BSWEpisode138

From Paul's Security Weekly

Recorded July 29, 2019 at G-Unit Studios in Rhode Island!


Hosts

  • Matt Alderman
    CEO at Security Weekly, Strategic Advisor, and Wizard of Entrepreneurship
  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.

  • Announcements

    • Register for one of our upcoming webcasts with Bryce Shroeder and Barbara Kay of ServiceNow, Kevin O'Brien of GreatHorn, or Steve Laubenstein of Core Security (or all of them!) by going to securityweekly.com, clicking the webcast drop-down, and selecting Registration! If you have missed any of our previously recorded webcasts, you can find our on-demand library by selecting On-Demand from the webcast drop-down! If you attend any of our webcasts, you will receive 1 CPE credit per webcast!
    • We're currently running our annual Listener Feedback Survey! Please visit securityweekly.com, click the Survey tab, and select "2019 Listener Survey" to submit your responses!
    • The new Security Weekly website is officially live! Visit securityweekly.com to check out all of our new sorting and filtering functionality! Please let us know if you find any issues or have any feedback by emailing website@securityweekly.net
    • Paul will be providing his insights & predictions in the information & cyber security space at a local (ISC)2 RI Chapter Meeting on Monday, November 18th @ Gregg's Restaurant in Providence. If you would like to join us, go to securityweekly.com/isc2ri


    Interview: Todd Fitzgerald, CISO SPOTLIGHT, LLC

    Todd Fitzgerald is the Managing Director/CISO/Cybersecurity Leadership Author at CISO SPOTLIGHT, LLC
    Todd Fitzgerald has built and led information security programs for Fortune 500 and other large companies for 20 years. He was named 2016–17 Chicago CISO of the Year, ranked a Top 50 Information Security Executive, and authored 4 books: CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers (2019), Information Security Governance Simplified: From the Boardroom to the Keyboard, the ground-breaking CISO Leadership: Essential Principles for Success, and the E-C Council Certified Chief Information Security Officer Body of Knowledge; he contributed to a dozen others. Todd held senior leadership positions at Northern Trust, Grant Thornton International, Ltd, ManpowerGroup, WellPoint (Anthem) Blue Cross Blue Shield/National Government Services, Zeneca/Syngenta, IMS Health and American Airlines.

    Segment Description:
    His book, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers

    Segment Resources:
    www.amazon.com/author/toddfitzgerald

    Leadership Articles

    • Leading with Trust - in 2018, more CEOs were fired for ethical lapses than for poor financials or over battles with their board. People evaluate a leader’s trustworthiness on the same dimensions they evaluate a company’s. The more of these dimensions a leader has established trust in, the more power he or she has:
      • Legitimacy
      • Competence
      • Motive
      • Means
      • Impact
    • Portrait of a CISO: Roles and responsibilities - Success in the role of CISO requires security experts to wear many hats. Couple that with changes in compliance regulations and sophisticated cyberthreats, and CISOs are left with a full plate. Here are three informative areas that shed light on the importance of the CISO role, the regulatory guidelines CISOs enforce and the skills necessary to be successful in the position:
      • Evolution of threats expands CISO roles and responsibilities
      • New regulation policies affect CISO compliance oversight
      • CISOs must demonstrate quality communication skills
    • 8 Skills All Leadership Trainings Should Teach Managers - Leadership training is crucial for any management role. Whether you have a large team or just got your first hire, leadership training can help you be the best possible leader. Here are the most important leadership skills you need from any leadership training:
      • Learning Core Leadership Practices
      • Identify Your Leadership Style
      • How to Delegate
      • Motivating a Team
      • Make Good Decisions
      • Managing Conflict
      • Performance Management
      • Digital Leadership Skills
    • What Boards Can Do to Prepare for Crises - According to recent research by the National Association of Corporate Directors, almost half of respondents reported that their focus on known risks was a barrier to understanding and preparing for threats that are hard – or impossible – to predict. Furthermore, fewer than 20 percent of respondents felt confident that management could handle such risks. To help prepare corporate boards, let's translate the COBRA model to the corporate setting:
      • The UK, and other Commonwealth countries, use a Strategic, Tactical, Operational (STO) management structure to manage incidents. Each incident response is allocated one Strategic Commander on the team, one Tactical Commander, and as many Operational Commanders (geographic or thematic) as necessary to fulfill responsibilities. Thus, the strategic members function as the senior management of the response.
      • On the political side are senior elected officials and policy makers, often referred to as the COBRA group.
      • A designated senior, non-elected civil servant on each side in a formal liaison role serves to foster an orderly flow of information between the two.
        • This structure enables political leaders to have input into the handling of the operation while ensuring that they do not try to run it.
        • Conversely, the strategic team members receive valuable information about the political ramifications of their decisions while remaining able to maintain an essential “battle rhythm” to keep pace with unfolding events.
    • Cybersecurity Risk: What does a 'reasonable' posture entail and who says so? - Without an exact definition of what "reasonable" security practices entail, a simpler approach is to evaluate what constitutes a lack of reasonable security. This approach makes it easier for an organization to map data security protection efforts (including privacy and resources) to a known framework.
    • A call to end 'warrant-proof' encryption, but where does privacy protection fit in? - The encryption battle re-emerges:
      • Deploying encryption practices where the end user is the only one with decryption capabilities is preventing law enforcement from pursuing "communications in transit" and data. "Even with a warrant based on probable cause," encryption is thwarting investigations.
      • Because modern crimes carry heavy digital evidence, "warrant-proof" encryption is a threat to public safety. Encryption is "extinguishing" law enforcement's ability to access and trace evidence in investigations.
      • An individual's "zone of privacy" — person, house, papers and effects — is protected from "unreasonable" investigation. But the zone of privacy is only possible because the public has a right of access when public safety is in question. Encryption prohibits that right of access, morphing devices into "law-free zones."
