Title: Cybersecurity Growth #3 - So You Wanna Be A CISO

Opening

• When You Arrived instrumental as theme song

Welcome to Cybersecurity Growth. A show for aspiring and existing cybersecurity leaders. I’m your host Shawn Valle, Exec Director and CISO of Cybersecurity Growth

Former Chief Security Officer of Rapid7 and former CISO of Tricentis

Musician here on Twitch and elsewhere, MusicBySV (more on that later)

Top News Stories

https://www.techtarget.com/searchsecurity/news/252529487/Experts-applaud-expansion-of-Apples-E2E-encryption

By Arielle Waldman Published: 23 Jan

“Experts applaud expansion of Apple's E2E encryption”

Amidst growing privacy concerns and data breach threats, Apple launched Advanced Data Protection for U.S. customers last month to secure almost all data stored in iCloud.

In December, Apple launched three new data security and authentication tools including iMessage Contact Key Verification, Security Keys for Apple ID and -- most notably -- Advanced Data Protection. The new offering expands Apple's end-to-end encryption (E2EE) protection to the cloud, including device and messages backup, the iCloud drive, notes, photos, voice memos, wallet items and more.

With Apple's encryption expansion, access to most cloud data will now be limited to users. Data recovery can only be achieved through passwords and recovery methods, and not even Apple can decrypt it. More significantly, the data will remain secure even if the cloud is breached, according to Apple.

(Think about LastPass recently. They were breached, all user data was lost. The encrypted stuff SHOULD stay safe even though it was stolen due to good encryption techniques. But LP admitted that fields like the URL was not encrypted and was not considered a secure field. I – and may others – disagree. The URL likely contains session cookie info that can allow an attacker to bypass passwords and MFA to get into a site.

Back to apple..)

...being rolling out to worldwide users in early 2023, the number of E2EE categories rises from 14 to 23

https://www.csoonline.com/article/3686116/recent-legal-developments-bode-well-for-security-researchers-but-challenges-remain.html

By Cynthia Brumfield CSO | JAN 26,

“Recent legal developments bode well for security researchers, but challenges remain”

Security researchers gained greater federal legal protections over the past two years, but US state laws and China’s recently adopted vulnerability disclosure law pose threats.

…Harley Geiger, an attorney with Venable LLP, who serves as counsel in the Privacy and Data Security group. Speaking at Shmoocon 2023, Geiger pointed to three changes in hacker law in 2021 and 2022 that minimize security researchers' risks.

"Over the past couple of years, these developments have changed the sources of greatest legal risk for good faith security research," he said. Specifically in the US, the Computer Fraud and Abuse Act (CFAA), the most controversial law affecting hackers, the Department of Justice's (DOJ’s) charging policy under the CFAA, and the Digital Millennium Copyright Act have evolved in favor of hackers. However, laws at the US state level affecting hackers and China's recently adopted vulnerability disclosure law pose threats to security researchers and counterbalance some of these positive changes.

The CFAA was enacted in 1986… …and was the first US federal law to address hacking.

"The CFAA has been the boogeyman for the community for quite a long time," Geiger said. "It's maybe the most famous anti-hacking law. This is a criminal law and a civil law, and that's important to remember. You can be prosecuted under the CFAA criminally, and you can also be threatened with private lawsuits."

…CFAA prohibits several things, including accessing a computer without authorization and exceeding authorized access to a computer.

In June 2021, the US Supreme Court altered its previous stance on the CFAA. In the Van Buren vs. the US decision, the Court said that if "you are authorized to use a computer for one purpose, and you use it for another, even though it's an unauthorized purpose, that may be a violation of your contract, but it is not a federal hacking crime," Geiger told the attendees. "But you still have to have some authorization to use the computer in the first place," and terms of service can still possibly dictate whether you have authorization.

…in 2022, CFAA rules got better for researchers/hackers… "It is explicit protection for good-faith security research under the nation's chief foremost prosecutor," Geiger said.

Death By Slides

- So You Wanna Be a CISO; Shawn’s CISO/CSO strategy walk-through.

Not a pretty deck. It’s my working slides based on 6 or 7 years of learning.

When the e-Comm company I was working for as SecOps Dir got acquired by a large CRM company :-) , I was assigned a new Sec Systems Director role. I took it upon myself to play mini-CISO (learning from my 3 previous bosses in those roles), and I built a “first 100 days of a CISO playbook”. Then I implemented the playbook to see how it would work.

After a while, I got assigned a new role, responsible for Security of Cloud Identities across two very well-known cloud providers. I made some minor changes to my playbook, and implemented it again.

At that point, I realized that I wanted to take on a CISO/CSO role…so I found a job doing just that, and well, I iterated on my playbook and implemented it again. And again.

And likely will again. So, this is my personal playbook, I do share pieces of it with people/teams who are curious, and now you get to see it.

So, if you are a Manager, Director, VP or CISO, or even in IT or another department getting into manager/leader roles, quite a bit of this isn’t specific to “security”.

Let’s get into it.

What’chu Listening To or Creating

• Getting my music livestream up-and-running, after a 6 months hiatus. Listening to my 800 song playlist, to remember how to play the songs on drums, guitar and singing. …I definitely forgot how to play the drums. You can follow that channel on Twitch at MusicBySV, and YouTube and every social network you can imagine.
• G. Love & Special Sauce. The Things That I Used To Do. Baby’s Got Sauce. Sugar Sweet Mama.

That’s a Wrap

• Concluding topics
• Thank you for listening
• Web address, socials
• I’m Shawn Valle, creator of this show and the music here on Cybersecurity Growth
• Cybersecuritygrowth.com and cybersecuritygrowth.com/blog
• @shawnvalle or @cybersecuritygrowth
• If you like the show, please tell your friends. If you hate it, tell your adversaries. Like/subscribe and leave 5-stars and a review like “great show, I learned something new to help me in my cybersecurity career.”
• This week we covered
• Practical application of the Secure Controls Framework. Picking up from where we left off last week. My takeaway is, if you are dealing with 3 or more security/privacy frameworks, it’s worth investing time into SCF and possibly a tool that uses SCF as an overarching security framework, for all your compliance/security/privacy frameworks. It may save you time, and provides a wholistic framework for just about any control you could imagine. But, it could be overwhelming, if you are just getting started...so, if you are just getting started on your compliance/security/privacy journey, you may want to wait a year or two before you jump into SCF.
• Plans for next week
• [Not sure yet what next week will hold. I’m finishing up a presentation on Security Risk Management, as well as another one on Zero Trust. So, it’ll probably be on one of those topics.]
• Live on Twitch weekly, Fridays at 10:30 AM EST, 7:30 AM PST, 3:30 PM GMT in your pod feeds a few days later.