Regular Cyber360+ guest, Olivia Rose discusses leadership and her journey as CISO at Mailchimp. She admits it has not been easy. Six months in the role have taught her that to lead effectively, you need to build a trust relationship with your team.

For Olivia, “the key was showing my own vulnerability.” She let her team know that each one of them – and their individual skills – were needed and valued. This helped not only to build that vital trust, but also bolster motivation and team spirit. She explains, “what gives me comfort in this role is knowing that my team has my back, that my team is functioning and teaming together in the best way possible.”

02:56 — CISO is one of the hardest jobs. Metrics won’t provide comfort or security but a supportive team will.

06:47 — The secret to great leadership is a building a trust relationship with your team. Show your vulnerability, praise them, defend them.

12:23 — Metrics may not make the organization more secure or motivate your team, but you still need them to justify security spend

To hear more about leading as a CISO and motivating your team listen to our podcasts with Jason Haward-Grau and Nina Wyatt.

Privacy: Just Make It Easy

In this episode, host Ashwin Krishnan sits down with longtime friend of the podcast Malcolm Harkins, Chief Security and Trust Officer at Cymatic, and Chris Pierson, CEO of BlackCloak. They discuss the intertwined relationship between security and privacy and how the two need to be balanced. Malcolm explains, “when those two things are out of kilter, it’s like turning two magnets opposite to each other and they polarize.” It is not possible to protect just one area, it must be a multi-pronged approach: privacy, security, identity.

Chris goes on to explain why security and privacy controls cannot be left at work. Executives and their personal devices and digital activity present a soft target for attackers and must be guarded 24 hours per day. He sees three aspects to the management of privacy and security. First, consumers must understand the context of these in managing their digital footprint and identity. Second, they must decide how much they are willing to share. Third is hardest of all, actually executing controls. Unfortunately, we are our own worst enemy: reusing passwords, storing financial data on apps in the cloud, and so much more.

While CCPA has given Californian residents control of their data, opting out has proven so time consuming and laborious as to be discouraging. The sheer volume of data and the number of companies that hold it is daunting and overwhelming. While we may have good intentions about securing and tightening our privacy perimeters, few of us are motivated to do what is necessary. Facebook is a prime example: many disagree with their privacy policies but few have abandoned the platform.

Chris and Malcolm blame the corporations. For too many regulation compliance is just a checkbox. Yet, embedding transparency, ethics, and decency in corporate culture presents a branding opportunity for enterprises. While it may not be a business driver (yet), it could be a huge differentiator. As Chris points out, “there’s a business value, a business sale in trust, in goodwill, in your value of your name and brand.” More and more, consumers are purchasing from companies with principles they share.  The enterprises that are open about the data they have, how they use it and protect it, and crucially make their terms and conditions easy to understand are the ones who will benefit from consumer trust.

01:30 — Corporate cybersecurity doesn’t end when the executive leaves the building.

04:20 — There are three parts to understanding data privacy: context, willingness to share, and execution of controls.

05:25 — Privacy controls and security controls need to work together in harmony.

08:31 — There must be a continuum of privacy controls and security controls across work and home.

09:42 — You can’t tackle just one area, you have to tackle them all together: privacy, security, identity theft, etc.

10:44 — People disagree with how privacy is handled by the big companies — but then don’t do anything about it.

11:30 — People expect the safety systems in their digital life to be as automatic as they are in other areas of life – but they aren’t.

12:50 — It is tough for the average consumer to cope with cybersecurity and cyber hygiene, especially when they cannot trust the security products to fulfill their promises.

16:52 — Regulations are just a checkbox for most companies. Worse, for some they are an process to be cheated.

To hear more on privacy listen to our podcasts Global Differences in Privacy and Regulation with Cat Coode and Is it Time for Consumer’s Technical Bill of Rights with Brian Vecci.

How can companies prepare for, weather, and recover from a breach? In this podcast, Andrea Bonime-Blanc, Founder and CEO of GEC Risk Advisory, offers her best practices for cyber resilience: they begin and end with leadership. She recommends executives build and grow a culture that is cyber resilient, with boards aware of cyber risk and employees practicing cyber hygiene.

