Providing cybersecurity advisory content to startups to establish an effective cyber program

— Join former ICE and NYSE CISO Jerry Perullo as he explores the opportunities available to tech executives after retirement
Season 3 Episode 1 - The Interim CISO

Joined by fellow Interim CISO veterans Yael Nagler of Yass Partners and Aurobindo Sundaram of RELX, host Jerry Perullo reflects on his experience as the Interim CISO of Silicon Valley Bank and explores the challenges of the role from hiring manager and candidate perspectives.
00:16:30 Why hire an Interim CISO?
00:21:00 Is there such a thing as KTLO in the CISO role?
00:30:3

The Risk Acceptance Myth

The notion of "Risk Acceptance" has always challenged me. For the uninitiated, Risk Acceptance is a concept often discussed in cybersecurity leadership when it comes to accountability for cyber debt. The idea is that cybersecurity leaders and other professionals identify risks and recommend mitigating actions that would reduce that risk, but recognize that it is always up to business leadership to weigh the costs and benefits of change and make a final decision. Risk Acceptance has always come u

Cyber Governance: What is Fair to Expect from Board Directors and Management? 3 of 4

Episode 3: Incidents
In Episode 1 of this series I talked about oversight of cybersecurity threats and how a Board can engage with senior management to determine the mission of the cybersecurity department and prioritize testing and analysis. Next I moved on to cyber risks in Episode 2 and the idea of a Remediation Agility chart to guide a wide-ranging Board room discussion with a single visual. The next area that deserves a permanent spot on the Board agenda is incidents. Incident awareness a

Overrated? On TPRM, SBOM, Solarwinds, and Supply Chain Security

We've all run to the same side of the boat on supply chain security when it comes to cyber. Rather than chasing the Sisyphean (and antithetical to modern product-development philosophy) task of ensuring our suppliers deliver perfectly secure software, we should be expected to architect and deploy our dependencies with the assumption they will be compromised at some point, minimizing the amount of impact that could have and ensuring we could detect such an issue timely. To expound on it, I'll sa

Encryption is Overrated

Years ago I found myself in one of those awkward elevator pairings where you are unexpectedly face to face with your CEO. It's a particularly awkward spot when you are a CISO, as beyond the usual desperation to sound brilliant that most execs feel in that spot, the CEO these days also feels pressure to demonstrate "tone at the top", "executive buy-in", and "stakeholder oversight" when given the chance. In that particular vignette I doubled down on the awkwardness, as his quick cordial cyber com

Season 2 Episode 1 - Board/CISO Interaction

Returning from 6 months as the interim CISO of Silicon Valley Bank, host Jerry Perullo speaks about Board/CISO interaction on the FS-ISAC Insights podcast. Full video interview at
00:04:35 Being the Interim CISO of SVB through the crisis
00:06:36 The CISO “seat at the table”
00:14:00 Board TRIC 1: Threats
00:17:30 Board TRIC 2: Risks
00:19:30 Board TRIC 3: Incidents
00:21:20 Board TRIC 4: Compliance
00:26:00 CISOs as Board Directors

Network Egress and Ingress Fundamentals

There is a lot of confusion about network ingress and egress. This isn't limited to junior staff; I've witnessed this many times among software engineers and technology leaders alike. Often only network and firewall engineers really comprehend the topic fully, though this should not be the case. A network connection must begin with an "initiator". This is usually thought of as a "client" in a traditional "client server" model. The client is defined not by their intention, purpose, or operating

Cyber Governance: What is Fair to Expect from Board Directors and Management? 2 of 4

Episode 2: Risks
In Episode 1 of this series I talked about oversight of cybersecurity threats and how a Board can engage with senior management to determine the mission of the cybersecurity department and prioritize testing and analysis. Now it's time to move on to cyber risks and what level of detail is appropriate in a Board room. To steer our conversation let's use a Remediation Agility chart. Similar to the Threat Objective portrayal in Episode 1, this visual is meant to sit on the screen

