Providing cybersecurity advisory content to startups to establish an effective cyber program

— Join former ICE and NYSE CISO Jerry Perullo as he explores the opportunities available to tech executives after retirement
Season 3 Episode 1 - The Interim CISO

Joined by fellow Interim CISO veterans Yael Nagler of Yass Partners and Aurobindo Sundaram of RELX, host Jerry Perullo reflects on his experience as the Interim CISO of Silicon Valley Bank and explores the challenges of the role from hiring manager and candidate perspectives. Yael Nagler: Aurobindo Sundaram: 00:16:30 Why hire an Interim CISO? 00:21:00 Is there such a thing as KTLO in the CISO role? 00:30:3

The Risk Acceptance Myth

The notion of "Risk Acceptance" has always challenged me. For the uninitiated, Risk Acceptance is a concept often discussed in cybersecurity leadership when it comes to accountability for cyber debt. The idea is that cybersecurity leaders and other professionals identify risks and recommend mitigating actions that would reduce that risk, but recognize that it is always up to business leadership to weigh the costs and benefits of change and make a final decision. Risk Acceptance has always come u

Cyber Governance: What is Fair to Expect from Board Directors and Management? 3 of 4

Episode 3: Incidents In Episode 1 of this series I talked about oversight of cybersecurity threats and how a Board can engage with senior management to determine the mission of the cybersecurity department and prioritize testing and analysis. Next I moved on to cyber risks in Episode 2 and the idea of a Remediation Agility chart to guide a wide-ranging Board room discussion with a single visual. The next area that deserves a permanent spot on the Board agenda is incidents. Incident awareness a

Overrated? On TPRM, SBOM, Solarwinds, and Supply Chain Security

We've all run to the same side of the boat on supply chain security when it comes to cyber. Rather than chasing the Sisyphean (and antithetical to modern product-development philosophy) task of ensuring our suppliers deliver perfectly secure software, we should be expected to architect and deploy our dependencies with the assumption they will be compromised at some point, minimizing the amount of impact that could have and ensuring we could detect such an issue timely. To expound on it, I'll sa

Encryption is Overrated

Years ago I found myself in one of those awkward elevator pairings where you are unexpectedly face to face with your CEO. It's a particularly awkward spot when you are a CISO, as beyond the usual desperation to sound brilliant that most execs feel in that spot, the CEO these days also feels pressure to demonstrate "tone at the top", "executive buy-in", and "stakeholder oversight" when given the chance. In that particular vignette I doubled down on the awkwardness, as his quick cordial cyber com

Season 2 Episode 1 - Board/CISO Interaction

Returning from 6 months as the interim CISO of Silicon Valley Bank, host Jerry Perullo speaks about Board/CISO interaction on the FS-ISAC Insights podcast. Full video interview at 00:04:35 Being the Interim CISO of SVB through the crisis 00:06:36 The CISO “seat at the table” 00:14:00 Board TRIC 1: Threats 00:17:30 Board TRIC 2: Risks 00:19:30 Board TRIC 3: Incidents 00:21:20 Board TRIC 4: Compliance 00:26:00 CISOs as Board Directors Season 2 Episode 1 - Board/CISO I

Network Egress and Ingress Fundamentals

There is a lot of confusion about network ingress and egress. This isn't limited to junior staff; I've witnessed this many times among software engineers and technology leaders alike. Often only network and firewall engineers really comprehend the topic fully, though this should not be the case. A network connection must begin with an "initiator". This is usually thought of as a "client" in a traditional "client server" model. The client is defined not by their intention, purpose, or operating

Bad CISO Archetypes

As part of my advisory work, I often help companies find and/or interview security leaders. While I'm a huge fan of screening quizzes, I realized that I should go a step further and help firms understand what I'm trying to detect or avoid during the interview process. In the process of discussing this with some peers, the Bad CISO Archetypes list was born. Look out for these when you are hiring - but more importantly steer your career to avoid becoming one! Chicken Little You don’t want someo

