The Great Security Debate

Great Security Debate Productions LLC

Two CISOs and a security-minded friend discuss and debate topics of security and privacy, with a focus on looking at the topic from various angles, both that they support and those they don't. Sign up for our newsletter to be notified when new episodes drop, or when new projects are announced https://newsletter.greatsecuritydebate.net

Episode 40: What Got You Here Won’t (Necessarily) Get You There
Dan, Brian and Erik look at how the past informs our security future, and how things we have done in the past may not get us where we need to be in the future. Join us for a live podcast recording with live audience Q&A, direct from the MCWT Executive Connection Summit. In the live recording we covered a flurry of topics focused on changing ourselves, refreshing ourselves and renewing ourselves, including:

* The barriers to entry to get into the security field
* Experience vs. education requirements in security hiring
* Changes afoot in hiring appetite as recession looms
* Reporting requirements by public companies on breach or security events
* Security beyond just confidentiality
* Improvements that can be made to the hiring process
* And lots more!

Huge thanks to the wonderful team at the Michigan Council on Women in Technology (https://mcwt.org) for asking us to be part of this great event bringing the Michigan technology community together to build connections.

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links. Thanks for listening!
Yesterday
45 mins
Episode 39: Program Your Program
Apr 25 2022
1 hr 2 mins
Episode 38: Laws and Regs
The Great Security Debate rolls on, this week looking at how governments, regulations and business values are and will shape the security posture of enterprises.

* Is attribution worth pursuing to the end?
* How can state and federal law enforcement help figure out who and what happened after an incident?
* Fast (agile) vs. good (quality) vs. cheap (cost)
* Are you chasing the right metrics in your organisation? Do they encourage the right behaviour?
* Is regulation required to make good security a greater market force?
* What will the regulations emerging in the US focus on? The "what", the "why", the "how", or the "who"?
* How will they change when and how companies report material breaches?
* How does attribution of attack correlate to insurance coverage?
* How do IR firms fit into the equation?

Erik, Dan and Brian also announce that the podcast is going LIVE and on the road. On May 5, Great Security Debate will be recording a live episode at the MCWT Executive Connection Summit in Novi, Michigan! More info and registration details are at https://mcwt.wildapricot.org/event-4630370. Ticket sales begin on 18 April 2022.

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links. Thanks for listening!
Apr 13 2022
45 mins
Episode 37: Squality!
Recently, Brian, Dan and Erik had the great fortune to do a live version of the podcast at the monthly meeting of the SIM Detroit Chapter (https://chapter.simnet.org/detroit/home). At the close of that discussion, the question was raised as to whether or not security should be used as a competitive advantage by businesses. The topic seemed perfect for The Great Security Debate, so here we are. In this episode, we cover:

* Can security be used as a business differentiator?
* SHOULD security be used as a business differentiator?
* If security is pushed too deeply into the sales cycle, does it incentivise the wrong behaviours just to make a sale?
* How can we quantify the value of security in the purchasing process when it is not easily attributable to direct cost saving or value?
* How do closed systems compare to open systems with regard to security?
* How does the rise of customer trust as a key organisational focus indicate the use of security as a business differentiator?
* Are the fears justified that using security as a differentiator will make the collaborative nature and history of security disappear?

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links. Thanks for listening!
Mar 29 2022
1 hr 5 mins
Episode 36: How Do You Sleep At Night?
Current global events have led to increased focus on technology security. In this week's episode we debate to what extent this does or will confirm the rise of the information security roles within organisations. Our thoughts and good wishes go out to the people of Ukraine.

* Do current events confirm that the rise of the CISO organisation was warranted?
* How do CISOs sleep at night considering everything going on?
* How to reply to the question "what else should we be doing?"
* Are the attacks the primary objective or are they a smokescreen?
* How does the game of chess tie into information security practices?
* What is the CISO's role in reducing FUD (fear, uncertainty, doubt)?
* Will current information it pay for acts of war?
* Does it raise our collective stature?
* Why is humility so important in the information security world?

The underlying message is that while it is late in the process now to do all the steps to protect your organisation, it's never too late to get started!

