Business Security Weekly Episode #208 – March 08, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Security Leadership in Times of Transition – 03:00 PM-03:30 PM

Announcements

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

  • Our next live webcast will be on March 18th at 11am ET where you will learn how to Prepare Linux Hosts for Unexpected Threats! Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

In 2020, we interviewed Gerald Beuchelt on Enterprise Security Weekly. At that time, he was the CISO at LogMeIn. Now he’s the CISO at Sprinklr. What’s it like to transition jobs in the middle of a pandemic as the first CISO of a company? Gerald discusses his transition story and shares his recommendations and lessons learned for other CISOs.

Guest(s)

Gerald Beuchelt – Chief Information Security Officer at Sprinklr

@beuchelt

Gerald is the Chief Information Security Officer/Vice President for Sprinklr’s products and corporate assets.

In his prior role as Chief Information Security Officer/Vice President for LogMeIn he was responsible for the security, compliance, and technical privacy of LogMeIn’s products and corporate assets. Before, Gerald was Chief Security Officer for Demandware, a Salesforce Company, responsible for security and acting Chief Privacy Officer and Data Protection Officer for Demandware’s German subsidiary.

Hosts

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

Jason Albuquerque

@Jay_Albuquerque

CIO & CSO at Carousel Industries

Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance

2. Risky Business (With Less Resources), Or: Know the CISO Job Search – 03:30 PM-04:00 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, and join our Discord Server!

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

In the leadership and communications section, Risky business: 3 timeless approaches to reduce security risk in 2021, Why Less Can Be More When It Comes to Cybersecurity, CISO job search: What to look (and look out) for, and more!

Hosts

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

Jason Albuquerque

@Jay_Albuquerque

CIO & CSO at Carousel Industries

Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance

  1. Risky business: 3 timeless approaches to reduce security risk in 2021 – Help Net Security – A summary of the tactical and strategic moves CISOs can make to reduce security risk in 2021:

    1. Look to reduce your “haystack” of threat avenues through smart policy enforcement. Consider DNS as a vector – for both attack and detection
    2. Ensure that your cloud adoption strategy is coupled with sound cloud security policy and design
    3. Educate your leadership team. “We aren’t a target” is equivalent to sticking your head in the sand.

  2. Reducing Cybersecurity Risk With Minimal Resources – How do you think about attacking the problem of reducing risk? Short answer: use an enterprise-wide, holistic, Risk-Based Security Strategy (RBSS). Risk is a combination of threat, vulnerability, likelihood and impact/consequences, along with asset values. The main activities that really matter are:

    1. Cyber Education and Awareness Training Program: educate users with periodic training courses, email notes on security topics, posters, frequent phishing exercises, etc.
    2. Tightly manage access controls: use multi-factor authentication (MFA) everywhere, strictly control privileged account management (PAM), monitor access changes (active directory, etc.).
    3. Excel at TVM (threat and vulnerability management) and cyber hygiene overall: go beyond just patching (yet that must be a top priority!), assess your status against CIS Controls 1-6, then fix the gaps.
    4. Data protection approach: endeavor to encrypt everywhere (it’s easiest in the long run), control and classify data, and use a tailored identity and access management (IAM) program. Combine with privacy elements as you can. Get cyber insurance.
    5. Third-party/vendor risk management: go beyond the paper drill (NDAs, Ts&Cs, SLAs, etc.) and actually have a risk assessment — lack of this causes over half of all data breaches — and start with a detailed questionnaire, then ask what certs they have.
    6. Partner with a managed detection and response (MDR) provider: 24/7 coverage, extensive threat intel reach-back, enhanced threat hunting, and reduced alert fatigue for the security folks.

  3. Why Less Can Be More When It Comes to Cybersecurity – Security Boulevard – Organizations frequently end up building complex security stacks thinking that more solutions equate to better security. Unfortunately, while the average CISO can point to anywhere between 35 to 65 different security technologies in their environment, complexity does not mean safety. Instead, overly complicated security stacks can increase vulnerability by hiding critical security weaknesses while simultaneously draining vital organizational resources. Simple can be better:

    1. Overly Complicated Security Stacks Incur a High Cost
    2. A Simplified Approach to Cybersecurity Makes Business Sense
    3. Leveraging OS Native Controls Should Be a Cornerstone of Your Security Posture

  4. Why Do Chief Security Officers Leave Jobs So Often? – In both public and private organizations, chief information security officers have shorter tenures than CIOs. Why do cybersecurity heads so quickly leave jobs — or get forced out? Here are a few reasons that CISOs are moving on:

    1. Change in top company or government leadership.
    2. Differences in technology security philosophy, including resources allocated for cybersecurity.
    3. Personality conflicts.

  5. CISO job search: What to look (and look out) for – Sometimes a CISO isn’t really a CISO, or the role does not have the authority or resources it needs. Here’s how those seeking CISO roles can avoid the wrong employer:

    1. Does the role lack C-level status?
    2. A poorly-defined CISO job description
    3. Why are they hiring a CISO?
    4. Who’s on the security team?
    5. What are they paying?

  6. Virginia data protection bill signed into law – The state is the second in the nation to enact a consumer data protection law along the lines of the EU’s GDPR. Here’s what businesses need to know about Virginia’s CDPA:

    1. CDPA mandates how larger companies control or process data
    2. CDPA combines CCPA, CPRA and GDPR
    3. Other states may quickly adopt data protection laws