Bad CISO Archetypes

As part of my advisory work, I often help companies find and/or interview security leaders. While I'm a huge fan of screening quizzes, I realized that I should go a step further and help firms understand what I'm trying to detect or avoid during the interview process. In the process of discussing this with some peers, the Bad CISO Archetypes list was born. Look out for these when you are hiring - but more importantly steer your career to avoid becoming one!
Chicken Little
You don’t want someo

Episode 07 - Bug Bounties with guest Casey Ellis

Bugcrowd founder Casey Ellis joins #lifeafterCISO to talk about bug bounty programs in the wake of the Joe Sullivan Uber trial. Whether you've been running bounty programs for years or just learned of them last week, this conversation will take you from basics straight into the most interesting and controversial bits.
01:25 The Joe Sullivan Uber trial and its impact on bug bounties
10:30 Clearing Assurance Debt: The initial wave of bounties
15:40 Ostrich Risk Management
22:55 Vulnerability D

Cyber Governance: What is Fair to Expect from Board Directors and Management? 1 of 4

With mounting pressure around cyber literacy in the Boardroom, Directors are looking for specifics around what will be expected of them. Likewise, organizations are wondering what is fair for Directors to expect of management. Drawing on experiences from both sides of the table, following are reasonable expectations that leverage Director talents to establish effective cyber oversight. I'll do this using a mnemonic to guide program governance internally and externally - TRIC: Threats, Risks, In

An open letter to a fresh cybersecurity hire

Congratulations on your first cybersecurity job! Whether you are just entering the workforce or pivoting to a new field, here are some inside tips that may help you succeed. 1. Never say "that isn't my job". The colleagues I've seen advance and realize success in their cyber careers were willing to pitch in and help without regard to job description. This will be magnified if your employer is a smaller company, but the general idea is that companies and cultures are forged by the people who c

Episode 06 - Retire Many Times with guest Sounil Yu

Sounil Yu joins the #lifeafterCISO podcast and shares the idea of "retiring many times". Sounil is the renowned author of the Cyber Defense Matrix and lauded by the CISO community for his ability to step back and view problems in a new light. Host Jerry Perullo and Sounil go on to look at the Equifax breach from a new angle, talk about CISO accountability, and finally offer up their early thoughts on the Twitter whistleblower report.
01:43 Returning to work as a CISO
10:30 Do CISOs spend too m

Episode 05 - Deciding When It's Time to Go with guest Jason Chan

An essential part of moving on from a long tech career is just figuring out when the time is right. Join host Jerry Perullo and retired Netflix CISO Jason Chan for a discussion about picking your time, "Identity Management" after retirement, and the Psychology of Happiness. Links to the material discussed by Jason Chan include:

Vulnerability management is dead. But GRC is hiring...
Vulnerability Management

I used to have a TVM team. Threat & Vulnerability Management. The individuals in there had the word "Vulnerability" in their titles. It's how a lot of shops roll. TVM seemed to become a default piece of the "build a cyber shop playbook". And if you survey big CISO organizations today, you'll still find a lot of TVM departments. I'm not sure how this came to be, but I can't think any of us ever organically decided that we needed an individual - no less a team - specifically tasked with managing

How much AppSec is too much?

I've been using the term "West Coast CISO" a lot lately. While it feels like CISOs used to be either network/infrastructure CISOs or risk manager CISOs, now the split is having to make room for the CISO heavily focused on code security. The image is one of a CISO born in the cloud, focused on delivering (security) bug-free code, and thus focusing architecturally on CI/CD, change control, and automation, to oversimplify. This emphasis on code is contrasted with network controls and discussion of

The value of the True Positive

As originally published on Vectra's Unfiltered at Cybersecurity is afflicted with the duty of “proving a negative” all the way up to the Board room. We can learn some tricks from incident response and threat intelligence to tackle the art of distinguishing the lucky from the good. When it comes to incident response, it is challenging – but essential – to define criteria for closing an investigation. Enter the true positive. When someone says that they did not see

Episode 04 - The CISO Professor

In this episode, host Jerry Perullo talks about cybersecurity in higher education. A Professor of the Practice in the Georgia Tech School of Cyber Security and Privacy, Perullo thinks aloud on the challenges that have prevented cyber from taking off at the undergraduate level before focusing on specific steps you might take to pursue this career path.
00:00:55 A Brief History of Cyber in Higher Ed
00:03:11 The Archetype Cyber Curriculum
00:08:03 Enter the CISO: t-5
00:13:25 When You Are Rea

