CISOWise

In this week's episode Dr. Crane talks to Mike Wilkes, formerly the CISO at Marvel Comics, about keeping Iron Man safe and digital media security.

Mike is the chief information security officer at Security Scorecard, the global leader in cybersecurity ratings, and the only service with over a million companies continuously rated. Previously he was the CISO at the American society of composers authors and publishers or ASCAP and Marvel entertainment. 

He has built transformed and protected companies such as AQR capital, CME Group, Sony, Macy's as well as other European banks and airlines, a graduate of Stanford University and author of a book for Cisco Press in 2002. He's a featured speaker at technology conferences and is a professor at NYU teaching cybersecurity courses. He's also on the board of trustees for the national jazz museum in Harlem.

This episode was recorded when Mike was the CISO at Security Scorecard, he has since moved on from  this position.

In this episode:

00:00 — Welcome

02:00 — Introductions

02:21 — Data Classification

03:50 — Document Management

05:21 — Marvel Security

06:38 — What Does Marvel Excel At In Information Security

07:55 — Tribal Knowledge For A New CISO

09:29 — Heraclitus

10:23 — Hackers

11:18 — Hacking Story

13:17 — Lessons For CISOs On Hacking And Experimenting

14:40 — Advice For New CISOs Starting a Team

18:52 — Tips For Companies Looking To Improve Security

22:24 — Sign Off

Mike Wilkes:

LinkedIn — https://www.linkedin.com/in/eclectiqus

Links in this episode:

The Security Chaos Engineering Book — https://www.kellyshortridge.com/book.html

Thanks To Our Sponsors:

Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate

CISOWise vCISO — https://www.cisowise.com/

Heinz College:

https://www.facebook.com/heinzcollege

https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/

Carnegie Mellon:

https://www.linkedin.com/school/carnegie-mellon-university

https://www.facebook.com/carnegiemellonu

Follow CISOWise on all podcast apps.

Website — https://www.cisowise.com/podcast

Show Notes & Transcript — https://www.cisowise.com/podcast/009-keeping-iron-man-safe-with-mike-wilkes

In this week's episode Dr. Crane talks to Yiannis Pavlosoglou about Resilient Systems.

From supply chain shortages to natural disruptions from changing weather patterns, it seems everything today needs to operate while under some type of duress or attack. But what do CISOs need to know to create resilient systems? And what can we learn from other CISOs who've already gone down this path? 

NIST defines cyber resiliency as the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. That's a mouthful, but what does it actually mean to have to build a resilient cyber program to drive the change management necessary to build that type of program, to put in place the governance processes and procedures necessary.

To discuss this and more, who better to talk with cyber resiliency and governance than Yiannis Pavlosoglou. Currently, the Founder and CEO at Kiberna, and most recently, the CISO for UBS in the UK. 

In this episode:

00:00 — Welcome

02:42 — Introductions

03:35 — What Is Resilience?

04:08 — What Works?

05:37 — CISO as a Change Agent for Resiliency

07:07 — Challenges Driving A Resilient Organization Forward

08:47 — Where To Look To Build Resiliency

11:01 — Challenges To Building Resiliency

12:20 — The Role Of The CISO In Leading Cyber Resiliency

16:11 — Tools For Building Resiliency

18:29 — What To Do Once You Have A Set Of Risks To Tackle

19:45 — References

21:14 — Sign Off

Yiannis Pavlosoglou:

LinkedIn — https://uk.linkedin.com/in/yiannisp

Kiberna — https://www.kiberna.com

Links in this episode:

Operation Resilience for UK Financial Bodies — https://www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operational-resilience-discussion-paper

FCA on Building Operation Resilience — https://www.fca.org.uk/publications/policy-statements/ps21-3-building-operational-resilience

CERT Resilience Management Model — https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=30375

Thanks To Our Sponsors:

Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate

CISOWise vCISO — https://www.cisowise.com/

Heinz College:

https://www.facebook.com/heinzcollege

https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/

Carnegie Mellon:

https://www.linkedin.com/school/carnegie-mellon-university

https://www.facebook.com/carnegiemellonu

Follow CISOWise on all podcast apps.

Website — https://www.cisowise.com/podcast

Show Notes & Transcript — https://www.cisowise.com/podcast/008-resilient-systems-with-yiannis-pavlosoglou

In this week's episode, CISOWise guests such as Mike Wilkes, former CISO for Marvel, Nick Shevelyov, former Chief Security Officer for Silicon Valley Bank, and Tim Brown, CISO of SolarWinds, talk about failure, culture and keeping your sanity in cybersecurity.

