO. Does someone that calls themselves one need to have had in-house CISO experience to do the job? Or do the fresh perspectives of someone that doesn't come with history benefit the organisation in a different way? Risks, challenges, and talking to Boards of Directors definitely have a strong place in the debate (and we hit on all of them)We will be back with more episodes through August and then back to our usual bi-weekly pace as we hit the autumn. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.If you're watching on YouTube, we are very sorry for the video sync issues this week! The sound is great, but one of our hosts does a very poor Milli Vanilli impression. We are writing up the root cause analysis documents and issuing CAPAs to keep it from happening agaiSome of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links.Thanks for listening!Support The Great Security DebateLinks:Sonny 🇨🇦❄️⚓ on Twitter: "WTF is this ??? #CyberSecurity #InfoSec https://t.co/DLHivTJ9Qw" / TwitterThis Is How They Tell Me the World Ends: The Cyberweapons Arms Race: Perlroth, Nicole: 9781635576054: Amazon.com: BooksSajay Rai — Securely Yours LLCSecurely Yours LLCSajay Rai CPA, CISSP, CISM | LinkedInAmazon - Extreme Ownership: How U.S. Navy SEALs Lead and Win: Willink, Jocko, Babin, Leif: 9781250067050: BooksCISO MindMap 2022: What do InfoSec Professionals really do?Rafeeq Rehman | Cyber | Automation | Digital

Dan, Brian and Erik look at how the past informs our security future, and how things we have done in the past may not get us where we need to be in the future. Join us for a live podcast recording with live audience Q&A, direct from the MCWT Executive Connection Summit.In the live recording we covered a flurry of topics focused on changing ourselves, refreshing ourselves and renewing ourselves including:The barriers to entry to get into the security fieldExperience vs. education requirements in security hiringChanges afoot in hiring appetite as recession loomsReporting requirements by public companies on breach or security eventsSecurity beyond just confidentialityImprovements that can be made to the hiring processAnd lots more!Huge thanks to the wonderful team at the Michigan Council on Women in Technology (https://mcwt.org) for asking us to be part of this great event bringing the Michigan technology community together to build connections. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links.Thanks for listening!Support The Great Security DebateLinks:The Infinite Game: Sinek, Simon: 9780735213500: Books - AmazonLeaders Eat Last Deluxe: Why Some Teams Pull Together and Others Don't eBook : Sinek, Simon: Kindle StoreMarcus Stefanide - LinkedIn PostBio-IT World Conference & Expo 2022 In Person & VirtualJess Burn · ForresterApple, Google and Microsoft team up on passwordless logins | TechCrunchSEC.gov | SEC Proposes Rule to Provide Transparency in the Securities Lending MarketFuture Crimes: Inside the Digital Underground and the Battle for Our Connected World: Goodman, Marc: 9780804171458: BooksCISO MindMap 2022 - RecommendationsRafeeq Rehman | Cyber | Automation | Digital

This week on The Great Security Debate we have arrived at one of our favourite episodes of the year (and what is and will be an annual thing!) when Forrester Senior Analyst, Jess Burn, returns to the show to share this years recommendations for security programs. An overarching theme of the report is to use the captital that the CISO has acquired over the past few years and build out your program to where it needs to be. AKA, “strike while the iron is hot”More detailed topics including:Career paths and changes in comp methodology for security teams need to changeSecurity Awareness needs adjustment for work for anywhereMinimum viable security - it’s definitely not just “barely secure”And a reminder that Dan, Brian and Erik will be doing a live episode of the podcast at the upcoming Michigan Women in Technology ExecutiveManagement Conference on May 5 in Novi, Michigan. Tickets for the whole conference are now available (https://MCWT.org) and the agenda for the day is great. See you thereIf you want to listen to Jess’s previous episode, check out Episode 20, “It All Comes Down To Relaltionships.” https://www.greatsecuritydebate.net/20You can find Jess on LinkedIn (https://www.linkedin.com/in/jessburn), Twitter (https://twitter.com/jess_burn_) and at the Forrester blog (https://go.forrester.com/blogs/author/jess_burn/). Thanks for joining us, Jess! And thanks to you for listening and watching.Special Guest: Jessica Burn.Support The Great Security DebateLinks:Forrester's 2022 Top Recommendations For Your Security ProgramThe Return Of The Forrester Wave™: Cybersecurity Incident Response ServicesStarlink fought off Russian jamming attack faster than the military could

