#1674148: This Security Control Is So Good We Don’t Even Have to Turn It On (LIVE in Clearwater, FL)

Description: Full Transcript
Intro

0:00.000

[Rich Stroffolino] If you’ve ever wanted to cut through the fluff and get real answers about a security solution, we’ve got the podcast for you. Security You Should Know is our new 15-minute show, where two security leaders ask the questions you actually care about, straight from the vendors themselves. No sales pitches, just the insights you need to solve your problems. Listen now at CISOseries.com or wherever you get your podcasts.

[Voiceover] Biggest mistake I ever made in security. Go!

[Jim Bowie] Letting my parents convince me to help them recover files off their hard drive.

[Laughter]

[Voiceover] It’s time to begin the CISO Series Podcast, recorded in front of a live audience in Clearwater, Florida.

[Applause]

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. And yes, we are live in Florida, in Clearwater, Florida, for the Convene Conference. I don’t believe there’s actually a town named Convene. Is there one, Christina?

[Christina Shannon] No, not last time I checked.

[David Spark] No, there is not. There is not a town like that. That right there is the voice of my guest co-host for today’s episode. It is Christina Shannon, the CIO of KIK Consumer Products. Let’s hear it for Christina.

[Applause]

[Christina Shannon] Thanks for having me.

[David Spark] All right. Well, we love having you here. All right. We’re available at CISOseries.com, if you didn’t already know that. And our sponsors, let’s hear it for our sponsors. I believe the gold sponsors of this event are Proofpoint, Cofense, and KnowBe4. You’ll be learning more about all of them, those of you in the room, and those of you listening to the recording, a little bit later in the show. All right.

Here’s one quick announcement I do want to make. I want to tell you about this, Christina, because I don’t know if you know the details on this. But when this episode releases, we will have officially launched publicly our brand-new show, but we have soft launched it now. So, those of you in the room can actually see this, but it’s a brand-new show called Security You Should Know. Sound like a good topic? It is a takeoff on a very popular other podcast that has a similar name. But this came as a result of interviewing both vendors and CISOs about what they want when they engage, or when a CISO talks to a vendor. So, let me ask you, when you are looking for a solution, what’s your best sort of route of finding a solution for a category? Like you don’t know anything about the category, and you’re trying to learn and look for a proper product. How do you go about doing that?

[Christina Shannon] Gartner, social media, phoning a friend. [Laughter]

[David Spark] Phoning a friend.

[Christina Shannon] Yes.

[David Spark] Now, let me ask you, of those three, which one do you lean on the most, would you say?

[Christina Shannon] Probably phoning a friend first.

[David Spark] Phoning. Now, that we hear a lot. We hear the phone a friend a lot. And that was kind of the idea behind this because the problem with phoning a friend is if they’re all using the same product, you’re kind of in an echo chamber. Alan Alford, a former co-host of mine, explained that. So, the point of Security You Should Know is we have vendors on, and they’re interviewed by two CISOs, and they ask some questions. They’re CISOs interested in the category, and they ask some questions relevant to their product. So, the idea is it’s kind of like phoning a friend in that you’re hearing from other CISOs what they think about the product. So, that’s kind of in line. But you would only look at the episode and say, “Oh, this is a category,” because it would be titled whatever the category is. It’d be that you would only listen if you were interested in that category.

[Christina Shannon] That sounds like a great way to find, I mean to speed up the time and efficiency and effectiveness for identifying solutions that solve real world problems.

[David Spark] And to make it even more attractive, we keep it short. They’re less than 15 minutes. All right. Let’s bring in our guest. Let’s bring in our guest right now. No more of the plugging of our brand-new show. You in the room can go check it out before really anybody else knows. It’s available on our site. You’ll have to go under the Shows menu to check it out because we kind of hid it a little bit. But let me introduce our guests. Both of the people on stage have been on our show before, so I know they’re going to deliver for you. Not too much pressure. To my far left is the CISO for Tampa General Hospital, Jim Bowie. Let’s hear it for him.