In this episode

00:00 — Welcome

02:35 — Alan Levine On His Single Biggest Technology Failure

05:41 — Tim Brown On Advice For CISOs Potentially Facing A Large Incident

07:17 — Yiannis Pavlosoglou On Shortcomings Of No Resilience

09:55 — Mike Wilkes On Having A Social Contract With Your Team

11:12 — Brandon Hines On Example Of A New CISO Misaligned With The Organization

13:52 — Mike Wilkes On How Has Marvel Maintained Security Standards For So Long?

15:30 — Nick Shevelyov On Advice To A New CISO Dealing With Greater Responsibilities

17:26 — Brent Maher On What Works In Engaging Business Units With Strategy

19:13 — Joe Robinson On Not Taking Business Decisions Personally

20:11 — Outro

Alan Levine:

LinkedIn — https://www.linkedin.com/in/alan-levine-43a226a

CISO Street — https://www.cisostreet.com/alan-levine/

Tim Brown:

Orange Matter — https://orangematter.solarwinds.com/author/tim-brown/

LinkedIn — https://www.linkedin.com/in/tim-brown-93639a1/

Yiannis Pavlosoglou:

LinkedIn — https://uk.linkedin.com/in/yiannisp

Kiberna — https://www.kiberna.com

Mike Wilkes:

LinkedIn — https://www.linkedin.com/in/eclectiqus

Brandon Hines:

LinkedIn — https://www.linkedin.com/in/brandonjhines

Nick Shevelyov:

Website — https://www.nickshevelyov.com/

Cyber War... And Peace — https://www.nickshevelyov.com/the-book

Brent Maher:

LinkedIn — https://www.linkedin.com/in/ciso-brentmaher

Joe Robinson:

High Peaks Solutions — https://highpeakssolutions.com/

Thanks To Our Sponsors:

Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate

CISOWise vCISO — https://www.cisowise.com/

Heinz College:

https://www.facebook.com/heinzcollege

https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/

Carnegie Mellon:

https://www.linkedin.com/school/carnegie-mellon-university

https://www.facebook.com/carnegiemellonu

Follow CISOWise on all podcast apps.

Website — https://www.cisowise.com/podcast

Show Notes & Transcript — https://www.cisowise.com/podcast/007-failure-culture-and-keeping-your-sanity-in-cybersecurity

In this week's episode Dr. Crane talks to Brandon Hines about building your cybersecurity team and culture, from your first to your hundredth hire.

Brandon Hines, the vice president of security at Dimensional Fund Advisors, has spent over 14 years establishing and growing a cybersecurity program and continues as a senior leader. Brandon has deep experience in hiring and then managing an effective cybersecurity team.

In this episode:

00:00 — Welcome

01:33 — Your First Hire

02:53 — Brandon's Method for Hiring

04:27 — Mistakes And Red Flags In Hiring

05:28 — The Importance Of Training

08:25 — Gaining Insights From Business Units

10:38 — Assessments

11:58 — Weighing Consistency In Assessments With Diversity Of Assessments

12:52 — The Value Of A Security Framework In Maintaining Consistent Assessments

14:08 — What To Look For When Hiring A Third Party For Assessments

16:24 — Dangers Of A “Brittle” Third Party Assessment

19:03 — Sign Off

Brandon Hines:

LinkedIn — https://www.linkedin.com/in/brandonjhines

Thanks To Our Sponsors:

Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate

CISOWise vCISO — https://www.cisowise.com/

Heinz College:

https://www.facebook.com/heinzcollege

https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/

Carnegie Mellon:

https://www.linkedin.com/school/carnegie-mellon-university

https://www.facebook.com/carnegiemellonu

Follow CISOWise on all podcast apps.

Website — https://www.cisowise.com/podcast

Show Notes & Transcript — https://www.cisowise.com/podcast/006-your-first-100-hires-with-brandon-hines

In this week's episode Dr Crane talks to Brent Maher, former CISO Johnson Financial Group, about the human element of phishing and communicating value to stakeholders. 

This episode was recorded when Brent was CISO of Johnson Financial Group. He is now the Chief Technology Officer.

In this episode:

00:00 — Welcome

01:14 — Introductions

01:18 — What Works? What Doesn't?

