
We’re Releasing Security Studies of Made Up Numbers
03/12/19 • 42 min
Since no one ever checks a research study's methodology, why not just make up all the numbers? You're in the risk analysis business, right? Chances are very good they'll never check and research studies are a great way to get free press.
This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Melody Hildebrandt (@mhil1), CISO of FOX.
Thanks to this week's sponsors, Axonius and New Context.
New Context helps fortune 500s build secure and compliant data platforms. New Context created “Lean Security”, a set of best practices designed to help enterprises manage and secure data for critical infrastructure, and offers professional services and a software solution, LS/IQ, to help enterprises build a secure and compliant data platforms for their business.
Huge congrats to Axonius for their two big wins at RSA this year. They were named Rookie Security Company of the Year by SC Media and they also won top prize at RSA’s Innovation Sandbox. They’ve been touted as the company trying to solve the least sexy part of cybersecurity, asset management. Go to Axonius’ site to learn more.
On this episode
Ask a CISOIt’s been reported many times, that the average life of a CISO is 18 months and Mike Johnson lasted 18 months at Lyft. At the time of Mike’s departure so many people were forwarding me articles regarding the stress level of CISOs, most notably around Nominet’s study that claimed that about 1 in 5 CISOs turn to alcohol or self-medicating. With two CISOs on the panel we discuss if this was the most high-pressured job they had and would you be eager and willing to jump back into the CISO role again.
Why is everybody talking about this now?Couple weeks ago I wrote an article entitled “30 Security Behaviors that Set Off a CISO’s BS Detector.” There was quite a response from the community to this. Now that we’ve just finished RSA, did our CISOs see or hear anything that set off their BS detectors.
What’s Worse?!We play two rounds of “What’s Worse?!” Both rounds are cases of employees putting security in very compromising positions.
What’s a CISO to do?When we talk about security we’re often talking about protecting customer and employee data. While all companies have intellectual property they need to protect, at FOX, Melody Hildebrandt is having to deal with some very high profile individual assets that are of interest to many hackers. What are the factors a CISO must consider, that most security people probably aren’t thinking about, when you’re trying to secure a single media asset that’s worth hundreds of millions of dollars?
What do you think of this pitch?After you hear this pitch, every security professional may be out of a job. Tip of the hat to Christopher Stealey of Barclays for providing this pitch he received.
You’re a CISO, what’s your take on this?Ameer Shihadeh of Varonis asks a question of trying to overcome the objection from a security professional that they don’t have any security initiatives or projects.
And now this...We field questions from our audience for the CISOs.
Since no one ever checks a research study's methodology, why not just make up all the numbers? You're in the risk analysis business, right? Chances are very good they'll never check and research studies are a great way to get free press.
This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Melody Hildebrandt (@mhil1), CISO of FOX.
Thanks to this week's sponsors, Axonius and New Context.
New Context helps fortune 500s build secure and compliant data platforms. New Context created “Lean Security”, a set of best practices designed to help enterprises manage and secure data for critical infrastructure, and offers professional services and a software solution, LS/IQ, to help enterprises build a secure and compliant data platforms for their business.
Huge congrats to Axonius for their two big wins at RSA this year. They were named Rookie Security Company of the Year by SC Media and they also won top prize at RSA’s Innovation Sandbox. They’ve been touted as the company trying to solve the least sexy part of cybersecurity, asset management. Go to Axonius’ site to learn more.
On this episode
Ask a CISOIt’s been reported many times, that the average life of a CISO is 18 months and Mike Johnson lasted 18 months at Lyft. At the time of Mike’s departure so many people were forwarding me articles regarding the stress level of CISOs, most notably around Nominet’s study that claimed that about 1 in 5 CISOs turn to alcohol or self-medicating. With two CISOs on the panel we discuss if this was the most high-pressured job they had and would you be eager and willing to jump back into the CISO role again.
Why is everybody talking about this now?Couple weeks ago I wrote an article entitled “30 Security Behaviors that Set Off a CISO’s BS Detector.” There was quite a response from the community to this. Now that we’ve just finished RSA, did our CISOs see or hear anything that set off their BS detectors.
What’s Worse?!We play two rounds of “What’s Worse?!” Both rounds are cases of employees putting security in very compromising positions.
