The Great Security Debate

Great Security Debate Productions LLC

Two CISOs and a security-minded friend discuss and debate topics of security and privacy, with a focus on looking at the topic from various angles, both that they support and those they don't. Sign up for our newsletter to be notified when new episodes drop, or when new projects are announced https://newsletter.greatsecuritydebate.net read less

Episode 50: Jess and Jeff Invade
Apr 24 2023
Episode 50: Jess and Jeff Invade
Welcome to a very special Great Security Debate. If it is spring, it means that the annual Forrester “Top Recommendations For Your Security Program” report has come out, and we get to visit with one of the authors, Jess Burn. But this year, we get an added extra voice in that of Jess’ Forrester colleague Jeff Pollard. Both Jess and Jeff share a ton of insight on topics from that report and a few others (see the links below for blog posts about most of them) In this episode we cover: * How (if) CISOs have been able to become “part of the business” and help colleagues understand that in 2023 security is business. * Board reporting by CISOs and CIOs and where/how we succeed and fail. * Talent shortages in infosec: a self-created nightmare? * Consolidation in times of austerity: right or wrong for security? Huge thanks to Jess and Jeff for joining (find their LinkedIn and Twitter in the links section). Even though Jess is legacy, we are pretty sure that Jeff will be welcomed back in 2024 with open arms. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for Listening! Special Guest: Jessica Burn.
Episode 49: Bankplosion!
Mar 13 2023
Episode 49: Bankplosion!
This week, Brian, Erik, and Dan look into the security impacts of last week’s Silicon Valley Bank closure, both from a direct security risk, but also what we can learn about risk from the events leading up to the incident that we can apply to our information security responsibilities. Brian kicks it off with a great description of how Silicon Valley Bank got here (based on what we knew on 12 March 2023 - subject to change as more becomes known after). And from that, we go some of the direct and indirect lessons and implications such as: Fraud attempts amongst a bevvy of legitimate bank account payment change requests from companies. Check from a known source before changing where you pay. Putting all your eggs into one (infosec or financial) basket can be risky. And risk can bring great rewards, or great resentment Evaluating vendors for where they bank as part of third party risk management (or not) Clear insight to tough choices that have to be made to keep small business and startups running - sometimes that’s not “doing every thing of security” Business continuity planning requires a more realistic “yeah that could happen” when doing the review Remember that there is no such thing as no risk, just determining the right balance of (realistic) risk and downtime for your organisation If one vendor goes away suddenly, what happens? What about if 6 go away all at once? Diversity of suppliers vs. focusing on basics in the security stack Along with some strong recommendations (or maybe they are warnings) for our security vendor listeners on how not to use this incident as a sales tool (tl;dr: DON’T!), there are a few correlations to the automotive industry. And check out the book club recommendations in the show notes on our website www.greatsecuritydebate.net, too. Since we recorded another bank, Signature Bank, has also been closed and placed into receivership. On behalf of all of us at Great Security Debate, we wish all those affected either as companies of these banks or their customers good wishes and hope for good news ahead on the recovery of funds. Thanks for listening!
Episode 48: Back to Normal?
Feb 27 2023
Episode 48: Back to Normal?
The Great Security Debate Book Club is in FULL force this week as we talk about life after you’ve gotten the job in information security and are looking for the growth and promotion that come as you grow your career. Check out the show notes on our website www.greatsecuritydebate.net/48 to get links to all the books, articles, and references we discuss up through the show. A mere appetiser sized sampling of the topics we cover in this hour include: What does it mean to “return to normal” in work in 2023? How do you grow in your role once you are in the Infosec field? The “old-man” perspective on entitlement in growing within jobs What approaches work (and don’t work) when asking for promotions, raises, new roles, within your organisation Conversely, how to approach getting responsibilities added with out getting additional compensation Using the word “I” vs “We” when talking about a job and your team What to consider the factors and risks outside the office when looking at role and organisational growth The importance of knowing the difference between what you want to say vs how it will be received when read by the recipient What do you do when you find yourself as (or think you are) the smartest person in the room? What resources can people use to get ready for their next growth step at work? How can networking and mentoring be valuable to find the next position? Since it came up a few times in the show, remember that not every securty career path ends with becoming a CISO, or nor should we expect that everyone in infosec wants to become a CISO! We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!