02:28 — Successes In Mitigating Phishing

03:41 — The Human Element Of A Phishing Program

06:20 — Getting Approval For A Phishing Program From Executives

08:32 — Challenges In Implementing A Phishing Program

11:24 — Sign Off

Brent Maher:

LinkedIn — https://www.linkedin.com/in/ciso-brentmaher

Thanks To Our Sponsors:

Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate

CISOWise vCISO — https://www.cisowise.com/

Heinz College:

https://www.facebook.com/heinzcollege

https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/

Carnegie Mellon:

https://www.linkedin.com/school/carnegie-mellon-university

https://www.facebook.com/carnegiemellonu

Follow CISOWise on all podcast apps.

Website — https://www.cisowise.com/podcast

Show Notes & Transcript — https://www.cisowise.com/podcast/005-developing-a-phishing-awareness-program-with-brent-maher

In this week's episode Dr. Crane talks to Alan Levine about his experience building a cybersecurity program, what he got right, what he would do differently, and why being a CISO is hard.

Alan is the former CISO for two Fortune 500 companies, Alcoa and Arconic, with over 35 years of experience leading global cybersecurity programs.  He is also a founding board instructor at the Carnegie Mellon CISO program where he lectures to current and rising CISOs on stories from the trenches.

In this episode:

00:00 — Welcome

01:26 — Introductions

01:29 — Surprises When Building A Cybersecurity Program

03:22 — Dealing With An Audit As A New CISO

04:47 — No Credit For Successes, Credit For Failure

06:05 — Making Friends And Allies

07:56 — Effective Actions And Controls

10:04 — User Awareness and BYOD

13:10 — Building Trust With Your Users

15:53 — The Most Misunderstood Part Of Being A CISO

19:50 — Sign Off

Alan Levine:

LinkedIn — https://www.linkedin.com/in/alan-levine-43a226a

CISO Street — https://www.cisostreet.com/alan-levine/

Thanks To Our Sponsors:

Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate

CISOWise vCISO — https://www.cisowise.com/

Heinz College:

https://www.facebook.com/heinzcollege

https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/

Carnegie Mellon:

https://www.linkedin.com/school/carnegie-mellon-university

https://www.facebook.com/carnegiemellonu

Follow CISOWise on all podcast apps.

Website — https://www.cisowise.com/podcast

Show Notes & Transcript — https://www.cisowise.com/podcast/004-being-a-ciso-is-hard-with-alan-levine

In this week's episode Dr. Crane speaks to Joe Robinson about why he thinks CISOs should report to the CIO, and design considerations for organizational structure. The discussion covers topics such as who is responsible for vulnerability management and building trust as a CISO.

Joe is the founder and CEO of High Peaks Solutions, a cybersecurity venture focused on helping clients develop real insights and enhance their security programs to prepare for the ever-growing number of cybersecurity threats.

He also previously was the executive vice president and director of information, technology, and operations for Fifth Third Bank where he led the information technology, cybersecurity, data management, and bank operations divisions.

In this episode:

00:00 — Intro

02:03 — Should The CISO Be Under The CIO

03:21 — The First And Second Line

04:29 — The Role Of CISO In The First And Second Lines

05:56 — Organization Of Security Leaders Along Lines

07:29 — What Works And What Doesn't When Organizing Along First And Second Lines

09:16 — Ownership Of Responsibilities And Resources

10:58 — Communication And Relationships Between CISOs and Technology Teams

13:21 — Reporting To A Board Of Directors

15:30 — Building A Program For Reporting To The Board

16:26 — What Works In Building Trust As A CISO

18:27 — Common Mistakes In Building Trust And Relationships

19:17 — Getting From "No" To "Yes And Here's How"

21:28 — Sign Off

Joe Robinson:

High Peaks Solutions — https://highpeakssolutions.com/

Thanks To Our Sponsors:

Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate

CISOWise vCISO — https://www.cisowise.com/

Heinz College:

https://www.facebook.com/heinzcollege

https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/

Carnegie Mellon:

https://www.linkedin.com/school/carnegie-mellon-university

https://www.facebook.com/carnegiemellonu

Follow CISOWise on all podcast apps.

Website — https://www.cisowise.com/podcast

Show Notes & Transcript — https://www.cisowise.com/podcast/003-the-view-from-the-cio-with-joe-robinson

In this week's episode Dr. Crane speaks with Mark Morrison about understanding and communicating with business units when implementing a security program, and managing a workforce in the face of shortages.

Mark is the senior vice president and chief security officer at the Options Clearing Corporation. Previously, Mark was the chief information security officer with State Street Bank. Mark has had a long and distinguished career in the Defense Department and intelligence community serving in multiple cybersecurity leadership roles.

In this episode:

01:32 — Introductions

01:36 — What Works In Driving Security Initiatives?

