The "Do What We Tell You" Technique Isn't Working

08/25/20 • 34 min

All links and images for this episode can be found on CISO Series (https://cisoseries.com/the-do-what-we-tell-you-technique-isnt-working/)

We've yelled, we've screamed, we've complained, and we've whined. Those darn users simply don't do what they tell them to do. I guess we're going to have to give empathy a try.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Michelle Valdez (@scauzim), CISO, OneMain Financial.

Thanks to this week’s podcast sponsor, PlexTrac.

PlexTrac is a revolutionary, yet simple, cybersecurity platform that centralizes all security assessments, penetration test reports, audit findings, and vulnerabilities into a single location. PlexTrac vastly improves the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize important analytics, and collaborate on remediation in real-time.

On this week's episode

Why is everybody talking about this now

Why hasn't COVID spurned more disaster recovery and business continuity planning roles? This is what Stuart Mitchell, a recruiter at Stott and May, noticed. Obviously, he's not getting that much demand. The community says it's assumed already into many roles. I have to think BCP and DR are everyone's responsibility. If that's the case, has BCP and DR planning increased during this time? Why or why not?

How to become CISO

Are two CISOs better than one? Our guest mentioned that her company has split the CISO role. One, the head of tech, reports to the CTO and the other, our guest's role, CISO and head of cyber risk reports to the chief risk officer. How exactly does this work? And what does our guest believe are the pros and cons of splitting the CISO role this way?

What's Worse?!

This time, no matter what the answer, everyone's going to get in trouble.

And now for a little security philosophy

Chad Loder, Habitu8, said, "Us InfoSec experts spend too much time asking 'How do we get users to care more about security?' and not enough time asking 'How do we get security to care more about users?'" So I asked my host and guest that question, and more importantly, how has that learning about users improved their security team and overall security?

First 90 days of a CISO

William Birchett, CIO of Required Team Gear, asked, "When you start, how much do you know of what security posture you've inherited?" We've talked about this before, but I want you to answer in reflection. What were the biggest surprises (positive or negative) between what you knew starting out and what you discovered after 90 days on the job?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/the-do-what-we-tell-you-technique-isnt-working/)

We've yelled, we've screamed, we've complained, and we've whined. Those darn users simply don't do what they tell them to do. I guess we're going to have to give empathy a try.

Thanks to this week’s podcast sponsor, PlexTrac.

On this week's episode

Why is everybody talking about this now

How to become CISO

What's Worse?!

This time, no matter what the answer, everyone's going to get in trouble.

And now for a little security philosophy

First 90 days of a CISO

Previous Episode

Set It. Forget It. Reset It. Repeat.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/set-it-forget-it-reset-it-repeat/)

As long as you reset it and repeat, everything in cybersecurity is "set it and forget it".

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Brett Conlon (@DecideSecurity), CISO, Edelman Financial Engines.

Check out Tricia Howard's dramatic readings of cold emails.

Our Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner’s control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com.

On this week's episode

Why is everybody talking about this now

On LinkedIn and on Twitter, I asked "Is there anything in cybersecurity that's 'set it and forget it'?" There were plenty of funny answers like "Passwords" and the "Off" switch. But there were some interesting answers like whitelists from Brian Haugli of Sidechannel security and ethics from Stephen Gill of Russel Holdings. So many treat security as "set it and forget it" but we know that's a path to insecurity. Regardless, is there ANYTHING in security we can set and forget?

Question for the board

Our guest claims he's got an awesome board. I don't think we've ever heard that on our show. In most cases there's either fear of the board or the CISO doesn't even get direct conversation with the board. I asked our guest what is it about his board that's so awesome and what tips could he give to CISOs to move their board into that territory?

What's Worse?!

Who is going to handle physical assets the worst?

If you haven’t made this mistake, you’re not in security

Alexander Rabke, Splunk, asked, "How should sales people handle situations when, in fact, you are a security company with a security vulnerability (he also talked about a product not working) - what do you tell customers. How do you like to see this handled by the vendor?" I know a first response is to be honest, but they want to hold onto your business. What's a way salespeople could go about doing that?

What do you think of this pitch?

We're not talking vendor pitches in this segment. We're talking candidate pitches. Gary Hayslip, CISO, Softbank Investment Advisers and former guest on this show has an article on Peerlyst, a platform which is unfortunately going away, about finding your first job in security. Hayslip's first tip asks, "What information do you have?" Researching yourself is good advice, but I want to extend that to a question that I think puts you ahead of the pack and ask, "What's your unfair advantage?" It's a question that I heard investor Chris Sacca ask startups and I think it can also apply to individuals applying for jobs. Agree? If so, what are some good unfair advantages from candidates that have put them over the top?

Next Episode

Request a Demo of Our Inability to Post a Demo

All links and images for this episode can be found on CISO Series (https://cisoseries.com/request-a-demo-of-our-inability-to-post-a-demo/)

It's really easy to include "Request a Demo" button on our site. But potential buyers would actually like to just watch a demo on our site. Should we actually expend just a little more effort to record a demo and upload it to our site?

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Ross Young, CISO, Caterpillar Financial Services Corporation.

Thanks to our sponsor, Kenna Security.

With Kenna Security, companies efficiently manage the right level of risk for their business. Our Modern Vulnerability Management model eliminates the friction between Security and IT teams about what to patch, providing clear prioritization based on real-time threat intelligence and guidance applied to each customer’s unique environment across infrastructure, applications and IoT.

On this week's episode

Why is everybody talking about this now?

Our guest posted about the 10+ daily product pitches he receives and he suggested that vendors place a product demo on their site. It just so happens, I also posted about this on LinkedIn. I am astonished that not every vendor spends their first marketing dollars on creating a product demo and posting that video. If a security practitioner is interested in a company, how do they begin their research? What do they look for? Do they watch product demo videos? Do they click the "request a demo" button?

First 90 Days of a CISO

Our guest shared a study from PWC that points out what management thinks are the most important roles for a CISO. Eighty four percent considered the ability to educate and collaborate across the business was critical making it the top most skill they look for in a CISO. At the same time, it appears investing in a talent management program for leadership was the least important with only 22 percent responding. What I read from this is management wants you to lead, and get the whole company on board, but do it alone. Plus, they expect you to be a perfect cybersecurity leader out of the box. Is that feasible? Is this why we're having so much burnout of CISOs? It's not just the pressure of protecting, but taking on all leadership responsibilities with no ongoing support?

What's Worse?!

How are you advertising for new hires?

There’s got to be a better way to handle this

Turns out half of employees are cutting corners on security when working from home. This includes using home computers for corporate work, emailing sensitive documents from personal accounts. It's not malicious, but the distractions of work from home life and demands to deliver quickly are forcing employees to take the less secure route. Also, being away from the watchful IT and security gives them the breathing room to be less careful. Tip of the hat to Gina Yacone of Agio for posting this article from ZDnet about Tessian's work from home study. How can security leaders stay in contact with employees so they don't stray?

How CISOs are digesting the latest security news

What makes a security podcast valuable? What elements does a cybersecurity podcast need to have for you to say to yourself, "I'm glad I spent the time listening to that"?