Episode 47: Uninsurable!
Jan 16 2023
Episode 47: Uninsurable!
Insurance for information security is changing. Recently some reports came out that there were moves by insurance companies to leave the cybersecurity insurance market - that it was uninsurable. Dan, Brian, and Erik discuss on this week's Great Security Debate: What happens now that cybersecurity insurance is built into contracts and requirements by customers doing business with other companies? Are the carveouts such that it’s easier to just pay and not inform insurance that you want them to pay for the incident? Does having “easy” insurance give too many orgs a pass on having to actually improve their security control sets? How do insurance “formularies” make companies less secure by not letting them buy the newer, better technologies? Conversely, how does the formulary of products help prevent from buying junk tech that calls itself “security”? How does the threat of nonpayment of expenses and losses by insurance companies after the fact affect organisational security decisions for or against the formulary? How is relying on insurance to determine tech standards the same as the EU demanding all chargers be USB-C? Does insurance go away altogether? Do we want it to go away? What is the law of the horse and how does it apply to insurance in information security? Can shifting downstream supplier risk into insurance really work to reduce risk? Is security a cost centre, a cost of doing business, or a potential profit centre for orgs? Should we shift from insurance mandate to “figure it out” How does the conscious decision not to patch because the patch causes worse issues affect the insurance coverage? How can we balance the expectation with our technology suppliers to maintain support longer, especially on IOT or high-cost, long life devices? Can a move toward clear, yet broad expectations on controls be enough to meet security expectations for insurance without prescriptive formularies of technology and process? We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!
Episode 46: A Niche Inside a Niche Is Really Just a Quiche
Dec 27 2022
Episode 46: A Niche Inside a Niche Is Really Just a Quiche
Welcome to the year-end 2022 episode of The Great Security Debate. In this hour, Brian, Erik, and Dan cover myriad ways hiring processes are failing job seekers and hiring organisations. It all kicked off with the impersonal nature of automated 1-way video interviews. It quickly jumped into the myriad of other ways we can do better on both sides, including (but not limited to): - Do video interviews encourage fraud? Multiple jobs for one person? A fake version of you applying for a job? - Why are hiring managers and HR using video interviews? Are there legitimate reasons? - Does the lack of ability to assess the candidate’s response to the interviewer’s response makes the interview less effective? - What is the impression left when a candidate is immediately rejected based on analytics and matching, not human interaction? - What’s the value of using your network around a broken applicant system? What do we lose by only depending on our networks for hiring? - How do these recorded methods exclude introverts and others that may not be camera comfortable in their presentation skills? - Can and should there be roles for people at higher levels that don’t include people management? - Is “AI” (term used in quotes on purpose) really the antithesis of diversity or inclusion? - How is connecting people to others and helping them expand their networks better than sending resumes to people you know? - In times of cash crunch, will hiring come from experienced people having been let go from roles, or hiring entry-level and ups killing them? You’ll also get a few mentions of Buzzword Bingo; the shocking revelation that Brian works for a vendor; and Dan goes on a tirade about new software that does recording and analysis in Zoom meetings with and without permission. It’s another great debate! We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!