03:08 — Successes In Resiliency And Being Proactive

04:12 — Organizations Falling Behind On Being Proactive

04:50 — Challenges In Understanding Critical Business Processes And Elements

07:03 — Determining Return On Investment Of Security

08:08 — Communication With Business Units When Implementing New Controls?

08:41 — Overreach In Security Affecting Business Processes

10:13 — Resiliency And Planning For Attacks

13:00 — Cybersecurity Workforce Shortage

15:10 — How Do You Ensure Your Cybersecurity Program Is Adequately Staffed?

16:32 — Successes In Cybersecurity Drawing Workforce From Military

17:42 — Sign Off

Mark Morrison:

The OCC — https://www.theocc.com/Company-Information/Executives/Mark-Morrison

Links in this episode:

US Cyber Command — https://www.cybercom.mil/

The SEI — https://sei.cmu.edu/

Thanks To Our Sponsors:

Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate

CISOWise vCISO — https://www.cisowise.com/

Heinz College:

https://www.facebook.com/heinzcollege

https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/

Carnegie Mellon:

https://www.linkedin.com/school/carnegie-mellon-university

https://www.facebook.com/carnegiemellonu

Follow CISOWise on all podcast apps.

Website — https://www.cisowise.com/podcast

Show Notes & Transcript — https://www.cisowise.com/podcast/002-establishing-your-cyber-program-with-mark-morrison

In this week's episode Dr. Crane talks to Tim Brown, the CISO of SolarWinds about the Sunburst malware intrusion, how it affected him and his company, the changes he made, and how Tim stayed on as CISO after the intrusion.

SolarWinds shot to national prominence due to the Sunburst malware intrusion, first discovered by FireEye in 2020.

This incident resulted in the first stand-up of a cyber unified coordination group, with the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the Office of the Director of National Intelligence, to coordinate a whole of government response to this incident.

The Atlantic council said that Sunburst was a significant moment for cloud computing security and the attack raised concerns about the existing threat model that major cloud service providers use. Now imagine being the cybersecurity leader at the organization identified in this intrusion that affected thousands of customers.

That was the situation Tim found himself in, in late 2020. He joins me here today to share his experience and wisdom in dealing with one of the most significant cybersecurity incidents in recent memory.

In this episode:

00:00 — Highlight Clip

02:07 — Introductions

02:54 — Sunburst Incident Overview

05:55 — Difficulties Of Handling An Incident During The Holidays

07:05 — How Tim Stayed As CISO

09:06 — Pivoting From Internal To External Facing CISO

11:16 — Organization Reporting Obligations

12:58 — Finding Help For A Large Incident

14:16 — Reaching Out To National Defenders

15:56 — Cooperating With CISA For Messaging

16:47 — Lessons And Improvements Going Forward

18:58 — Validating A Digital Supply Chain

20:55 — Assume Breach Before And After

21:24 — Sign Off

Tim Brown:

Orange Matter — https://orangematter.solarwinds.com/author/tim-brown/

LinkedIn — https://www.linkedin.com/in/tim-brown-93639a1/

Links in this episode:

SolarWinds RSA Presentation —  https://www.youtube.com/watch?v=7DHb1gzF5o4

Thanks To Our Sponsors:

Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate

CISOWise vCISO — https://www.cisowise.com/

Heinz College:

https://www.facebook.com/heinzcollege

https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/

Carnegie Mellon:

https://www.linkedin.com/school/carnegie-mellon-university

https://www.facebook.com/carnegiemellonu

Follow CISOWise on all podcast apps.

Website — https://www.cisowise.com/podcast

Show Notes & Transcript — https://www.cisowise.com/podcast/001-tim-brown-on-sunburst

In this teaser episode Dr Earl Crane talks to Tim Brown, CISO of SolarWinds about the recent Sunburst malware intrusion and the security-by-design philosophy.

SolarWinds, shot to national prominence due to the Sunburst malware intrusion. It resulted in a coordinated whole of government response to this significant cybersecurity incident.

As stated by CISA, an advanced persistent threat actor was responsible for compromising the SolarWinds Orion supply chain as well as widespread abuse of commonly used authentication mechanisms. Throughout the attack, the Sunburst intruders maintained significantly high levels of operational security to avoid discovery. The Sunburst malware landed in its prospective targets and waited patiently for two weeks before initiating any activity.

Now imagine being the cybersecurity leader at the organization identified by name in this intrusion that affected thousands of customers. That was the situation Tim found himself in, in late 2020. He joins me here today to share his experience and wisdom in dealing with one of the most significant cybersecurity incidents in recent memory.