-
How to CISO, Volume 1: The First 91 Days
Just want to download the eBook? Head over to How to CISO, Volume 1: The First 91 Days! It seems to be a rite of passage for all CISOs to, at some point in their career, write down their advice for other CISOs starting a new job, whether they are a first-time or veteran CISO.…
Security Talks
-
This talk delves into the intersection between security–helping make wiser risk choices–and leadership–getting more done with a lower energy cost. It draws on the lessons of the Six Leadership Disciplines and Humans are Awesome at Risk Management talks, providing a handful of examples of specific leadership skills to practice. The 24 skills in the matrix…
-
Summary Everybody sells, right? Wrong. Unless you’re taking an order and retiring your quota, you don’t sell – instead, you market. If you’re selling to a CISO, you need to understand the organizational dynamics that surround a CISO’s decision-making process. This talk walks through nine critical questions that CISOs need to understand the answers to…
-
How do you know what to invest in next, or whether the time and energy that you’re spending on a security technology or program is a good investment? Learn how veteran CSOs think about security investments, and develop your own rubric for evaluating where to best make your next security improvement.
-
How do you design defenses against DDoS? And how do you think about them from a policy perspective?
-
How do humans make risk decisions, and are they good, bad, or something else?
-
How do the grand challenges of the future look like the grand challenges of the past?
-
What does a Zero Trust journey look like? Explore how we migrated Akamai to a zero trust network access model, before that was even a phrase people knew.
Security Panels
-
Lenovo Late Night I.T: Cybersecurity: Trust No One
Join Baratunde Thurston, Tim Brown, and Andy Ellis as they demistify security.
-
Cyberweek 2021: Navigating the CISO-Vendor relationship
The panel discusses the do’s and don’ts of engagements between CSOs and early-stage startups, the concerns around long integration cycles, the value in quick implementations, and the need to show value quickly.
-
Cyberweek 2021: YL Ventures & Scale Fireside Chat
YL Ventures and Scale Venture Partners hosted a Cyber Week 2021 Fireside chat where Wendy Nather, Sounil Yu, Ryan Gurney, and Ariel Tseitlin discussed the cyber industry challenges and trends. They talked about the burning challenges and the basics that CSOs are still struggling with, and how ransomware attacks undermine our ability to recover. Other…
Security Blog
-
Nine Years After: From Aurora to Zero Trust
How the first documented nation-state cyberattack is changing security today.It’s January 12, 2010. In a blog post, Google publicly discloses that it has been the victims of a targeted attack originating in China. The attack resulted in the theft of intellectual property, but the attackers didn’t stop with Google — they targeted at least 20 different…
-
Composing Defences
In the realm of information security, terms like “defence in depth” and “layered defences” are often used superficially. However, it’s crucial to delve into their evolution and reconsider defensive architectures in a network-centric world. Understanding how defences integrate, stack, or present choices to adversaries is vital for creating effective and cohesive security measures. Approaches such…
-
A Perimeter of One
In the era of graphite-and-paper enterprises, control over information assets was tangible. With the introduction of computers, the security mindset remained rooted in physical perimeters, failing to adapt to the untrustworthiness of interconnected systems. As smartphones and laptops become extensions of users, the modern enterprise must shift to a model where trust is not implicitly…
-
Zombie Vivification
The state of cybersecurity is worsening, with breaches becoming commonplace and vulnerabilities increasing in number. However, this trend is a reflection of our pace of innovation and development in networked technologies. Startups, akin to zombies, operate in a high-risk environment and make daring choices for survival. We inherit the cybersecurity risks born out of these…
-
The Future of The Internet — and how to secure it
In a world where the Internet was once limited to a select few, security concerns were nonexistent. However, today’s reality is far from that. High-profile vulnerabilities like Heartbleed and Shellshock have exposed the flaws in the web’s security infrastructure. HTTPS, while offering some protection, still faces numerous vulnerabilities that adversaries can exploit. Trusting certificate authorities…
-
Dancing Poodles
The POODLE attack, a chosen-plaintext attack, exposes vulnerabilities in SSLv3 block ciphers, compromising encrypted session data. This highlights the need to transition to TLS. Additionally, the SSL/TLS version selection fallback mechanism poses risks of protocol downgrades, but TLS Signaling Cipher Suite Value (SCSV) provides a solution to prevent such attacks.
-
The Brittleness of the SSL/TLS Certificate System
The Heartbleed vulnerability highlighted the limitations of the current certificate revocation process. Revocation models like certificate revocation lists (CRLs) and online certificate status protocol (OCSP) face scalability and performance challenges. One alternative is DANE (DNSSEC Assertion of Named Entities), which places trust in DNSSEC instead of the CA hierarchy. The current system does not meet…
-
Closing the Skills Gap
Recruiters often misunderstand the “skills gap,” confusing it with their own difficulties in writing accurate job descriptions. Security professionals should focus on bridging the gap between security and the business, helping decision-makers understand the risks involved. Thinking systematically, problem-solving, effective communication, and kindness are vital skills in the field. Certification alone does not guarantee mastery;…
-
Whither HSMs (in the cloud)
Hardware Security Modules (HSMs) are widely used to protect cryptographic material and handle cryptographic functions. However, when it comes to protecting SSL certificates in the cloud, it is essential to consider the specific goals and adversaries. While HSMs can inhibit key copying, they may have limitations in distributed data centers where the API remains exposed…
-
Assessment of the BREACH vulnerability
The BREACH vulnerability exploits HTTP-level compression to extract secret information from SSL-enabled websites. Applications that echo user-injected data, contain static secrets, and use HTTP compression are vulnerable. Disabling compression and altering response dynamics can help mitigate the risk, but there are performance and feasibility considerations. Evaluating cipher usage, rate-limiting requests, and modifying chunked encoding are…
Security Podcasts
-
Cloud Security Reinvented: Jeremy Turner
https://open.spotify.com/episode/47RkcLAiY8RfT5glaFhAsJ Key insights from this episode featuring Jeremy Turner, Deputy CISO at Paidy:⚡ Security without passwords. “In a market like Japan, things are quite different. Thinking out of the box is probably the most critical skill we need. When we think about the consumer experience, they don’t have to deal with [passwords], and that really does…
-
Stir in a Little Merger and Acquisition, and Voilà, You’re a Target
https://cisoseries.com/stir-in-a-little-merger-and-acquisition-and-voila-youre-a-target/ There is a lot unknown before, during, and after a merger and that can make employees very susceptible to phishing attacks. But, at the same time, the due diligence that goes into an M&A can often open up signs of previous or active compromise, noted Rich Mason of Critical Infrastructure.What does a proposed merger…
-
Cloud Security Reinvented: Jay Thoden van Velzen
https://open.spotify.com/episode/2wmxzrpQspD3wKXzWvN6Gp 💡 Name: Jay Thoden van Velzen💡 What he does: Strategic Advisor to the CSO at SAP.💡 Noteworthy: SAP is one of the world’s leading producers of software for the management of business processes and a company on a mission to help the world run better and improve people’s lives.