Adversarial

Joined by fellow Interim CISO veterans Yael Nagler of Yass Partners and Aurobindo Sundaram of RELX, host Jerry Perullo reflects on his experience as the Interim CISO of Silicon Valley Bank and explores the challenges of the role from hiring manager and candidate perspectives. Yael Nagler: https://www.linkedin.com/in/yaelnagler/ Aurobindo Sundaram: https://www.linkedin.com/in/aurobindosundaram/ 00:16:30 Why hire an Interim CISO? 00:21:00 Is there such a thing as KTLO in the CISO role? 00:30:3

The notion of "Risk Acceptance" has always challenged me. For the uninitiated, Risk Acceptance is a concept often discussed in cybersecurity leadership when it comes to accountability for cyber debt. The idea is that cybersecurity leaders and other professionals identify risks and recommend mitigating actions that would reduce that risk, but recognize that it is always up to business leadership to weigh the costs and benefits of change and make a final decision. Risk Acceptance has always come u

Episode 3: Incidents In Episode 1 of this series I talked about oversight of cybersecurity threats and how a Board can engage with senior management to determine the mission of the cybersecurity department and prioritize testing and analysis. Next I moved on to cyber risks in Episode 2 and the idea of a Remediation Agility chart to guide a wide-ranging Board room discussion with a single visual. The next area that deserves a permanent spot on the Board agenda is incidents. Incident awareness a

We've all run to the same side of the boat on supply chain security when it comes to cyber. Rather than chasing the Sisyphean (and antithetical to modern product-development philosophy) task of ensuring our suppliers deliver perfectly secure software, we should be expected to architect and deploy our dependencies with the assumption they will be compromised at some point, minimizing the amount of impact that could have and ensuring we could detect such an issue timely. To expound on it, I'll sa

Years ago I found myself in one of those awkward elevator pairings where you are unexpectedly face to face with your CEO. It's a particularly awkward spot when you are a CISO, as beyond the usual desperation to sound brilliant that most execs feel in that spot, the CEO these days also feels pressure to demonstrate "tone at the top", "executive buy-in", and "stakeholder oversight" when given the chance. In that particular vignette I doubled down on the awkwardness, as his quick cordial cyber com

Returning from 6 months as the interim CISO of Silicon Valley Bank, host Jerry Perullo speaks about Board/CISO interaction on the FS-ISAC Insights podcast. Full video interview at fsisac.com/insights 00:04:35 Being the Interim CISO of SVB through the crisis 00:06:36 The CISO “seat at the table” 00:14:00 Board TRIC 1: Threats 00:17:30 Board TRIC 2: Risks 00:19:30 Board TRIC 3: Incidents 00:21:20 Board TRIC 4: Compliance 00:26:00 CISOs as Board Directors Season 2 Episode 1 - Board/CISO I

There is a lot of confusion about network ingress and egress. This isn't limited to junior staff; I've witnessed this many times among software engineers and technology leaders alike. Often only network and firewall engineers really comprehend the topic fully, though this should not be the case. A network connection must begin with an "initiator". This is usually thought of as a "client" in a traditional "client server" model. The client is defined not by their intention, purpose, or operating

Episode 2: Risks In Episode 1 of this series I talked about oversight of cybersecurity threats and how a Board can engage with senior management to determine the mission of the cybersecurity department and prioritize testing and analysis. Now it's time to move on to cyber risks and what level of detail is appropriate in a Board room. To steer our conversation let's use a Remediation Agility chart. Similar to the Threat Objective portrayal in Episode 1, this visual is meant to sit on the screen

As part of my advisory work, I often help companies find and/or interview security leaders. While I'm a huge fan of screening quizzes, I realized that I should go a step further and help firms understand what I'm trying to detect or avoid during the interview process. In the process of discussing this with some peers, the Bad CISO Archetypes list was born. Look out for these when you are hiring - but more importantly steer your career to avoid becoming one! Chicken Little You don’t want someo

Bugcrowd founder Casey Ellis joins #lifeafterCISO to talk about bug bounty programs in the wake of the Joe Sullivan Uber trial. Whether you've been running bounty programs for years or just learned of them last week, this conversation will take you from basics straight into the most interesting and controversial bits. 01:25 The Joe Sullivan Uber trial and its impact on bug bounties 10:30 Clearing Assurance Debt: The initial wave of bounties 15:40 Ostrich Risk Management 22:55 Vulnerability D

With mounting pressure around cyber literacy in the Boardroom, Directors are looking for specifics around what will be expected of them. Likewise, organizations are wondering what is fair for Directors to expect of management. Drawing on experiences from both sides of the table, following are reasonable expectations that leverage Director talents to establish effective cyber oversight. I'll do this using a mnemonic to guide program governance internally and externally - TRIC: Threats, Risks, In

