BSWEpisode138

From Paul's Security Weekly

Recorded July 29, 2019 at G-Unit Studios in Rhode Island!


Hosts

  • Matt Alderman
    CEO at Security Weekly, Strategic Advisor, and Wizard of Entrepreneurship
  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.

  • Announcements

    • Join us at InfoSecWorld 2020 - March 30 - April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020 and click the register button to register with our discount code!
    • Attend RSA Conference 2020, February 24-28 and join thousands of security professionals, forward-thinking innovators and solution providers for five days of actionable learning, inspiring conversation and breakthrough ideas. Register before January 24 and save $900 on a Full Conference Pass. Save an extra $150 by going to securityweekly.com/rsac2020 and use our code to register!
    • Our next webcast is February 13th with Sri Sundaralingam, Vice President, Product and Solutions Marketing at ExtraHop where we will discuss Cloud Native Network Detection and Response! Register for our upcoming webcasts by visiting securityweekly.com, selecting the webcast drop down from the top menu bar and clicking registration.


    Interview: Todd Fitzgerald, CISO SPOTLIGHT, LLC

    Todd Fitzgerald is the Managing Director/CISO/Cybersecurity Leadership Author at CISO SPOTLIGHT, LLC
    Todd Fitzgerald has built and led information security programs at Fortune 500 and other large companies for 20 years. He was named 2016–17 Chicago CISO of the Year, ranked a Top 50 Information Security Executive, and has authored four books: CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers (2019), Information Security Governance Simplified: From the Boardroom to the Keyboard, the ground-breaking CISO Leadership: Essential Principles for Success, and the EC-Council Certified Chief Information Security Officer Body of Knowledge; he has contributed to a dozen others. Todd has held senior leadership positions at Northern Trust, Grant Thornton International, Ltd., ManpowerGroup, WellPoint (Anthem) Blue Cross Blue Shield/National Government Services, Zeneca/Syngenta, IMS Health and American Airlines.

    Segment Description:
    A discussion of his book, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers.

    Segment Resources:
    www.amazon.com/author/toddfitzgerald

    Leadership Articles

    • Leading with Trust - in 2018, more CEOs were fired for ethical lapses than for poor financials or over battles with their board. People evaluate a leader’s trustworthiness on the same dimensions they evaluate a company’s. The more of these dimensions a leader has established trust in, the more power he or she has:
      • Legitimacy
      • Competence
      • Motive
      • Means
      • Impact
    • Portrait of a CISO: Roles and responsibilities - Success in the role of CISO requires security experts to wear many hats. Couple that with changes in compliance regulations and sophisticated cyberthreats, and CISOs are left with a full plate. Here are three informative areas that shed light on the importance of the CISO role, the regulatory guidelines CISOs enforce and the skills necessary to be successful in the position:
      • Evolution of threats expands CISO roles and responsibilities
      • New regulation policies affect CISO compliance oversight
      • CISOs must demonstrate quality communication skills
    • 8 Skills All Leadership Trainings Should Teach Managers - Leadership training is crucial for any management role. Whether you have a large team or just got your first hire, leadership training can help you be the best possible leader. Here are the most important leadership skills you need from any leadership training:
      • Learning Core Leadership Practices
      • Identify Your Leadership Style
      • How to Delegate
      • Motivating a Team
      • Make Good Decisions
      • Managing Conflict
      • Performance Management
      • Digital Leadership Skills
    • What Boards Can Do to Prepare for Crises - According to recent research by the National Association of Corporate Directors, almost half of respondents reported that their focus on known risks was a barrier to understanding and preparing for threats that are hard – or impossible – to predict. Furthermore, fewer than 20 percent of respondents felt confident that management could handle such risks. To help prepare corporate boards, let's translate the COBRA model to the corporate setting:
      • The UK, and other Commonwealth countries, use a Strategic, Tactical, Operational (STO) management structure to manage incidents. Each incident response is allocated one Strategic Commander on the team, one Tactical Commander, and as many Operational Commanders (geographic or thematic) as necessary to fulfill responsibilities. Thus, the strategic members function as the senior management of the response.
      • On the political side are senior elected officials and policy makers, often referred to as the COBRA group.
      • A designated senior, non-elected civil servant on each side in a formal liaison role serves to foster an orderly flow of information between the two.
        • This structure enables political leaders to have input into the handling of the operation while ensuring that they do not try to run it.
        • Conversely, the strategic team members receive valuable information about the political ramifications of their decisions while remaining able to maintain an essential “battle rhythm” to keep pace with unfolding events.
    • Cybersecurity Risk: What does a 'reasonable' posture entail and who says so? - Without an exact definition of what "reasonable" security practices entail, a simpler approach is to evaluate what constitutes a lack of reasonable security. This approach makes it easier for an organization to map data security protection efforts (including privacy and resources) to a known framework.
    • A call to end 'warrant-proof' encryption, but where does privacy protection fit in? - The encryption battle re-emerges:
      • Deploying encryption practices where the end user is the only one with decryption capabilities is preventing law enforcement from pursuing "communications in transit" and data. "Even with a warrant based on probable cause," encryption is thwarting investigations.
      • Because modern crimes carry heavy digital evidence, "warrant-proof" encryption is a threat to public safety. Encryption is "extinguishing" law enforcement's ability to access and trace evidence in investigations.
      • An individual's "zone of privacy" — person, house, papers and effects — is protected from "unreasonable" investigation. But the zone of privacy is only possible because the public has a right of access when public safety is in question. Encryption prohibits that right of access, morphing devices into "law-free zones."




