Images and links for this episode can be found at CISO Series (https://cisoseries.com/worst-question-award-goes-to-how-secure-are-we/)

We've got better ways to determine the overall quality of your security posture than asking this unanswerable question. It's all coming up on CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Helen Patton (@osucisohelen), CISO, Ohio State University.

Thanks to this week's podcast sponsor Trend Micro.

On this week's episode

Why is everyone talking about this now?

Jamil Fashchi, CISO, Equifax, "In speaking with a CEO the other day, I was asked, 'As someone who isn’t technical, what questions should I ask to determine if my security team is effective?'" This caused a flurry of discussion. What's your advice, and do you agree it's a lot better question than "How secure are we?"

Hey, you're a CISO, what's your take on this?

One issue that comes up a lot in cybersecurity is the lack of diversity. We have discussed the value of diversity, in that it avoids "one think" and brings in the critical need of different viewpoints. The problem is we're often attracted to people like us, and we ask for referrals which if you hired people like you is probably going to deliver more people like you. We focus this discussion on actionable tips that CISOs can take to bring in a diverse workforce.

What's Worse?!

What's it like to work with the business and their acceptance or lack of acceptance of risk?

First 90 days of a CISO

Steve Luczynski, just became CISO of T-Rex Corporation. In the past the CIO has handled both IT and security at the company.

"Now with a CISO onboard, the struggle is figuring out who does what with the expected reluctance by the CIO to let go of certain things and trust me, the new CISO to maintain the same standards. For example, I wanted to change our password policy when I first showed up to match the new NIST guidance of not changing based on a set time period. There was disagreement and it did not change even when I showed the NIST verbiage," said Luczynski.

How should Steve deal with such disagreements?

Ask a CISO

For a while, FUD (fear, uncertainty, and doubt) worked on the average person, to get them to install basic security measures, like an anti-virus. But it appears that's all changed. The cause could be apathy. When there's so many breaches happening the average person feels powerless. Are we marketing cyber-awareness wrong to non-security people? What would get them to be true advocates?

The Pre-nup. It’s a difficult thing for most people to talk about in their personal lives, but it’s something that should always be considered when setting up a relationship with a cloud service provider. Not all business relationships last, and if your organization needs to move its data to another provider, it’s not like packing up your furniture and saying goodbye to your half of the dog.