From Paul's Security Weekly
Jump to: navigation, search

Recorded July 29, 2019 at G-Unit Studios in Rhode Island!

Episode Audio


  • Matt Alderman
    CEO at Security Weekly, Strategic Advisor, and Wizard of Entrepreneurship
  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .

  • Announcements

    • We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will be receiving 1 CPE credit per webcast! Register for one of our upcoming webcast with Stephen Smith and Jeff Braucher of LogRhythm by going to If you have missed any of our previously recorded webcasts, you can find our on-demand library at

    • So many of the big East Coast cybersecurity tradeshows take place in crowded cities like Boston and New York, where parking is a nightmare and will cost you an arm and a leg. However, this year's Compass Cybersecurity Symposium is being held at Twin River Casino in Lincoln, RI, just 15 minutes outside of Providence! The venue has plenty of free and easy parking. Speakers include social engineering expert Chris Hadnagy and Security Weekly podcast founder Paul Asadoorian. Use the discount code "SW2019" to save $20 on registration!

    • Security Weekly will be at Hacker Halted in Atlanta, GA this October 10th-11th! EC-Council is offering our listeners a $100 discount to attend the two day conference. Use discount code HH19SW when you register or go to and register there! Make sure you checkout the keynote (Paul Asadoorian) and Mr. Jeff Man's talk as well!

    • We need your help in a survey we are running for research purposes for an upcoming webcast. How mature is your process automation for your various security capabilities? Please visit to submit your responses to our 5 Stages of Automation Maturity Survey! We'll share the results in a webcast in November!

    Interview: Todd Fitzgerald, CISO SPOTLIGHT, LLC

    Todd Fitzgerald is the Managing Director/CISO/Cybersecurity Leadership Author at CISO SPOTLIGHT, LLC
    Todd Fitzgerald has built and led information Fortune 500/large company security programs for 20 years. He was named 2016–17 Chicago CISO of the Year, ranked Top 50 Information Security Executive, authored 4 books- CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers (2019), Information Security Governance Simplified: From the Boardroom to the Keyboard, ground-breaking CISO Leadership: Essential Principles for Success, E-C Council Certified Chief Information Security Officer Body of Knowledge and contributed to a dozen others. Todd held senior leadership positions at Northern Trust, Grant Thornton International, Ltd, ManpowerGroup, WellPoint (Anthem) Blue Cross Blue Shield/ National Government Services, Zeneca/Syngenta, IMS Health and American Airlines.

    Segment Description:
    His book, the CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers

    Segment Resources:

    Leadership Articles

    • Leading with Trust - in 2018, more CEOs were fired for ethical lapses than for poor financials or over battles with their board. People evaluate a leader’s trustworthiness on the same dimensions they evaluate a company’s. The more of these dimensions a leader has established trust in, the more power he or she has:
      • Legitimacy
      • Competence
      • Motive
      • Means
      • Impact
    • Portrait of a CISO: Roles and responsibilities - Success in the role of CISO requires security experts to wear many hats. Couple that with changes in compliance regulations and sophisticated cyberthreats, and CISOs are left with a full plate. Here are three informative areas that shed light on the importance of the CISO role, the regulatory guidelines CISOs enforce and the skills necessary to be successful in the position:
      • Evolution of threats expands CISO roles and responsibilities
      • New regulation policies affect CISO compliance oversight
      • CISOs must demonstrate quality communication skills
    • 8 Skills All Leadership Trainings Should Teach Managers - Leadership training is crucial for any management role. Whether you have a large team or just got your first hire, leadership training can help you be the best possible leader. Here are the most important leadership skills you need from any leadership training:
      • Learning Core Leadership Practices
      • Identify Your Leadership Style
      • How to Delegate
      • Motivating a Team
      • Make Good Decisions
      • Managing Conflict
      • Performance Management
      • Digital Leadership Skills
    • What Boards Can Do to Prepare for Crises - According to recent research by the National Association of Corporate Directors, almost half of respondents reported that their focus on known risks was a barrier to understanding and preparing for threats that are hard – or impossible – to predict. Furthermore, fewer than 20 percent of respondents felt confident that management could handle such risks. To help prepare corporate boards, let's translate the COBRA model to the corporate setting:
      • The UK, and other Commonwealth countries, use a Strategic, Tactical, Operational (STO) management structure to manage incidents. Each incident response is allocated one Strategic Commander on the team, one Tactical Commander, and as many Operational Commanders (geographic or thematic) as necessary to fulfill responsibilities. Thus, the strategic members function as the senior management of the response.
      • On the political side are senior elected officials and policy makers, often referred to as the COBRA group.
      • A designated senior, non-elected civil servant on each side in a formal liaison role serves to foster an orderly flow of information between the two.
        • This structure enables political leaders to have input into the handling of the operation while ensuring that they do not try to run it.
        • Conversely, the strategic team members receive valuable information about the political ramifications of their decisions while remaining able to maintain an essential “battle rhythm” to keep pace with unfolding events.
    • Cybersecurity Risk: What does a 'reasonable' posture entail and who says so? - Without an exact definition of what "reasonable" security practices entail, a simpler approach is to evaluate what constitutes a lack of reasonable security. This approach makes it easier for an organization to map data security protection efforts (including privacy and resources) to a known framework.
    • A call to end 'warrant-proof' encryption, but where does privacy protection fit in? - The encryption battle remerges:
      • Deploying encryption practices where the end user is the only one with decryption capabilities is preventing law enforcement from pursuing "communications in transit" and data. "Even with a warrant based on probable cause," encryption is thwarting investigations.
      • Because modern crimes carry heavy digital evidence, "warrant-proof" encryption is a threat to public safety. Encryption is "extinguishing" law enforcement's ability to access and trace evidence in investigations.
      • An individual's "zone of privacy" — person, house, papers and effects — are protected from "unreasonable" investigation. But, the zone of privacy is only possible because the public has a right to access when public safety is in question. Encryption prohibits right of access, morphing devices into "law-free zones."

    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+