Episode 03 - Angel Investing and Advisory Work

In this episode we are talking about Angel Investing, Advisory Work, and how they are essentially the same thing when you get down to it. Hear some details about evaluating opportunities, structuring "deals", and avoiding mistakes along the way.
00:05:37 Don’t Screw Up - Riding VC Paper, the FAST Agreement, Option Vesting,...
00:21:26 Win - Playing to your Strengths
00:24:11 Diversify - Frequency and Volume to Avoid Black Swans
00:30:17 Conflicts & Disclosure

Episode 02 - The CISO Board Director

In this episode, host Jerry Perullo explores the opportunities and challenges for retiring tech executives and CISOs in the Board room. Hear about how Boards need business leaders first and specialists second, and what you can do today to groom yourself in that very direction.
01:57 Background
07:45 The Traditional Board Director
09:50 Episode BLUF
10:19 Landing a Seat
14:32 Your Board Profile
16:08 t-3: What You Should do Now
28:40 Recap

Cybersecurity Governance

To be sustainable, effective, and defensible, a cybersecurity program must begin with governance. Adversarial helps firms establish, operate, and review both internal and external cybersecurity governance programs with an emphasis on engaging non-cyber business leaders and leveraging their strengths.
Internal Governance
Often overlooked, establishing a cross-functional CyberGov committee is an essential step to involving business leaders in appreciating and setting the cybersecurity mission. A

Cybersecurity Strategy

Even mature, highly-resourced cybersecurity programs can overlook articulating a strategy in the absence of specific regulatory requirements. All organizations are well-served to see cybersecurity as an ongoing process that warrants deliberate, intentional mission setting, regular testing, and consistent reporting. Adversarial Risk Management helps firms of all sizes understand the threat landscape and form a realistic assessment of the likelihood and impact of major threat categories. After th

Risk Management

Cybersecurity risk management is not too complex to articulate and address with specific, actionable measures. Adversarial Risk Management begins by helping firms establish risk management terms and a centralized, tool-agnostic risk register governed by a Risk Assessment Management Procedure (RAMP). In addition to providing a vital artifact to respond to third-party risk management inquiries, regulatory examination, and governance oversight, the RAMP and risk register ensure that findings from a

Episode 01 - The Portfolio Life

In this introductory episode, host Jerry Perullo talks about the range of opportunities available to tech executives after the day job. Perullo leverages his 20 years of experience as the founding CISO of ICE and the New York Stock Exchange to discuss what you can do 3-5 years before leaving your post to get prepared.
00:08:43 Advisory Work
00:13:20 Consulting
00:16:00 Angel Investing
00:25:05 Board Directorship
00:35:12 Entrepreneurship
00:37:06 Teaching
00:39:12 Volunteering

Making Sense of Geographic Network and Travel Restrictions

There is a lot of confusion when it comes to cybersecurity "geo restrictions" on networks, and just as much when it comes to corporate travel protocol. While the topics are distinct, they are often conflated and share enough underpinning facts to discuss together. First, let's talk about geographic network restrictions. We can organize that topic by ingress - or inbound restrictions, and egress - or outbound.
INGRESS
Ingress geographic network ("geo IP") restrictions apply to restricting wha

IOCs aren't for blocking - they are for control validation
Threat Intelligence

There is a misconception out there that security departments should be ingesting feeds of Indicators of Compromise (IOCs) and loading them into firewalls, endpoint software, and proxy configurations as soon as possible. This perception is amplified by product marketing focused on the task, and it's easy to get caught up in the idea that this is our mission. By the time an IOC has been published in an intelligence report, there is a high likelihood it has been neutralized. Imagine a command & co

Patching is Overrated

Patching became a household term during the Equifax security breach and Congressional hearings. While IT maintenance and hygiene have their place in running a secure environment, over-emphasis can distract limited resources from more important tasks or trigger operational risks. Patches are only relevant when a security vulnerability is known and addressed by a vendor. So whether it is a 0-day vulnerability discovery without a patch yet available or just the unavoidable window between the time