Episode 45: Live From the Big House
Oct 30 2022
Episode 45: Live From the Big House
Recorded on Saturday 29 October 2022, at the tailgate before the University of Michigan vs Michigan State University (American) football game, Brian, Erik and Dan chat about the news of the day, with more than a few correlations back to football. And we had a special guest join us, too: Zah Gonzalvo Rodriguez (https://www.linkedin.com/in/zahira-zah-rodriguez-gonzalvo-1a97692/) There was an upcoming OpenSSL vulnerability hitting the world this week. How would Software Bill of Materials (SBOM) make the response easier? A reminder of our dependence on the stability and security of some very core tools (like OpenSSL) to run our businesses. Mot to mention the fact that such tools are often within the libraries we use and don’t even realise it’s there. Similarities between football and security in the need to adjust based on what the other team shows signs of throwing at you, and further based on what they actually bring to the line. How repeatable process and inventory help make the response to these vulnerability disclosures less like a firedrill and more like standard ops. Did you know that credit ratings are being affected by information security posture and breach response? Same thing with M&A and investment valuation… if you’re not as mature in security and privacy you may see a discount taken on your value! How transparent should we be with the peer companies and the public world about our security posture (like incident response plans, and security controls in place)? And if you’re curious, you can find out what team Dan (the lifelong Badger) was supporting in the game. Congratulations to the University of Michigan in later winning this game, and to both teams for keeping the rivalry alive and spicy. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!
Episode 44: No More Ads, No More Privacy Problem?
Oct 3 2022
Episode 44: No More Ads, No More Privacy Problem?
This week’s debate comes amid a combo platter of increased analytics leading to near-immediate contact when visiting a product’s website, along with more clarity from enforcement bodies about how they will approach their respective privacy legislation. One such fine was the Sephora CCPA matter in which California Attorney General levied a $1.2M fine on the company ([https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement]) Listen in to hear Dan, Brian and Erik talk about: * Are privacy and shareholder value at odds? How does protecting the privacy of the consumer help shareholder value? * A reminder that security and privacy can serve as a business differentiator * How to deal with the reputation of a company being set by misleading headlines (and people not reading the actual article/detail)? * Does better privacy practices in companies lead to reduced data for sale on the illicit market? * Does just “saying no to data collection” by companies make for a better privacy posture? * How long should (vs. how long do) you hold onto data? * How will companies be judged in the future by how they manage data today? * Are ads themselves the source of all our problems? * Why does the push for more advertising to reduce costs increases the push for more data collection? We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!
Episode 43: New Team, Who Dis?
Sep 1 2022
Episode 43: New Team, Who Dis?
We've all seen it (or been it): a new boss arrives at the company and quickly thereafter a bunch of their old colleagues get hired. It feels like they are getting the band back together at the new place. What does that say to the organisation about that leader? What does doing the opposite (pausing, growing from within) say differently? Brian, Dan and Erik discuss, debate and dissect this from a few angles, including some of the following: The power of threes: Three paths when you come in as a new leader: bring your own, nurture within, hire all new. And the three arcs of a company - startup/scrappy , growth/maturation, steady/run. Two critical skills we wish we were taught in school and earlier in work: communications and public speaking The impacts on culture on leadership and how they approach the staffing question, and how you bring people in will be the biggest impact on the culture of the organisation How can metrics hide the actual performance of the team? Are the CISO retention numbers as bad as the urban myth ? Are CISOs staying longer than we think they are? What organisational situations drive leaders to resort to bringing in the people they know and trust vs. Trusting those already there? How does growth by acquisition change the way we approach the listening and staffing of our teams and supporting our organisations? Approaches to finding people to provide new perspectives, without having already worked with them directly? How does geographic culture affect the decision on how to staff your team as a new leader in an organisation? We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links. Thanks for listening!
Episode 42: Subscribe and Don't Like!
Aug 18 2022
Episode 42: Subscribe and Don't Like!