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links. Thanks for listening!
Feb 28 2022
1 hr 4 mins
Episode 35: Security Super Agent
This week's episode was sparked by a recent TechCrunch article https://techcrunch.com/2022/02/01/free-agent-series-a/ asking whether tech workers should have agents to negotiate their salaries. We took up the debate on this and a few adjacent topics, including:

* The Great Resignation's impact on working habits
* Should security practitioners and leaders be represented by "agents" to negotiate better compensation for roles?
* What are the ways that formal agents exacerbate bias and increase the gaps between levels?
* The importance of networks for getting advice to help you be your own "agent"
* Is it the Great Resignation or the Great Realisation?
* How do ethics and values play into staff's desire to go to or stay at a company?
* At different levels in one's career, who can help be your agent of change?
* We should not be afraid to talk about our salaries and numbers

And yes, those are Pączki on Brian's hat. If you are not sure what this is about, take a look at the video version on our YouTube channel https://www.youtube.com/watch?v=CAYRL1flZic

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links. Thanks for listening!
Feb 15 2022
1 hr 2 mins
Episode 34: From the Inside Out
We got a message from a listener asking for some discussion about putting the data first and securing it with that in mind (the inside out), rather than looking at the perimeter and infrastructure and working back toward the data (outside in). And since we love our listeners and your feedback, we took the chance to cover this topic in depth. In the process we also covered:

* Data Loss Prevention: is it possible to improve this without the painful data classification, startup work or culture change?
* When doing data analysis for attacks (or fraud), you have to account for the fraud already baked into the "normal" you know today
* We can't meaningfully count on IP address for geography, thanks to security asking for more use of VPNs
* The pros and cons and risks to ponder when securing data in on-premises vs. cloud/SaaS arrangements
* When is the right time to establish a security team in a growing company? And how bad will the data sprawl be when they arrive?
* Will the CTO/CIO and the CISO merge into a single role? Will the CIO report to the CISO eventually? It depends, of course, on the people and the organisation
* Controls today may not be the controls we need for tomorrow
* We try to secure things, but there's also important value in good use of data to improve a business
* Sunk cost fallacy and security: when to burn it all down and start over
* Audit is the best friend of the CISO: a new set of eyes and an accountability partner makes all the difference

Dan also goes on a small tirade over the way security professionals use the term "the business" as something distinct from the security team, which is absolutely part of the business itself. Enjoy that soapbox moment.

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links. Thanks for listening!
Jan 20 2022
1 hr 5 mins
Episode 33: Log4Jelly of the Month Club
Some say that Log4J is the gift that keeps on giving, much like the Jelly of the Month Club. After the initial surge of discussion a couple of weeks ago there were mitigations, a "vaccine" and multiple iterations of official patches to keep the issue at bay, along with the new ones that cropped up afterwards. Brian, Dan and Erik discuss the Log4j vulnerability as it relates to enterprise systems, supportability, balancing the risk of patching, and the ways that open-source software is used within the enterprise. Join us this week as we cover:

* The Log4J vulnerability and saga in a nutshell
* The pros and cons of waiting to patch until there's a stable one vs. patching again with each iteration and risking your system's stability
* The critical need for system and application (and library) inventory, and keeping it up to date
* How best to react when the media and public discussion pick up on a vulnerability and cause a stir
* The challenges in the flurry of email and surveys from and to SaaS and service providers about their state on the vulnerability of the day
* What is the cost of "free" when it comes to running (and maintaining) open source software like Log4j?
* How to make sure procurement departments are not just involved, but include the risks of procurement decisions in the process
* Are external capability assessments like SOC 2 able to move beyond perfunctory review by those asking for them?

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.
Jan 3 2022
1 hr 3 mins
Episode 32: Sweet or Suite?
It's a sports analogy-filled episode of The Great Security Debate, but don't let that scare you away. This week, we cover a whole host of topics, primarily focused on the ideas of simple vs. complex and best-of-breed vs. tightly integrated when dealing with technology, change, process or securing your environment.

* The pace of change in security is ridiculous right now
* How does reducing complexity and technical debt improve security and technology? (Said differently: simplicity is the heart of good security)
* Tech is nothing without process or people (see Episode 29 - People, Process and Product (https://www.greatsecuritydebate.net/29))
* Can security vendors be everything to everyone?
* In what environments do "suites" give better security balance than "best of breed"?
* What are the risks and benefits of a set of suite technologies vs. best of breed?
* How does securing your organisation parallel American Football?
* What's changing in how we buy technology (and security technology)? Shorter contracts, even if it means less "savings"?
* Should we invest in security technology heavily up front to win one battle at all costs, or plan for the long-term war?