Cybersecurity for Investor Relations and Corporate Governance

In addition to new rulemaking and interpretive guidance on cybersecurity from the SEC, public companies are seeing their cybersecurity disclosures and assertions weighed directly by investors, ratings agencies, and insurance providers - not to mention prospective customers. Investors and analysts are capturing cybersecurity maturity alongside other Environmental, Social, and Governance (ESG) priorities, and agencies are performing algorithmic reviews of public filings to score companies on their

Cybersecurity in the Three Lines Model

Since 2010, the Three Lines of Defense model has been widely adopted as an authoritative framework for operational and financial enterprise risk management across the globe. The model was not intended to dictate new positions and roles within an organization per se, but to evaluate existing structures to ensure sufficient coverage and independence to provide effective risk management. Even if you are not evaluated against the model today, it is a useful framework to gauge the maturity of your or

The CISO's Guide to Early-Stage Investing
Angel Investing

Below are some things I learned as a CISO making angel investments into cybersecurity startups. I’m not a professional investor or financial advisor, and I’m avoiding discussions on whether you should pursue private investing or how to pick winners. My focus in this article is on the types of investments, customs, and definitions a CISO focused on cybersecurity startups is likely to see around 2021+, and helping you understand the terms you will hear if you decide to get involved. Basics Delib

It's not the 2FA.. it's the 1TP!!!

Multifactor authentication (MFA / 2FA) is arguably the most powerful security control deployed over the past 20 years. But it dawned on me that it isn't multi that's really getting it done. It's the fact that one of those factors has been a one-time-password (OTP or 1TP) in a token or app that changes every 60 seconds. The unwritten math about MFA is that a single factor is difficult to compromise, and thus two of them = difficult^2. But in reality our static credentials have become easy thanks

Quick trick to assess your vulnerability to SIM swapping

I listened to an NPR story on SMS SIM swapping on my drive in this morning. This is a pretty well-documented threat vector whereby adversaries port your phone number over to their device at a key moment in an authentication hack so they can intercept a one-time verification code and impersonate you. The way it usually plays out, the intercepted code plays a part in "recovering" a "lost" password for your email account, which they then use to "recover" more passwords for more important accounts,

Briefing Your Board on Cybersecurity part 3/3: Board Committees - Metrics and Materials

Cybersecurity is arguably the most concerning topic across corporate board rooms these days, with Directors clamoring for data not just on risk, but on general education around this new and complex subject. This collection of tips mirrors a talk I gave at the FS-ISAC annual summit in April 2018 and I hope fellow CISOs, security practitioners, corporate governance professionals and corporate Directors may find it helpful. Episode 1 introduced core Corporate Governance concepts for Security Profe

Briefing Your Board on Cybersecurity part 2/3: Full Board Meetings

Cybersecurity is arguably the most concerning topic across corporate board rooms these days, with Directors clamoring for data not just on risk, but on general education around this new and complex subject. This collection of tips mirrors a talk I gave at the FS-ISAC annual summit in April 2018 and I hope fellow CISOs, security practitioners, corporate governance professionals and corporate Directors may find it helpful. Episode 1 introduced core Corporate Governance concepts for Security Profe

Briefing Your Board on Cybersecurity Part 1/3: Corporate Governance 101 for Security Professionals

Cybersecurity is undeniably one of the most concerning topics in corporate board rooms today. Directors are looking not only for assurance around the obvious risks, but for general education around this new and complex subject. Clarity is sought around what is expected of Directors, how exposed a firm is to the latest breach on the news, how management assesses cybersecurity risk, and how a firm's program stacks up in independent reviews. A knock-on effect of this is a raft of questions among CI

What are they after? A threat-based approach to cybersecurity risk management

I'm pleased to be a part of the publication of a substantial Cybersecurity Guide for Directors and Officers announced yesterday. I hope you will visit and enjoy the entire book and more. Following is my contribution (Chapter 27):
What are they after? A threat-based approach to cybersecurity risk management
Intercontinental Exchange & New York Stock Exchange - Jerry Perullo, CISO
Given finite resources and the ongoing threat of the “next big hack,” cybersecurity is