Great Security Debate

Welcome to the Great Security Debate! In this episode, experts take on a multifaceted discussion about the intricacies of technology and cybersecurity. The debate navigates through the recent incident involving CrowdStrike and Microsoft, dissecting the layers of technology, processes, and the roles of different entities in maintaining security. Emphasizing the lessons learned, the debate also explores the challenges of disaster recovery, business continuity, and balancing risk in an increasingly complex digital landscape. Tune in as the hosts delve into the ramifications of over-consolidation, the implications of vendor lock-in, and the importance of maintaining a culture of quality and robust testing.

00:00 Introduction to the Great Security Debate

00:37 Layers of Technology and Finger Pointing

01:23 Disaster Recovery and Business Continuity

02:34 Market Leaders and Single Points of Failure

08:25 The Complexity of Software and Manufacturing Analogies

14:27 Kernel Access and Security Implications

23:29 BitLocker Keys and Recovery Challenges

28:05 Daily Text File Sharing

28:21 Transitioning BitLocker Management

28:45 Risk Profiles and Encryption Decisions

31:47 Team Collaboration and Lessons Learned

33:38 CrowdStrike Incident Analysis

36:18 The Importance of Response and Culture

44:10 Balancing Speed and Safety in Software

51:41 Closing Remarks and Future Plans

This episode of 'The Great Security Debate' delves into the complexities surrounding cyber insurance, discussing its impact on minimising business risks and ensuring compliance. Erik, Brian, and Dan talk about how connected systems and automation increase risks and integrates AI reliance concerns.

Insurance policies, force majeure, and government regulations get some quality discussion and debate time, revealing fears and misconceptions about standardised security controls vs. adaptive security practices. And last up: the practicality and pitfalls of self-insurance, government intervention, and the need for standardised security terminology.

Show Links:

• CISA Secure by Design Pledge | CISA
• CISA Releases Guidance on Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses: (SMBs) | CISA
• The 118th Congress is the third oldest since 1789
• Book - The End of the World Is Just the Beginning
• Supreme Court’s ‘Chevron’ ruling means changes for writing laws - Roll Call
• Insurers Warn Standardizing Cyber Policies Could Limit Future Coverage
• Cyberattacks Disrupt Car Sales by Dealers in U.S. and Canada

Help support the podcast: https://ko-fi.com/distillingsecurity

Thanks for listening! We have got some exciting changes ahead including ways to support the podcast, some big announcements, new shows and conversations, and more! Thanks for listening!

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate and Distilling Security, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Thanks for listening!

00:00 Introduction to the Great Security Debate

00:30 The Role of Cyber Insurance

01:49 Manual Processes and Business Continuity

03:09 Manufacturing and Supply Chain Challenges

06:11 Insurance Policies and Cybersecurity

08:00 Standardization and Government Involvement

19:14 The Complexity of Cyber Warfare

22:35 Globalization and Cybersecurity

30:33 Leadership vs. Boss Mentality

33:53 The Role of Communication in Crisis

36:51 The Cost of Compliance

40:30 Global Cybersecurity Challenges

44:22 The Complexity of Online Trust

47:56 Insurance and Cybersecurity

53:07 The Future of Cyber Insurance

01:00:15 Conclusion and Final Thoughts

In this episode of the Great Security Debate, Brian, Erik, and Dan dive into the latest trends in ransomware including an uptick in attacks against the hypervisor. Speaking of VMWare, we also "discuss" the way that Broadcom has handled the VMWare acquisition and why it both make sense (to them) and doesn't (to many customers).

The debate also heads into the impact of AI in cyber threats, and compare strategies for mitigating risk, such as prioritising vulnerabilities and understanding the attack landscape.

Additionally, the conversation shifts to business practices in tech acquisitions and the potential future disruptions in the market and importance of balancing security measures with user experience, and the need for adaptive, short-term security roadmaps to stay ahead in an ever-changing environment.

And break the big news about an upcoming Distilling Security in-person meet-up in Michigan in July!

Help support the podcast: https://ko-fi.com/distillingsecurity

Show Notes:

episode-links

• Broadcom execs say VMware price, subscription complaints are unwarranted  | Ars Technica
• What happened with AI Overviews and next steps
• Book - Titan: The Life of John D. Rockefeller, Sr.

Thanks for listening! We have got some exciting changes ahead including ways to support the podcast, some big announcements, new shows and conversations, and more! Thanks for listening!

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate and Distilling Security, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Sorry about the audio on this one. We have got the tech back on track for the next episode. I promise!

Join the Great Security Debate as Brian, Erik, and Dan delve into 'pig slaughtering,' a scam involving rapport building to swindle victims out of money.

