The Great Security Debate
Podcast


Two CISOs and a security-minded friend discuss and debate topics of security and privacy, with a focus on looking at the topic from various angles, both that they support and those they don't.
Sign up for our newsletter to be notified when new episodes drop, or when new projects are announced https://newsletter.greatsecuritydebate.net


Less LLM, More Piano

This week we are debating modern AI systems, especially the commercial ones on just about everyone's lips when talking about CVs, high school term papers, and interview answers. Large Language Models (LLMs), of which ChatGPT and Bard are two examples, are growing in prominence, but will they disrupt the technology world, or are they nothing more than just another blockchain fizzle?

In this episode:
- Are these even actually "AI" models, or really just very fast processing of large data sets?
- What should I (and should I not) be putting into LLMs?
- How does the re-teaching based on data entered impact what you should put into public LLMs?
- What are some valid use cases for LLMs?
- Does depending on tools like LLMs (or calculators) bring us further from a core understanding of how things work? Or should we be OK with the efficiency it brings?
- How does copyright fit into the LLM expectation and model, and does the legal licensing of training data dull the shine of LLMs?
- Are the analyses from LLMs skewed not only by the data chosen for training, but also by the user base that uses that LLM?
- How are any of the "good practice" security and privacy requirements for LLMs different from any other systems? Spoiler alert: not at all.

Unrelated to AI, we also talk about what happens to all the "smart" things in your house when the internet goes out. What stops working? Way more than you might think...

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!

Links:
- Is OpenAI almost bankrupt?: https://www.windowscentral.com/software-apps/chatgpts-fate-hangs-in-the-balance-as-openai-reportedly-edges-closer-to-bankruptcy
- Maybe not bankrupt, but it has a business problem: https://www.forbes.com/sites/lutzfinger/2023/08/18/is-openai-going-bankrupt-no-but-ai-models-dont-create-moats/?sh=3c8922845e22
- Gartner declares LLMs at the peak of inflated expectations: https://www.gartner.com/en/newsroom/press-releases/2023-08-16-gartner-places-generative-ai-on-the-peak-of-inflated-expectations-on-the-2023-hype-cycle-for-emerging-technologies
- When ChatGPT goes bad: https://sloanreview.mit.edu/article/from-chatgpt-to-hackgpt-meeting-the-cybersecurity-threat-of-generative-ai/ and https://venturebeat.com/security/how-fraudgpt-presages-the-future-of-weaponized-ai/
- The Circle (Movie): https://www.imdb.com/title/tt4287320/
- Amazon Sidewalk, and its privacy issues: https://www.popsci.com/technology/amazon-sidewalks-privacy-concerns/
- Idiocracy (Movie): https://www.imdb.com/title/tt0387808/
- Moore's law is dead: https://www.technologyreview.com/2016/05/13/245938/moores-law-is-dead-now-what/
- GM deletes CarPlay from future EVs: https://www.theverge.com/2023/4/4/23669523/gm-apple-carplay-android-auto-ev-restrict-access
- GM announces $130K EV Escalade (without CarPlay): https://www.theverge.com/2023/8/10/23827059/gm-no-carplay-android-auto-escalade-iq
- Fragile Things (Book): https://amzn.to/47BWWkB
Internet and technology 2 years
51:33

Security *is* Business!

It's been a minute, but we are back with another Great Security Debate! Whether it is compliance, trust, or questionnaires, we all sell something to someone, and security is core to that process. In this episode, the focus is on how security integrates into the core of each of our businesses or organisations: from being part of strategic planning, to the reminder that perfect is the enemy of progress, to the power in being a first mover on security and privacy topics.

- Compliance vs security: Is it pro forma? Do you check the SOC2 (and other) reports you get from your suppliers?
- You're not a special snowflake: Why won't more orgs use standard questionnaires on supplier assessments?
- There are multiple ways to solve a problem, and context is key. The process and environment may mean you don't need a technology control, or a specific (prescribed) technology control.
- "The business" is a term that should never be uttered again by security or technology practitioners and leaders.
- There is power and business value in governance and transparency in security and privacy; build trust in your brand.
- We need to move our programs a layer above the specific people. Risk is reduced by living at the process layer. Heroics are not scalable.
- How can preparing for a triathlon be used to describe adherence to targets that lead to good security (and the brand value that comes with it)?
- Remember that you can't be "SOC2 Certified." And PFMEA is not always the answer to every question. Or is it?

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!
Internet and technology 2 years
46:16

Episode 50: Jess and Jeff Invade

Welcome to a very special Great Security Debate. If it is spring, it means that the annual Forrester “Top Recommendations For Your Security Program” report has come out, and we get to visit with one of the authors, Jess Burn. But this year, we get an added extra voice in that of Jess’ Forrester colleague Jeff Pollard. Both Jess and Jeff share a ton of insight on topics from that report and a few others (see the links below for blog posts about most of them).

In this episode we cover:
- How (if) CISOs have been able to become “part of the business” and help colleagues understand that in 2023 security is business.
- Board reporting by CISOs and CIOs, and where/how we succeed and fail.
- Talent shortages in infosec: a self-created nightmare?
- Consolidation in times of austerity: right or wrong for security?

Huge thanks to Jess and Jeff for joining (find their LinkedIn and Twitter in the links section). Even though Jess is legacy, we are pretty sure that Jeff will be welcomed back in 2024 with open arms.

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!

Special Guest: Jessica Burn.

Support The Great Security Debate

Links:
- Cybersecurity's Staffing Shortage Is Self-Inflicted
- Leadership Communication and Speaker Coaching | Speak by Design | United States
- Build Better Bridges: Introducing Forrester’s BISO Role Profile
- Announcing Analyst Experience: SOC Analysts Finally Escape The Shackles Of Bad UX
- The Pay Gap Isn’t The Only Problem For Women In CISO Roles
- Top Recommendations For Your Security Program, 2023 | Forrester
- How CISOs Can Navigate The 2023 Downturn
- Jess Burn | LinkedIn
- Jeff Pollard | LinkedIn
- Jess Burn (@Jess_Burn_) / Twitter
- Jeff Pollard (@jeff_pollard2) / Twitter
Internet and technology 2 years
54:04

Episode 49: Bankplosion!

This week, Brian, Erik, and Dan look into the security impacts of last week’s Silicon Valley Bank closure, both as a direct security risk and for what we can learn about risk from the events leading up to the incident that we can apply to our information security responsibilities. Brian kicks it off with a great description of how Silicon Valley Bank got here (based on what we knew on 12 March 2023; subject to change as more becomes known after). From that, we go through some of the direct and indirect lessons and implications, such as:

- Fraud attempts amongst a bevy of legitimate bank account payment change requests from companies. Check with a known source before changing where you pay.
- Putting all your eggs into one (infosec or financial) basket can be risky. And risk can bring great rewards, or great resentment.
- Evaluating vendors for where they bank as part of third party risk management (or not).
- Clear insight into the tough choices that have to be made to keep small businesses and startups running; sometimes that’s not “doing every thing of security”.
- Business continuity planning requires a more realistic “yeah, that could happen” when doing the review.
- Remember that there is no such thing as no risk, just determining the right balance of (realistic) risk and downtime for your organisation.
- If one vendor goes away suddenly, what happens? What about if 6 go away all at once?
- Diversity of suppliers vs. focusing on basics in the security stack.

Along with some strong recommendations (or maybe they are warnings) for our security vendor listeners on how not to use this incident as a sales tool (tl;dr: DON’T!), there are a few correlations to the automotive industry. And check out the book club recommendations in the show notes on our website www.greatsecuritydebate.net, too.

Since we recorded, another bank, Signature Bank, has also been closed and placed into receivership. On behalf of all of us at Great Security Debate, we wish all those affected, either as companies of these banks or their customers, good wishes and hope for good news ahead on the recovery of funds. Thanks for listening!

Support The Great Security Debate

Links:
- The Demise of Silicon Valley Bank - by Marc Rubinstein
- All the Devils Are Here: A Novel (Chief Inspector Gamache Novel Book 16) - Kindle edition by Penny, Louise. Mystery, Thriller & Suspense Kindle eBooks @ Amazon.com.
- Silicon Valley Bank profit squeeze in tech dip attracts short sellers | Financial Post
- The Tenth Man Rule - Principle Explained
- The Innovator's Dilemma: The Revolutionary Book That Will Change the Way You Do Business: Christensen, Clayton M.: 8601300047348: Amazon.com: Books — https://amzn.to/3LcZKvT
Internet and technology 2 years
01:02:17

Episode 48: Back to Normal?

The Great Security Debate Book Club is in FULL force this week as we talk about life after you’ve gotten the job in information security and are looking for the growth and promotion that come as you grow your career. Check out the show notes on our website www.greatsecuritydebate.net/48 to get links to all the books, articles, and references we discuss throughout the show. A mere appetiser-sized sampling of the topics we cover in this hour includes:

- What does it mean to “return to normal” in work in 2023?
- How do you grow in your role once you are in the infosec field?
- The “old-man” perspective on entitlement in growing within jobs.
- What approaches work (and don’t work) when asking for promotions, raises, and new roles within your organisation?
- Conversely, how to approach getting responsibilities added without getting additional compensation.
- Using the word “I” vs “We” when talking about a job and your team.
- What factors and risks outside the office to consider when looking at role and organisational growth.
- The importance of knowing the difference between what you want to say vs how it will be received when read by the recipient.
- What do you do when you find yourself as (or think you are) the smartest person in the room?
- What resources can people use to get ready for their next growth step at work?
- How can networking and mentoring be valuable to find the next position?

Since it came up a few times in the show, remember that not every security career path ends with becoming a CISO, nor should we expect that everyone in infosec wants to become a CISO!

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!

Support The Great Security Debate

Links:
- High-Earning Men Are Cutting Back on Their Working Hours - WSJ
- Census: Michigan's population drops again for 2nd consecutive year
- 5 Whys - Getting to the Root of a Problem Quickly
- Little Giants: 10 Hispanic Women Who Made History: Calderon, Raynelda A., Donna, Wiscombe: 9781733139229: Amazon.com: Books
- Amazon.com: True North, Emerging Leader Edition: Leading Authentically in Today's Workplace eBook : Clayton, Zach, George, Bill, Gergen, David: Kindle Store
- Amazon.com : never split the difference book
- Amazon.com: Never Split the Difference: Negotiating As If Your Life Depended On It eBook : Voss, Chris, Raz, Tahl: Kindle Store
- Michigan becomes 14th state to mandate personal finance education
- Amazon.com: Crucial Conversations Tools for Talking When Stakes Are High, Second Edition eBook : Patterson, Kerry, Grenny, Joseph, McMillan, Ron, Switzler, Al: Kindle Store
- Amazon.com: Crucial Confrontations: Tools for Talking About Broken Promises, Violated Expectations, and Bad Behavior (Audible Audio Edition): Kerry Patterson, Joseph Grenny, Ron McMillan, Al Switzler, Barrett Whitener, McGraw Hill-Ascent Audio: Books
- Amazon.com: Slumdog Millionaire [Blu-ray] : Boyle, Danny, Patel, Dev, Pinto, Freida, Khan, Irrfan, Kapoor, Anil, Shukla, Saurabh, Zutshi, Raj, Talwar, Jeneva, Aggarwal, Sunil, Ismail, Azharuddin Mohammed, Khedekar, Ayush Mahesh: Movies & TV
- Amazon.com: Quiz Show : Ralph Fiennes, John Turturro, Hank Azaria, Rob Morrow, David Paymer, Allan Rich, Paul Scofield, Christopher McDonald, Johann Carlo, Mira Sorvino, Elizabeth Wilson, Griffin Dunne, Timothy Busfield, Martin Scorsese, Barry Levinson, Robert Redford, Paul Attanasio: Movies & TV
- MentorCore – Growth and Development at your Fingertips
- MentorCore Slack — Join the Slack
- Michigan Council of Women in Technology Foundation / Michigan council of women in technology foundation
Internet and technology 2 years
54:11

Episode 47: Uninsurable!

Insurance for information security is changing. Recently some reports came out that there were moves by insurance companies to leave the cybersecurity insurance market: that it was uninsurable. Dan, Brian, and Erik discuss on this week's Great Security Debate:

- What happens now that cybersecurity insurance is built into contracts and requirements by customers doing business with other companies?
- Are the carveouts such that it’s easier to just pay and not inform insurance that you want them to pay for the incident?
- Does having “easy” insurance give too many orgs a pass on having to actually improve their security control sets?
- How do insurance “formularies” make companies less secure by not letting them buy the newer, better technologies?
- Conversely, how does the formulary of products help prevent buying junk tech that calls itself “security”?
- How does the threat of nonpayment of expenses and losses by insurance companies after the fact affect organisational security decisions for or against the formulary?
- How is relying on insurance to determine tech standards the same as the EU demanding all chargers be USB-C?
- Does insurance go away altogether? Do we want it to go away?
- What is the law of the horse and how does it apply to insurance in information security?
- Can shifting downstream supplier risk into insurance really work to reduce risk?
- Is security a cost centre, a cost of doing business, or a potential profit centre for orgs?
- Should we shift from an insurance mandate to “figure it out”?
- How does the conscious decision not to patch, because the patch causes worse issues, affect the insurance coverage?
- How can we balance the expectation with our technology suppliers to maintain support longer, especially on IoT or high-cost, long-life devices?
- Can a move toward clear, yet broad expectations on controls be enough to meet security expectations for insurance without prescriptive formularies of technology and process?

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!

Support The Great Security Debate

Links:
- Large Insurer Says Cyber Attacks Are Becoming 'Uninsurable'
- 3 Times Businesses Were Denied Cyber Insurance Payouts. | Managed IT
- USB-type C to become EU's common charger by end of 2024 | News | European Parliament
- Rackspace: Ransomware Attack Bypassed ProxyNotShell Mitigations
- Arlo Is Ending Support For Its Old Cameras & Customers Aren't Happy
- CISA’s Jen Easterly: Tech Companies Should Deploy Software Offerings That Are "Secure by Design"
Internet and technology 2 years
01:02:32

Episode 46: A Niche Inside a Niche Is Really Just a Quiche

Welcome to the year-end 2022 episode of The Great Security Debate. In this hour, Brian, Erik, and Dan cover myriad ways hiring processes are failing job seekers and hiring organisations. It all kicked off with the impersonal nature of automated one-way video interviews. It quickly jumped into the myriad other ways we can do better on both sides, including (but not limited to):

- Do video interviews encourage fraud? Multiple jobs for one person? A fake version of you applying for a job?
- Why are hiring managers and HR using video interviews? Are there legitimate reasons?
- Does the lack of ability to assess the candidate’s response to the interviewer’s response make the interview less effective?
- What is the impression left when a candidate is immediately rejected based on analytics and matching, not human interaction?
- What’s the value of using your network around a broken applicant system? What do we lose by only depending on our networks for hiring?
- How do these recorded methods exclude introverts and others that may not be camera comfortable in their presentation skills?
- Can and should there be roles for people at higher levels that don’t include people management?
- Is “AI” (term used in quotes on purpose) really the antithesis of diversity or inclusion?
- How is connecting people to others and helping them expand their networks better than sending resumes to people you know?
- In times of cash crunch, will hiring come from experienced people having been let go from roles, or from hiring entry-level people and upskilling them?

You’ll also get a few mentions of Buzzword Bingo; the shocking revelation that Brian works for a vendor; and Dan goes on a tirade about new software that does recording and analysis in Zoom meetings with and without permission. It’s another great debate!

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!

Support The Great Security Debate

Links:
- Our Love-Hate Relationship With Security Certifications
- Cyber Certifications - The Self Licking Ice Cream Cone of Misery
- The Great Security Debate Episode 45: Live From the Big House
- The Great Security Debate Episode 43: New Team, Who Dis?
- Michigan Council of Women in Technology Foundation / Michigan council of women in technology foundation
- Quiet: The Power of Introverts in a World That Can't Stop Talking: Cain, Susan: 9780307352156: Amazon.com: Books
- Check Out How Tesla's In-Cabin Camera Analyses Your Face
- Evil Call Recording Software: Rated #1 By Sales Pros | Gong
- David Franco | LinkedIn
- Living & Learning Enrichment Center
- Alexa, how did Amazon’s voice assistant rack up a $10bn loss? | John Naughton | The Guardian
Internet and technology 2 years
56:48

Episode 45: Live From the Big House

Recorded on Saturday 29 October 2022, at the tailgate before the University of Michigan vs Michigan State University (American) football game, Brian, Erik and Dan chat about the news of the day, with more than a few correlations back to football.

- There was an upcoming OpenSSL vulnerability hitting the world this week. How would a Software Bill of Materials (SBOM) make the response easier?
- A reminder of our dependence on the stability and security of some very core tools (like OpenSSL) to run our businesses. Not to mention the fact that such tools are often within the libraries we use, and we don’t even realise they’re there.
- Similarities between football and security in the need to adjust based on what the other team shows signs of throwing at you, and further based on what they actually bring to the line.
- How repeatable process and inventory help make the response to these vulnerability disclosures less like a fire drill and more like standard ops.
- Did you know that credit ratings are being affected by information security posture and breach response? Same thing with M&A and investment valuation… if you’re not as mature in security and privacy you may see a discount taken on your value!
- How transparent should we be with peer companies and the public world about our security posture (like incident response plans, and security controls in place)?

And if you’re curious, you can find out what team Dan (the lifelong Badger) was supporting in the game. Congratulations to the University of Michigan in later winning this game, and to both teams for keeping the rivalry alive and spicy.

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!

Support The Great Security Debate
Internet and technology 3 years
45:05

Episode 44: No More Ads, No More Privacy Problem?

This week’s debate comes amid a combo platter of increased analytics leading to near-immediate contact when visiting a product’s website, along with more clarity from enforcement bodies about how they will approach their respective privacy legislation. One such fine was the Sephora CCPA matter, in which the California Attorney General levied a $1.2M fine on the company (https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement).

Listen in to hear Dan, Brian and Erik talk about:
- Are privacy and shareholder value at odds? How does protecting the privacy of the consumer help shareholder value?
- A reminder that security and privacy can serve as a business differentiator.
- How to deal with the reputation of a company being set by misleading headlines (and people not reading the actual article/detail)?
- Do better privacy practices in companies lead to reduced data for sale on the illicit market?
- Does just “saying no to data collection” by companies make for a better privacy posture?
- How long should (vs. how long do) you hold onto data?
- How will companies be judged in the future by how they manage data today?
- Are ads themselves the source of all our problems? Why does the push for more advertising to reduce costs increase the push for more data collection?

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!

Support The Great Security Debate

Links:
- Sephora Hit with $1.2M Fine in First CCPA Enforcement - CompliancePoint
- Patagonia Founder Gives Away the Company to Fight Climate Change - The New York Times
- RMISC - Rocky Mountain Information Security Conference
- 500 million LinkedIn users' data is for sale on a hacker site | CNN Business
- Uber breached by hacker in cybersecurity incident - The Washington Post
- 'Astonishing.' Morgan Stanley hard drives holding sensitive client data got auctioned off online | CNN Business
- Business Roundtable
- Why is Cybersecurity Important to ESG
- 'Anonymised' data can never be totally anonymous, says study | Data protection | The Guardian
- YouTube showing up to 10 unskippable ads on a video
- Amazon's Alexa may have witnessed alleged Florida murder, authorities say
- The Athletic adds ads; readers are not pleased - Poynter
- Amazon says 'Thursday Night Football' NFL stream draws record Prime signups
- Daniel Ayala on Twitter: "Spoiler alert: the “not interested” button on @youtube is as useful at honing the recommendations as the placebo thermostat that they put in your office to when you used to go to an office. https://t.co/yg7T9fEhid" / Twitter
Internet and technology 3 years
55:34

Episode 43: New Team, Who Dis?

We've all seen it (or been it): a new boss arrives at the company and quickly thereafter a bunch of their old colleagues get hired. It feels like they are getting the band back together at the new place. What does that say to the organisation about that leader? What does doing the opposite (pausing, growing from within) say differently? Brian, Dan and Erik discuss, debate and dissect this from a few angles, including some of the following:

- The power of threes: Three paths when you come in as a new leader: bring your own, nurture within, hire all new. And the three arcs of a company: startup/scrappy, growth/maturation, steady/run.
- Two critical skills we wish we were taught in school and earlier in work: communications and public speaking.
- The impact of culture on leadership and how they approach the staffing question, and how the way you bring people in will be the biggest impact on the culture of the organisation.
- How can metrics hide the actual performance of the team?
- Are the CISO retention numbers as bad as the urban myth? Are CISOs staying longer than we think they are?
- What organisational situations drive leaders to resort to bringing in the people they know and trust vs. trusting those already there?
- How does growth by acquisition change the way we approach the listening and staffing of our teams and supporting our organisations?
- Approaches to finding people to provide new perspectives, without having already worked with them directly.
- How does geographic culture affect the decision on how to staff your team as a new leader in an organisation?

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links. Thanks for listening!

Support The Great Security Debate

Links:
- The Great Security Debate Episode 40: What Got You Here Won’t (Necessarily) Get You There
- Steve Jobs Last Words – Jessica Peng
- Amazon.com: Power Moves: Lessons from Davos (Audible Audio Edition): Adam Grant, Adam Grant, Audible Originals: Audible Books & Originals
- Amazon.com: Small Giants: Companies That Choose to Be Great Instead of Big: 9781591840930: Burlingham, Bo: Books
- Zingerman's Community of Businesses - inside the center of the gastro-deli universe
- Warren Buffett - Only when the tide goes out do you...
- 2022 Global Chief Information Security Officer (CISO) Survey | Insights | Heidrick & Struggles
- The Future Of The CISO — Six Types Of Security Leaders
- How Listening Will Transform Your Leadership
Internet and technology 3 years
01:01:30

Episode 42: Subscribe and Don't Like!

Are we getting subscription overload? The move to more and more subscriptions is good for those selling, but is it good for those buying, too?

- Do subscriptions that are offset by other non-cash costs (e.g. data collection, advertising) make the subscription fatigue less? How does that fit into the security product world?
- What are the risks of making security technology only for those that can't afford it?
- Why are the ad-supported versions more heavily marketed than the no-ad versions?
- How do subscriptions encourage continuous development of software and features? What about innovation?
- What's a feature that is persistent, and what can be revoked or shifted into a different subscription tier? (Take a look at Slack's recent move to make the free tier way less useful and encourage the need to move to a paid tier.)
- Does the combinatoric vastness of features that can go on and off based on the subscriptions you buy introduce unnecessary or unsafe risk of not working well together in specific combos?
- What are the legalities of jailbreaking your software rather than paying to activate it by subscription? How does doing so affect liability and effectiveness of the product?

We also talk about some things unrelated to subscriptions (and cars), too!
- What is needed to adapt your communications (and subscription sales pitch) to VC/PE vs. the CIO/CISO at a company? East coast vs. west coast? Etc.
- Tips for job candidates on where to look for public info on what a company thinks is important from security and risk (hint: it's SEC filings like the 8-K and 10-K!)

Tune in to delight as Dan rants in Yiddish, and then messes up the names of some of the most popular movies of our time. Enjoy seeing (or hearing) Erik get on a soapbox stumping for Six Sigma. Binge on Brian talking about automotive manufacturing (who knew) and, for once, not broadcasting from a "train station".

Support The Great Security Debate

Links:
- Crossing the Chasm, 3rd Edition: Marketing and Selling Disruptive Products to Mainstream Customers (Collins Business Essentials): Moore, Geoffrey A.: 9780062353948: Amazon.com: Books
- This Is How They Tell Me the World Ends: The Cyberweapons Arms Race - Kindle edition by Perlroth, Nicole. Politics & Social Sciences Kindle eBooks @ Amazon.com.
Internet and technology 3 years
01:06:50

Episode 41: Fake It Till You Make It?

It's the dog days of summer here in the northern hemisphere, and we have some episodes to make the hot, muggy days go by faster (or the drive up to the cabin in the woods to escape it all). This week Dan, Brian and Erik talk about what it takes to be a Virtual or Fractional CISO. Does someone that calls themselves one need to have had in-house CISO experience to do the job? Or do the fresh perspectives of someone that doesn't come with history benefit the organisation in a different way? Risks, challenges, and talking to Boards of Directors definitely have a strong place in the debate (and we hit on all of them). We will be back with more episodes through August and then back to our usual bi-weekly pace as we hit the autumn.
If you're watching on YouTube, we are very sorry for the video sync issues this week! The sound is great, but one of our hosts does a very poor Milli Vanilli impression. We are writing up the root cause analysis documents and issuing CAPAs to keep it from happening again.
Links:
- Sonny 🇨🇦❄️⚓ on Twitter: "WTF is this ??? #CyberSecurity #InfoSec https://t.co/DLHivTJ9Qw"
- This Is How They Tell Me the World Ends: The Cyberweapons Arms Race: Perlroth, Nicole: 9781635576054: Amazon.com: Books
- Sajay Rai — Securely Yours LLC
- Sajay Rai CPA, CISSP, CISM | LinkedIn
- Amazon - Extreme Ownership: How U.S. Navy SEALs Lead and Win: Willink, Jocko, Babin, Leif: 9781250067050: Books
- CISO MindMap 2022: What do InfoSec Professionals really do? | Rafeeq Rehman
Internet and technology 3 years
59:21

Episode 40: What Got You Here Won’t (Necessarily) Get You There

Dan, Brian and Erik look at how the past informs our security future, and how things we have done in the past may not get us where we need to be in the future. Join us for a live podcast recording with live audience Q&A, direct from the MCWT Executive Connection Summit. In the live recording we covered a flurry of topics focused on changing, refreshing and renewing ourselves, including:
- The barriers to entry to get into the security field
- Experience vs. education requirements in security hiring
- Changes afoot in hiring appetite as recession looms
- Reporting requirements by public companies on breach or security events
- Security beyond just confidentiality
- Improvements that can be made to the hiring process
- And lots more!
Huge thanks to the wonderful team at the Michigan Council on Women in Technology (https://mcwt.org) for asking us to be part of this great event bringing the Michigan technology community together to build connections.
Links:
- The Infinite Game: Sinek, Simon: 9780735213500: Books - Amazon
- Amazon.com: Leaders Eat Last Deluxe: Why Some Teams Pull Together and Others Don't eBook : Sinek, Simon: Kindle Store
- Post | Feed | LinkedIn
- Bio-IT World Conference & Expo 2022 In Person & Virtual
- Jess Burn · Forrester
- Apple, Google and Microsoft team up on passwordless logins | TechCrunch
- SEC.gov | SEC Proposes Rule to Provide Transparency in the Securities Lending Market
- Future Crimes: Inside the Digital Underground and the Battle for Our Connected World: Goodman, Marc: 9780804171458: Books
- CISO MindMap 2022 - Recommendations | Rafeeq Rehman
Internet and technology 3 years
45:26

Episode 39: Program Your Program

This week on The Great Security Debate we have arrived at one of our favourite episodes of the year (and what is and will be an annual thing!) when Forrester Senior Analyst Jess Burn returns to the show to share this year's recommendations for security programs. An overarching theme of the report is to use the capital that the CISO has acquired over the past few years and build out your program to where it needs to be. AKA, “strike while the iron is hot.” More detailed topics include:
- Career paths and comp methodology for security teams need to change
- Security awareness needs adjustment for work-from-anywhere
- Minimum viable security: it’s definitely not just “barely secure”
And a reminder that Dan, Brian and Erik will be doing a live episode of the podcast at the upcoming Michigan Women in Technology Executive Management Conference on May 5 in Novi, Michigan. Tickets for the whole conference are now available (https://MCWT.org) and the agenda for the day is great. See you there!
If you want to listen to Jess’s previous episode, check out Episode 20, “It All Comes Down To Relationships”: https://www.greatsecuritydebate.net/20
You can find Jess on LinkedIn (https://www.linkedin.com/in/jessburn), Twitter (https://twitter.com/jess_burn_) and at the Forrester blog (https://go.forrester.com/blogs/author/jess_burn/). Thanks for joining us, Jess! And thanks to you for listening and watching.
Special Guest: Jessica Burn.
Links:
- Forrester's 2022 Top Recommendations For Your Security Program
- The Return Of The Forrester Wave™: Cybersecurity Incident Response Services
- Starlink fought off Russian jamming attack faster than the military could
Internet and technology 3 years
01:02:43

Episode 38: Laws and Regs

The Great Security Debate rolls on, this week looking at how governments, regulations and business values are and will shape the security posture of enterprises.
- Is attribution worth pursuing to the end?
- How can state and federal law enforcement help figure out who and what happened after an incident?
- Fast (agile) vs. good (quality) vs. cheap (cost)
- Are you chasing the right metrics in your organisation? Do they encourage the right behaviour?
- Is regulation required to make good security a greater market force?
- What will the regulations emerging in the US focus on? The “what”, the “why”, the “how”, or the “who”? How will they change when and how companies report material breaches?
- How does attribution of an attack correlate to insurance coverage? How do IR firms fit into the equation?
Erik, Dan and Brian also announce that the podcast is going LIVE and on the road. On May 5, Great Security Debate will be recording a live episode at the MCWT Executive Connection Summit in Novi, Michigan! More info and registration details are at https://mcwt.wildapricot.org/event-4630370. Ticket sales begin on 18 April 2022.
Links:
- Homepage | CISA
- SEC.gov | SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies
- Senate passes cybersecurity bill amid fears of Russian cyberattacks | The Hill
- Cutting Edge Cybersecurity Event Experience - FutureCon Events
- Court denies SolarWinds bid to throw out breach lawsuit
- About the Data Management & Sharing Policies | Data Sharing
- MCWT Foundation - Executive Connection Summit
- Forrester's 2022 Top Recommendations For Your Security Program
- Buffalo Wild Wings Partners With MGM, Will Encourage Sports Betting in Restaurants | The Action Network
- Data Management and Sharing Policy | Data Sharing
- The Great Security Debate Episode 20: It All Comes Down to Relationships (Guest Debater: Jessica Burn)
Internet and technology 3 years
45:09

Episode 37: Squality!

Recently, Brian, Dan and Erik had the great fortune to do a live version of the podcast at the monthly meeting of the SIM Detroit Chapter (https://chapter.simnet.org/detroit/home). At the close of that discussion, the question was raised as to whether or not security should be used as a competitive advantage by businesses. The topic seemed perfect for The Great Security Debate, so here we are. In this episode, we cover:
- Can security be used as a business differentiator?
- SHOULD security be used as a business differentiator?
- If security is pushed too deeply into the sales cycle, does it incentivise the wrong behaviours just to make a sale?
- How can we quantify the value of security in the purchasing process when it is not easily attributable to direct cost saving or value?
- How do closed systems compare to open systems with regard to security?
- How does the rise of customer trust as a key organisational focus indicate the use of security as a business differentiator?
- Are fears warranted that using security as a differentiator will make the collaborative nature and history of security disappear?
Links:
- SEC Proposes Cybersecurity Rules for Public Companies
- TISAX: Information security for the automotive industry | TÜV SÜD
- Failure mode and effects analysis - Wikipedia
- Bridgestone Americas confirms ransomware attack, LockBit leaks data
- Quantitative Information Risk Management | The FAIR Institute
- Dawn of the Code War: America's Battle Against Russia, China, and the Rising Global Cyber Threat: Carlin, John P.: 9781541773837: Amazon.com: Books
- Saudi Aramco facing $50 million cyber extortion over leaked data
- Leaked Conti files reveal life inside ransomware gang • The Register
- KOJIMA INDUSTRIES CORPORATION Company Profile | TOYOTA, AICHI, Japan | Competitors, Financials & Contacts - Dun & Bradstreet
- Higher Education Community Vendor Assessment Toolkit | EDUCAUSE
- Home Page – CORL Technologies
- Home – Cyturus
- Financial Services Information Sharing and Analysis Center
- Auto-ISAC Summit 2021 – Auto-ISAC
- The SSO Wall of Shame | A list of vendors that treat single sign-on as a luxury feature, not a core security requirement.
Internet and technology 3 years
01:05:36

Episode 36: How Do You Sleep At Night?

Current global events have led to increased focus on technology security. In this week's episode we debate to what extent this does or will confirm the rise of information security roles within organisations. Our thoughts and good wishes go out to the people of Ukraine.
- Do current events confirm that the rise of the CISO organisation was warranted?
- How do CISOs sleep at night considering everything going on?
- How to reply to the question “what else should we be doing?”
- Are the attacks the primary objective or are they a smokescreen?
- How does the game of chess tie into information security practices?
- What is the CISO's role in reducing FUD (fear, uncertainty, doubt)?
- Will current information it pay for acts of war? Does it raise our collective stature?
- Why is humility so important in the information security world?
The underlying message is that while it is late in the process now to do all the steps to protect your organisation, it’s never too late to get started!
Links:
- HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine - SentinelOne
- The Untold Story of NotPetya, the Most Devastating Cyberattack in History | WIRED
- Amazon.com: Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers eBook : Greenberg, Andy: Kindle Store
- Elon Musk says SpaceX's internet service is available in Ukraine
- Destructive Malware Targeting Organizations in Ukraine | CISA
- Morris worm - Wikipedia
- Amazon.com: Dawn of the Code War: America's Battle Against Russia, China, and the Rising Global Cyber Threat eBook : Carlin, John P., Graff, Garrett M.: Kindle Store
- Moonlight Maze - Wikipedia
- New Shadow Brokers 0-day subscription forces high-risk gamble on whitehats | Ars Technica
- An NSA-derived ransomware worm is shutting down computers worldwide | Ars Technica
- FIRST - Improving Security Together
- Conti ransomware group announces support for Russian invasion of Ukraine, threatens retaliation
- Maersk says global IT breakdown caused by cyber attack | Reuters
- GitHub - Netflix/chaosmonkey: Chaos Monkey is a resiliency tool that helps applications tolerate random instance failures.
Internet and technology 3 years
01:04:21

Episode 35: Security Super Agent

This week’s episode was sparked by a recent TechCrunch article (https://techcrunch.com/2022/02/01/free-agent-series-a/) asking whether tech workers should have agents to negotiate their salaries. We took up the debate on this and a few adjacent topics including:
- The Great Resignation’s impact on working habits
- Should security practitioners and leaders be represented by “agents” to negotiate better compensation for roles?
- What are the ways that formal agents exacerbate bias and increase the gaps between levels?
- The importance of networks for getting advice to help you be your own “agent”
- Is it the Great Resignation or the Great Realisation?
- How do ethics and values play into staff’s desire to go to or stay at a company?
- At different levels in one’s career, who can help be your agent of change?
- We should not be afraid to talk about our salaries and numbers
And yes, those are Pączki on Brian’s hat. If you are not sure what this is about, take a look at the video version on our YouTube channel: https://www.youtube.com/watch?v=CAYRL1flZic
Links:
- TechCrunch
- Who Is Driving the Great Resignation?
- The Great Resignation looks more like The Great Renegotiation : Planet Money : NPR
- Business Roundtable Redefines the Purpose of a Corporation to Promote ‘An Economy That Serves All Americans’ | Business Roundtable
- The Infinite Game: Sinek, Simon: 9780735213500: Amazon.com: Books
- Scott Boras
- How to Negotiate the Tech Salary You Deserve – The New Stack
- Amazon.com: Lego Movie 70819 Bad Cop Car Chase : Toys & Games
- Amazon.com: Kitchen Confidential: Adventures in the Culinary Underbelly eBook : Bourdain, Anthony: Kindle Store
- MentorCore – Growth and Development at your Fingertips
- Home | CSA
- Google to work with Ford on Detroit research hub - ABC News
- Fun Fact | Undeniably Dairy - YouTube
Internet and technology 3 years
01:02:01

Episode 34: From the Inside Out

We got a message from a listener asking for some discussion about putting the data first and securing it with that in mind (inside out), rather than looking at the perimeter and infrastructure and working back toward the data (outside in). And since we love our listeners and your feedback, we took the chance to cover this topic in depth. In the process we also covered:
- Data Loss Prevention: is it possible to improve this without the painful data classification, startup work or culture change?
- When doing data analysis for attacks (or fraud) you have to account for the fraud already baked into the “normal” you know today
- We can’t meaningfully count on IP address for geography, thanks to security asking for more use of VPNs
- The pros, cons and risks to ponder when securing data in on-premises vs. cloud/SaaS arrangements
- When is the right time to establish a security team in a growing company? And how bad will the data sprawl be when they arrive?
- Will the CTO/CIO and the CISO merge into a single role? Will the CIO report to the CISO eventually? It depends, of course, on the people and the organisation
- Controls today may not be the controls we need for tomorrow
- We try to secure things, but there’s also important value in good use of data to improve a business
- Sunk cost fallacy and security: when to burn it all down and start over
- Audit is the best friend of the CISO: a new set of eyes and an accountability partner makes all the difference
Dan also goes on a small tirade over the way security professionals use the term “the business” as something distinct from the security team, which is absolutely part of the business itself. Enjoy that soapbox moment.
Links:
- The Security of Cloud Services and SaaS in 2021 – Part 1 – Secratic
- The Great Security Debate Episode 33: Log4Jelly of the Month Club
- The Future Of The CISO — Six Types Of Security Leaders
- Amazon.com: Rocket Fuel: The One Essential Combination That Will Get You More of What You Want from Your Business: 9781942952312: Wickman, Gino, Winters, Mark C.: Books
- The Sunk Cost Fallacy - The Decision Lab
- Amazon.com: The Infinite Game eBook : Sinek, Simon: Kindle Store
- The Innovator's Dilemma: The Revolutionary Book That Will Change the Way You Do Business: Christensen, Clayton M.: 8601300047348: Amazon.com: Books
- How Emotionally Intelligent People Use the 'Emergency Exit Rule' to Win Almost Every Argument
- Why CIOs Should Report to CISOs
Internet and technology 3 years
01:05:00

Episode 33: Log4Jelly of the Month Club

Some say that Log4j is the gift that keeps on giving, much like the Jelly of the Month Club. After the initial surge of discussion a couple of weeks ago there were mitigations, a “vaccine” and multiple iterations of official patches to keep the issue at bay, along with the new ones that cropped up afterwards. Brian, Dan and Erik discuss the Log4j vulnerability as it relates to enterprise systems, supportability, balancing the risk of patching, and the ways that open-source software is used within the enterprise. Join us this week as we cover:
- The Log4j vulnerability and saga in a nutshell
- The pros and cons of waiting to patch until there's a stable release vs. patching again with each iteration and risking system stability
- The critical need for system, application (and library) inventory and keeping it up to date
- How best to react when the media and public discussion picks up on a vulnerability and causes a stir
- The challenges in the flurry of email and surveys from and to SaaS and service providers about their status on the vulnerability of the day
- What is the cost of "free" when it comes to running (and maintaining) open-source software like Log4j
- How to make sure procurement departments are not just involved but include the risks of procurement decisions in the process
- Are external capability assessments like SOC 2 able to move beyond perfunctory review by those asking for them?
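One concrete form of the "library inventory" point above, added here as an illustration and not code from the podcast or its hosts: a small Python scanner that walks a directory tree, finds log4j-core inside jars (including jars nested in wars and ears), reads the version from the Maven pom.properties file each build carries, checks whether the JndiLookup class that Apache's stop-gap mitigation removes is still present, and maps the result to the Log4Shell-family advisories (CVE-2021-44228 and CVE-2021-45046 from the show notes, plus the two follow-ups fixed in 2.17.0 and 2.17.1). The version table is an assumption covering only the main 2.x release line; the Java 6/7 backport branches (2.3.x, 2.12.x) are flagged for manual checking. The sample jars the script builds are constructed stand-ins containing only the metadata file and a class-file stub, not real log4j builds.

```python
"""Added example (not from the podcast): inventory scan for log4j-core in a directory tree."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Class that Apache's stop-gap mitigation for CVE-2021-44228 removes from the jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven writes this properties file into every log4j-core build; it records the version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
VERSION_RE = re.compile(r"^version=(\S+)", re.M)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x) for x in m.groups(default="0")) if m else None


def assess(version, jndi_present):
    """Map a log4j-core version to the Log4Shell-family advisories it carries.

    Assumption: main 2.x release line only. 2.3.x and 2.12.x (Java 6/7 backports)
    received their own fix releases and are flagged for manual review instead.
    """
    v = parse_version(version)
    if v is None:
        return "unparseable version: inspect manually"
    if v[0] != 2:
        return "not log4j 2.x: outside this table"
    if v[:2] in ((2, 3), (2, 12)):
        return "Java 6/7 backport branch: check the release notes for this branch"
    if v < (2, 15, 0):
        if jndi_present:
            return "VULNERABLE: CVE-2021-44228 (JndiLookup present); upgrade"
        return "JndiLookup removed: CVE-2021-44228/45046 mitigated, CVE-2021-45105 remains; upgrade"
    if v == (2, 15, 0):
        return "VULNERABLE: CVE-2021-45046 (incomplete fix); upgrade"
    if v == (2, 16, 0):
        return "CVE-2021-45105 (lookup recursion DoS); upgrade"
    if v == (2, 17, 0):
        return "CVE-2021-44832 (JDBC appender config); upgrade"
    return "no known Log4Shell-family issues"


def scan_archive(label, data, findings):
    """Inspect one archive held in memory and recurse into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (corrupt file, or a jar that is really something else)
    with zf:
        names = zf.namelist()
        present = set(names)
        if POM_PROPS in present:
            m = VERSION_RE.search(zf.read(POM_PROPS).decode("utf-8", "replace"))
            version = m.group(1) if m else "?"
            jndi = JNDI_LOOKUP in present
            findings.append({"path": label, "version": version, "jndi_lookup": jndi,
                             "assessment": assess(version, jndi)})
        elif JNDI_LOOKUP in present:  # shaded/relocated build with no Maven metadata
            findings.append({"path": label, "version": "?", "jndi_lookup": True,
                             "assessment": "log4j-core classes without version metadata: inspect manually"})
        for inner in names:  # jar inside war/ear: a filename search on disk never sees these
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(f"{label}!{inner}", zf.read(inner), findings)


def scan_tree(root):
    """Walk `root` and return one finding per log4j-core occurrence, nested jars included."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(str(p.relative_to(root)), p.read_bytes(), findings)
    return findings


def _zip(entries):
    """Build a zip archive in memory from {name: bytes_or_str} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _log4j_jar(version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar: metadata file plus a class-file stub."""
    entries = {POM_PROPS: f"version={version}\ngroupId=org.apache.logging.log4j\n"}
    if with_jndi:
        entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"  # class-file magic only, not real bytecode
    return _zip(entries)


def build_sample_tree(root):
    """Constructed layout: an unpatched jar, a jar with JndiLookup stripped, a war with a nested jar."""
    lib = Path(root, "app", "lib")
    lib.mkdir(parents=True)
    (lib / "commons-io.jar").write_bytes(_zip({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}))
    (lib / "log4j-core-2.14.1.jar").write_bytes(_log4j_jar("2.14.1"))
    (lib / "log4j-core-2.14.1-patched.jar").write_bytes(_log4j_jar("2.14.1", with_jndi=False))
    Path(root, "app", "portal.war").write_bytes(
        _zip({"WEB-INF/lib/log4j-core-2.17.1.jar": _log4j_jar("2.17.1")}))


def demo():
    """Build the constructed sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: log4j-core {f['version']} jndi_lookup={f['jndi_lookup']} -> {f['assessment']}")
```

Run it as a script to see the report for the constructed sample, or call scan_tree on a real application directory to inventory your own deployments. Two cases are handled deliberately because a plain filename search misses them: jars packed inside wars and ears are opened recursively, and shaded or relocated builds that carry the log4j classes without Maven metadata are reported for manual inspection rather than silently skipped.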
Links:
- UPDATED: Cybereason Log4Shell Vaccine Offers Permanent Mitigation Option for Log4j Vulnerabilities (CVE-2021-44228 and CVE-2021-45046)
- log4j-affected-db/SOFTWARE-LIST.md at develop · cisagov/log4j-affected-db · GitHub
- A Log4J Vulnerability Has Set the Internet 'On Fire' | WIRED
- Alibaba Employee First Spotted Log4j Software Flaw but Now the Company Is in Hot Water With Beijing - WSJ
- Meltdown and Spectre
- Hackers launch over 840,000 attacks through Log4J flaw | Ars Technica
- 5 Whys: The Ultimate Root Cause Analysis Tool
- NSO Group spyware used to hack at least nine US officials’ phones – report | Surveillance | The Guardian
- The internet runs on free open-source software. Who pays to fix it? | MIT Technology Review
- Perfunctory Definition & Meaning - Merriam-Webster
Internet and technology 3 years
01:03:35