Business Security Weekly Episode #237 – October 25, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Fight Fire With Fire: Proactive CyberSec Strategies for Security Leaders – 03:00 PM-03:30 PM

Sponsored By

Visit https://securityweekly.com/fortinet for more information!

Announcements

  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!

  • Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista!

    Keynotes from Alyssa Miller, John Strand, Lesley Carhart, & Dave Kennedy!

    Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!

Description

With today’s expanding attack surface, constantly evolving threat landscape, and growing cyber skills gap, cybersecurity leaders need actionable advice from seasoned peers more than ever. Renee along with a diverse group of accomplished experts in cybersecurity has created a book of collective learnings that brings together years of experience so that anyone in the field can leverage this insight in the face of the cyber threats and “fires” of today and tomorrow. This interview will focus on some of the takeaways and learnings.

Segment Resources:
https://www.barnesandnoble.com/w/fight-fire-with-fire-renee-tarun/1139924071

This segment is sponsored by Fortinet.

Visit https://securityweekly.com/fortinet to learn more about them!

Guest(s)

Renee Tarun – Deputy CISO at Fortinet

Renee Tarun is Deputy CISO at Fortinet. Renee has over 20 years’ experience in the cybersecurity and information technology fields with leadership experience in development and engineering, operations, strategy, policy, and portfolio management, across the intelligence community, law enforcement, and private industry. She co-authored the children’s book “Cyber Safe: A Dog’s Guide to Internet Security”. She was also a contributor to the book, “The Digital Big Bang”. Prior to joining Fortinet, she served as Special Assistant to the Director, National Security Agency (NSA), for Cyber and Director of NSA’s Cyber Task Force, in which she advanced NSA’s execution of its cybersecurity and cyber-related missions by overseeing resources; defining and integrating mission capabilities; and shaping agency strategy and national level policy at the White House. Renee is also a board member for the George Mason University Volgenau School of Engineering, creating synergy between the school and the professional community by addressing workforce development demands, industry expectations, and employment trends.

Hosts

Ben Carr

CISO at Qualys

Jason Albuquerque

@Jay_Albuquerque

Chief Operating Officer at Envision Technologies

Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance

2. Board Tips & Tricks, Security Culture, & Zero Trust Myths – 03:30 PM-04:00 PM

Announcements

  • Join us for our next live webcast on November 4th to learn about Pragmatic Steps to Reduce Your Software Supply Chain Risk. Then join us November 11th to learn the key insights and takeaways from the 2021 OWASP Top Ten. Visit https://securityweekly.com/webcasts to save your seat! Don’t forget to check out our library of on-demand webcasts & technical trainings at https://securityweekly.com/ondemand

Description

In the Leadership and Communications section for this week: CISOs: Approach the board with precision, simplicity, Layoffs Taught Me To Never Make 3 Powerful Leadership Mistakes, 6 zero trust myths and misconceptions, & more!

  1. CISOs: Approach the board with precision, simplicity – All a CISO needs is buy-in, but it’s not guaranteed when presenting security strategies to the C-suite, board or other employees. CISOs need to provide context that illustrates what security wants and portrays clear intention when presenting to the board. CISOs should ask themselves:

    What are you asking for?
    What do you need from the board?

    It is the board’s job to ask questions, not directly tell CISOs what to do. CISOs who can operate and speak at a board level, and seek agreement from their board, can transcend whatever industry they perform security in. The broad principles of cybersecurity are evident in most businesses and industries, especially in the last year and a half.

  2. The dos and don’ts of advocating for cybersecurity in the boardroom – A successful CISO needs:

    – An understanding of the makeup of the board.
    – Preparation before presenting to the board: preparation is key.

    When presenting to the board, there are some strategies CISOs should avoid while advocating for cybersecurity measures:

    – Don’t get technical.
    – Don’t be too reassuring.
    – Don’t scare the board.

  3. 5 ways to improve the CIO-CISO relationship – Regardless of the reporting structure in your organization, here are five ways you can improve your relationship with the CISO.

    1. Treat the CISO as a peer
    2. Frame discussions around risk
    3. Engage the CISO and security team
    4. Arrange informal and formal interactions
    5. Craft consistent business cases

  4. Biggest cybersecurity issue is ‘culture,’ city CISOs say – A group of local-government cybersecurity leaders agreed Thursday that their organizations’ cultural attitudes pose some of the greatest roadblocks to more secure systems.

    The challenges, they said, include walled-off agencies, employees’ discomfort with mandatory trainings and users’ unease with increasingly standard procedures like multi-factor authentication and single-sign-on protocols. But those mindsets can ease the path for malicious actors seeking to freeze up government networks with ransomware or disrupt critical infrastructure like power and water facilities.

  5. Layoffs Taught Me To Never Make 3 Powerful Leadership Mistakes – Leadership is like chess. Wrong moves can limit future flexibility.

    Lesson 1: Don’t hire if you can’t afford to keep them
    Lesson 2: Do the work yourself to understand what kind of effort & team is required
    Lesson 3: Listen to your team members, make them feel heard, and provide answers

  6. Your Most Passionate Employees May Not Be Your Top Performers – People who work to achieve a sense of personal fulfillment and make the world a better place have been shown to experience stronger work and life satisfaction and feel more successful — but the jury has been out on whether that’s truly the case. The author’s research finds evidence that it’s true, but not because passionate employees are actually better at their jobs or more productive. Instead, it’s because their behaviors — like staying late, or volunteering for projects — signal to managers that they are performing at a high level, even if they aren’t. Managers should watch out for this bias lest they alienate other team members.

  7. Gartner: 8 security trends facing the enterprise – Gartner detailed what its research shows are the top eight trends in security and risk management:

    1. Remote/hybrid work is the new normal
    2. Cyber-security mesh architecture
    3. Security product consolidation
    4. Identity-first security
    5. Machine-identity management
    6. Breach and attack simulation (BAS) tools
    7. Privacy-enhancing computation
    8. Boards are adding cybersecurity

  8. 6 zero trust myths and misconceptions – If you’ve fallen for one of these myths, you may need to rethink your zero trust strategy:

    1. Zero trust solves a technology problem
    2. Zero Trust is a product or set of products
    3. Zero trust means you don’t trust your own employees
    4. Zero trust is difficult to implement
    5. There is only one correct way to begin the zero trust journey
    6. Deploying SASE means I have zero trust