Note that all American Football references were to games that had not yet been played at the time of recording. Congratulations, University of Michigan Wolverines, on winning the Big Ten championship later that evening.

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.
Dec 6 2021
55 mins
Episode 31: The Infinite Game
Episode 30: Monkeys On Your Back
Episode 29: People, Process and Product
Episode 28: Stop, Collaborate and Pivot
Sep 13 2021
1 hr
Episode 27: Risks, Regulations, and Reputations
Episode 26: It's Personal
If you want to check out the new video edition of the podcast, please go to: https://youtu.be/FBBmA9YDNfQ where you can subscribe, give thumbs up and ring bells like YouTubers have been asking you to do for years. You know the drill.

Also, our apologies for the hum in the audio throughout the entire episode. The problem has been identified and the source (Dan) has been taken out back and schooled on the difference between mic-level and line-level audio feeds. He promises it won't happen again... often. Now, on to the show.

This week, Dan, Brian and Erik tackle the recent changes announced by Apple regarding moves to protect children from online predators and from the passing of illegal material about children. The project has three parts, each with its own benefits and concerns. We cover them each individually:

First, the scanning of messages inbound to minors (under 18s) on an Apple Family Sharing account, in which images are tested for inappropriateness, blurred, and the child alerted that they may be about to look at something they may want to reconsider. If they are under 13 and decide to view the image, the parents are notified. This is an opt-in programme and parents decide whether or not to join for the family.

Next comes the proactive scanning of iCloud Photo Library stored at Apple. For a long time many have wondered why end-to-end encryption had not been put into iCloud, and this is a likely factor. The photos are tested against the hashes of a set of known images containing child pornography, and issues are raised to the authorities. This is and has been happening on other cloud photo services, including Microsoft and Flickr, for some time.

Finally, and most controversially from a privacy perspective, Apple is implementing a proactive test of the hashes of photos stored on customers' Apple devices against this same set of known images. In the US there is no law that prevents this, but it runs counter to the marketing emphasis Apple has placed on the privacy of data within their devices. The method is rather intricate and strives to prevent Apple from seeing anything unless it suspects there are systemic child pornography issues at bay.

These technology approaches change the game for prosecutors and law enforcement, and they expose issues earlier. But what happens when this capability gets expanded, or brought into law as mandatory for use against citizens who speak out politically, or is taken over by bad actors? Look at the link in the show notes regarding the keys the TSA made for physical locks at the airport: every hole is a potential future vulnerability. Does the end justify the means? We discuss in depth on this week's Great Security Debate!

If you want to support the efforts of The Great Security Debate, please feel free to become a patron and get some cool benefits of supporting this independent show - https://www.patreon.com/securitydebate
Aug 9 2021
1 hr 1 min
Episode 25: We'll See
Episode 24: Back to Basics
Recently a lot of newsworthy security incidents have taken place. A common thread through many is not that they were sophisticated or required lots of time to plan and execute, or even that the victim had not invested in a lot of whizbang security technology which led to them not noticing the attack. The common thread is much simpler: fundamental security measures were not being taken by the organisation. Things like turning off accounts when people left the organisation, removing disused technology from the network, and the reuse of passwords by staff amongst public-facing and internal systems. Gaps in the fundamentals make it easy for attackers to get into networks and systems, both enterprise and personal, and are all things that we can each work on individually and within our organisations to improve and make the attacks that much harder for the bad actors to execute. This week's episode discusses those fundamentals and how to approach them.

The "slide" that is often referenced in the episode comes from a talk that Dan gave to the National Information Standards Organisation (NISO) last week on why it was so important to maintain the security of their systems. The whole presentation deck is available at http://slideshare.net/secratic/security-is-an-enabler-not-securing-is-an-inhibitor-249421889 and the specific slide is Slide 8.

Thanks for listening. You can subscribe to the podcast on your favourite podcast application or by visiting our website https://www.greatsecuritydebate.net/subscribe. Please let us know what you think by leaving a comment in the podcast application's rating section or emailing us at feedback@greatsecuritydebate.net
Jun 21 2021
1 hr
Episode 23: It Depends
Episode 22: Sidewalks and AirTags
Episode 21: Why Does My CISO Hate Me?