Fair or not, CISOs carry the responsibility for cyber breaches. Consequently, it is important that these often tech-trained professionals expand their skill sets. Andrea believes “CISOs need to be cross-disciplinary,” able to make boards aware of risk and capable of speaking to business executives in terms they will understand.

Once the inevitable has happened what is the best and, crucially, fastest way to recover? Have a crisis management plan, a liaison on the board, and ensure leadership communicates with stakeholders empathetically and effectively. For Andrea, the companies who have recovered most successfully are those with leaders who are “stakeholder savvy, not just shareholder savvy.”

02:06 — How can companies plan to be cyber resilient? Build a cyber-resilient culture inside your company, fold in contractors too.

05:33 — CISOs’ skillsets need to be cross disciplinary.

08:34 — The components you need to respond well to a breach or attack.

12:01 — Good leadership and communication is the differentiator between coping with a breach and not.

For more on the CISO skill set and translating between departments listen to our podcasts with Tammy Moskites and Helen Patton.

Business-Background CISO

Nina Wyatt, SVP and CISO at Sunflower Bank, discusses the challenges and benefits of being a CISO from a business background. Having a business continuity perspective brings in-depth experience and understanding of what’s critical to an organization. The challenges lie in building trust with technologically oriented colleagues. 

She discusses her work with young people, explaining that high school curricula are not keeping pace with the new careers we see evolving and increasing in business, technology and security. She also believes that teaching young people risk assessment skills could help them make better choices for their futures.

Privacy is an important issue for Nina, who believes consumers don’t really understand the consequences of their technological interactions. She suspects many end users like the convenience offered but unwittingly trade more than they receive. While data privacy statutes are state based, electronic data knows no boundaries. It is time for legislation to catch up. Until that happens, businesses will have to find an ethical path forward, and the companies that do will come out on top.

02:13 — How does a business background differ from a technology background for CISOs?

06:31 — We need to mentor our youth so they can see the jobs that aren’t represented in the school syllabus.

08:39 — Business risk assessment teaches valuable tools about consequences. Young people particularly could benefit from learning that.

11:34 — Do consumers understand the consequences of their technological interactions? No.

11:46 — Data breaches are almost a cost benefit to doing business online or shopping, and it’s a balance between that convenience and the consequences associated.

12:57 — Data privacy statutes are state based, but electronic data knows no boundaries.

16:33 — We’re in our fourth industrial revolution. Technological advances are moving fast. Legislation needs to catch up.

18:54 — 2020 will see a more unified approach to not violating public trust. In the end, it’s the businesses that put customers interests first that win.

Listen to our podcasts Dollars or Data with Kristina Podnar for more on data privacy and Battling Cybersecurity’s Bias with Dinah Davis for more on mentoring young people.

Disclaimer: All opinions expressed here are solely the opinion of Nina Wyatt and not the opinion of  her professional associations or Sunflower Bank.

Bill Bonney

The Human Element

Bill Bonney, Cybersecurity Evangelist and Author, joins the podcast to talk about the human element in cybersecurity. He argues that without understanding human motivations and loyalties, security leaders cannot secure their organizations. Education and awareness are key here. If employees feel secure in their personal life, they will have the energy to devote to the organization.

He uses banking and credit cards as an example of how companies have indemnified the individual and allowed us to give up responsibility for risk. The fact remains we are all responsible.

There are many things enterprises can avoid, but it seems a security breach is not one of them. Bill believes CISOs are no longer just responsible for securing the enterprise and its products; they are also responsible for ensuring recovery from that inevitable breach. The era of celebrity breaches has seen boards throw dollars at the problem, but the CISOs Bill has been talking to don’t want more tools, they want their teams educated on the tools they already have. 

As always, education is essential: education in the form of consumer awareness, education of employer and employees, and education of security practitioners so they can mitigate risk to the organization.

02:00 — Humans and their motivations are the hindrance to companies reducing risk.