Are we getting subscription overload? The move to more and more subscriptions is good for those selling, but are they good for those buying, too? Do subscriptions offset by other non-cash costs (e.g. data collection, advertising) reduce subscription fatigue? How does that fit into the security product world? What are the risks of making security technology only for those that can't afford it? Why are the ad-supported versions more heavily marketed than the no-ad versions? How do subscriptions encourage continuous development of software and features? What about innovation? What's a persistent feature, and what can be revoked or shifted into a different subscription tier (take a look at Slack's recent move to make the free tier way less valuable and encourage the need to move to a paid tier) Do the combinatoric vastness of features that can go on and off based on the subscriptions you buy introduce an unnecessary or unsafe risk of not working well together in specific combos? What are the legalities of jailbreaking your software rather than paying to activate it by subscription? How does doing so affect the liability and effectiveness of the product? We also talk about some things unrelated to subscriptions (and cars)! * What is needed to adapt your communications (and subscription sales pitch) to VC/PE vs the CIO/CISO at a company? East coast vs west coast? Etc. * Tips for job candidates on looking for public info on what a company thinks is important from security and risk (hint: it's SEC filings like the 8-K and 10-K!) Tune in to delight as Dan rants in Yiddish and then mess up the name of some of the most popular movies of our time. Enjoy seeing (or hearing) Erik get on a soapbox stumping for Sig Sigma. Binge on Brian talking about automotive manufacturing (who knew) and for once not be broadcasting from a "train station". We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. If you're watching on YouTube, we are very sorry for the video sync issues this week! The sound is great, but one of our hosts does a very poor Milli Vanilli impression. We are writing up the root cause analysis documents and issuing CAPAs to keep it from happening agai Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links. Thanks for listening!
Episode 41: Fake It Till You Make It?
Aug 3 2022
Episode 41: Fake It Till You Make It?
It's the dog days of summer here in the northern hemisphere, and we have some episodes to make the hot, muggy days go by faster (or the drive up to the cabin in the woods to escape it all). This week Dan, Brian and Erik talk about what it takes to be a Virtual or Fractional CISO. Does someone that calls themselves one need to have had in-house CISO experience to do the job? Or do the fresh perspectives of someone that doesn't come with history benefit the organisation in a different way? Risks, challenges, and talking to Boards of Directors definitely have a strong place in the debate (and we hit on all of them) We will be back with more episodes through August and then back to our usual bi-weekly pace as we hit the autumn. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. If you're watching on YouTube, we are very sorry for the video sync issues this week! The sound is great, but one of our hosts does a very poor Milli Vanilli impression. We are writing up the root cause analysis documents and issuing CAPAs to keep it from happening agai Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links. Thanks for listening!
Episode 40: What Got You Here Won’t (Necessarily) Get You There
May 26 2022
Episode 40: What Got You Here Won’t (Necessarily) Get You There
Dan, Brian and Erik look at how the past informs our security future, and how things we have done in the past may not get us where we need to be in the future. Join us for a live podcast recording with live audience Q&A, direct from the MCWT Executive Connection Summit. In the live recording we covered a flurry of topics focused on changing ourselves, refreshing ourselves and renewing ourselves including: * The barriers to entry to get into the security field * Experience vs. education requirements in security hiring * Changes afoot in hiring appetite as recession looms * Reporting requirements by public companies on breach or security events * Security beyond just confidentiality * Improvements that can be made to the hiring process * And lots more! Huge thanks to the wonderful team at the Michigan Council on Women in Technology (https://mcwt.org) for asking us to be part of this great event bringing the Michigan technology community together to build connections. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links. Thanks for listening!
Episode 39: Program Your Program
Apr 25 2022
Episode 39: Program Your Program
This week on The Great Security Debate we have arrived at one of our favourite episodes of the year (and what is and will be an annual thing!) when Forrester Senior Analyst, Jess Burn, returns to the show to share this years recommendations for security programs. An overarching theme of the report is to use the captital that the CISO has acquired over the past few years and build out your program to where it needs to be. AKA, “strike while the iron is hot” More detailed topics including: - Career paths and changes in comp methodology for security teams need to change - Security Awareness needs adjustment for work for anywhere - Minimum viable security - it’s definitely not just “barely secure” And a reminder that Dan, Brian and Erik will be doing a live episode of the podcast at the upcoming Michigan Women in Technology ExecutiveManagement Conference on May 5 in Novi, Michigan. Tickets for the whole conference are now available (https://MCWT.org) and the agenda for the day is great. See you there If you want to listen to Jess’s previous episode, check out Episode 20, “It All Comes Down To Relaltionships.” https://www.greatsecuritydebate.net/20 You can find Jess on LinkedIn (https://www.linkedin.com/in/jessburn), Twitter (https://twitter.com/jessburn) and at the Forrester blog (https://go.forrester.com/blogs/author/jess_burn/). Thanks for joining us, Jess! And thanks to you for listening and watching. Special Guest: Jessica Burn.