Congratulations on your first cybersecurity job! Whether you are just entering the workforce or pivoting to a new field, here are some inside tips that may help you succeed. 1. Never say "that isn't my job". The colleagues I've seen advance and realize success in their cyber careers were willing to pitch in and help without regard to job description. This will be magnified if your employer is a smaller company, but the general idea is that companies and cultures are forged by the people who c

Sounil Yu joins the #lifeafterCISO podcast and shares the idea of "retiring many times". Sounil is the renowned author of the Cyber Defense Matrix and lauded by the CISO community for his ability to step back and view problems in a new light. Host Jerry Perullo and Sounil go on to look at the Equifax breach from a new angle, talk about CISO accountability, and finally offer up their early thoughts on the Twitter whistleblower report. 01:43 Returning to work as a CISO 10:30 Do CISOs spend too m

An essential part of moving on from a long tech career is just figuring out when the time is right. Join host Jerry Perullo and retired Netflix CISO Jason Chan for a discussion about picking your time, "Identity Management" after retirement, and the Psychology of Happiness. Links to the material discussed by Jason Chan include: https://arthurbrooks.com/podcast_show/the-art-of-happiness-with-arthur-brooks/ https://www.coursera.org/learn/the-science-of-well-being Episode 05 - Deciding When I

I used to have a TVM team. Threat & Vulnerability Management. The individuals in there had the word "Vulnerability" in their titles. It's how a lot of shops roll. TVM seemed to become a default piece of the "build a cyber shop playbook". And if you survey big CISO organizations today, you'll still find a lot of TVM departments. I'm not sure how this came to be, but I can't think any of us ever organically decided that we needed an individual - no less a team - specifically tasked with managing

I've been using the term "West Coast CISO" a lot lately. While it feels like CISOs used to be either network/infrastructure CISOs or risk manager CISOs, now the split is having to make room for the CISO heavily focused on code security. The image is one of a CISO born in the cloud, focused on delivering (security) bug-free code, and thus focusing architecturally on CI/CD, change control, and automation, to oversimplify. This emphasis on code is contrasted with network controls and discussion of

As originally published on Vectra's Unfiltered at https://www.unfilteredcxo.com/ Cybersecurity is afflicted with the duty of “proving a negative” all the way up to the Board room. We can learn some tricks from incident response and threat intelligence to tackle the art of distinguishing the lucky from the good. When it comes to incident response, it is challenging – but essential – to define criteria for closing an investigation. Enter the true positive. When someone says that they did not see

In this Episode host Jerry Perullo talking about cybersecurity in higher education. A Professor of the Practice in the Georgia Tech School of Cyber Security and Privacy, Perullo thinks aloud on the challenges that have prevented cyber from taking off at the undergraduate level before focusing on specific steps you might take to pursue this career path. 00:00:55 A Brief History of Cyber in Higher Ed 00:03:11 The Archetype Cyber Curriculum 00:08:03 Enter the CISO: t-5 00:13:25 When You Are Rea

In this episode we are talking about Angel Investing, Advisory Work, and how they are essentially the same thing when you get down to it. Hear some details about evaluating opportunities, structuring "deals", and avoiding mistakes along the way. 00:05:37 Don’t Screw Up - Riding VC Paper, the FAST Agreement, Option Vesting,... 00:21:26 Win - Playing to your Strengths 00:24:11 Diversify - Frequency and Volume to Avoid Black Swans 00:30:17 Conflicts & Disclosure Episode 03 - Angel Investing

In this episode, host Jerry Perullo explores the opportunities and challenges for retiring tech executives and CISOs in the Board room. Hear about how Boards need business leaders first and specialists second, and what you can do today to groom yourself in that very direction. 01:57 Background 07:45 The Traditional Board Director 09:50 Episode BLUF 10:19 Landing a Seat 14:32 Your Board Profile 16:08 t-3: What You Should do Now 28:40 Recap Episode 02 - The CISO Board Director | RSS.com

To be sustainable, effective, and defensible, a cybersecurity program must begin with governance. Adversarial helps firms establish, operate, and review both internal and external cybersecurity governance programs with an emphasis on engaging non-cyber business leaders and leveraging their strengths. Internal Governance Often overlooked, establishing a cross-functional CyberGov committee is an essential step to involving business leaders in appreciating and setting the cybersecurity mission. A

Even mature, highly-resourced cybersecurity programs can overlook articulating a strategy in the absence of specific regulatory requirements. All organizations are well-served to see cybersecurity as an ongoing process that warrants deliberate, intentional mission setting, regular testing, and consistent reporting. Adversarial Risk Management helps firms of all sizes understand the threat landscape and form a realistic assessment of the likelihood and impact of major threat categories. After th

Cybersecurity risk management is not too complex to articulate and address with specific, actionable measures. Adversarial Risk Management begins by helping firms establish risk management terms and a centralized, tool-agnostic risk register governed by a Risk Assessment Management Procedure (RAMP). In addition to providing a vital artifact to respond to third-party risk management inquiries, regulatory examination, and governance oversight, the RAMP and risk register ensure that findings from a