Episode 07 - Bug Bounties with guest Casey Ellis

Bugcrowd founder Casey Ellis joins #lifeafterCISO to talk about bug bounty programs in the wake of the Joe Sullivan Uber trial. Whether you've been running bounty programs for years or just learned of them last week, this conversation will take you from basics straight into the most interesting and controversial bits. 01:25 The Joe Sullivan Uber trial and its impact on bug bounties 10:30 Clearing Assurance Debt: The initial wave of bounties 15:40 Ostrich Risk Management 22:55 Vulnerability D

Cyber Governance: What is Fair to Expect from Board Directors and Management? 1 of 4

With mounting pressure around cyber literacy in the Boardroom, Directors are looking for specifics around what will be expected of them. Likewise, organizations are wondering what is fair for Directors to expect of management. Drawing on experiences from both sides of the table, following are reasonable expectations that leverage Director talents to establish effective cyber oversight. I'll do this using a mnemonic to guide program governance internally and externally - TRIC: Threats, Risks, In

Episode 05 - Deciding When It's Time to Go with guest Jason Chan

An essential part of moving on from a long tech career is just figuring out when the time is right. Join host Jerry Perullo and retired Netflix CISO Jason Chan for a discussion about picking your time, "Identity Management" after retirement, and the Psychology of Happiness. Links to the material discussed by Jason Chan include: Episode 05 - Deciding When I

Vulnerability management is dead. But GRC is hiring...

I used to have a TVM team. Threat & Vulnerability Management. The individuals in there had the word "Vulnerability" in their titles. It's how a lot of shops roll. TVM seemed to become a default piece of the "build a cyber shop playbook". And if you survey big CISO organizations today, you'll still find a lot of TVM departments. I'm not sure how this came to be, but I can't think any of us ever organically decided that we needed an individual - no less a team - specifically tasked with managing

How much AppSec is too much?

I've been using the term "West Coast CISO" a lot lately. While it feels like CISOs used to be either network/infrastructure CISOs or risk manager CISOs, now the split is having to make room for the CISO heavily focused on code security. The image is one of a CISO born in the cloud, focused on delivering (security) bug-free code, and thus focusing architecturally on CI/CD, change control, and automation, to oversimplify. This emphasis on code is contrasted with network controls and discussion of

Episode 03 - Angel Investing and Advisory Work

In this episode we are talking about Angel Investing, Advisory Work, and how they are essentially the same thing when you get down to it. Hear some details about evaluating opportunities, structuring "deals", and avoiding mistakes along the way. 00:05:37 Don’t Screw Up - Riding VC Paper, the FAST Agreement, Option Vesting,... 00:21:26 Win - Playing to your Strengths 00:24:11 Diversify - Frequency and Volume to Avoid Black Swans 00:30:17 Conflicts & Disclosure Episode 03 - Angel Investing

Episode 02 - The CISO Board Director

In this episode, host Jerry Perullo explores the opportunities and challenges for retiring tech executives and CISOs in the Board room. Hear about how Boards need business leaders first and specialists second, and what you can do today to groom yourself in that very direction. 01:57 Background 07:45 The Traditional Board Director 09:50 Episode BLUF 10:19 Landing a Seat 14:32 Your Board Profile 16:08 t-3: What You Should do Now 28:40 Recap Episode 02 - The CISO Board Director |

Episode 01 - The Portfolio Life

In this introductory episode, host Jerry Perullo talks about the range of opportunities available to tech executives after the day job. Perullo leverages his 20 years of experience as the founding CISO of ICE and the New York Stock Exchange to discuss what you can do 3-5 years before leaving your post to get prepared. 00:08:43 Advisory Work 00:13:20 Consulting 00:16:00 Angel Investing 00:25:05 Board Directorship 00:35:12 Entrepreneurship 00:37:06 Teaching 00:39:12 Volunteering Episode

The CISO's Guide to Early-Stage Investing

Below are some things I learned as a CISO making angel investments into cybersecurity startups. I’m not a professional investor or financial advisor, and I’m avoiding discussions on whether you should pursue private investing or how to pick winners. My focus in this article is on the types of investments, customs, and definitions a CISO focused on cybersecurity startups is likely to see around 2021+, and helping you understand the terms you will hear if you decide to get involved. Basics Delib