Episode 38: Laws and Regs
Apr 13 2022
Episode 38: Laws and Regs
The Great Security Debate rolls on, this week looking at how governments, regulations and business values are and will shape the security posture of enterprises. Is attribution worth pursuing to the end? How can state and federal law enforcement help figure out who and what happened after an incident? Fast (agile) vs good (quality) vs cheap (cost) Are you chasing the right metrics in your organisation? Do they encourage the right behaviour? Is regulation required to make good security a greater market force? What will the regulations emerging in the US focus on? The “what”, the “why”, the “how”, or the “who”? How will they change when and how companies report material breaches? How does attribution of attack correlate to insurance coverage? How do IR firms fit into the equation? Erik, Dan and Brian also announce that the podcast is going LIVE and On the road. On May 5, Great Security Debate will be recording a live episode at the MCWT Executive Connection Summit in Novi, Michigan! More info and registration details are at https://mcwt.wildapricot.org/event-4630370. Ticket sales begin on 18 April 2022. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availabliity or benefits from these affiliate links. Thanks for listening!
Episode 37: Squality!
Mar 29 2022
Episode 37: Squality!
Recently, Brian, Dan and Erik had the great fortune to do a live version of the podcast at the monthly meeting of the SIM Detroit Chapter (https://chapter.simnet.org/detroit/home). At the close of that discussion, the comment was raised as to whether or not security should be used as a competitive advantage by businesses. The topic seemed perfect for The Great Security Debate, so here we are. In this episode, we cover: Can security be used as a business differentiator? SHOULD security be used as a business differentiator? If security is added too deeply into the sales cycle does it incentivise the wrong behaviours just to make a sale? How can we quantify the value of security in the purchasing process when it is not easily attributable to direct cost saving or value? How do closed systems compare to open systems with regard to security? How does the rise of customer trust as a key organisational focus indicate the use of security as a business differentiator? Do the fears that using security as a differentiator means that the collaborative nature and history of security will disappear? We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availabliity or benefits from these affiliate links. Thanks for listening!
Episode 36: How Do You Sleep At Night?
Feb 28 2022
Episode 36: How Do You Sleep At Night?
Current global events have led to increased focus on technology security. In this week's episode we debate to what extent this does or will confirm the rise of the information security roles within organisations. Our thoughts and good wishes go out to the people of Ukraine. Do current events confirm that the rise of the CISO organisation was warranted? How do CISOs sleep at night considering everything going on? How to reply to the question “what else should we be doing?” Are the attacks the primary objective or are they a smokescreen? How does the game of chess tie into to information security practises? What is the CISOs role in reducing FUD (fear, uncertainty, doubt)? Will current information it pay for acts of war? Does it raise our collective stature? Why is humility so important in the information security world? The underlying message is that while it is late in the process now to do all the steps to protect your organisation, it’s never too late to get started! We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availabliity or benefits from these affiliate links. Thanks for listening!
Episode 35: Security Super Agent
Feb 15 2022
Episode 35: Security Super Agent
This week’s episode was sparked by a recent TechCrunch article https://techcrunch.com/2022/02/01/free-agent-series-a/ asking whether tech workers should have agents to negotiate their salaries. We took up the debate on this and a few adjacent topics including: The Great Resignation’s impact on working habits Should security practitioners and leaders be represented by “agents” to negotiate better compensation for roles? What are the ways that formal agents exacerbate bias and increase the gaps between levels? The importance of networks for getting advice to help you be your own “agent” Is it the Great Resignation or the Great Realisation? How do ethics and values play into staff’s desire to go to or stay at a company? At different levels in one’s career who can help be your agent of change?