The Great Security Debate rolls on, this week looking at how governments, regulations and business values are and will shape the security posture of enterprises.Is attribution worth pursuing to the end?How can state and federal law enforcement help figure out who and what happened after an incident?Fast (agile) vs good (quality) vs cheap (cost)Are you chasing the right metrics in your organisation? Do they encourage the right behaviour?Is regulation required to make good security a greater market force?What will the regulations emerging in the US focus on? The “what”, the “why”, the “how”, or the “who”? How will they change when and how companies report material breaches?How does attribution of attack correlate to insurance coverage? How do IR firms fit into the equation?Erik, Dan and Brian also announce that the podcast is going LIVE and On the road. On May 5, Great Security Debate will be recording a live episode at the MCWT Executive Connection Summit in Novi, Michigan! More info and registration details are at https://mcwt.wildapricot.org/event-4630370. Ticket sales begin on 18 April 2022.We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availabliity or benefits from these affiliate links.Thanks for listening!Support The Great Security DebateLinks:Homepage | CISASEC.gov | SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public CompaniesSenate passes cybersecurity bill amid fears of Russian cyberattacks | The HillCutting Edge Cybersecurity Event Experience - FutureCon EventsCourt denies SolarWinds bid to throw out breach lawsuitAbout the Data Management & Sharing Policies | Data SharingMCWT Foundation - Executive Connection SummitForrester's 2022 Top Recommendations For Your Security Program

Recently, Brian, Dan and Erik had the great fortune to do a live version of the podcast at the monthly meeting of the SIM Detroit Chapter (https://chapter.simnet.org/detroit/home). At the close of that discussion, the comment was raised as to whether or not security should be used as a competitive advantage by businesses. The topic seemed perfect for The Great Security Debate, so here we are. In this episode, we cover:Can security be used as a business differentiator?SHOULD security be used as a business differentiator?If security is added too deeply into the sales cycle does it incentivise the wrong behaviours just to make a sale?How can we quantify the value of security in the purchasing process when it is not easily attributable to direct cost saving or value?How do closed systems compare to open systems with regard to security?How does the rise of customer trust as a key organisational focus indicate the use of security as a business differentiator?Do the fears that using security as a differentiator means that the collaborative nature and history of security will disappear?We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availabliity or benefits from these affiliate links.Thanks for listening!Support The Great Security DebateLinks:SEC Proposes Cybersecurity Rules for Public CompaniesTISAX: Information security for the automotive industry | TÜV SÜDFailure mode and effects analysis - WikipediaBridgestone Americas confirms ransomware attack, LockBit leaks dataQuantitative Information Risk Management | The FAIR InstituteDawn of the Code War: America's Battle Against Russia, China, and the Rising Global Cyber Threat: Carlin, John P.: 9781541773837: Amazon.com: BooksSaudi Aramco facing $50 million cyber extortion over leaked dataLeaked Conti files reveal life inside ransomware gang • The Register

Current global events have led to increased focus on technology security. In this week's episode we debate to what extent this does or will confirm the rise of the information security roles within organisations. Our thoughts and good wishes go out to the people of Ukraine.Do current events confirm that the rise of the CISO organisation was warranted?How do CISOs sleep at night considering everything going on?How to reply to the question “what else should we be doing?”Are the attacks the primary objective or are they a smokescreen?How does the game of chess tie into to information security practises?What is the CISOs role in reducing FUD (fear, uncertainty, doubt)?Will current information it pay for acts of war? Does it raise our collective stature?Why is humility so important in the information security world?The underlying message is that while it is late in the process now to do all the steps to protect your organisation, it’s never too late to get started!We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availabliity or benefits from these affiliate links.Thanks for listening!Support The Great Security DebateLinks:HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine - SentinelOneThe Untold Story of NotPetya, the Most Devastating Cyberattack in History | WIREDAmazon.com: Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers eBook : Greenberg, Andy: Kindle StoreElon Musk says SpaceX's internet service is available in UkraineDestructive Malware Targeting Organizations in Ukraine | CISAMorris worm - WikipediaAmazon.com: Dawn of the Code War: America's Battle Against Russia, China, and the Rising Global Cyber Threat eBook : Carlin, John P., Graff, Garrett M.: Kindle StoreMoonlight Maze - WikipediaNew Shadow...