The discussion explores the intersections of security awareness, blockchain technology, and the ethical implications of digital tracking tools like chain analysis. Featuring real-world cases, including child exploitation traced through blockchain, and the broader debate on privacy versus legality in technology use. Are public blockchain transactions truly private?

And how can we balance innovative tech with ethical concerns? Tune in to hear all about it

Help support the podcast: https://ko-fi.com/distillingsecurity

Show Notes:

• Movie: Oppenheimer
• Adobe has built a deepfake tool, but it doesn’t know what to do with it - The Verge
• Movie: Defending Your Life
• Microsoft Edge May Import Your Chrome Tabs Without Your Consent
• Adobe content analysis FAQ
• How the Federal Government Buys Our Cell Phone Location Data
• Public By Default - Stories Found in Venmo Comments
• Chainalaysis
• Book: Tracers in the Dark
• Pig Butchering Scams: Last Week Tonight with John Oliver
• 7 Months Inside an Online Scam Labor Camp

Thanks for listening!

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate and Distilling Security, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Join Dan, Brian, and Erik in the latest episode of The Great Security Debate as they explore the impact and implications of the movie 'Leave the World Behind.' Delving into cyber security, societal impacts of technology, and philosophical elements, this discussion touches upon vulnerability management, risk management, and the effect of constant connectivity on modern life. Tune in to hear not only their analysis of the film but also personal reflections on communication, societal changes, and practical steps for improving individual security resilience. This episode also marks the exciting announcement of the Great Security Debate becoming a part of the Distilling Security network. Don't miss out!

Help support the podcast: https://ko-fi.com/distillingsecurity

Show Notes:

episode-links

• Distilling Security – Consumable security, privacy, and compliance
• Hackers Remotely Kill a Jeep on the Highway—With Me in It | WIRED
• August 2023 Data Incident | U-M Public Affairs
• Recent power outages in Ann Arbor have multiple causes, DTE Energy says
• Watch Leave the World Behind | Netflix Official Site

Editor note: This episode was recorded in the final days of 2023... but was lost to technology demons until now. One of those demons made it necessary to show the Zoom screen rather than our usual edited video cast. Sorry for the inconvenience and pain on your eyes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate and Distilling Security, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

It's an "all rounder" episode of The Great Security Debate. Brian watched a movie, Erik watched an advertisement, and Dan was overtly cynical. Just another day in the podcast booth for these three.

A variety pack of topics ranging from recent security attacks, to AI in technology, to automotive manufacturing (go figure), to privacy, to sponsorship and vendor models at live events, and more.

Links to everything we talked about are available in the show notes.

Thanks for listening and welcome to 2024! We have got some exciting changes ahead this year including ways to support the podcast, some big announcements, new shows and conversations, and more! Thanks for listening!

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

It's not easy to sell things. It's even harder to sell to security practitioners and leaders. The Great Security Debate this week covers some angles in security tools (and selling those tools to security teams) that have taken their toll on the trust that needs to exist between those who buy and those who make the products that we use. From the software providers to the VAR (resellers) in the middle to the people and techniques used to market and sell the solutions. Some of the key topics of the discussion include:

• The challenges of security tool consolidation by non-security vendors
• Security is not a lock-in tool, and security is not an upsell tool
• Pushing changes to products without telling the customers before they happen or letting those customers have control over the change (and if they take it or not)
• Security Selling with VARs & Deal Registration
• What are the motivators when a product is recommended to you
• You can still buy direct (and why you might want to)
• The challenge of selling into the SMB
• The power of the “vouch” that flies in the face of some sales methods
• The importance of being genuine in sales communications (aka knock off the programmatic drip campaigns that pretend to be personal)

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Thanks for listening!

This week we are debating modern AI systems, especially the commercial ones on just about everyone's lips when talking about CVs, high school term papers, and interview answers.

Large Language Models (LLMs), of which ChatGPT and Bard are two examples, are growing in prominence, but will they disrupt the technology world, or are they nothing more than just another blockchain fizzle?

In this episode:

• Are these even actually "AI" models, or really just very fast processing of large data sets?
• What should I (and should I not) be putting into LLMs? How does the re-teaching based on data entered impact what you should put into public LLMs?
• What are some valid use cases for LLMs?
• Does depending on tools like LLMs (or calculators) bring us further from core understanding of how things work? Or should we be OK with the efficiency it brings?
• How does copyright fit into the LLM expectation and model, and does the legal licensing of training data dull the shine of LLMs?
• Are the analyses from LLMs skewed not only by the data they chose to use for training, but also by the userbase that uses that LLM?
• How are any of the "good practise" security and privacy requirements for LLM different from any other systems? Spoiler alert: not at all.