We should not be afraid to talk about our salaries and numbers And yes, those are Pączki on Brian’s hat. If you are not sure what this about, take a look at the video version on our YouTube channel https://www.youtube.com/watch?v=CAYRL1flZic We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availabliity or benefits from these affiliate links. Thanks for listening!
Episode 34: From the Inside Out
Jan 20 2022
Episode 34: From the Inside Out
We got a message from a listener asking for some discussion about putting the data first and securing it with that mind - the inside out, rather than looking at the perimeter and infrastructure and working back toward the data - outside in. And since we love our listeners and your feedback, we took the chance to cover this topic in depth. In the process we also covered: * Data Loss Prevention - Is it possible to improve this without the painful data classification, startup work or culture change? * When doing data analysis for attacks (or fraud) you have to account for the fraud already baked in the normal you know today * We can’t meaningfully count on IP address for geography…thanks to security asking for more use of VPNs * The pros and cons and risks to ponder when securing data in on premise vs. cloud/SaaS arrangements * When is the right time to establish a security team in a growing company? And how bad will the data sprawl be when they arrive? * Will the CTO/CIO and the CISO merge into a single role? Will the CIO report to the CISO eventually? It depends, of course, on the people and the organisation * Controls today may not be the controls we need for tomorrow * We try to secure things, but there’s also important value in good use of data to improve a business * Sunk cost fallacy and Security: when to burn it all down and start over * Audit is the best friend of the CISO: a new set of eyes and accountability partner makes all the difference Dan also goes on a small tirade over the way security professionals use the term “the business” as something distinct from the security team that is absolutely part of the business itself. Enjoy that soapbox moment. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availabliity or benefits from these affiliate links. Thanks for listening!
Episode 33: Log4Jelly of the Month Club
Jan 3 2022
Episode 33: Log4Jelly of the Month Club
Some say that Log4J is the gift that keeps on giving, much like the Jelly of the Month Club. After the initial surge of discussion a couple weeks ago there were mitigations, a vaccine and multiple iterations of official patches to keep the issue at bay and the new ones that cropped up afterwards. Brian, Dan and Erik discuss the log4j vulnerability as it relates to enterprise systems, supportability, balancing the risk of patching and the ways that open-source software are used within the enterprise. Join us this week as we cover: The Log4J vulnerability and saga in a nutshell The pros and cons of waiting to patch until there's a stable one vs. patching again with each iteration and risk my system's stability The critical need for system and application (and library) inventory and keeping up to date How best to react when the media and public discussion picks up on a vulnerability and causes a stir The challenges in the flurry of email and surveys from and to SaaS and service providers about their state on the vulnerability of the day What is the cost of "free" when it comes to running (and maintaining) open source software like Log4j How to make sure procurement departments are not just involved but include the risks of procurement decisions into the process Are the external capability assessments like SOC2 able to move beyond perfunctory review by those asking for them We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.
Episode 32: Sweet or Suite?
Dec 6 2021
Episode 32: Sweet or Suite?
It's a sports analogy-filled episode of The Great Security Debate, but don't let that scare you away. This week, we cover a whole host of topics, primarily focused on the ideas of simple vs. complex and best-of-breed vs. tightly integrated when dealing with technology, change, process or securing your environment. Pace of change in security is ridiculous right now How does reducing complexity and technical debt improve security and technology? (Said differently: simplicity is the heart of good security) Tech is nothing without process or people (see Episode 29 - People Process and Product (https://www.greatsecuritydebate.net/29)) Can security vendors be everything to everyone? In what environments do "suites" give better security balance than "best of breed"? What are the risks and benefits of a set of suite technologies vs. best of breed? How does securing your organisation parallel with American Football? What's changing in how we buy technology (and security technology)? Shorter contracts, even if it means less "savings"? Should we invest in security technology heavily up front to win one battle at all costs, or plan for the long-term war? Note that all American Football references were to games that had not yet been played at the time of recording. Congratulations, University of Michigan Wolverines on winning the Big Ten championship later that evening. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.