SC 111: Tufin Talks Increasing Security and Agility Through Security Policy Orchestration

Enterprise networks grow more complex by the day. With hundreds to thousands of firewall rules, devices and routers spread across on-premises and hybrid cloud environments, it is difficult to keep visibility into the security policy change process.

This complexity, combined with the increasing rate of change, introduces vulnerabilities into the network. In addition, business owners need applications provisioned quickly but give little consideration to the security implications of their requests.

In this Tufin-sponsored podcast, David Cass, the Global Partner, Cloud Security and FSS CISO at IBM, discusses with Sagi Bar-Zvi, Tufin’s Solution Architect for the Americas, the benefits to CISOs of automating security policy orchestration. The two talk about how it delivers agility while verifying that change requests – sometimes hundreds per day – will not open the network to a breach once implemented.
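As an added example (not Tufin's product code), the following Python script models the pre-change check described above: a proposed firewall rule is mapped to trust zones and compared against a zone-to-zone policy matrix before it can be approved. The zone map, the policy matrix and the sample change requests are constructed for illustration.

```python
"""Check a proposed firewall change against a zone-to-zone security policy.

Added example, not Tufin's product code: it models the verification step an
orchestration layer runs before a change request is pushed to a device.
The zones, policy matrix and change requests are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

ANY_PORT = 0  # convention used here: port 0 in a request means "any port"

# Constructed zone map: which address blocks belong to which trust zone.
# "internet" is the catch-all, so a prefix that does not fit a more specific
# zone (or spans several zones) is treated as untrusted, i.e. it fails closed.
ZONES: dict[str, IPv4Network] = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("10.10.0.0/16"),
    "app": ip_network("10.20.0.0/16"),
    "db": ip_network("10.30.0.0/16"),
}

# Constructed policy matrix: (source zone, destination zone) -> permitted ports.
# Any pair not listed is forbidden; note there is no internet->db or dmz->db path.
POLICY: dict[tuple[str, str], set[int]] = {
    ("internet", "dmz"): {443},
    ("dmz", "app"): {8443},
    ("app", "db"): {5432},
}


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    port: int
    action: str  # "allow" or "deny"


def zone_of(net: IPv4Network) -> str:
    """Return the most specific zone that wholly contains `net`."""
    best = "internet"
    for name, block in ZONES.items():
        if net.subnet_of(block) and block.prefixlen > ZONES[best].prefixlen:
            best = name
    return best


def violations(rule: Rule) -> list[str]:
    """Return the policy violations a proposed rule would introduce (empty if none)."""
    if rule.action != "allow":
        return []  # a deny rule can only tighten exposure; nothing to check here
    src_zone, dst_zone = zone_of(rule.src), zone_of(rule.dst)
    allowed = POLICY.get((src_zone, dst_zone), set())
    if not allowed:
        return [f"no traffic permitted from zone {src_zone} to zone {dst_zone}"]
    if rule.port == ANY_PORT:
        return [f"any-port rule {src_zone}->{dst_zone}; policy permits only {sorted(allowed)}"]
    if rule.port not in allowed:
        return [f"port {rule.port} not permitted {src_zone}->{dst_zone}; policy permits only {sorted(allowed)}"]
    return []


def check_request(src: str, dst: str, port: int, action: str = "allow") -> tuple[bool, list[str]]:
    """Review one change request given as CIDR strings, as a ticketing system would submit it.

    Returns (approve?, reasons); approve is True only when no violation was found."""
    problems = violations(Rule(ip_network(src), ip_network(dst), port, action))
    return (not problems, problems)


# Constructed change requests, as they might arrive from a ticketing queue.
SAMPLE_REQUESTS = [
    ("0.0.0.0/0", "10.10.5.0/24", 443),          # Internet to web tier: approve
    ("10.20.1.0/24", "10.30.0.10/32", 5432),     # app tier to database: approve
    ("10.10.5.0/24", "10.30.0.10/32", 5432),     # DMZ straight to database: reject
    ("10.20.1.0/24", "10.30.0.10/32", 22),       # SSH from app tier to database: reject
    ("10.20.1.0/24", "10.30.0.0/16", ANY_PORT),  # any port to the whole DB zone: reject
]

if __name__ == "__main__":
    for src, dst, port in SAMPLE_REQUESTS:
        approve, reasons = check_request(src, dst, port)
        verdict = "APPROVE" if approve else "REJECT "
        print(f"{verdict} {src} -> {dst} port {port or 'any'}  {'; '.join(reasons)}")
```

The matrix is the control a CISO signs off on once; every request, whether a handful or hundreds a day, is then measured against it mechanically, and a rejected request carries its reason back to the requester rather than waiting on a manual review.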

Listen Now!

SC 110: Ron Green, Mastercard Executive VP & CISO, Talks New Technologies, What Keeps Him Up at Night and Provides Recommendations to His Peers

Mastercard is a technology company in the global payments industry which operates the world’s fastest payments processing network, connecting consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. Mastercard’s products and solutions make everyday commerce activities – such as shopping, traveling, running a business and managing finances – easier, more efficient and secure for everyone. 

As Mastercard’s Executive Vice President and CISO, Ron Green is responsible for upholding that mission. In this podcast, Green, a security visionary responsible for both cyber and physical security, speaks with David Cass, Global Partner, Cloud Security and FSS CISO at IBM, about what Mastercard is doing to ensure the promise of security not only today but in the future. Green talks about new technologies and processes, what keeps him up at night, and he provides recommendations to his peers. 

Listen Now!

SC 109: Maxim Integrated Chief Cyber Risk Officer and SentinelOne's CEO Talk Endpoint Security, Automation and Visibility

The endpoint is becoming the new edge of the business. As the doorway to your data, with more and more breaches entering via the endpoint, it is turning into one of the weakest links for today’s business. It is critical that businesses can detect new and real threats at the endpoint and respond to them in near real time.

However, with masses of data being generated and processed, being able to scale and respond effectively is getting harder. As you’ll hear in this SentinelOne-sponsored podcast with CEO and Co-founder Tomer Weingarten and Maxim Integrated Chief Cyber Risk Officer Matt Hollcraft, automation and machine learning are key components in protecting against today’s malware.

Listen Now!

SC 108: Bay Dynamics CEO Discusses How to Gain Insight in to Security Risks Using User Behavior Analytics

CISOs are increasingly looking to User Behavior Analytics (UBA) as a key security tool to help combat threats by identifying anomalous behavior.

According to the report CISOs Investigate: UBA, authored by more than a dozen CISOs, UBA quickly provides actionable intelligence, enabling CISOs to reduce losses to their organizations by identifying and thwarting attacks earlier.

Feris Rifai, CEO of Bay Dynamics, a provider of analytics and UBA solutions, says CISOs are realizing that to effectively protect their organization they need to add a UBA component to their security arsenal.

In this sponsored podcast, Rifai and David Cass, the Global Partner, Cloud Security and FSS CISO at IBM, discuss what UBA offers and how it is helping organizations across industries.

Listen Now!

SC 107: CISO David Cass Talks Cloud Adoption and Security 

Enterprises are increasingly adopting cloud strategies. In some cases, however, adoption has been slowed by cybersecurity concerns.

In this podcast, David Cass, the Global Partner, Cloud Security and FSS CISO at IBM reviews the state of cloud adoption and security with Mike Schuricht, Senior Director of Product Management at Bitglass.

The experts discuss how cloud is taking off and how, despite security being a key concern, cloud can be highly secure with the right protections and solutions in place.

In this Bitglass-sponsored podcast, the two touch on critical control areas and what CISOs should take into account when adopting and maintaining a cloud strategy.

Listen Now!


SC 106: Joey Johnson, Premise Health CISO, Discusses Challenges in Securing Distributed, Highly Regulated Environments

Premise Health is a leader in onsite health and wellness programs, providing some 600 large employer-sponsored employee clinics. In this highly distributed and regulated environment, Joey Johnson is responsible for all cybersecurity and information technology, compliance, audit and vendor risk management.

Johnson was just named the winner of the prestigious Information Security Executive® of the Year Award in the Southeast. In this podcast, Johnson speaks with David Cass, IBM Cloud & SaaS Global CISO, about Premise Health’s unique business model and how he uses proactive security and risk management to meet challenging security, compliance and audit demands. 

Listen Now!


SC 105: DocuSign CISO Discusses The Human Element of Incident Response

The volume of threats and attacks most security teams face daily can leave them overworked and fatigued, operating in what DocuSign CISO Vanessa Pegueros has identified as level one trauma – a sort of cyber PTSD that can put organizations at risk.

In this podcast, Pegueros talks with David Cass, IBM Cloud & SaaS Global CISO, about her four-part series in Security Current that explores the human element of incident response and how CISOs can identify and resolve trauma in the organization. They also discuss the Board’s role in incident response and why being quick to fire after a breach may not always be the most effective approach.

Listen Now!


SC 104: Marci McCarthy, President & CEO of T.E.N. and Founder of the ISE® Awards, Provides Insights into the Evolution of the CISO Role 

The CISO increasingly has a seat in the boardroom, as the role is becoming more of the rule than the exception in enterprises.

During RSA Conference 2017, Marci McCarthy, President & CEO of T.E.N., sat down with David Cass, Global CISO IBM Cloud & SaaS, to discuss the continuing evolution of the information security industry.

McCarthy founded the prestigious ISE® Awards Program, which has helped elevate the role of security executives, who are recognized by their peers for their contributions and specific security projects. In this podcast, McCarthy provides insights into the profession and talks about the shortage of security personnel, the startup ecosystem and where the industry is headed.

Listen Now!


SC 103: San Diego CISO Gary Hayslip Talks Strategies for Building Executive Buy-in, Security Tech and Leveraging the Cloud

The City of San Diego is a $4 billion business, and it doesn’t shut down. As you’ll hear in this discussion between Gary Hayslip, the city’s CISO, and David Cass, Global CISO IBM Cloud and SaaS, San Diego is a smart city that is continuously rolling out new technologies to facilitate ‘the business’ while bolstering its security.

In this podcast, recorded during the RSA Conference, Hayslip talks about joining the city as its first CISO some three years ago and how he established a five-year plan built on established frameworks, such as those from the National Institute of Standards and Technology (NIST), to increase the security of the city’s 24 networks and 40 departments. The two also discuss ‘cloud first’ initiatives, resilient networks and the role of the CISO, on which Hayslip offers practical guidance in his book “A CISO Desk Reference Guide: A Practical Guide for CISOs.”

Listen Now!


SC 102: Global CISO David Cass Discusses the Proliferating Attack Surface Being Created by Internet of Things Devices with ForeScout’s Commercial CTO Len Rosenberg

Adoption of the Internet of Things (IoT) has grown exponentially, with experts predicting billions of IoT devices coming into use. And with the strategy more often than not being to go to market first and secure later, enterprises are increasingly exposed to a variety of attacks.

As you’ll hear in this podcast with David Cass, Global CISO IBM Cloud and SaaS, and Len Rosenberg, ForeScout’s Commercial CTO and VP of Systems Engineering, the IoT is here to stay and security needs to be by design and not an afterthought. They also discuss what CISOs can do today to mitigate their exposure and what they should demand from IoT manufacturers. 

Listen Now!


SC 101: Gartner Research VP Anton Chuvakin Talks New CISOs at RSA, New Technologies and Box Fatigue with Global CISO David Cass

With RSA around the corner and more security vendors than you can count, if you are a new CISO at the conference what should your game plan be? As you’ll hear in this podcast, the sheer number of interesting technologies at their fingertips can potentially overwhelm new CISOs.

David Cass, Global CISO IBM Cloud and SaaS, and Dr. Anton Chuvakin, research VP on Gartner’s Technical Professionals (GTP) Security and Risk Management Strategies team and a speaker leading sessions on threat intelligence at the RSA conference, discuss how RSA is a great place to talk to vendors and their top product executives and see solutions up close. They also stress that people and process gaps, not a “particular box,” are what need to be addressed first.

Chuvakin also talks about today’s malware, box fatigue, critical challenges and ways to think about threat vectors in 2017.

Listen Now!


SC 100: Jason Witty, US Bancorp EVP and CISO, Discusses The Benefits of Tokenization with David Cass, Global CISO IBM Cloud & SaaS 

Tokenization is helping render stolen data worthless to attackers. Jason Witty, US Bancorp EVP and CISO, is in the midst of completing a multi-year tokenization integration project, for which his team won the recent ISE North America Project of the Year Award in the Financial Services category.

He discusses the many benefits of tokenization with David Cass, Global CISO IBM Cloud & SaaS, including fraud prevention and the reduction of risk and of the attack surface. They discuss how it is a complex undertaking that is “simple” to implement but difficult to adopt. Witty also touches on the many unintended business benefits.
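The following Python sketch, added here as an illustration and not US Bancorp's implementation, shows the mechanics behind the benefits Witty describes: a vault replaces each card number (PAN) with a random token that keeps the length and last four digits, downstream systems store only tokens, and only an authorized service can reverse the mapping. The card numbers are well-known test numbers, the authorized-caller list is constructed, and making tokens fail the Luhn check is a design choice assumed here so that a token can never be mistaken for a live PAN.

```python
"""Vault-based tokenization of payment card numbers (PANs).

Added example, not US Bancorp's implementation. The PANs are well-known test
numbers (Luhn-valid, never issued) and the authorized-caller list is constructed.
"""
import hashlib
import hmac
import secrets

# Constructed: the only service principals allowed to ask the vault for a real PAN.
AUTHORIZED_DETOKENIZERS = {"settlement-service"}


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; real PANs pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The single component that ever sees a real PAN.

    Downstream systems (orders, analytics, support tools) store only tokens,
    so a breach of any of them yields nothing a fraudster can use."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)               # keys the PAN lookup index
        self._pan_by_token: dict[str, str] = {}           # in production: encrypted at rest
        self._token_by_pan_mac: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        # Keyed hash so the lookup index itself never holds raw PANs.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for `pan`, minting one on first sight.

        The same PAN always maps to the same token, which is what lets
        repeat-customer and fraud analytics run on tokens alone."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_pan_mac:
            return self._token_by_pan_mac[idx]
        while True:
            # Random middle; the real last four are kept for receipts and reconciliation.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            # Design choice assumed here: tokens deliberately fail Luhn, so they can
            # never be confused with (or accidentally processed as) a live card number.
            if token not in self._pan_by_token and not luhn_ok(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan_mac[idx] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Reverse a token; only the few principals that truly need PANs may call this."""
        if caller not in AUTHORIZED_DETOKENIZERS:
            raise PermissionError(f"{caller} is not authorized to detokenize")
        return self._pan_by_token[token]


def count_real_pans(values: list[str]) -> int:
    """How many card-like values in a leaked dataset are usable PANs.

    Because tokens fail Luhn, a dump of a tokenized database scores zero."""
    return sum(1 for v in values if v.isdigit() and 13 <= len(v) <= 19 and luhn_ok(v))


if __name__ == "__main__":
    vault = TokenVault()
    orders_db = [vault.tokenize("4111111111111111"), vault.tokenize("5555555555554444")]
    print("stored in orders DB:", orders_db)
    print("usable PANs if orders DB leaks:", count_real_pans(orders_db))
    print("settlement sees:", vault.detokenize(orders_db[0], "settlement-service"))
```

The attack-surface reduction is visible in `count_real_pans`: every system that holds tokens drops out of scope for card-data protection, and the vault plus the one or two detokenizing services become the only places where a breach still matters. The "simple to implement, hard to adopt" remark maps onto the loop over every downstream system that must learn to live with tokens instead of PANs.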

Listen Now!


SC 99: Gartner Research VP Anton Chuvakin Speaks with Global CISO David Cass on Security Monitoring, SIEM, and UBA 

What specific things should companies look at when it comes to security monitoring in 2017? As you’ll hear in this podcast, many of the security problems organizations faced in the late 1990s and early 2000s have yet to be solved. David Cass, Global CISO IBM Cloud and SaaS, and Dr. Anton Chuvakin, research VP on Gartner’s Technical Professionals (GTP) Security and Risk Management Strategies team, discuss how security executives are still operationally challenged.

Chuvakin discusses how the technology landscape is changing while the challenges with the people themselves have not, and the “old problems” remain unsolved. In this podcast, he talks with Cass about the essential things organizations should be looking at, including newer technology such as User Behavior Analytics (UBA) as well as Data Loss Prevention (DLP) solutions.

Listen Now!


SC 98: Global CISO David Cass continues his discussion in part two of the series with Chief Security Architect Chris Roberts on Acalvio's threat detection technology

As you’ll hear in part two of the conversation between David Cass, Global CISO IBM Cloud and SaaS, and Chris Roberts, Acalvio Chief Security Architect, threat detection technology is allowing enterprises to identify intruders quickly. In this sponsored podcast you’ll hear how this burgeoning field of cybersecurity is helping enterprises protect their perimeters and internal infrastructure while shortening the time to discovery. 

Listen Now!


SC 97: Payment Card Processor Monext Discusses Continuous Compliance, Reducing Complexity and Heightening Security

Ensuring continuous compliance while reducing complexity is essential to bolstering security for many organizations, in particular, those that process credit card data.

In this Tufin-sponsored podcast, IBM’s David Cass talks with Monext’s Laurent Klefstad, Leader for Systems, Network and Telecom, about automated security policy orchestration and how it allows the French company to save time and money by reducing the complexity of its networks and firewalls.

Klefstad explains how Monext’s implementation of the Tufin solution provided continuous compliance and allowed the company to reduce its firewall rules, of which there were about 3,000, by upwards of 20 percent. He also talks ROI, staffing implications and business enablement.
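A small added Python example (not Tufin's or Monext's code) of how a rule base shrinks in the way this episode describes. Under first-match evaluation a rule can be removed when an earlier rule already matches everything it would (shadowed, same action) or pre-empts everything it would (dead, opposite action). The rule set is constructed.

```python
"""Find firewall rules that never take effect under first-match evaluation.

Added example, not Tufin's or Monext's code. A rule is 'shadowed' when an
earlier rule with the same action already covers all of its traffic, and
'dead' when an earlier rule with the opposite action covers all of it.
Both can be removed without changing what the firewall does. Rule set constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

ANY = (0, 65535)  # inclusive port range meaning "any port"


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    ports: tuple[int, int]  # inclusive destination port range
    action: str             # "allow" or "deny"

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` matches, `self` matches too."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.ports[0] <= other.ports[0]
                and other.ports[1] <= self.ports[1])


def rule(name: str, src: str, dst: str, ports, action: str) -> Rule:
    """Build a Rule from CIDR strings and a single port or a (lo, hi) range."""
    lo, hi = ports if isinstance(ports, tuple) else (ports, ports)
    return Rule(name, ip_network(src), ip_network(dst), (lo, hi), action)


def analyse(rules: list[Rule]) -> dict[str, str]:
    """Return {rule name: reason} for every rule that can never match a packet.

    Only full coverage by a single earlier rule is detected; a rule hidden by
    the union of several earlier rules needs set arithmetic not shown here."""
    findings: dict[str, str] = {}
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(r):
                kind = "shadowed by" if earlier.action == r.action else "dead, pre-empted by"
                findings[r.name] = f"{kind} {earlier.name}"
                break
    return findings


def reduction_percent(rules: list[Rule]) -> float:
    """Share of the rule base that can be removed outright."""
    return 100.0 * len(analyse(rules)) / len(rules)


# Constructed rule base, in device order.
RULES = [
    rule("R1", "10.20.0.0/16", "10.30.0.10/32", 5432, "allow"),
    rule("R2", "10.20.5.0/24", "10.30.0.10/32", 5432, "allow"),  # subset of R1
    rule("R3", "0.0.0.0/0", "10.30.0.0/16", ANY, "deny"),
    rule("R4", "10.10.0.0/16", "10.30.0.20/32", 3306, "allow"),  # already denied by R3
    rule("R5", "0.0.0.0/0", "10.10.5.0/24", 443, "allow"),       # live
]

if __name__ == "__main__":
    for name, why in analyse(RULES).items():
        print(f"{name}: {why}")
    print(f"removable: {reduction_percent(RULES):.0f}% of {len(RULES)} rules")
```

Removing a shadowed rule is behaviour-preserving by construction, which is what makes this kind of cleanup safe to run continuously rather than as a one-off audit. Rules that are merely unused (no hits) are a different category: they need traffic logs, not rule arithmetic, and are not covered by this script.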

Listen Now!


SC 96: David Cass, Global CISO IBM Cloud and SaaS Speaks with Chris Roberts, Acalvio Chief Security Architect, on Threat Deception, the Internet of Things and Technology Innovation

It’s becoming an old adage: it isn’t a matter of if an attacker will infiltrate your network but when. With that being the case, and with research showing that attackers often reside on an enterprise’s network for many months doing reconnaissance and exfiltrating data before being identified, what can enterprises do? Autonomous threat deception technologies that identify an intruder once inside the network are being adopted by enterprises seeking proactive defenses.

As you’ll hear in this conversation between David Cass, Global CISO IBM Cloud and SaaS, and Chris Roberts, Acalvio Chief Security Architect, there has been a significant evolution in threat detection technology that allows enterprises to identify intruders quickly. In this sponsored podcast you’ll hear how a new, dynamic and smart approach to traditional honeypots is helping enterprises detect lateral movement immediately, shortening the time to discovery.

Listen Now!

SC 95: Matt Hollcraft, Maxim Integrated CISO, Speaks with Dan Schiappa, SVP & GM, Sophos Enduser Security Group on Ransomware, IoT and Hacking as a Business

In this interview Matt Hollcraft, Maxim Integrated CISO, discusses common threat vectors – what is old and what is new – with Dan Schiappa, SVP & GM, Sophos Enduser Security Group. They talk about ransomware, the mobile workforce, Internet of Things and hacking as a business.

In this sponsored podcast, you’ll also hear about approaches that enterprises can take to reduce threats, which are increasingly sophisticated and continuous. 

Listen Now!


SC 94: David Mahon, CSO of CenturyLink, and David Cass, Global CISO IBM Cloud & SaaS, Discuss the Evolution of the CISO and Provide Tips to Current and Aspiring CISOs

In this conversation with Security Current podcast host David Cass, Global CISO IBM Cloud & SaaS, David Mahon, CenturyLink CSO, talks about the evolution of the CISO.

A seasoned security executive with experience reporting to boards of directors, Mahon also provides guidance on how to present to a board. He also gives recommendations to current and aspiring CISOs on how to advance their careers.

Listen Now!


SC 93: IBM Cloud & SaaS Global CISO and ADP Vice President & Global Security Architect Discuss the Business and Technology Benefits of User Behavior Analytics (UBA) Tools

User behavior analytics (UBA) is at the forefront of the technologies CISOs are seeking for their security toolkits to help them find the needle in the haystack.

In this podcast sponsored by Exabeam, IBM’s David Cass talks with ADP’s V.Jay LaRosa about how UBA provides always-on threat hunting to detect and thwart cyber attacks.

LaRosa discusses ADP’s selection and implementation of the UBA solution and how his team uses it to quickly and effectively identify potential anomalous behavior. He also talks ROI, staffing and why he wishes he had started sooner. 
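Added Python example, not Exabeam's, Bay Dynamics' or any other vendor's code, illustrating the needle-in-a-haystack point raised in this episode and in SC 108 and SC 99: a baseline is learned per user from ordinary activity, and each new event is scored on how far it departs from that user's own norm (hour of day, source network, transfer volume). The log lines and the thresholds are constructed.

```python
"""Per-user baseline and deviation scoring, the core idea behind UBA.

Added example, not any vendor's product code. Log lines and thresholds are
constructed; the three signals (hour of day, source network, transfer volume)
are a small subset of what a real UBA engine models.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LINE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) bytes=(?P<bytes>\d+)"
)
RARE_HOUR_SHARE = 0.05  # an hour seen in <5% of a user's events counts as unusual
VOLUME_SIGMAS = 3.0     # bytes more than 3 standard deviations above the user's mean


def parse(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "user": d["user"],
        "net": d["src"].rsplit(".", 1)[0],  # the /24 the activity came from
        "bytes": int(d["bytes"]),
    }


class Baseline:
    """What 'normal' looks like for each user, learned from past events."""

    def __init__(self) -> None:
        self.hours = defaultdict(lambda: defaultdict(int))  # user -> hour -> count
        self.nets = defaultdict(set)                         # user -> source /24s
        self.volumes = defaultdict(list)                     # user -> bytes per event

    def learn(self, ev: dict) -> None:
        u = ev["user"]
        self.hours[u][ev["ts"].hour] += 1
        self.nets[u].add(ev["net"])
        self.volumes[u].append(ev["bytes"])

    def score(self, ev: dict) -> tuple[int, list[str]]:
        """Return (number of anomaly signals, human-readable reasons) for one event."""
        u = ev["user"]
        total = sum(self.hours[u].values())
        if total == 0:
            return 1, [f"no baseline for user {u}"]  # never-seen account: worth a look
        reasons = []
        if self.hours[u].get(ev["ts"].hour, 0) / total < RARE_HOUR_SHARE:
            reasons.append(f"unusual hour {ev['ts'].hour:02d}:00 for {u}")
        if ev["net"] not in self.nets[u]:
            reasons.append(f"new source network {ev['net']}.0/24 for {u}")
        mu, sd = mean(self.volumes[u]), pstdev(self.volumes[u])
        if sd > 0 and (ev["bytes"] - mu) / sd > VOLUME_SIGMAS:
            reasons.append(f"transfer volume {ev['bytes']} far above {u}'s norm (~{mu:.0f})")
        return len(reasons), reasons


# Constructed history: alice works office hours from 10.1.2.0/24; bob works nights.
TRAINING = """
2017-03-01T08:55:10 user=alice src=10.1.2.30 action=login bytes=1200
2017-03-01T09:40:02 user=alice src=10.1.2.30 action=download bytes=2400
2017-03-01T13:05:44 user=alice src=10.1.2.31 action=download bytes=1800
2017-03-02T09:02:17 user=alice src=10.1.2.30 action=login bytes=1100
2017-03-02T10:30:00 user=alice src=10.1.2.30 action=download bytes=2900
2017-03-02T16:45:09 user=alice src=10.1.2.30 action=download bytes=2100
2017-03-03T08:58:31 user=alice src=10.1.2.30 action=login bytes=1300
2017-03-03T11:20:12 user=alice src=10.1.2.31 action=download bytes=2600
2017-03-01T02:10:00 user=bob src=10.1.7.12 action=login bytes=900
2017-03-02T03:15:27 user=bob src=10.1.7.12 action=download bytes=3100
2017-03-03T02:48:51 user=bob src=10.1.7.12 action=download bytes=2800
"""


def build_baseline(lines: str) -> Baseline:
    b = Baseline()
    for line in lines.splitlines():
        ev = parse(line)
        if ev:
            b.learn(ev)
    return b


BASELINE = build_baseline(TRAINING)


def score_line(line: str):
    """Score a new log line against the learned baseline; None if unparseable."""
    ev = parse(line)
    return BASELINE.score(ev) if ev else None


if __name__ == "__main__":
    for line in [
        "2017-03-04T03:12:45 user=alice src=203.0.113.9 action=download bytes=48000000",
        "2017-03-04T03:05:00 user=bob src=10.1.7.12 action=download bytes=3000",
    ]:
        n, why = score_line(line)
        print(f"score={n} {line.split()[1]}  {'; '.join(why) or 'normal'}")
```

The point the two speakers make about anomalous behaviour shows up in the two 03:00 events: the same hour is a strong signal for alice and no signal at all for bob, because each is compared against their own history rather than a global rule. In practice the per-user baseline is rebuilt on a rolling window so that legitimate changes (a new office, a new role) age into normal instead of alerting forever.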

Listen Now!


SC 92: David Cass, Global CISO IBM Cloud and SaaS, Speaks with Reuven Harrison, CTO and Co-founder Tufin, on Network Security Policy Automation and Orchestration in the Cloud

In this conversation, CISO David Cass and CTO Reuven Harrison discuss the journey to the cloud. They talk about increasing enterprise cloud adoption and hybrid environments. They also discuss the associated demand for automation of network security policy implementation across these hybrid cloud infrastructures.

In this sponsored podcast, you’ll hear how it is important to maintain business agility while securing applications in these increasingly diverse and complex networks.

You’ll also learn how automation and orchestration help ensure visibility and control across heterogeneous networks. 

Listen Now!


SC 91: John Masserini, CSO MIAX Options, Speaks with Barmak Meftah, President and CEO AlienVault, About Threat Detection and Response 

In this conversation, MIAX Options CSO John Masserini discusses the threat detection and response space with AlienVault President and CEO Barmak Meftah.

An early adopter of threat intelligence, Masserini notes its challenges and asks Meftah what AlienVault is seeing in the market and how threat intelligence is being integrated into companies’ security organizations.

Meftah talks about the need to aggregate information efficiently while noting that it is more important to synthesize it so that it is easily consumable and actionable. He describes AlienVault’s crowdsourcing approach and how it is helping midsized enterprises centralize and simplify their threat detection and response. They were speaking in this sponsored podcast at the Black Hat Conference in Las Vegas earlier this month.

Listen Now!


Intersections IT Security One2One Summit and Security Current Podcast Series

David Cass, Global CISO IBM Cloud & SaaS, and David Rooker, CISO Actian Corp, Talk About the IoT, Ransomware, Phishing and What Can Be Done

In this series, brought to you by Security Current and the Intersections IT Security ONE2ONE Summit, you will hear CISOs discuss today’s most critical issues in IT security.

This episode features David Cass, IBM Cloud & SaaS Global CISO, and David Rooker, Actian Corporation CISO, who discuss the most prevalent attack vectors today, from email to ransomware, with the Internet of Things (IoT) increasingly becoming a major security issue.

In this podcast you’ll hear how the IoT brings great benefits while exponentially expanding the opportunity landscape for bad actors. You’ll also hear what Rooker is doing to enable business processes while bolstering security. They also touch on the need for qualified security personnel and how to find the right candidates.

Listen Now!


SC 90: Part 3: CISO of IBM Cloud & SaaS Speaks with Spirent on Hacking Medical Devices and Automated Cars

In part three of the conversation, David Cass, IBM Cloud & SaaS Global CISO, and John Weinschenk, Spirent Communications General Manager, Enterprise and Network Application Security, discuss the potential hacking of medical devices and automated cars.

In this Spirent-sponsored podcast, Weinschenk explains how they worked with a surgeon to hack a medical device. He also talks about a second hack they conducted on an autonomous car that allowed them to take control of the systems and vehicle itself.

They discuss what needs to be done to secure these Internet of Things (IoT) devices and how manufacturers need to start thinking about how these systems can be exploited.

Listen Now!


SC 89: David Cass, Global CISO IBM Cloud & SaaS, and David Mahon, CSO CenturyLink, Discuss the Most Common Threats Hitting Businesses Today

In this conversation with Security Current podcast host David Cass, Global CISO IBM Cloud & SaaS, David Mahon, CenturyLink Chief Security Officer, discusses what he sees as two of today’s critical security issues and how to tackle them.

Mahon points to phishing and ransomware as the most prevalent types of attacks he is seeing in the industry. The two executives talk about the importance of security awareness training and Mahon provides tactical approaches to reduce the likelihood of a successful breach. They also discuss metrics, ROI and best practices for reporting to the board.

Listen Now!


Intersections IT Security One2One Summit and Security Current Podcast Series

David Cass, Global CISO IBM Cloud & SaaS, and Bill Okula, Executive Officer for the Police Technology Bureau for the Suffolk County Police Department, Discuss Today’s Threats, Security Best Practices and Staffing

In this series, brought to you by Security Current and the Intersections IT Security ONE2ONE Summit, you will hear CISOs discuss today’s most critical issues in IT security.

This episode features David Cass, IBM Cloud & SaaS Global CISO, and William Okula, Executive Officer Police Technology Bureau at the Suffolk County Police Department, who discuss the most prevalent types of attack in the public sector.

In this podcast you’ll hear in particular about phishing and malware. They also discuss challenges facing security departments in the public sector, staffing and security best practices.

Listen Now!


Intersections IT Security One2One Summit and Security Current Podcast Series

David Cass, CISO IBM Cloud & SaaS, and Richard Seiersen, General Manager Cybersecurity and Privacy GE Healthcare, Discuss Security, Trust and Privacy in Healthcare

In this series, brought to you by Security Current and the Intersections IT Security ONE2ONE Summit, you will hear CISOs discuss today’s most critical issues in IT security.

This episode features David Cass, IBM Cloud & SaaS CISO, and Richard Seiersen, GE Healthcare’s General Manager Cybersecurity and Privacy, who discuss the different types of attack vectors in healthcare, which as you’ll hear is “As Security as it Gets.”

In this podcast you’ll hear about implantable medical devices and wearables, and the Industrial Internet of Healthcare Things. They also touch on Seiersen’s upcoming book “How to Measure Anything in Cybersecurity Risk,” which explores decision science and in particular quantitative approaches to decision making.

Listen Now!


Intersections IT Security One2One Summit and Security Current Podcast Series

David Cass, CISO IBM Cloud & SaaS, and Jonathon Neel, CISO University of Virginia School of Medicine, Discuss the Changing Threat Landscape in Healthcare

In this series, brought to you by the Intersections IT Security ONE2ONE Summit and Security Current, you will hear CISOs discuss today’s most critical issues in IT security.

This episode features David Cass, IBM Cloud & SaaS CISO, and Jonathon Neel, University of Virginia School of Medicine CISO, who discuss threat sharing with other CISOs, compliance, wearables and how to keep up with technology.

In this podcast you’ll also hear about FISMA and how it may impact the way universities operate in the future. David and Jonathon also touch on the Internet of Things (IoT) and how that impacts application development in the healthcare setting.

Listen Now!


Part 2: CISO of IBM Cloud & SaaS Speaks with Spirent on Risk, Remediation, Testing and Technology

In part two of the conversation, David Cass, IBM Cloud & SaaS Global CISO, and John Weinschenk, Spirent Communications General Manager, Enterprise and Network Application Security, discuss managing risk.

In this Spirent sponsored podcast they talk about the need for continuous monitoring and testing to optimize spend to reduce risk. They also touch on the ability to respond quickly to a breach by ensuring strong remediation plans are in place, and discuss the need to diversify technology solutions.

Listen Now!


Part 1: CISO of IBM Speaks with Spirent Communications on IoT, Ransomware and Cloud

CISOs can never reduce risk to zero. As technology develops at lightning speed, with the Internet of Things (IoT) bringing more Internet-enabled devices daily and the cloud becoming more pervasive, what can and should be done?

CISO David Cass, IBM Cloud and SaaS, speaks with John Weinschenk, general manager enterprise and network application security at Spirent Communications, about some of the biggest threats facing enterprises as a result of these trends.

Listen to this sponsored podcast as David and John discuss ransomware, including hacker help desks, and the Internet of Things, including the potential for your refrigerator to attack you. They talk about some of the top things enterprises need to do, from patching systems to testing to awareness, in order to bolster their defenses.

Listen Now!


Intersections IT Security One2One Summit and Security Current Podcast Series

David Cass, CISO IBM Cloud & SaaS, and James Beeson, CISO GE Capital Americas, Discuss the Changing and Increasingly Destructive Nature of Cyberattacks

In this series, brought to you by the Intersections IT Security ONE2ONE Summit and Security Current, you will hear CISOs discuss today’s most critical issues in IT security.

This episode features David Cass, IBM Cloud & SaaS CISO, and James Beeson, GE Capital Americas’ CISO, who discuss how the nature of attacks has fundamentally changed and how they are becoming more destructive, for example with ransomware, which impacts corporations and individuals alike.

In this podcast you’ll also hear about organized crime and the traditional bad actors, and how the economics of cybercrime make recruiting much easier. David and James discuss how cybercrime has become so ‘mainstream’ that support is even offered on malware that is easily purchased online. They also talk about what they think needs to be done to combat today’s increasing attacks.

Listen Now!


Intersections IT Security One2One Summit and Security Current Podcast Series

David Cass, IBM Cloud & SaaS CISO, and David Hahn, Hearst Corporation CISO, Discuss the Biggest Security Challenges Facing Media Corporations

In the series you will hear CISOs discuss today’s most critical issues in IT Security.

The first episode features David Cass, IBM Cloud & SaaS CISO, and David Hahn, Hearst Corporation CISO, who discuss today’s biggest security and associated business problems facing media corporations and how they are leading to billions of dollars in lost revenue.

In this podcast you’ll hear about malvertising, how it works, the absence of regulations and government intervention, and the Sony breach and its implications. 

Listen Now!


SC 88: CISOs of IBM Cloud & SaaS and Deloitte Touche Tohmatsu Discuss Cybersecurity Convergence

In today’s digital age, there are more connected devices than ever before. A look at the history of the digital universe shows that, like the real universe, it is expanding. From a single device meeting our needs, starting with the PC and then moving to laptops and phones, we seem poised on the brink of a technological “big bang” resulting in an ever-more-diffuse array of gadgets, monitors, appliances and communications all working in tandem to enhance our personal and professional lives. And with the convergence of technologies, more data is being generated than ever.

The question, then, is how we will secure our networks and data.

As you’ll hear in this interview, in which David Cass, IBM Cloud & SaaS CISO, speaks with Dr. J.R. Reagan, Deloitte Touche Tohmatsu Limited CISO, the way enterprises approach security likely requires new ways of thinking. They discuss how security has transformed from managing things to managing data in order to protect the enterprise. Dr. Reagan provides three key takeaways for security executives in today’s digital age.

Listen Now!

Read Dr. JR Reagan's article on Cybersecurity Convergence


SC 87: Cloud Security Alliance Talks Challenges and CISO Trends

Cloud security continues to be a key consideration for CISOs as they weigh the pros and cons of migrating to the cloud and, if they do, best practices for the migration.

A recent report issued by the Cloud Security Alliance (CSA), a member-driven organization chartered with promoting the use of best practices, touches on the key concerns facing adoption today. In this podcast, recorded at the RSA 2016 Conference with Security Current’s Vic Wheatman, CSA Chief Technology Officer Daniele Catteddu discusses the current and future state of the cloud.

Listen Now!


SC 86: Social Media and Cyberterrorism - A Conversation with Cybercrime Expert Morgan Wright

Morgan Wright is an internationally recognized cybersecurity, cyberterrorism and identity theft expert.

He has testified before Congress, advised the U.S. State Department and served in law enforcement. In this conversation with Security Current's Vic Wheatman, Morgan speaks about ISIS-inspired cyber terrorism, ransomware, and social engineering as a tool for enabling spear phishing to steal credentials and corrupt business systems.

Training, policy and philosophy are critical, even before security technologies are implemented. As you'll hear from Wright: "Think before you click the link."

Listen Now!


SC 85: Security and Network Access Control at Barnabas Healthcare

With vast amounts of personal information and Internet-enabled medical equipment, health care faces unique security requirements. Some stem from regulatory mandates such as HIPAA, while others arise from the critical clinical equipment found in hospitals and doctors’ offices.

Gaining visibility into the variety of platforms present while positioning for future needs is a challenge. Technologies such as Network Access Control (NAC) can provide a needed overview of the security environment. In this podcast with Security Current’s Vic Wheatman, Barnabas Health’s CISO Hussein Syed and Dominic Hart, the health care system’s manager of information security architecture, discuss their approach to this complex environment.

Listen Now!


SC 84: Of Encryption and Backdoor Access: A Conversation with a CISO

Encryption is fundamental to business today. But encryption also allows evildoers to plan criminal or terrorist acts. Law enforcement, intelligence agencies and political interests have proposed "back doors" to enable them to do their jobs. Shades of the Clipper Chip and its Skipjack algorithm! Look it up!

CISOs need to work with stakeholders to find the right balance between their responsibility for protecting sensitive data and cooperation with law enforcement and Homeland Security. These and other issues are discussed in this conversation between Security Current's Vic Wheatman and Greg Schaffer, FirstBank VP and Information Security Officer.

Listen Now!


Episode 83: Bug Bounty Programs: Trends in Developing Secure Software with SANS Institute’s John Pescatore

In the push to launch mission-critical applications, insecure software often makes it into production. Sometimes hackers find the gaps and exploit vulnerabilities. Now new approaches are leading to continuous vulnerability testing - by ‘hackers.’

Through crowdsourcing and bug bounties, Secure Systems Development Life Cycle (SDLC) principles are being enhanced and developers' mindsets are being changed.

Code quality and efficiency have improved as a result. In this conversation, SANS Institute Director of Emerging Security Trends John Pescatore tells Security Current's Vic Wheatman what some CISOs and application developers have found by moving in this direction.

Listen Now!


Episode 82: Looking at Cybersecurity in the New Year with Roota Almeida, Delta Dental Head of Information Security 

Each year is a new opportunity to use what we've learned in the past in order to address the future and anticipate what the bad actors may do next to breach our information security.

Here, the head of information security at Delta Dental of New Jersey addresses what we can expect as we enter 2016, discusses the role of cyber insurance, warns about how old source code can be exploited and highlights how Identity and Access Management and Managed Security Service Providers can help plan the future state of our information security.

Listen to Delta Dental of New Jersey's Roota Almeida in conversation with Security Current's Vic Wheatman.

Listen Now!

Episode 81: Addressing the Growing Cybersecurity Threat in 2016 with Jason Witty, US Bancorp CISO

The overall cost of cyber crime in 2015 to the world economy as a whole was estimated at a conservative $575 billion, according to research. Breaches are growing in number and sophistication.

According to Jason Witty, Executive Vice President and CISO at US Bancorp, there are five major sources of information security threats and they are continuing to evolve dramatically.

He identified five high-level classifications: insider threats, organized crime, hacktivists, terrorists, and nation states.

But as Witty tells Security Current’s Vic Wheatman there is a light at the end of the tunnel. Using security frameworks and taking advantage of new legislation that supports threat information sharing among organizations are some of the most viable approaches to combating the increasingly sophisticated and emerging threats.  Hear about these topics, as well as the growth in business email compromise fraud, in this conversation.

Listen Now!


Episode 80: Hurdling Obstacles to Security Training and Awareness Success

Things happen. Staffers click links they shouldn't. Interlopers enter the workplace, gain access to a vacant desk, log in and steal corporate secrets. 

Technology helps, but end user security awareness training puts people on the front line of defense.  Employees need to recognize that the threats are real. Executives need to see that there is a real return on security training investment, partly due to preventing lost productivity, and that business risks can be significantly reduced. 

In this sponsored podcast, Security Current's Vic Wheatman speaks with Amy Baker, Vice President of Marketing of Wombat Security Technologies, a premier provider of security awareness training.

Listen Now!


Episode 79: Software Defined Perimeters

In a world of three letter acronyms comes yet another -- a new specification from the Cloud Security Alliance. SDP or Software Defined Perimeter.

SDP approaches are meant to create a secure micro segment between the user and a host.

But how are SDPs different from other approaches based on firewall appliances or virtual firewalls? Can SDPs eliminate the need for firewalls? Can they save money? Who provides the technology and what are the advantages?

Security Current's Vic Wheatman speaks with Gartner Research Director Lawrence Pingree about this emerging technology.

Listen Now!


Episode 78: CISO Buying Trends, Approaches and Considerations

With the plethora of information security products and services on the market, how can CISOs prioritize what they truly need? And how can they differentiate between what may be a short-term fad brought to market by earnest but oftentimes aggressive solution providers and a long-term solution?

The answer lies in stepping back and carefully examining your organization's overall security program from a predict, prevent, detect, protect and respond context to help plan priorities. 

Gartner surveys CISOs bi-annually to determine security buying trends and top of mind concerns.  In this podcast, Security Current's Vic Wheatman speaks with Gartner Research Director Perry Carpenter about the results of the survey and the current state of CISOs when it comes to buying trends.

Listen Now!


Episode 77: Creating and Managing a Security Aware Culture

In both the public and private sector employees are by and large the weakest link when it comes to information security breaches.

Training needs to be more than simply a checkbox on a compliance list. There are various approaches that combine training and technology to ensure employees are security aware.

As you'll hear from Gartner Research Director Perry Carpenter in this conversation with Security Current's Vic Wheatman, training is not a one-time endeavor but needs to be multifaceted and continuous. 

Listen Now!


Episode 76: EU's "Safe Harbor" Provisions Invalid.  So What?  Attorney Lawrence Dietz Explains 

The European Union's (EU) highest court recently found that the "Safe Harbor" provisions allowing data transfers from EU countries to United States' data centers are invalid.

Triggering this finding was a lawsuit motivated, in part, by spy agency access to citizen data in violation of privacy initiatives. Despite this ruling, transatlantic data flows can continue -- assuming other safeguards are in place.

Security Current's Vic Wheatman speaks with Lawrence Dietz, General Counsel for California-based TAL Global to make sense out of this and what it means to CISOs. Dietz is a nationally recognized expert in the areas of cybersecurity, cyber warfare, information security and intellectual property.

Listen Now!


Episode 75: Management Hierarchy and CISO Reporting Roles -- Part 2 with CISO Brian Lozada

What is the optimal structure within an enterprise in terms of CISO reporting? Should a CISO report to the CIO? Or possibly to the CFO? 

In some cases, as you'll hear in part two of Vic Wheatman's interview with CISO Brian Lozada, CISO can stand for Chief Information Scapegoat Officer. Avoiding blame for security incidents requires relationships to ensure that both business and technical concerns are properly addressed. 

Listen Now!


Episode 74: Information Security in Hedge and Private Equity Funds -- Part 1 with CISO Brian Lozada

Information security in hedge funds is new and many hedge funds don't know what cybersecurity is or what is at risk. And there are unique security issues specifically related to hedge funds.

With a high risk/reward mentality, and with high-net-worth individuals involved, regardless of the technologies implemented, the potential security problems may best be addressed presently through ongoing security awareness and education, according to an expert in the space.

Brian Lozada, Director and CISO of Abacus Group, LLC, a solutions provider servicing the segment, speaks with Security Current's Vic Wheatman about the state of hedge funds and how they are a 'rich' target for cyber attackers.

Listen Now!


Episode 73: Vetting Security Startups -- Venture Capital Series Part 3

How can CISOs differentiate among "me too" information security startups? What is the role of incubators in helping new companies get started? And how is the NSA considered one of the best "graduate schools" in cybersecurity?

Security Current's Vic Wheatman explores this and other topics with Allegis Capital's Founder and Managing Director Robert Ackerman in part three of our investor series. 

Listen Now!


Episode 72: What Happens When Your Security Vendor is Acquired with Allegis Capital’s Ackerman – Venture Capital Series Part 2

One of the primary exit strategies for security startups is to be acquired. Sometimes that's a good thing, other times, not so much.

Hear about some of the issues associated with acquisitions and where startups added value to a security platform or suite of a larger solution provider.

And get the inside scoop on what Allegis Capital's Founder and Managing Director Robert Ackerman sees as some of the most creative, innovative, and cutting edge information security ideas of today.

In part two of a three-part series, Ackerman discusses exits and technologies he is watching.

Listen Now!


Episode 71: Security Shark Tank Quick Hits Podcast

At the second Security Current Security Shark Tank competition held during Black Hat in Las Vegas, six up and coming cybersecurity providers came face-to-face with some 20 Chief Information Security Officers (CISOs).

The startups were: Dtex Systems, Infocyte, Cymmetria, Datex Inc, Wombat Security and Syncurity.

After each startup's interaction with the Security Sharks, Security Current's Vic Wheatman spoke with the speaker for a quick hit podcast. 

Hear the results in this entertaining and informative podcast.

Listen Now! 


Episode 70: Experience Matters for Security Startups - Venture Capital Series Part 1

The level of venture capital financing has hit new heights with increasing investments in information security. Some venture capitalists (VCs) specialize in finding and funding startups in security, which is a unique segment within technology. 

What does this mean for security startups? And how does an investor's perspective impact Chief Information Security Officers? 

In part one of a three-part series, Security Current's Vic Wheatman speaks with Robert Ackerman, founder and managing director of Allegis Capital about the current state of VC funding and the burgeoning security field. 

Listen Now!


Episode 69: Operational Effectiveness of Security Analytics with Anton Chuvakin

How effective are Security Analytics tools and how do you compare their operational effectiveness?

After spending months researching this subject, Gartner's Dr. Anton Chuvakin says the long and short is that they just don't know how well the tools work as there isn't much data on the operational effectiveness of security analytics.

He points out that for analytics tools, many of the vendors have just 5-10 customers that have some data, but it isn't enough. He tells Security Current's Vic Wheatman that a lot of the evidence is very anecdotal and we only hear the success stories. So, he says, it is hard to say which type of tool, model and statistics are working well. Listen to hear what you should do.

Listen Now!


Episode 68: DataStealth from Datex, Inc. - Transforming Sensitive Information Securely

It is no longer a question of if an intruder will gain access to your network, but a matter of when.

Cybersecurity company Datex, Inc. says employees will make mistakes, user credentials will be compromised, data theft will happen and compliance mandates will not be met.

The DataStealth service addresses these and other issues by inspecting network traffic, extracting sensitive information and substituting spurious data for the original information, transforming that information into secure and usable fragments to allow applications to securely do their jobs.

In this sponsored podcast with Security Current's Vic Wheatman, Ross Morley of Datex, Inc. describes how the service works, its benefits and provides real-world use cases.

Listen Now!


Episode 67: Cloud SIEM Doesn't Really Exist - Yet

SIEM stands for Security Information and Event Management. 

SIEM is continuing to grow in usage, but where does it stand in terms of cloud deployments and what is its cloud-based market share?

Gartner's Dr. Anton Chuvakin challenges the idea that one can compute market share for "Cloud SIEM" products because they actually don't quite exist, yet. 

While he acknowledges that there are some "almost" SaaS (Software as a Service) SIEM products and services, true cloud-based SIEM solutions are not available. 

In conversation with Security Current's Vic Wheatman, Dr. Chuvakin provides a taxonomy for SIEM and describes the reasons for the definitional differences.

Listen Now!


Episode 66: Using User Behavior Intelligence To Identify Account Takeovers

Massive database breaches have resulted in millions of user identification and authentication profiles being compromised. Identifying unauthorized attempts to access systems or accounts is a basic requirement for financial institutions, e-tailers, retailers, healthcare providers and other enterprises.

Knowing the difference between employee and attacker behavior is key to avoiding security alert fatigue and the drain on scarce resources needed to parse the good from the bad access attempts.

Further, collecting information about rogue takeovers for forensic purposes is a good idea. Security Current's Vic Wheatman speaks on these issues and others with Mark Seward, Vice President of Marketing for Exabeam in this sponsored podcast.

Listen Now!


Episode 65: Changing User Behavior Through Security Education

With experts citing employees being compromised by attackers as a primary cause of security breaches, many enterprises are seeking new training methods.

Spun out of Carnegie Mellon University, Wombat Security takes what it says is a different approach that applies learning science principles. Gone are traditional classrooms and videos, replaced by an interactive more engaging approach based on research on how people best learn new things.

In this sponsored podcast, Security Current's Vic Wheatman speaks with Joe Ferrara, President and CEO of Wombat Security about how his company's training programs are improving the security posture of today's enterprises. 

Listen Now!


Episode 64: Overcoming Silos Between Security and Privacy

For organizations to achieve maximum privacy and security the two need to go hand-in-hand but unfortunately they are often siloed within organizations. So how are organizations evolving to incorporate privacy, risk and compliance to address information security requirements? 

Finding the balance between holding what may be sensitive information about individuals, partners and others, and complying with the regulations and laws protecting that information, has become critical.

Security Current's Vic Wheatman speaks with internationally acclaimed Professor Daniel Solove of the George Washington Law School, CEO and Founder of training company TeachPrivacy, about these issues and a groundbreaking conference being held in October 2015 that bridges the silos between privacy and security.

Listen Now!


Episode 63: Gartner's Anton Chuvakin on the Failure of Security Policies

Many security policies are aspirations, doomed to fail because they are unrealistic. Not only can they be unachievable, but may in fact encourage people to disregard policies because, after all, "we can't really do that." 

Further, enterprises may not be able to collect on cyber insurance policy payouts because they didn't meet their own, internal standards. These and other issues surrounding information security policies are discussed in this conversation between Security Current's Vic Wheatman and Gartner's Dr. Anton Chuvakin.

Listen Now!


Episode 62: Augmenting the Past with Network Forensics

Most "new" security technologies use functions and features developed years ago. Network Forensics applies machine learning, automating detection functions via machine-based analytics to decode and visualize relevant metadata.

Accordingly, Network Forensics represents an evolutionary trend in security. Who is providing these tools and capabilities? Gartner Research Director Lawrence Pingree answers these questions in this interview with Security Current's Vic Wheatman.

Listen Now!


Episode 61: A CISO's Deep Thoughts

In this interview with an information security officer who prefers to remain anonymous we discuss the definitions of security intelligence, what it takes to be a CISO and the toughest part about heading up security at an enterprise. 

He also discusses how network complexity grows as new systems are built on top of existing infrastructure leading to potential problems. The interview, conducted by Security Current's Vic Wheatman, was recorded at the RSA Conference.

Listen Now!


Episode 60: The Role of the CISO with Daniel Conroy, Synchrony Financial

As the news of breaches across multiple sectors continues, the role of the Chief Information Security Officer has never been more important.

The CISO is not only responsible for protecting the organization but is also tasked with enabling the business. And with the CISO speaking in both business and technical languages, they are quickly gaining visibility with the Board of Directors, which needs to understand, and to provide resources for, enterprise security.

In this podcast, Daniel Conroy, the CISO of Synchrony Financial, a leading financial institution, speaks with Security Current's Vic Wheatman about the role, the definition of security intelligence and what keeps him up at night.

Listen Now!


Episode 59: Breach Detection and Compensating Controls

It isn't a matter of if your organization will be infected with malware but rather a matter of when. Based on that premise, Seculert designed a cloud service to quickly and automatically identify the machines connected to bad actors on the Internet. By knowing which equipment is compromised, desktop support staff can quickly replace or wipe the offending machine.

In this sponsored podcast, Security Current's Vic Wheatman speaks with Richard Greene, Seculert's President of Field Operations about the compensating controls the company provides, and why unsubscribing from spam may not be such a good idea.

Listen Now!


Episode 58: A CISO Talks Security in Healthcare

Healthcare providers have some of the most complicated environments, with a multitude of systems, users and regulatory mandates. And often, according to Barnabas Health CISO Hussein Syed, this leads to one of the biggest challenges, which is a misunderstood environment.

There are concerns over Personally Identifiable Information (PII), as well as maintaining compliance with Payment Card Industry (PCI) mandates as healthcare providers generally take credit cards. 

Further, because of the growing Internet of Medical Things, with various equipment now networked, data leakage becomes a greater concern. Compounding this are third-party providers, from doctors to billing companies, working with healthcare providers, making security even more difficult.

As you'll hear from Hussein Syed during this conversation with Security Current's Vic Wheatman, recorded at RSA, it is a balancing act to provide access while ensuring security. They speak about these and other issues.

Listen Now!


Episode 57: A CISO Reviews RSA 2015: Patricia Titus

RSA Conference 2015 was bigger than ever with hundreds of startups promoting their wares. One segment that caught the attention of CISOs was what is being dubbed as next generation endpoint security.

As you'll hear, new approaches to endpoint security may allow enterprises to turn off legacy anti-virus, anti-worm and other traditional protections. And what does security intelligence mean to a CISO?

Security Current's Vic Wheatman speaks with Patricia Titus about these and other issues including the toughest part of being a CISO.

Listen Now!


Episode 56: The State of Cyber Security: Implications for 2015

A surprising number of organizations are expecting a cyber attack. Despite this it is getting harder to fill cyber security jobs.

ISACA, an independent, nonprofit global association that develops and promotes the adoption of globally accepted practices for information security, in collaboration with the RSA Conference published a survey titled: The State of Cyber Security: Implications for 2015.

The survey found that while boards of directors are now including cyber security on their agendas, security still isn't where it should be. The survey also revealed that despite organizations anticipating attacks, there is a lack of sufficiently trained talent available to fill security positions.

According to Eddie Schwartz, who chairs ISACA's Cyber Security Task Force, only about 25 percent of applicants had the requisite skills to fill open security positions. Schwartz told Security Current's Vic Wheatman about the survey, and security certifications ISACA is rolling out to meet the growing need for skilled cyber security professionals.

The free study is available here

Listen Now!


Episode 55: Next Generation Endpoint Protection

Is there room for yet another endpoint protection product in a market crowded with alternatives?

SentinelOne says there is and that they are reinventing endpoint protection with an aim to replace antivirus within the enterprise. In this sponsored podcast SentinelOne explains its approach to protecting against advanced persistent threats (APTs) and zero-day attacks while also providing forensics. 

Tomer Weingarten, co-founder and CEO of SentinelOne, explains to Security Current's Vic Wheatman just how the startup combines behavior detection with cloud intelligence and whitelisting to block, detect and predict attacks.

Listen Now!


Episode 54: Gartner Analyst on the Bus - Security Budgets Up as Staffing Down

The percentage of the IT budget allocated to security is increasing. In fact, it is growing at a faster rate than the overall IT budget.

But what about staffing? Security departments have too many consoles to manage, and have too many false positives to consider.

In this podcast, recorded on one of the shuttle buses at RSA, Security Current's Vic Wheatman speaks with Greg Young, Vice President and Research Director for Gartner, who offers specific advice about these trends for both CISOs and the vendors who sell to them.

Listen Now!


Episode 53: The New Perimeter is Around the Cloud: CYREN Annual Report Details Latest Threats

Some 2.5 billion emails containing malware were sent in 2014. Malware URLs are on the rise. Phishing URLs are on the rise. And according to CYREN's 2015 Cyber Threats Yearbook it doesn't appear that attackers will be letting up any time soon.

The CYREN report, which analyzed 5 trillion Internet transactions, found that while high-profile breaches like Home Depot and Sony made headlines, attackers have set their sights on enterprises of all sizes and notoriety. No organization is immune. It also found that BYOD and consumer-grade products are creating new vulnerabilities in the enterprise.

Knowing the threat sources and how armies of botnet machines are being spawned to spread malware is key to building effective defensive strategies. 

In this sponsored podcast, Security Current's Vic Wheatman speaks with Lior Kohavi, CYREN's Chief Technology Officer. They discuss the report's findings and how cloud-based security solutions are being used to predict and subsequently mitigate against attacks.

Listen Now!

Read the complimentary CYREN Cyber Threat Yearbook


Episode 52: Protecting Against Email Attacks

More than 90 percent of enterprise security problems are reportedly caused by malicious email.

The number of corporate phishing attacks is growing. It isn’t a matter of if an employee will click on that malicious email or voicemail but just a matter of when.

Blocking, detecting and responding to phishing, spear phishing and other email-based attacks is now a fundamental enterprise security requirement.  

And looming large on the horizon are attacks launched via social media. In fact, according to security vendor Proofpoint 1 out of every 5 large enterprise brands on Twitter last year did not actually belong to the brand.

In this sponsored podcast, Security Current's Vic Wheatman speaks with Kevin Epstein, Vice President of Advanced Security and Governance with Proofpoint, about combatting today's advanced targeted attacks.

Listen Now!


Episode 51: Tempered Networks: Addressing TCP/IP Vulnerabilities

2015 has been dubbed the year of the security start-up and competition has never been greater. How do CISOs who are responsible for the security of their enterprises identify cutting edge technologies?  And how do the start-ups rise above the tide? 

Security Current launched its inaugural High Stakes competition during the 2015 RSA Conference. The invitation-only High Stakes offered CISOs the opportunity to hear from today's cutting edge security start-ups. 

One sponsor of the event was Tempered Networks. Led by Jeff Hussey, Tempered Networks co-founder and CEO, the Seattle-based company aims to address a fundamental security vulnerability in TCP/IP to ensure secure connectivity for business critical information and infrastructure. A serial entrepreneur with a focus on security, Hussey previously founded F5.

In this sponsored podcast with Security Current's Vic Wheatman, Hussey discusses how his company's approach differs from other solutions, such as firewalls and encrypted links, and why CISOs should select Tempered Networks to secure their environments.

Episode 50: Security Analytics: Buy or Build

How big a market is Security Analytics? If you ask our guest, Gartner Research VP Dr. Anton Chuvakin, you'll hear that there actually is no specific or defined market called Security Analytics. He says that while there are technology providers offering products or services so labeled, they all do somewhat different things in different ways.

There are vendors who look at packets, others that look at logs or roles, and those that look at malware, among other things, and they all carry a label of analytics. But according to Dr. Chuvakin, the fact that all of the vendors do different things in different ways indicates that there is no market that you can just go to and buy a security analytics product.

Organizations need to define for themselves what they want to analyze and then assemble the required pieces, perhaps integrating with a Security Information and Event Management (SIEM) system, which in some cases is essential for aspects of security analytics to work.

In any case, the buy versus build discussion becomes much more than binary. Dr. Chuvakin explores this largely undefined territory with Security Current's Vic Wheatman.


Episode 49: A Five Time CISO on Attacks, Security Personnel Shortages, and More

Five-time CISO Jeff Klaben, who is currently at a Silicon Valley think tank and also is an adjunct professor, says there is a shortage of skilled security professionals, especially at the management level, to combat an increasingly complex enterprise attack surface.

Klaben was exploring the connection between cyber security education, threat intelligence and incident response. He told Security Current's Vic Wheatman that the aim was to create actionable intelligence but the question remained, "how do we prepare folks to leverage these tools and capabilities?"

He said education and particularly mentoring within an organization would be integral to a successful security program and encouraged CISOs to mentor up and coming security professionals within. Klaben also called on CISOs to work with security start-up vendors to, at the very minimum, provide them feedback so as to ensure they are developing cutting edge technologies. 

He was speaking at the Security Innovation Network's (SINET) Conference at the Computer History Museum in Mountain View, California.


Episode 48: Automotive Security and the Car of the Future

Imagine a future when cars are no longer controlled by the driver.

With automatically controlled cars coming "just around the corner" and with more automation features being introduced there are concerns that vehicles might be vulnerable to security attacks.

But advancements in connectivity and automation need to keep pace with market needs. Automation may be able to make a dent in the 33 thousand annual road fatalities.

So what should be the relative roles of government and industry? Should the automobile companies collaborate on security and are they doing it already?

Security Current's Vic Wheatman spoke with Dr. Peter Sweatman, Director of the University of Michigan's Transportation Research Institute, about the self-driving car. The podcast was recorded at SINET, the Security Innovation Network's recent conference in Mountain View, California.


Episode 47: Cloud Security Monitoring, Cloud Access Security Brokers and MSSPs

Monitoring new cloud environments for adequate security is challenging, particularly when trying to determine which approach might be best.

Most Managed Security Service Providers (MSSPs), while "out there" in someone else's data center, are not operating from the cloud and are not necessarily the right choice for monitoring the security of cloud instances.

Organizations have a responsibility to manage the relationship when MSSPs are used or money could be wasted.

Emerging between the enterprise and the cloud are Cloud Access Security Brokers or CASBs. These topics are explored in this discussion between Security Current's Vic Wheatman and Gartner Research Vice President Dr. Anton Chuvakin.

Episode 46: Addressing a Critical Vulnerability Management Problem

Scanning a network, devices or applications for security vulnerabilities may not tell the whole story or even tell the true story. IP addresses and host names are a moving target, constantly changing. This leads to frustration and potentially remediation of the wrong assets while broken assets may remain unevaluated and vulnerable. And the problem is worse as organizations use cloud environments. 

In this sponsored podcast, Security Current's Vic Wheatman speaks with security expert Tom Desot, CIO of Digital Defense Inc., who talks about the problem and offers ways to mitigate it.

Some research suggests that 97 percent of organizations are already compromised, according to former Gartner analyst Eric Ouellet. And according to Ouellet, the hackers are smarter and more persistent than ever, often understanding an organization's particular computing environment better than its owners do.

Recorded on the streets of San Francisco with Security Current's Vic Wheatman, Ouellet, who is currently VP of Strategy for Bay Dynamics, says that hackers will find a way to get inside an organization's network even if it takes a long time. There is only so much you can do to protect your environment, Ouellet adds, and he points to credit card companies' use of anomalous behavior detection as where the industry needs to head to mitigate attacks.


Episode 44: FBI Views on Cybersecurity and Information Sharing

The recent US Presidential Directive along with White House statements on cybersecurity have brought new energy to law enforcement approaches against cybercrime. 

Sharing threat data within the public and private partnership is becoming increasingly important as work continues to mitigate security breaches.

In this podcast, Security Current's Vic Wheatman speaks with FBI Assistant Special Agent in Charge for San Francisco Cyber Division Malcolm K. Palmore about the evolution of cyber threats, cyber terrorism, and industrial espionage and the FBI's focus.


Episode 43: The City of San Diego's CISO Talks Security & Innovation

You wouldn't think that innovation and city government go hand in hand but in The City of San Diego that is precisely the case. 

In this conversation with Vic Wheatman, the city's CISO Gary Hayslip discusses how the City of San Diego embraces cutting edge technology, working with early stage security startups. At the same time he is dealing with legacy systems that are "duct taped" to newer applications in an environment that is increasingly using cloud services to cope with its security requirements. 

With 41 departments and 400 applications under his purview, Hayslip talks about how, by their very nature, they are under constant threat. He relays his top three security issues that keep him up at night and how he has developed programs to attract and retain talented security professionals.


Episode 42: Emerging Deception Techniques, Technologies and Tools

There's a desire to "get back" at infrastructure attackers through offensive deception techniques. Products are just emerging designed to lead the bad guys into worthless, time-wasting activities to minimize the damage they can cause. But there are risks to existing business processes and partner relationships, suggesting a cautionary approach.

Security Current's Vic Wheatman speaks with Lawrence Pingree, Research Director at Gartner, Inc. about this new class of tools for cyberspace defense.


Episode 41: Aviation Security: Who's Looking Out for Us?

The aviation industry is a pillar of critical infrastructure, and it is very complicated: it has cargo, passenger, military and leisure components with an overlay of complex communications systems. 

Networks connect all of this information, yet each airline and its network is independent. There are potential vulnerabilities that can be exploited by people intending to do harm. 

What agencies are responsible for securing air travel? Security Current's Vic Wheatman speaks with attorney Lawrence Dietz, General Counsel and Managing Director of Information Security at TAL Global Corporation, about who is responsible for aviation security from a cyber perspective.


Episode 40: A Small Company Takes on the Devil Inside the Beltway (the FTC)

LabMD processes medical specimens. One day, a security services company emailed them advising that its patented searching software, which looks for problems caused by peer-to-peer applications, found a file with sensitive information.

The security company offered its services at $475 an hour in what was interpreted as a shakedown. LabMD refused to play and refused to pay, choosing to mitigate the problem themselves. 

The security company turned over its finding to the Federal Trade Commission (FTC), leading to a multi-year, resource-draining battle by LabMD to try to prove that it did nothing wrong. 

Security Current's Vic Wheatman spoke with LabMD's CEO Mike Daugherty, author of The Devil Inside the Beltway: The Shocking Expose of the US Government's Surveillance and Overreach into Cybersecurity, Medicine and Small Business. Daugherty talks about taking on a government bureaucracy over matters of principle. 

Also, read Security Current's Richard Stiennon's review of Daugherty's book.


Episode 39: Legal Issues with BYOD Security

With Bring Your Own Device (BYOD) increasing in the workplace, the question arises of employer and employee rights governing the use of these employee-owned tablets, laptops, smartphones and other personal devices. What are the rights when these devices are used for work-related activities?

How do you balance productivity and the protection of corporate intellectual property? How does labor law factor into the discussion?

securitycurrent's Vic Wheatman speaks with Lawrence Dietz, General Counsel and Managing Director of Information Security at TAL Global Corporation on these issues. 


Episode 38: Where are the New Security Professionals Coming From?

There is a shortage of operational security professionals, with approximately 100,000 open positions seeking technically qualified people. Supporting education in STEM, sourcing ex-military and promoting people from the ranks of general information technology are some of the ways the market is working to fill the gap.

securitycurrent's Vic Wheatman speaks with John Pescatore, securitycurrent's Ask Mr. Security Answer Person and the SANS Institute Director of Emerging Security Trends about the pressing nature of the problem. 


Episode 37: How History Impacts Security Around the World

It takes a village to build a secure world. Privacy and security are intertwined, but approaches in America are subtly different from those taken in Europe. For Americans infrastructure security is paramount, while Europeans are focused on privacy.

Do terrorists win if you don't buy a firewall? What is the role of Fear, Uncertainty and Doubt (FUD)? securitycurrent's Vic Wheatman speaks with Johannes Lintzen of Germany-based Utimaco about the different ways information security has evolved around the world. 


Episode 36: Securing the API Economy: A CISO Tutorial

With the growth of APIs, and in particular of REST-based architectures, developers need to rethink how they secure them. So what should CISOs know about securely developing new mobile, Internet of Things (IoT) or cloud-based applications?

There are multiple security components to consider including new authentication mechanisms, link protection and hardening systems against vulnerabilities.

securitycurrent's Vic Wheatman speaks with Roberto Medrano, Executive Vice President for SOA Software, about this emerging space. 


Episode 35: A Secure Internet of Things Communications Ecosystem

As the Internet of Things (IoT) evolves security is often an afterthought. One of the greatest challenges facing IoT project teams is ensuring the communications links are secure.

securitycurrent's Vic Wheatman speaks with PubNub CEO Todd Greene on the challenges of securing the IoT. Greene outlines use cases where enterprises as diverse as Coca Cola, Nike, McDonalds and Dodge are using secure data communications for a variety of IoT applications.

The podcast was recorded at the Internet of Things Expo produced by Sys-Con Events in Santa Clara, California.


Episode 34: PKI and Securing the Internet of Things

Whatever happened to public key infrastructure (PKI)? Despite rumors of its demise, PKI is not dead! However, it has essentially disappeared into the applications, processes and products it is now protecting.

The current iteration of PKI is being used to protect devices on the IoT. securitycurrent's Vic Wheatman speaks with Johannes Lintzen, a security expert at Utimaco, about the evolution of PKI in a world where IP is everything. 

This podcast was recorded at the Internet of Things Expo produced by Sys-Con Events in November in Santa Clara, California. 


Episode 33: Smart Carpets and Cheney's Heart - A CISO's Look at the Security of Things

How does a CISO approach the special security and privacy issues involved in a medical setting as the Internet of Things moves forward?

Jeff Misrahi, CISO of AdvantageCare Physicians, a multi-specialty physician practice delivering comprehensive, community-based care throughout the New York metropolitan area, discusses this topic with securitycurrent's Vic Wheatman.

Misrahi also describes best practices on transmitting data, wireless devices, how security should ideally be approached in a distributed enterprise and where he fits in the organizational structure.

Episode 32: Information Sharing Among Security Executives Part Two of Our Interview with the First CISO, Steve Katz formerly of Citigroup

Who should the CISO report to in the organization? How can CISOs who are at competing organizations share information security without tension? And what is the relationship between risk, compliance and information security? 

In part two of our interview with Steve Katz, recognized as the first CISO, Vic Wheatman discusses these and other issues. 

Episode 31: An Interview with the First CISO, Steve Katz Formerly of Citigroup

Steve Katz, credited with being the first Chief Information Security Officer (CISO), sets the record straight on that honorific. He talks about what it was like being the first CISO, jesting that he slept like a baby, getting up every two hours and crying. 

In the first of a two-part interview, Katz tells securitycurrent's Vic Wheatman how he sees the role of CISO. He suggests a new title for it and proposes a process whereby business units would be required - in writing - to accept responsibility should they take risks that the CISO advises against.

Katz now advises Deloitte in security and privacy and heads up Security Risk Solutions LLC. 

Episode 30: Securing Embedded Systems on the Internet of Things

Embedded systems, the Internet of Things and security. What do these things have in common?

Once in use, industrial, medical, avionics and other systems typically don't get upgraded, yet they need to keep operating in a safe and trusted manner. In the world of the Internet of Things, where new, creative offerings are quickly hitting the market, security is often just an afterthought. 

securitycurrent's Vic Wheatman speaks with Senior Technical Marketing Engineer Roman Romaniuk of Wind River, a provider of secure operating systems that are also in use on the planet Mars, as you'll hear in this podcast. The podcast was recorded at the Gigaom Structure Connect conference in San Francisco.

Episode 29: Overcoming Security Silos

The drumbeat of breaches -- Home Depot, Target, Jimmy John's and the list goes on -- continues almost daily. Why is this the case? It doesn't appear to be a lack of security investment or governance.

As you'll hear from one former Gartner analyst who has 'gone over to the dark side,' a key problem is that individual security functions largely exist in isolated silos. Eric Ouellet, who is now VP of Strategy at Bay Dynamics, says this approach leads to data overload for security analysts causing fatigue and subsequently inadequate responses to attacks.

Ouellet tells securitycurrent's Vic Wheatman that traditional approaches have flaws and generally lack the correlation of threat information from one silo to the rest, which would support holistic responses.

Episode 28: Threat Intelligence. What is It? How is it Used?

Threat Intelligence is more than just a list of bad actors' IP addresses. The best sources of threat intelligence tend to be the more mature and 'enlightened' providers who employ a substantial number of security analysts who can evaluate the nature of the threats.

In fact, some are able to drill down not only to specific groups of threat actors or countries that may be after an organization but to the specific people who may be out to get them as well. But how do most organizations use this information and what kind of threat intelligence would help you the most? 

securitycurrent's Vic Wheatman discusses these topics with Gartner Research Vice President Dr. Anton Chuvakin.

Episode 27: Data Loss Prevention Use Cases

Data Loss Prevention (DLP) solutions help keep private data private. Using rules that encode an organization's data-handling policies, DLP can recognize sensitive information in outbound traffic and prevent it from being exfiltrated.

But CISOs are walking a fine line. They must be careful not to inhibit user and business processes lest there be dire business consequences.

securitycurrent's Vic Wheatman speaks with ex-Gartner analyst Eric Ouellet, who is now Vice President of Strategy at Bay Dynamics, about how DLP actually works and where it can be used.
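The rule-based detection the episode describes, as an added example that is not code from the podcast or from Bay Dynamics. It scans outbound text for payment card numbers, uses a Luhn check to reject look-alike digit runs such as order numbers, and applies a hypothetical policy that blocks card numbers going to external recipients while only auditing internal ones. The policy, rule names and sample messages are constructed for illustration.

```python
"""Minimal DLP content rule for payment card numbers (added example).

Not the podcast's or any vendor's code. The policy dictionary, recipient
domains and sample messages below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
# The lookarounds keep us from matching inside longer digit runs.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs (order IDs, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers found in text, separators stripped."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep first six and last four so an analyst can triage without seeing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Verdict:
    action: str                      # "allow", "audit" or "block"
    reason: str
    evidence: List[str] = field(default_factory=list)


# Hypothetical policy: which mail domains count as inside the organization.
POLICY: Dict[str, object] = {"internal_domains": {"example.com", "corp.example.com"}}


def evaluate(message: str, recipient: str, policy: Dict[str, object] = POLICY) -> Verdict:
    """Apply the policy: block PANs to external recipients, audit internal ones."""
    pans = find_pans(message)
    if not pans:
        return Verdict("allow", "no sensitive data matched")
    domain = recipient.rsplit("@", 1)[-1].lower()
    evidence = [mask(p) for p in pans]
    if domain in policy["internal_domains"]:
        return Verdict("audit", f"{len(pans)} card number(s) sent internally", evidence)
    return Verdict("block", f"{len(pans)} card number(s) to external domain {domain}", evidence)


if __name__ == "__main__":
    # Constructed sample messages: one real-looking PAN (a well-known test
    # number), one 16-digit order number that fails Luhn, one phone number.
    samples = [
        ("Customer card 4111 1111 1111 1111 expires 12/26", "partner@other.example"),
        ("Order 1234 5678 9012 3456 has shipped", "partner@other.example"),
        ("Call me on 415-555-0100", "bob@example.com"),
        ("Refund to 4111-1111-1111-1111 please", "finance@example.com"),
    ]
    for text, rcpt in samples:
        v = evaluate(text, rcpt)
        print(f"{v.action:5} {v.reason} {v.evidence}")
```

The Luhn step is what keeps the rule from flagging every 16-digit order or tracking number; a production deployment would add further rules (national IDs, document fingerprints) and would log the masked evidence, never the full PAN.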

Episode 26: History of Malware and How Privacy Gets No Respect

Malware in its various forms has been around since the start of the computing age, but one platform remains more susceptible to evil code than others, with more than 1 million new unique virus signatures discovered each and every day, according to F-Secure.

Also according to F-Secure's Threat Strategist David Perry, it is "primarily a Windows world attribute." However, the concerns are shifting with the proliferation of mobile. And just as the Internet offers little native security, it also does not respect privacy.

In this entertaining and humorous exchange recorded at Black Hat, securitycurrent's Vic Wheatman and David Perry discuss these and other issues.

Episode 25: Security Incident Response and the Lack of Sleep

It is often law enforcement that finds evidence of a security breach first. Being able to respond effectively to breaches can reflect on an organization's reputation. 

There is always malware running somewhere. Some enterprises have Security Response Teams, but many do not. If it is a one-man shop should they be a 'doer' or a 'coordinator?' If it is a large team, how should it be structured? What is the role of third parties and can open source tools be used? 

securitycurrent's Vic Wheatman speaks with Gartner Research Vice President Dr. Anton Chuvakin on this business critical issue.

Episode 24: Do Honeypots Still Have Value in Network Security?

Honeypots, used to detect cyber attacks, have been around information security for a long time.

The non-profit Honeynet Project is dedicated to investigating the latest attacks and working to improve the utility of honeypots in today's changing network environment.

In this podcast Vic Wheatman speaks with Gartner VP of Research Dr. Anton Chuvakin about this sticky issue. They weigh the benefits of low-interaction honeypots, which simulate only the services attackers most often probe, against high-interaction honeypots, which imitate the full behavior of production systems hosting a variety of services.
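A low-interaction honeypot of the kind contrasted above, as an added example that is not code from the Honeynet Project or from the podcast. It emulates only the first exchange of three commonly probed services (an SSH banner, a telnet login prompt, an HTTP response), records what each peer sends as a JSON event, and labels the probe so an analyst can triage it. The ports, banners, event fields and sample probe bytes are constructed for illustration.

```python
"""Low-interaction honeypot: canned first responses on a few probed ports.

Added example, not the Honeynet Project's or the podcast's code. Ports,
banners, the event schema and sample probes are constructed for illustration.
"""
import json
import socket
import threading
import time
from typing import Callable, Dict, Optional, Tuple

# Low interaction: one canned reply per service is enough for a scanner to
# log a "live service" and for us to capture what it sends next.
EMULATED: Dict[int, bytes] = {
    22: b"SSH-2.0-OpenSSH_7.4\r\n",
    23: b"\r\nlogin: ",
    80: (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.6\r\n"
         b"Content-Length: 0\r\nConnection: close\r\n\r\n"),
}
CLIENT_SPEAKS_FIRST = {80}          # HTTP waits for the request; SSH/telnet do not


def classify_probe(port: int, data: bytes) -> str:
    """Rough label for what the peer sent, used for triage and alert routing."""
    if not data:
        return "connect-only"        # port scan, no protocol interaction
    if port == 22 and data.startswith(b"SSH-"):
        return "ssh-client-banner"
    if port == 80 and data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "http-request"
    if port == 23:
        return "telnet-input"        # credentials or IAC negotiation bytes
    return "unknown"


def build_event(port: int, peer: Tuple[str, int], data: bytes,
                ts: Optional[float] = None) -> dict:
    """One JSON-serialisable record per connection; payload kept as hex."""
    return {
        "ts": ts if ts is not None else time.time(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": port,
        "kind": classify_probe(port, data),
        "payload_hex": data[:256].hex(),   # cap what we store per connection
    }


def handle(conn: socket.socket, peer: Tuple[str, int], port: int,
           sink: Callable[[str], None]) -> dict:
    """Send the canned banner, read at most one client message, log, close."""
    conn.settimeout(5)
    data = b""
    try:
        if port not in CLIENT_SPEAKS_FIRST:
            conn.sendall(EMULATED[port])
        try:
            data = conn.recv(1024)
        except socket.timeout:
            pass
        if port in CLIENT_SPEAKS_FIRST:
            conn.sendall(EMULATED[port])
    except OSError:
        pass                          # peer reset; still log the attempt
    finally:
        conn.close()
    event = build_event(port, peer, data)
    sink(json.dumps(event))
    return event


def serve(port: int, bind: str = "127.0.0.1",
          sink: Callable[[str], None] = print) -> None:
    """Accept loop for one emulated port; one thread per connection."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, args=(conn, peer, port, sink),
                             daemon=True).start()


if __name__ == "__main__":
    # Binding 22/23/80 needs privileges; remap to high ports when unprivileged.
    for p in EMULATED:
        threading.Thread(target=serve, args=(p,), daemon=True).start()
    while True:
        time.sleep(60)
```

Because the honeypot never executes anything the attacker sends, the risk of it being turned against the network is low; the trade-off, as the episode notes, is that a careful attacker will recognise the canned responses, which is where high-interaction honeypots earn their extra operational cost.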


Episode 23: Raytheon's Perspective on Commercial Information Security Projects

Why should a commercial entity consider a defense contractor for security projects? Answering the question is Edward Hammersla, President of Raytheon's Trusted Computer Solutions, Inc.

Hammersla provides perspective on the role of trusted operating systems, the ways of protecting data in a highly sensitive bring your own device (BYOD) environment and the appeal of using the term "cyber" in describing today's approaches to information security.  

Hammersla was speaking with securitycurrent's Vic Wheatman. 


Episode 22: Attack Intelligence, Big Data and the X-Ray Machine that Could Hack

Black Hat Series

There are a multitude of threat data sources used by Intrusion Prevention Systems (IPS) and anti-malware products to strengthen enterprise protections. Differentiating in this competitive, almost commoditized market is largely a matter of numbers.

securitycurrent's Vic Wheatman speaks with Jeff Harrell, Sr. Director of Product Marketing for Norse, a threat intelligence company that offers an appliance it says is designed to detect and defend against attacks from "darknets" as well as other Internet-based attacks.

They talk about this saturated market and Harrell discusses the x-ray machine that was used to verify the validity of stolen credit cards.


Episode 21: Yale New Haven Health System -- A Real-World Case Study

Cyber attacks are increasing across industries, and in healthcare in particular: medical-related identity theft accounted for 43 percent of all identity thefts reported in the United States last year, according to the Identity Theft Resource Center. Managing risk has never been more pressing for organizations.

With risk growing daily and the consequences -- both in terms of data loss, patient and employee confidence and potential fines -- looming large, one healthcare organization that takes cyber security seriously is Yale New Haven Health System.

Steve Bartolotta, who heads the health system's information security and risk management program, talks about the challenges facing organizations today across verticals and what measures he recommends taking. 

In this podcast with securitycurrent's Vic Wheatman, Bartolotta talks about the actual tools he uses to support Yale New Haven's risk management system and what he has gained from them.



Episode 20: Securing the Branch Location and Remote Sites

Hackers continue to go after the easiest target -- the branch or remote office be it a gas station, retail store, bank branch, local health clinic or the like.

Armed with the knowledge that organizations are increasingly distributed and most organizations' budgets are allocated to headquarters, a branch or remote office often provides an easy access point for attackers.

Vic Wheatman speaks at Black Hat with Dave Porcello, CTO and founder of Pwnie Express on what kinds of attack the organization should actually be concerned about.

Is it the advanced persistent threat or is it that unknown rogue access point? As you'll hear from Porcello, your organization may have unbelievable security 99 percent of the time but it's that one computer, or air conditioning duct, that often opens the door.

Listen Now!



Episode 19: "Backoff" Point of Sales Malware, Ransomware, and More

Purpose-built, specialized malware dubbed "Backoff" is being found in point-of-sale (POS) systems. At the time of discovery, the malware, which gathers magnetic stripe data, keyed data and more, had low to zero percent anti-virus detection rates. 

That meant that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious, according to the National Cybersecurity and Communications Integration Center (NCCIC), US Secret Service (USSS), Financial Services Information Sharing and Analysis Center (FS-ISAC), and Trustwave SpiderLabs.

Meanwhile, exploit kits enabling ransomware are holding data hostage. These business models for criminals are proving to be very lucrative. securitycurrent's Vic Wheatman spoke at Black Hat with Karl Sigler, Manager SpiderLabs Threat Intelligence at Trustwave, on "Backoff" and the latest findings from Trustwave's Global Security Report.

Listen Now!



Episode 18: The Bad Guys Get Smarter 

IBM's Security Systems X-Force recommends a shift from focusing on protecting the perimeter to securing applications.

The X-Force publishes a quarterly threat report that analyzes security breaches and the methods used by the bad guys. Based on over one million data points, the report found that Java, SQL injection, cross-site scripting and authentication problems remain challenges for developers, and it recommends they adopt a secure development lifecycle to reduce system vulnerabilities.

At Black Hat in Las Vegas, securitycurrent's Vic Wheatman spoke with Michael Hamelin, IBM's Lead X-Force Security Architect on today's most prevalent forms of attack and what should be done.

Listen Now!


Episode 17: Sex Tapes, Cloud and Security

A recent movie, "Sex Tape," shows what happens when a private video goes "up into the cloud" for everyone to see. 

A memorable refrain from one of the characters is "Nobody Understands the Cloud."

In this sponsored podcast, securitycurrent's Vic Wheatman speaks with cloud expert JD Sherry of Trend Micro about the controls and protective services organizations should implement to protect their cloud-based applications.

Listen Now!


Episode 16: Is Big Data Analytics for Security Mainstream?

Security analysts and experts often talk about big data security analytics as a burgeoning space. Is that really the case?

What is the reality behind big data analytics for security? Is it mainstream? Does a security analytics market even exist? 

securitycurrent's Aimee Rhodes speaks with Gartner Research Vice President Anton Chuvakin who researched big data security analytics to find out what it is good for, where it is heading, who is using it, who isn't using it and who should be using it. 

Listen Now!


Episode 15: From UserID and Password to Digital ID 

Many consumer-facing e-commerce implementations depend on 1960s technology to identify and authenticate customers. SecureKey is bringing authentication down to the device and chip level in order to combat fraud. It also is working to share digital IDs across an Identity Federation.

securitycurrent's Vic Wheatman speaks with SecureKey's CEO Charles Walton about these timely issues.

Listen Now!


Episode 14: The Flavors of Intelligence.

What are intelligence aware security controls? Intelligence sharing domains? Shared response infrastructures?  Are they just information security buzz words or do they have actionable meaning? 

securitycurrent's Vic Wheatman speaks with Gartner Research Director Lawrence Pingree about these concepts and their usefulness as part of an information security program.

Listen Now!


Episode 13: Voltage Spies Secure Email.

From email to texting and other forms of social media, the need for protected communications underscores the requirement to continue encrypted messaging development. 

Despite legacy and current solutions on this matter, academic and private research continues in an effort to apply encryption to solving new business problems in numerous contexts. 

securitycurrent's Vic Wheatman speaks with Voltage's Chief Technology Officer Terrence Spies about the continuing evolution of secure messaging. 

Listen Now!


Episode 12: PCI DSS Version 3: What's New?

Does the Payment Card Industry Data Security Standard (PCI DSS), now in its 3rd version, actually increase the safeguards enterprises are required to take to protect customer data?

According to the PCI Security Standards Council, PCI DSS is a comprehensive standard "intended to help organizations proactively protect customer account data."

But with the continuous news of breaches, is it successful? Is being compliant for an audit, essentially a snapshot in time, enough or has the latest version succeeded in bolstering security over the long haul?

securitycurrent's Aimee Rhodes speaks with Gartner Research Vice President Anton Chuvakin, who has spoken with the Standards Council, on the changes in the latest version, how the standard has made real progress in fostering security and what to look forward to in the future with mobile processing.

Listen Now!


Episode 11: Security Tools in the Cloud.

What are use cases for security tools for protecting information in the cloud?

What organizational changes can trigger an enterprise to adopt additional cloud-based protection?

We are increasingly seeing a growth in cloud security providers offering tools to protect information and retain control.

securitycurrent's Vic Wheatman speaks with CipherCloud's Chief Trust Officer Bob West about what we can expect to see in the growing field of cloud security.

Listen Now!


Episode 10: Security Entrepreneurs Forum 2014; Bridging the Gap Between the Federal Government and Private Industry.

The Security Innovation Network (SINET) this week held its annual IT Security Entrepreneurs Forum in Silicon Valley. 

There, connections were made among early stage security companies, investors, lawyers, regulators, educators and others.

securitycurrent's Vic Wheatman spoke with SINET Chairman and Founder Robert Rodriguez who talks about the goals of the conference, gives its flavor and looks at the role emerging companies take in combatting proliferating security threats.

Listen Now!


Episode 9: The Value of Data Visualization in Threat Intelligence.

How valuable is data visualization in spotting patterns on attacks on individuals, institutions or locations? 

Understanding what is going on in this realm can help organizations protect themselves against organized cyber criminals, rogue intelligence agencies (or not so rogue possibly), and malevolent nation states. 

securitycurrent's Victor Wheatman speaks with Mike Horn, Co-founder and CEO of NetCitadel, a security incident response vendor about this and other issues.

Listen Now!


Episode 8: The Ability to See All the Things: Vulnerability Assessment and Pentesting. 

What security vulnerabilities are you not seeing in your remote facilities or branch offices? Are you the next Target?

Dubbed a hack-in-the-box, Pwnie Express leverages the same open source tools used by hackers to provide enterprises visibility and the ability to assess vulnerabilities across their networks, both wired and wireless. 

securitycurrent's Victor Wheatman speaks with Pwnie Express CEO Paul Paget on the importance of consistent vulnerability assessment and penetration testing across the enterprise. 

Listen Now!


Episode 7: Tokenization. What is it?

How does tokenization compare to encryption and format preserving encryption?

Are there performance issues regarding its use? Is it standardized so one solution can exchange tokens with a different implementation?

securitycurrent's Victor Wheatman speaks with Voltage CTO Terrence Spies who urges enterprises to look at their infrastructures, take inventories of what pieces of data they are storing and could be breached, and then catalogue them as they are potential candidates for tokenization.
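Vault-based tokenization of card numbers, as an added example that is not Voltage's product code or anything from the podcast. It shows the properties that distinguish a token from ciphertext: the token is random and has no mathematical relationship to the PAN, so no key recovers it without the vault; it preserves the PAN's length and last four digits so downstream systems keep working; it deliberately fails the Luhn check so it cannot be mistaken for, or charged as, a real card number; and the same PAN always yields the same token so joins and analytics on tokenized data still work. The vault class, its token format and the sample card number (a well-known test PAN) are constructed for illustration.

```python
"""Vault-based, format-preserving tokenization of PANs (added example).

Not Voltage's or any vendor's code. The TokenVault class, the token format
(keep last four, random Luhn-invalid prefix) and the sample PAN are
constructed for illustration.
"""
import secrets
from typing import Dict


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used both to validate input PANs and to reject tokens
    that would themselves pass as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_well_formed_pan(pan: str) -> bool:
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)


class TokenVault:
    """Maps PANs to random, format-preserving, Luhn-invalid tokens.

    The vault is the one system that still holds PANs (and so stays in PCI
    scope); everything else handles only tokens. A real vault would encrypt
    the PAN column at rest and authenticate every detokenize call.
    """

    def __init__(self, keep_last: int = 4):
        self.keep_last = keep_last
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not is_well_formed_pan(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:          # deterministic: same PAN, same token
            return self._pan_to_token[pan]
        tail = pan[-self.keep_last:]
        n_random = len(pan) - self.keep_last
        while True:
            head = "".join(secrets.choice("0123456789") for _ in range(n_random))
            token = head + tail
            # Reject collisions, the PAN itself, and anything Luhn-valid so the
            # token cannot be mistaken for (or charged as) a real card number.
            if token not in self._token_to_pan and token != pan and not luhn_ok(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None

    def __len__(self) -> int:
        return len(self._token_to_pan)


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"                   # constructed test PAN
    tok = vault.tokenize(pan)
    print("PAN  :", pan)
    print("token:", tok, "(Luhn valid:", luhn_ok(tok), ")")
    print("same PAN again ->", vault.tokenize(pan) == tok)
    print("detokenize     ->", vault.detokenize(tok) == pan)
```

Contrast this with format-preserving encryption, which also yields a digit string of the same length but derives it from the PAN under a key: FPE needs no vault and scales across systems that share the key, whereas a token is only as recoverable as the vault that issued it, which is exactly why it takes the systems that hold tokens out of scope.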

Listen Now!


Episode 6: Security and the Internet of (Every)Thing.

How are data and communications going to be protected as CPUs and Near Field Communications chips become less expensive and are embedded into the Internet of (Every)Thing?

What are some leading indicators and social media trends that will drive the need? 

securitycurrent's Victor Wheatman speaks with Internet of Things (IoT) and mobile application security provider Mocana CEO James Isaacs, and their newly appointed Senior Vice President of Marketing and Corporate Development John Aisien.

Listen Now!


Episode 5: Threat Intelligence.

What is it? Who provides it? What should an enterprise do with it? 

securitycurrent's Victor Wheatman speaks with Spire Security's Pete Lindstrom on this central topic in information security.

Listen Now!


Episode 4: Defensive cloud and virtualization. 

A survey conducted by cloud security automation provider HyTrust found that consumers believe corporations don't really care about protecting consumer data. Yet companies are increasingly moving to the cloud, causing a concentration of risk.

securitycurrent's Victor Wheatman speaks with HyTrust's Co-founder and President Eric Chiu about improving trust and what comes after cloud. 

Listen Now!


Episode 3: Security from the top.

What do c-level executives of an organization need to know about security given recent trends? Join Trend Micro's JD Sherry, VP of Technology and Solutions and Rik Ferguson, VP of Security Research as they talk about third party risk, PCI compliance, cyber insurance and the Dark Web with securitycurrent's Victor Wheatman.

Listen Now!


Episode 2: Symantec's CyberWar Games 2014.

Victor Wheatman speaks with Enterprise Management Associates Research Director for the Security and Risk Management Group David Monahan and Forrester Research Principal Analyst for Security Risk Professionals Edward S. Ferrara on Symantec's CyberWar Games 2014. 

Some 40 of Symantec's best and brightest attacked a mock bank both logically and physically. Wheatman, Monahan and Ferrara, who were briefed on the exercise, discuss the general state of security across banks, give examples of attacks and reveal the aim of the hackers.

Listen Now!


Episode 1: The NSA and RSA.

Victor Wheatman speaks with Gartner analyst Lawrence Pingree on the NSA and RSA and calls by some members of the security community to boycott the upcoming security conference. 

It began with a Reuters story from Joe Menn: "Exclusive: Secret contract tied NSA and security industry pioneer." The report disclosed that RSA, the crypto pioneer and security products vendor, had allegedly accepted a secret $10 million payment from the NSA in order to incorporate a backdoor into its BSafe crypto suite.

Hear their take. 

Listen Now!