04:28 — Banking is a great example of the transfer of risk responsibility from the individual to the institution.

06:48 — Teaching people secure habits for their personal life means they will be more secure at work. 

10:39 — People are the largest dynamic in the people-process-technology triad for how to secure any enterprise. 

12:03 — There is a growing trend towards understanding the motivation of the individual.

14:28 — The CISO role is not just understanding how to protect the enterprise and its products, but also knowing how to recover from the inevitable breach.

16:17 — Metrics and behavior: it’s all about the human element.

18:26 — Companies need to persuade consumers that they can be trusted with our data. To do that they must be transparent.

For more on the human element in cybersecurity listen to this podcast episode with Malcolm Harkins and for more on transparency listen to this podcast with Taylor Lehmann.

In his first podcast of 2020, Taylor Lehmann talks about vendor transparency, marketing messaging, and doing the basics. Given recent tensions with Iran, people have been asking how to combat retaliatory cyber attacks from a nation state. Taylor’s answer is the same things you should have been doing all along, the basics: multi-factor authentication, patching, data backup, and network segmentation and isolation. He points out these four security protocols can help stop attacks from script kiddies all the way up to nation states.

He moves on to talk about leveraging his CISO network when it comes to solving problems and getting product advice. Interestingly, Taylor recommends talking to your existing vendors too, as they are likely to have extensive research on their competitors.

Advice for those vendors? Transparency earns trust, and that needs to begin with the marketing message. Taylor argues that the FUD tactic is tired and worn out. Instead he would love to see a triple-pronged approach. Marketing should start with clear claims and real data to support the effectiveness of the product. Sales teams should repeat that message by giving an accurate picture of the product and educating their consumers on it. Finally, vendor engineers should be available to troubleshoot alongside the customer. That, Taylor contends, would be a true test of a vendor’s transparency and willingness to work with their customers.

02:06 — Four basic security protocols can help foil most cyber attacks from script kiddies to nation states.

07:46 — Embracing FUD. One CISO’s gambit to use it as a motivator for discovering and evaluating new products.

09:19 — Where should CISOs turn for product advice?

12:51 — Software development is just an amalgamation of bad code.

13:42 — Transparency breeds trust and that begins with a vendor’s marketing message.

14:33 — Sales teams should be looking to educate consumers, not chasing the dollar.

14:59 — The true test of an organization’s willingness to work with you is if they pull their engineering teams out to help you.

To hear more about the basics listen to our January 2020 podcast with Jason Haward-Grau or you can find more of our podcasts with Taylor here.

In his first Cyber360+ podcast for the year, PAS CISO Jason Haward-Grau discusses his prediction for 2020: multi-vector attacks will become the new normal. Appropriately for a January podcast, Jason underlines the importance of covering the basics – not glamorous but essential – and offers his thoughts on the challenge of keeping a security team motivated.

Digitization and 5G will bring enormous benefits to OT but also huge challenges. Jason believes the conversations should start early and that security should be baked in at the beginning. Crucial to all of these efforts will be getting the board to understand that a cyber attack is inevitable. It is a CISO’s job to educate them and the best way to do so is to ignore the traditional FUD gambit and instead provide real world correlated examples. In Jason’s opinion, it will be an organization’s ability to respond to and respond from an attack that will determine its survival.

02:47 — Prediction for 2020: multi-vector attacks on industrial infrastructure will become the new normal. 

03:49 — Every industry faces different challenges but all CISOs need to be doing the same thing: the basics.

05:18 — The basics are not glamorous or exciting,  so how do you keep your team motivated and engaged?

07:17 — Digitization brings huge benefits but also huge challenges – not least the lack of a physical network – how do you secure it?

10:35 — Detection is no longer king. Speed of recovery will determine an enterprise’s successful cyber attack survival.

13:44 — CISOs must educate the board that cyber attacks are inevitable. The ability to respond and recover is most important.

17:26 — Don’t use FUD, do use examples. It’s a business conversation about the ability to operate.

For more on 5G listen to Jason’s previous podcast and for more on cyber attacks check out Peter Liebert’s podcast.