[Applause]

[Jim Bowie] Thank you. It’s good to be here.

Pay attention. It’s security awareness training time.

4:23.996

[David Spark] You’re never done with security awareness training. Everyone in this room knows that. You wouldn’t have a job if you were, for that matter. So, we all know that annual training for compliance just does not cut it. It’s a constant process. But Santosh Kamane of Rivedix argued it requires long term planning, and he suggested picking out different themes and exercises at the start of the year to build a cumulative effect. I’m going to start with you, Christina, on this. Is this an effective strategy? And if so, what would be in a long-term plan? Like what are the different stages we’re looking at?

[Christina Shannon] Yeah, I mean, if you decide to get fit, you’re not going to the gym one time, right? We all know that. So, I think any type of program that involves continuous learning, continuous training, that’s going to ensure that your organization, that your teams, that they understand how to act just in time when there is a threat. I really like the idea of using different topics, different themes. I think the way to approach that or a really good way to approach that would be to look at where are the high-risk areas in an organization, where do the crown jewels live, and what’s the risk exposure to those? And then targeting those groups to do continuous testing, maybe on a quarterly or a monthly basis, depending upon the threat.

[David Spark] That’s a good point. It’s not just about your audience you’re trying to train. It’s what you’re also trying to protect at the same time. You’ve got to kind of marry them together. All right. What would you add to that? And I’m assuming you would agree to that theory?

[Jim Bowie] I do. I do agree with it. The only thing I would add to it, and it’s the stuff I’ve seen here today, is you’ve got to make it engaging and you’ve got to make it personal to them. So, it’s the same threat – it’s going to sound silly – but it’s the same threat surface at their home with your corporation because the attackers are going for their home first. So, what we’ve done or what I’ve seen success with is if you say, “I’m going to protect you…how to be safe at home,” they’ll carry those habits over to work, and you should have a much higher success rate and more engagement in your training.

[David Spark] All right. So, let me talk about 100-level to 400-level sort of training because we’re actually getting some pretty cool 400-level training. I’m thinking like the stuff we just saw from Perry Carpenter over at KnowBe4 with these deepfakes was pretty impressive, and your general populace really has not seen this or the depth of how it is handled. Give me an idea. What are you talking about when you’re training the people low level to high level? What are the things you’re looking at?

[Christina Shannon] When you’re training people low level to high level, you mean like the skill level, right?

[David Spark] Yeah. The skill level. Like barely know what security awareness is to I’ve been learning a lot, I’m very savvy, I’m maybe a security champion, but I want to know the latest greatest, like what I should be aware of. Kind of like what we’re seeing here today.

[Christina Shannon] [Laughter] Well, if it’s anyone in my family, I’m probably going to come up with something that is non-technical jargon that they can relate with. If it’s my dad, I might try to think of something that conceptually can tie to drinking beer and watching football, right? [Laughter]

[David Spark] Wait, does your dad work for KIK Consumer Products?

[Christina Shannon] No, he doesn’t. [Laughter]

[David Spark] So, we’re more concerned about your staff.

[Christina Shannon] Yeah. But from the staff standpoint, it’d be like the gentleman in Perry’s previous session, I think his name was Vivek, who had said, “Where’s your GitHub? Can I download it from the GitHub?” There’s some people on the team that you need to do something like that with, right? You need to let them get their hands on it, like on the product that you have, that’s doing security awareness training. And then if they’re businesspeople, I would look at who can be the champion, right? How can you tie the risk to what they care about and the business risk and then have them champion security awareness with you?

Read rest in the link
More info: https://cisoseries.com/security-control-is-so-good-we-dont-even-have-to-turn-it-on/

Date added April 2, 2025, 1:54 a.m.
Source CISO Series
Subjects
  • PodCasts / Webcast / Webinar / eSummit / Virtual Event etc.
  • Security Management/Strategic Security/ROI/ROSI