All links and images for this episode can be found on CISO Series (https://cisoseries.com/facebook-personality-quiz-asks-whats-your-favorite-password/)

What's your favorite combination of letters, numbers, and symbols you like to use to log onto your favorite app or financial institution? Let us know and we'll see if it matches any of your friends!

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Lakshmi Hanspal (@lakshmihanspal), CISO, Box.

Thanks to this week's podcast sponsor, CyberArk.

At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.

On this week's episode

Why is everybody talking about this now?

On AskNetSec on reddit, user u/L7nx asks, "How do you handle alert fatigue?" Many vendors out there listening want to scream, "We've got a single pane of glass solution!"

On reddit, Kamwind commented that it's not so much managing the output, but rather the input and false positives. "What are you doing to tune those rules and IOCs (indicators of compromise) to reflect your network vs accepting them from whatever vendor you're getting them from."

Is alert fatigue a real thing and what can be done to manage input and output?

It's security awareness training time

There's a meme resurfacing that pokes fun at Facebook personality quizzes that ask seemingly innocuous questions such as "What's Your Favorite Band?" and "What's Your Favorite Teacher's Name?" In the meme, the answers to each question are just one word of the sentence, "Stop giving people your personal info to guess your passwords and security questions." We've talked about training programs that rely on fear. Humor seems rather effective here, but heck, I don't know. Does humor in security training work? Does fear? What tone have you seen actually foster behavioral change?

What's Worse?!

Do you likeable or useful vendors? Sometimes they're not both.

Here's some surprising research

The Verizon DBIR is out. Mike's favorite. There's a ton to unpack as there always is, but for this segment I just want to visit one item in this report and that's configuration errors. From a quote by Larry Dignan on ZDNet: "Errors definitely win the award for best supporting action this year. They are now equally as common as social breaches and more common than malware... hacking remains higher, and that is due to credential theft and use." I get the sense that second to black hat hackers, we're our own worst enemy. One argument for the increase in cloud breaches is because security researchers and others are discovering exposed storage in the cloud. Could it be just poor training of cloud security? Or poorly maintained cloud providers?

Vendors have questions. Our CISOs have answers

Landon Winkelvoss of Nisos asks, "What do your good vendors do on an ongoing basis (quarterly, monthly, weekly, etc) that make renewals easier around budget season? How often should they do it? What metrics and impacts to the business should they document and present that make this relatable to people outside of security such as the CFO?"