We Take Privacy, Not Our CISO, Seriously

All pictures and links for this episode can be found on CISO Series (https://cisoseries.com/we-take-privacy-not-our-ciso-seriously/) We're looking for the one company brave enough to say they don't care about privacy on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded live on June 6th at The B.O.B. in Grand Rapids, Michigan at the 2019 West Michigan IT Summit, hosted by C3 Technology Advisors. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Allan Alford (@allanalfordinTX), principal consultant at Side Channel Security. Our guest for this special live recording is the former CISO/CSO/CTO of the state of Michigan, Dan Lohrmann (@govcso). David Spark and Allan Alford, co-hosts of Defense in Depth on the CISO Series network, and Dan Lohrmann, former CISO/CSO/CTO for the State of Michigan. Thanks to this week's podcast sponsors C3 Technology Advisors, Fuze, and Assured Data Protection. C3 Technology Advisors is a technology consulting firm that helps midsize to enterprise organizations make better technology buying decisions. With technology quickly changing, let C3 help you shift through all the disruption, noise, and sales pitches to allow you to make better technology buying decisions for your organization. Fuze is the #1 cloud communications and collaboration platform for the enterprise, combining calling, meeting, chatting, and sharing into a single, easy-to-use application. Designed for the way people work, Fuze allows the modern, mobile workforce to seamlessly communicate anytime, anywhere, across any device. Assured Data Protection provides backup and disaster recovery solutions utilizing Rubrik 'as a Service'. They offer 24/7 global support, with expertise that truly sets them apart from other back up and DR service providers. On this week's episode Should you ignore this security advice? Yaron Levi, CISO of Blue Cross Blue Shield of Kansas City posed an interesting question, "Many people in security follow best practice without questioning them but in fact there are many BAD security best practices." Levi asks the LinkedIn community and I also ask our guests, "What do you consider a 'Bad Best Practice?'" How to become a CISO Aaron Weinberg, Kirlin Group, asks, "What would a CIO need to do to switch career tracks to being a CISO?" I'll add why would you want to do that? What's Worse?! We've got two rounds of questions and conflict on at least one of them. I tell ya, CISOs get no respect Brian Krebs of Krebs Security asked, "Why aren't CISOs often not listed on the executive page of a company website?" Krebs looked at the top 100 global companies and only found 5 that had a CISO listed. Of the NASDAQ 50, there were only three listed with a security title. But plenty had chief of human resources or chief marketing officers listed. One argument for the lack of front page visibility for CISOs is that companies value revenue centers over cost centers. Another argument is the reporting structure. That CISOs often report to CIOs. Is that why it's happening, or is it something else? Close your eyes. Breathe in. It's time for a little security philosophy. A question on Quora asks you to participate in this little thought exercise, "If you knew all computers would be erased tomorrow by a worldwide virus, what steps would you take to protect yourself?" It's a little more involved than just unpluging your computer from the Internet. Why is this a bad pitch? I read a cringeworthy bad pitch and our CISOs respond. Listen to the end as I reveal something surprising about this very bad pitch. And now this… I burn through a stack of questions from the audience as we go into a cybersecurity speed round.