What’s a CISO to do?When we talk about security we’re often talking about protecting customer and employee data. While all companies have intellectual property they need to protect, at FOX, Melody Hildebrandt is having to deal with some very high profile individual assets that are of interest to many hackers. What are the factors a CISO must consider, that most security people probably aren’t thinking about, when you’re trying to secure a single media asset that’s worth hundreds of millions of dollars?
What do you think of this pitch?After you hear this pitch, every security professional may be out of a job. Tip of the hat to Christopher Stealey of Barclays for providing this pitch he received.
You’re a CISO, what’s your take on this?Ameer Shihadeh of Varonis asks a question of trying to overcome the objection from a security professional that they don’t have any security initiatives or projects.
And now this...We field questions from our audience for the CISOs.
Previous Episode

A Pesticide-Free Podcast Made with 'All Natural' Intelligence
We eschew those cybersecurity firms touting claims of artificial intelligence for our organic conversation-based approach to podcasting.
This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Mike Wiacek (@Mikewiacek), co-founder and CSO for Chronicle.
Thanks to this week's sponsor, Chronicle
Chronicle’s Backstory is a global security telemetry platform for investigation and threat hunting within your enterprise network. Backstory makes security analytics instant, easy, and cost-effective. Backstory is a specialized, cloud-native security analytics system, built on the core infrastructure that powers Google itself.
On this episode
What's a CISO to do?As we brace for RSA this week, we expect most companies on the floor will be touting some form of artificial intelligence or machine learning. CISOs are no longer even slightly moved by those terms. What should vendors be saying? And what should a savvy security shopper demand to know about a company's AI or ML?
Why is everybody talking about this now?Allan Alford, CISO of Mitel, and my co-host on the other CISO Series podcast, Defense in Depth, created a very funny "Cybersecurity Startup Name & Mission Generator!" chart that got a lot of response. We've seen a lot of these name generators, but this one seemed creepily too real. We discuss InfoSec company names and how not to let your eyes glaze over as you walk the trade show floor.
What's Worse?!How do you feel when big security companies acquire smaller security companies?
Please, enough. No, more.This week's topic is "threat hunting." We talk about what we've heard enough of on "threat hunting," and what we'd like to hear a lot more.
What's a CISO to do?A great challenge question from an anonymous source: "My users learned security from the evening news. Now I can't see their traffic due to their VPN tunnel and they are using programs that delete evidence to be more secure." What's a CISO to do?
Next Episode

When Abusing Our Privacy, Does Size Matter?
Do the biggest tech companies abuse our privacy because they have no competitive incentive to protect it? That debate and more on the latest episode of CISO/Security Vendor Relationship Podcast.
This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Emilio Escobar (@eaescob), head of information security for Hulu.
Endgame makes military-grade protection as easy as anti-virus. Their converged endpoint security platform is transforming security programs – their people, processes and technology – with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com.
On this episode
Why is everybody talking about this now?Why can't security vendors get CRM right? One week after RSA I have received cold phone calls and emails from companies for which I"m already engaging with multiple people at said company, some I've actually interviewed their CEOs, actually worked for the company, and/or they've sponsored this very podcast. Other industries use their CRM. Why does it appear en masse the cybersecurity industry is failing at basic CRM?
How CISOs are digesting the latest security newsMassachusetts Senator Elizabeth Warren wrote an opinion piece on Medium saying that if elected President her administration would seek to breakup Amazon, Facebook, and Google. She cited them as monopolies squashing innovation and competition and damaging our privacy for their profit. She said, "With fewer competitors entering the market, the big tech companies do not have to compete as aggressively in key areas like protecting our privacy."
What's Worse!?What's the best kind of CISO to have?
What's a CISO to do?Last year at Black Hat I produced a video where I asked attendees, "Should DevOps and security be in couples counseling?" Everyone said yes. Are security leaders taking on the role of couples counselor as they try to get security and DevOps working together?
What do you think of this pitch?We've got two pitches for the show and the second one has a response that veers into insulting.
If you like this episode you’ll love
Episode Comments
Generate a badge
Get a badge for your website that links back to this episode
<a href="https://goodpods.com/podcasts/ciso-series-podcast-168734/were-releasing-security-studies-of-made-up-numbers-9191706"> <img src="https://storage.googleapis.com/goodpods-images-bucket/badges/generic-badge-1.svg" alt="listen to we’re releasing security studies of made up numbers on goodpods" style="width: 225px" /> </a>
Copy