Unrelated to AI, we also talk about what happens to all the "smart" things in your house when the internet goes out? What stops working? Way more than you might think...

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Thanks for listening!

Links:

Is OpenAI almost bankrupt?: https://www.windowscentral.com/software-apps/chatgpts-fate-hangs-in-the-balance-as-openai-reportedly-edges-closer-to-bankruptcy

Maybe not bankrupt, but has business problem: https://www.forbes.com/sites/lutzfinger/2023/08/18/is-openai-going-bankrupt-no-but-ai-models-dont-create-moats/?sh=3c8922845e22

Gartner declares LLMs at the peak of inflated expectations: https://www.gartner.com/en/newsroom/press-releases/2023-08-16-gartner-places-generative-ai-on-the-peak-of-inflated-expectations-on-the-2023-hype-cycle-for-emerging-technologies

When ChatGPT goes Bad: https://sloanreview.mit.edu/article/from-chatgpt-to-hackgpt-meeting-the-cybersecurity-threat-of-generative-ai/

https://venturebeat.com/security/how-fraudgpt-presages-the-future-of-weaponized-ai/

The Circle (Movie): https://www.imdb.com/title/tt4287320/

Amazon Sidewalk, and it's privacy issues: https://www.popsci.com/technology/amazon-sidewalks-privacy-concerns/

Idiocracy (Movie): https://www.imdb.com/title/tt0387808/

Moores law is dead: https://www.technologyreview.com/2016/05/13/245938/moores-law-is-dead-now-what/

GM deletes Car Play from future EVs: https://www.theverge.com/2023/4/4/23669523/gm-apple-carplay-android-auto-ev-restrict-access

GM announces $130K EV Escalade (without CarPlay): https://www.theverge.com/2023/8/10/23827059/gm-no-carplay-android-auto-escalade-iq

Fragile Things (Book): https://amzn.to/47BWWkB

It's been a minute, but we are back with another Great Security Debate!

Whether it is compliance, trust, questionnaires, we all sell something to someone and security is core to that process.

In this episode, the focus is on how security integrates into the core of each of our businesses or organisations. From being part of strategic planning, the reminder that perfect being the enemy of progress, to the power in being a first mover on security and privacy topics:

• Compliance vs security: Is it pro forma? Do you check the SOC2 (and other) reports you get from your suppliers?
• You're not a special snowflake: Why won't more orgs use standard questionnaires on supplier assessments?
• There are multiple ways to solve a problem, and context is key. The process and environment may mean you don't need a technology control or a specific (prescribed) technology control.
• "The business" is a term that should never be uttered again by security or technology practitioners and leaders.
• There is power and business value in governance and transparency in security and privacy; build trust in your brand.
• We need to move our programs a layer above the specific people. Risk is reduced by living at the process layer. Heroics are not scalable.
• How can preparing for a triathlon be used to describe adherence to targets that lead to good security (and the brand value that comes with it)

Remember that you can't be "SOC2 Certified." And PFMEA is not always the answer to every question. Or is it?

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Thanks for listening!

Welcome to a very special Great Security Debate. If it is spring, it means that the annual Forrester “Top Recommendations For Your Security Program” report has come out, and we get to visit with one of the authors, Jess Burn. But this year, we get an added extra voice in that of Jess’ Forrester colleague Jeff Pollard. Both Jess and Jeff share a ton of insight on topics from that report and a few others (see the links below for blog posts about most of them)

In this episode we cover:

• How (if) CISOs have been able to become “part of the business” and help colleagues understand that in 2023 security is business.
• Board reporting by CISOs and CIOs and where/how we succeed and fail.
• Talent shortages in infosec: a self-created nightmare?
• Consolidation in times of austerity: right or wrong for security?

Huge thanks to Jess and Jeff for joining (find their LinkedIn and Twitter in the links section). Even though Jess is legacy, we are pretty sure that Jeff will be welcomed back in 2024 with open arms.

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Thanks for Listening!

Special Guest: Jessica Burn.

Support The Great Security Debate

Links:

• Cybersecurity's Staffing Shortage Is Self-Inflicted
• Leadership Communication and Speaker Coaching | Speak by Design | United States
• Build Better Bridges: Introducing Forrester’s BISO Role Profile
• Announcing Analyst Experience: SOC Analysts Finally Escape The Shackles Of Bad UX
• The Pay Gap Isn’t The Only Problem For Women In CISO Roles
• Top Recommendations For Your Security Program, 2023 | Forrester
• How CISOs Can Navigate The 2023 Downturn
• Jess Burn | LinkedIn
• Jeff Pollard | LinkedIn
• Jess Burn (@Jess_Burn_) / Twitter
• Jeff Pollard (@jeff_pollard2) / Twitter