In this introductory episode, host Jerry Perullo talks about the range of opportunities available to tech executives after the day job. Perullo leverages his 20 years of experience as the founding CISO of ICE and the New York Stock Exchange to discuss what you can do 3-5 years before leaving your post to get prepared. 00:08:43 Advisory Work 00:13:20 Consulting 00:16:00 Angel Investing 00:25:05 Board Directorship 00:35:12 Entrepreneurship 00:37:06 Teaching 00:39:12 Volunteering Episode

There is a lot of confusion when it comes to cybersecurity "geo restrictions" on networks, and just as much when it comes to corporate travel protocol. While the topics are distinct, they are often conflated and share enough underpinning facts to discuss together. First, let's talk about geographic network restrictions. We can organize that topic by ingress - or inbound restrictions, and egress - or outbound. INGRESS Ingress geographic network ("geo IP") restrictions apply to restricting wha

There is a misconception out there that security departments should be ingesting feeds of Indicators of Compromise (IOCs) and loading them into firewalls, endpoint software, and proxy configurations as soon as possible. This perception is amplified by product marketing focused on the task, and it's easy to get caught up in the idea that this is our mission. By the time an IOC has been published in an intelligence report, there is a high likelihood it has been neutralized. Imagine a command & co

Patching became a household term during the Equifax security breach and Congressional hearings. While IT maintenance and hygiene have their place in running a secure environment, over-emphasis can distract limited resources from more important tasks or trigger operational risks. Patches are only relevant when a security vulnerability is known and addressed by a vendor. So whether it is a 0-day vulnerability discovery without a patch yet available or just the unavoidable window between the time

In addition to new rulemaking and interpretive guidance on cybersecurity from the SEC, public companies are seeing their cybersecurity disclosures and assertions weighed directly by investors, ratings agencies, and insurance providers - not to mention prospective customers. Investors and analysts are capturing cybersecurity maturity alongside other Environmental, Social, and Governance (ESG) priorities, and agencies are performing algorithmic reviews of public filings to score companies on their

Since 2010, the Three Lines of Defense model has been widely adopted as an authoritative framework for operational and financial enterprise risk management across the globe. The model was not intended to dictate new positions and roles within an organization per se, but to evaluate existing structures to ensure sufficient coverage and independence to provide effective risk management. Even if you are not evaluated against the model today, it is a useful framework to gauge the maturity of your or

Below are some things I learned as a CISO making angel investments into cybersecurity startups. I’m not a professional investor or financial advisor, and I’m avoiding discussions on whether you should pursue private investing or how to pick winners. My focus in this article is on the types of investments, customs, and definitions a CISO focused on cybersecurity startups is likely to see around 2021+, and helping you understand the terms you will hear if you decide to get involved. Basics Delib

Multifactor authentication (MFA / 2FA) is arguably the most powerful security control deployed over the past 20 years. But it dawned on me that it isn't multi that's really getting it done. It's the fact that one of those factors has been a one-time-password (OTP or 1TP) in a token or app that changes every 60 seconds. The unwritten math about MFA is that a single factor is difficult to compromise, and thus two of them = difficult^2. But in reality our static credentials have become easy thanks

I listened to an NPR story on SMS SIM swapping on my drive in this morning. This is a pretty well-documented threat vector whereby adversaries port your phone number over to their device at a key moment in an authentication hack so they can intercept a one-time verification code and impersonate you. The way it usually plays out, the intercepted code plays a part in "recovering" a "lost" password for your email account, which they then use to "recover" more passwords for more important accounts,

Cybersecurity is arguably the most concerning topic across corporate board rooms these days, with Directors clamoring for data not just on risk, but on general education around this new and complex subject. This collection of tips mirrors a talk I gave at the FS-ISAC annual summit in April 2018 and I hope follow CISOs, security practitioners, corporate governance professionals and corporate Directors may find it helpful. Episode 1 introduced core Corporate Governance concepts for Security Profe

Cybersecurity is undeniably one of the most concerning topics in corporate board rooms today. Directors are looking not only for assurance around the obvious risks, but for general education around this new and complex subject. Clarity is sought around what is expected of Directors, how exposed a firm is to the latest breach on the news, how management assesses cybersecurity risk, and how a firm's program stacks up in independent reviews. A knock-on effect of this is a raft of questions among CI

I'm pleased to be a part of the publication of a substantial Cybersecurity Guide for Directors and Officers announced yesterday. I hope you will visit www.securityroundtable.org and enjoy the entire book and more. Following is my contribution (Chapter 27): What are they after? A threat-based approach to cybersecurity risk management Intercontinental Exchange & New York Stock Exchange - Jerry Perullo, CISO Given finite resources and the ongoing threat of the “next big hack,” cybersecurity is