Business Security Weekly Episode #189 – September 28, 2020

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. State of the Managed Detection & Response Market – 03:00 PM-03:30 PM

Sponsored By

Visit https://securityweekly.com/deepwatch for more information!

Announcements

• Would you like to have all of your favorite Security Weekly content at your fingertips? Do you want to hear from Sam & Andrea when we have upcoming webcasts & technical trainings? Have a question for one of our illustrious hosts, someone from the Security Weekly team, or wish you could “hang” out with the Security Weekly crew & community? Subscribe on your favorite podcast catcher, sign up for our mailing list, and join our Discord Server to stay in the loop on all things Security Weekly! Visit: https://securityweekly.com/subscribe

• It’s official! Security Weekly, in partnership with CyberRisk Alliance, is excited to present Security Weekly Unlocked on December 10, 2020. The inaugural edition of Security Weekly Unlocked also celebrates Security Weekly’s 15th Anniversary. Registration and call for speakers is now open. Visit securityweekly.com/unlocked to submit your speaking session and register for free!

Description

What makes MDR different from MSSP? What makes a good MDR provider? How do you decide to build your own capabilities, hire an MSSP or ally with an MDR?

This segment is sponsored by deepwatch.

Visit https://securityweekly.com/deepwatch to learn more about them!

Guest(s)

Hosts

2. 6 Types of CISO, Habits of Highly Effective CISOs, 10 Key Security Projects – 03:30 PM-04:00 PM

Announcements

• Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

• In our October 22nd technical training, we will provide a first look at a new, free resource that delivers thousands of remedies as a service to bridge the gap between vulnerabilities found, and vulnerabilities fixed! Visit https://securityweekly.com/webcasts to see what we have coming up! Or visit securityweekly.com/ondemand to view our previously recorded webcasts!

Description

In the Leadership and Communications section, 6 types of CISO and the companies they thrive in, What are the habits of highly effective CISOs, Cybersecurity is Not a Four-Letter Word, and more!

Hosts

6 types of CISO and the companies they thrive in – There are six types of CISOs depending on the type of organization they work and their personality type, according to Forrester: 1. Transformational: Often “energized” to dive into a three- to five-year transformational initiative, said Pollard. These individuals tend to enjoy turn-around projects and watching business outcomes unfold. 2. Post-breach: Thrive in turbulence; they take on rebuilding a company’s security organization while mitigation and PR crises play out in the background. These CISOs don’t mind the possibility of becoming “the punching bag” for vendor presentations in the future, said Pollard. 3. Compliance guru: Typically work in highly regulated industries and are fluent in regulatory bodies and acronyms: HIPAA, CCPA, FDA, etc. 4. Tactical/operational: Action-oriented and can sift through technical complications. 5. Steady state: One of Pollard’s favorite types because they usually serve at companies that don’t need immediate transformation. “Maybe the company is OK right now,” he said. 6. Customer-facing/evangelist: Unafraid, and rather enjoys being their company’s spokesperson for cybersecurity. Tech companies often have this kind of CISO because they can appeal to customers with their charisma. What are the habits of highly effective CISOs? – Most effective CISOs constantly initiate discussions on evolving cyber security norms to stay ahead of threats; prioritise keeping their organisation’s decision-makers aware of current and future risks; proactively engage in seeking out and security emerging security technology; implement formal and actionable success plans; and define their organisation’s risk appetite through collaboration with decision-makers. Cybersecurity Is Not A Four-Letter Word – Why we don’t talk about cyber security: 1. We don’t understand fully 2. We can’t see it 3. It’s terrifying 7 Strategies for Better Group Decision-Making – Based on behavioral and decision science research and years of application experience, we have identified seven simple strategies for more effective group decision making: 1. Keep the group small when you need to make an important decision. 2. Choose a heterogenous group over a homogenous one (most of the time). 3. Appoint a strategic dissenter (or even two). 4. Collect opinions independently. 5. Provide a safe space to speak up. 6. Don’t over-rely on experts. 7. Share collective responsibility. Gartner: 10 key security projects through 2021 – If there’s time and resources for more projects, here are Gartner’s top security projects through 2021: 1. Securing the remote workforce 2. Risk-based vulnerability management 3. Platform approach to detection and response 4. Cloud security posture management 5. Simplify cloud access controls 6. DMARC 7. Passwordless authentication 8. Data classification and protection 9. Workforce competencies assessment 10. Security risk assessment automation What security needs to know before diving into SaaS contracts – If employees don’t engage with security red flags, the agreement fails to address the underlying issue: an application outside of a company’s risk appetite.