We've Got a Dozen Features. Only Two Work.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/weve-got-a-dozen-features-only-two-work/) If you don't focus too much on quality you'll really be impressed with the quantity of features our product has. This week's episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our guest is Yaron Levi (@0xL3v1), CISO, Blue Cross Blue Shield of Kansas City. Thanks to this week's podcast sponsor, DivvyCloud. DivvyCloud provides continuous security and compliance across all CSPs and containers, including AWS, GCP, Azure, Ailibaba, and Kubernetes, providing a comprehensive view of what's in your cloud, along with the tools and automation you need to manage it today, tomorrow, and into the future as your business grows and changes. On this week's episode Hey, you're a CISO. What's your take on this? What's the value of a vendor-derived security meter? I sat down for a vendor presentation that was chock full of dashboards with meters. Some made sense and others appeared they were derived through some mysterious black box. When do you trust a vendor-derived meter? Can you? If not you, who are they for? Is it possible to ignore the absolute numbers in a vendor-derived formula and value only the changes over time? If you don't trust a vendor-derived meter, what meters do you create for yourself that you do trust? How do you go about discovering new security solutions? Tip of the hat to John Prokap, CISO, HarperCollins for forwarding me this excellent CIO.com article by Yoav Leitersdorf of YL Ventures. How feature rich should a startup product be? In the article, Richard Rushing, CISO, Motorola Mobility talks about the need to trust a startup and the quality of each feature. "It's not enough to just focus on three out of five. All five have to be spot on because I can't miss, which means you can't miss." How does a vendor avoid the classic case of trying to be everything to everybody and really you're serving no one? What's Worse? What's better for the business, compromised security occasionally, or unnecessary overhead that grows over time? Close your eyes and visualize the perfect engagement There's a well-known paradox in the healthcare industry when it comes to working with third party vendors. Because of HIPAA regulations there's a desire to keep information private, but at the same time, what about all these wonderful third party tools. Let them have access to our data. What's the advice for vendors eager to work with a healthcare organization? How should they demonstrate their awareness of this paradox (e.g., scope of responsibilities, efficacy of controls, attestation, accountability)? Why is everyone talking about this now? We recorded this episode on March 30th as we talk about this next topic and that is should companies challenge their employees with a COVID-19 phishing test? Tip of the hat to Louisa Vogelenzang of Kroll who pointed me to this active discussion started by Grant McKechnie, Telstra, who asked this very question. There was a lot of debate. We debate both sides and offer an ultimate recommendation.