This week’s episode was sparked by a recent TechCrunch article https://techcrunch.com/2022/02/01/free-agent-series-a/ asking whether tech workers should have agents to negotiate their salaries. We took up the debate on this and a few adjacent topics including:The Great Resignation’s impact on working habitsShould security practitioners and leaders be represented by “agents” to negotiate better compensation for roles? What are the ways that formal agents exacerbate bias and increase the gaps between levels?The importance of networks for getting advice to help you be your own “agent”Is it the Great Resignation or the Great Realisation?How do ethics and values play into staff’s desire to go to or stay at a company?At different levels in one’s career who can help be your agent of change?
We should not be afraid to talk about our salaries and numbersAnd yes, those are Pączki on Brian’s hat. If you are not sure what this about, take a look at the video version on our YouTube channel https://www.youtube.com/watch?v=CAYRL1flZicWe also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availabliity or benefits from these affiliate links.Thanks for listening!Support The Great Security DebateLinks:TechCrunchWho Is Driving the Great Resignation?The Great Resignation looks more like The Great Renegotiation : Planet Money : NPRBusiness Roundtable Redefines the Purpose of a Corporation to Promote ‘An Economy That Serves All Americans’ | Business RoundtableThe Infinite Game: Sinek, Simon: 9780735213500: Amazon.com: BooksScott BorasHow to Negotiate the Tech Salary You Deserve – The New StackAmazon.com: Lego Movie 70819 Bad Cop Car Chase : Toys & Games

We got a message from a listener asking for some discussion about putting the data first and securing it with that mind - the inside out, rather than looking at the perimeter and infrastructure and working back toward the data - outside in.And since we love our listeners and your feedback, we took the chance to cover this topic in depth. In the process we also covered:Data Loss Prevention - Is it possible to improve this without the painful data classification, startup work or culture change?When doing data analysis for attacks (or fraud) you have to account for the fraud already baked in the normal you know todayWe can’t meaningfully count on IP address for geography…thanks to security asking for more use of VPNs The pros and cons and risks to ponder when securing data in on premise vs. cloud/SaaS arrangementsWhen is the right time to establish a security team in a growing company? And how bad will the data sprawl be when they arrive?Will the CTO/CIO and the CISO merge into a single role? Will the CIO report to the CISO eventually? It depends, of course, on the people and the organisationControls today may not be the controls we need for tomorrowWe try to secure things, but there’s also important value in good use of data to improve a businessSunk cost fallacy and Security: when to burn it all down and start overAudit is the best friend of the CISO: a new set of eyes and accountability partner makes all the differenceDan also goes on a small tirade over the way security professionals use the term “the business” as something distinct from the security team that is absolutely part of the business itself. Enjoy that soapbox moment. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availabliity or benefits from these affiliate links.Thanks for listening!Support The Great Security DebateLinks:The Security of Cloud Services and SaaS in 2021 – Part 1 – SecraticThe Great Security Debate Episode 33: Log4Jelly of the Month ClubThe Future Of The CISO — Six Types Of Security LeadersAmazon.com: Rocket Fuel: The One Essential Combination That Will Get You More of What You Want from Your Business: 9781942952312: Wickman, Gino, Winters, Mark C.: BooksThe Sunk Cost Fallacy - The Decision LabAmazon.com: The Infinite Game eBook : Sinek,

Some say that Log4J is the gift that keeps on giving, much like the Jelly of the Month Club. After the initial surge of discussion a couple weeks ago there were mitigations, a vaccine and multiple iterations of official patches to keep the issue at bay and the new ones that cropped up afterwards. Brian, Dan and Erik discuss the log4j vulnerability as it relates to enterprise systems, supportability, balancing the risk of patching and the ways that open-source software are used within the enterprise.Join us this week as we cover:The Log4J vulnerability and saga in a nutshellThe pros and cons of waiting to patch until there's a stable one vs. patching again with each iteration and risk my system's stabilityThe critical need for system and application (and library) inventory and keeping up to dateHow best to react when the media and public discussion picks up on a vulnerability and causes a stirThe challenges in the flurry of email and surveys from and to SaaS and service providers about their state on the vulnerability of the dayWhat is the cost of "free" when it comes to running (and maintaining) open source software like Log4jHow to make sure procurement departments are not just involved but include the risks of procurement decisions into the processAre the external capability assessments like SOC2 able to move beyond perfunctory review by those asking for themWe also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.Support The Great Security DebateLinks:UPDATED: Cybereason Log4Shell Vaccine Offers Permanent Mitigation Option for Log4j Vulnerabilities (CVE-2021-44228 and CVE-2021-45046)log4j-affected-db/SOFTWARE-LIST.md at develop · cisagov/log4j-affected-db · GitHubA Log4J Vulnerability Has Set the Internet 'On Fire' | WIREDAlibaba Employee First Spotted Log4j Software Flaw but Now the Company Is in Hot Water With Beijing - WSJMeltdown and SpectreHackers launch over 840,000 attacks through Log4J flaw | Ars Technica5 Whys: The Ultimate Root Cause Analysis ToolNSO Group spyware used to hack at least nine US officials’ phones – report | Surveillance | The Guardian