EPISODE · Sep 10, 2019 · 41 MIN

CISO Confessions: "It's Not You. It's Me."

from CISO Series Podcast

Links and images for this episode can be found on CISO Series (https://cisoseries.com/ciso-confessions-its-not-you-its-me-/)

Vendors are trying to understand why CISOs are ghosting them, and sometimes it really isn't their fault. CISOs accept the blame on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and joining me is special guest co-host Betsy Bevilacqua (@HEALTHeSECURITY), CISO, Butterfly Network. Our guest will be Matt Southworth (@bronx), CISO of Priceline.

This episode was recorded live in WeWork's Times Square location on September 5th, 2019. Here are all the photos. Enormous thanks to WeWork for hosting this event. They're hiring! Contact JJ Agha, VP of information security at WeWork. Also, huge thanks to David Raviv and the NY Information Security Meetup group for partnering with us on this event.

Thanks to this week's podcast sponsors Tehama, Tenable, and Devo.

Tehama provides secure and compliant virtual desktops on the cloud, and all the IT infrastructure needed for enterprises to connect and grow global and remote teams. Tehama's built-in SOC 2 Type II controls reduce the risk of malware intrusion from endpoint devices, data breaches, and other vulnerabilities. Learn more at tehama.io.

Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization.

SOC teams have been struggling with many of the same issues for years – lack of visibility, too much noise – all while the threat landscape grows more complex. Devo Security Operations is a next-gen cloud SIEM that enables you to gain complete visibility, reduce noise, and focus on the threats that matter most to the business.

On this week's episode

How are CISOs digesting the latest security news?

An article on Bloomberg and an ensuing discussion on LinkedIn pointed out that costs after a breach go beyond fines and lost reputation. They also include the cost to keep top cybersecurity talent. Salaries for a CISO post-breach can range from $2.5-$6.5 million, and that includes stock. What could a security professional show in this time of crisis to demonstrate that they are the one to hire and garner such a salary?

Hey, you're a CISO, what's your take on this?

Michael Mortensen of Risk Based Security asks a question about when there's considerable dialogue with a prospect, and they go cold. Michael wants to know what causes this. He has theories on salespeople being impatient or the wrong set of expectations, but he's interested in the CISO's viewpoint. Assuming you have had conversations with a vendor, have you gone cold on their outreach? If so, what was the reason?

It's time to play, "What's Worse?!"

Two rounds, lots of agreement, but plenty of struggle.

Why is everybody talking about this now?

Cryptography firm Crown Sterling has sued Black Hat for breaching its sponsorship agreement and is also suing 10 individuals for orchestrating a disruption of the company's sponsored talk at the conference, in which the CEO presented a finding on discovering prime numbers, which are key to public-key encryption. The crowd didn't like it and they booed him. You can see a video of one individual yelling, "Get off the stage, you shouldn't be here." Crown Sterling argued that Black Hat was in violation of their sponsorship agreement because they didn't do enough to stop it. At Black Hat and related parties I saw many printed signs about codes of conduct. It doesn't appear anyone had a plan to enforce those rules. What has happened in the security community that some security professionals feel they have the right to shout down a speaker like this? If one of these 10 disruptors was your employee, how would you respond?

What's a CISO to do?

So much of a job of a CISO is to change behavior. How do CISOs change behavior to a more secure posture? Where should a CISO start? What's the low-hanging fruit?

It's time for the audience question speed round

Our audience has questions, and our CISOs tried to come up with as many answers as possible. Our closing question put my guest co-host in the hot seat.