In our first episode of 2020, Jimmy Sanders, Head of Information Security at Netflix joins the podcast to talk about Netflix’s unique culture of “freedom and responsibility” and what that means for the information security team.

He covers the evolution of cloud security from the perspective of an organization that was an early AWS customer and cautions that security remains the responsibility of the customer, not the vendor.

AI, ML, Big Data and all those other buzzwords are just that for Jimmy. He is less interested in how vendor products work and more interested in their efficacy. When vetting and implementing new products he recommends using trusted relationships and standing on the shoulders of those who have already implemented that product. Moving out of our silos and into these sorts of collaborations and partnerships is one of Jimmy’s hopes for cybersecurity in 2020.

01:31 — Netflix culture what “freedom and responsibility” means for information security.

03:26 — What Netflix needs in a security team: open-minded people who can handle a lot of data.

05:29 — Most young people don’t realize a career in cybersecurity exists.

07:49 — AI, ML, Big Data, whatever you use – just make sure your product works. It’s the efficacy that counts.

09:52 — How can CISOs measure risk? It’s all a question of appetite.

12:32 — Cloud is evolving and more stable, but cloud security is still not the responsibility of the vendor.

14:58 — Collaboration is the best way to approach security. Leverage every trusted relationship.

17:33 — Hopes for 2020: limiting the scope of breaches, more partnerships to drive security forward.

If you’d like to hear more about CISO community relationships check out our podcasts with Peter Liebert and Helen Patton.

Digital Policy Consultant Kristina Podnar joins Ashwin to talk about consumer digital privacy. They discuss whether we are tiring of “free” applications and ponder the fair dollar price instead of paying in data. Kristina wonders if we are really aware of how much data is being collected about us with and without our knowledge and believes that end users really need education in this area. 

Ashwin asks if we are seeing a movement around digital awareness. Sadly not, but Kristina is seeing a bigger shift in the U.S. towards citizens’ rejection of federal and local government digital supervision. While in the EU, the opposite is true with citizens trusting governments more than they trust private sector business. 

While regulations continue to play an important part in monitoring and controlling digital privacy rights, ultimately it will be consumer spending, or refusal to spend, that prompts companies to become more transparent.

01:25 — Are we tiring of “free” apps? If so, what’s a fair dollar trade for data?

03:26 — How much do we understand about what data is being collected about us?

06:28 — End users need educating on the data that is being collected about them.

08:45 — No-one has taken advantage of the opportunity to use data to sell to consumers in a hyper-personalized fashion.

10:48 — Are we seeing a movement around digital awareness? Sadly not.

12:12 — The EU has much higher citizen-government trust levels. 

15:25 — Regulations are important but consumer spending power is where the buck will stop.

If you enjoyed hearing about digital policy you can find Kristina’s other podcasts here.

Jason Haward-Grau, CISO at PAS, returns to the podcast to talk about the often overlooked I for integrity in the CIA security triad. The emphasis on confidentiality has been driven by legislation and the emphasis on availability has been driven by business outcomes, but integrity is less well understood.

Attackers have turned their attention to infrastructure and Jason points out this can have deadly consequences. The drive to be competitive is presenting new challenges for security teams and attack vectors for hackers.

In predicting trends for 2020, Jason sees more targeted attacks as inevitable and says the security industry must prepare, prepare, prepare and focus on response and recovery. He sees the accelerated regulation continuing. Finally, he’d love to see OT and IT manage a closer more communicative relationship.

01:06 — The I in the CIA triad is often overlooked. 

04:15 — Integrity is crucial in OT processes. It protects lives.

06:53 — Attackers have turned their attention to infrastructure and that can have deadly consequences.

08:57 — The drive to be competitive and reduce costs is presenting new challenges for security teams and attack vectors for hackers.

13:32 — What should we be focusing on in 2020?

If you’d like to hear more about IT and OT listen to our third podcast with Jason, or if you’re looking for more predictions for 2020, check out last week’s podcast with Malcolm Harkins and Peter Liebert.