We’re busting out the Cyber Defense Matrix to see what we’ll never be able to achieve with our security program.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week Sounil Yu (@sounilyu), former chief security scientist for Bank of America and creator of the Cyber Defense Matrix.

David Spark, producer, CISO Series, Sounil Yu, creator, Cyber Defense Matrix, Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast

Thanks to this week’s podcast sponsor, Zix

Zix simplifies administration and reporting with a single management interface. Configuring, deploying, and monitoring email security and unified archiving services has never been easier – or faster. ZixSuite combines a cloud-based email threat protection, email encryption, and unified business communications archiving, all backed by Zix’s gold standard 24/7/365 support.

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

Why is everybody talking about this now?

Mike asked the LinkedIn community, “What’s bad security advice that needs to die?” We had an entire episode of Defense in Depth on this very topic called “Bad Best Practices.” The post got nearly 300 responses, so it’s obviously something many people are passionate about. Is there a general theme to bad security advice?

The great CISO challenge

Sounil Yu is the creator of a very simple problem-to-solution chart for security professionals called the Cyber Defense Matrix. This simple chart allows a cyber professional to see how their tools, processes, and people are mapped to all different levels of security protection. We discuss the purpose of the matrix and all the real world applications.

“What’s Worse?!”

We have a real world “What’s Worse?!” scenario and Mike and Sounil compete to see if they answered the way the real world scenario actually played out.



Hey, you’re a CISO, what’s your take on this?

Last week on Defense in Depth we talked about a discussion initiated by Christophe Foulon of ConQuest Federal on cyber resiliency. Some people argued that it should be a security professional’s primary focus because its action is in line with the interests of the business. Should a cyber professional shift their focus to resiliency over security? Would that facilitate better alignment with the business?

Exploitable weaknesses measured in decades. Not a comforting thought. But this is a reality that exists in at least two major IT ecosystems. The first is Microsoft and the second is firmware. Teams belonging to Google’s Project Zero have found exploitable security flaws affecting all versions of Windows going back to Windows XP – which presents a logistical nightmare for admins the world over.



Sarah Zatko, Chief Scientist at the Cyber Independent Testing Lab spoke recently at Red Hat and DEF CON in Las Vegas about deficiencies in the security of firmware, including those from companies that manufacture the world’s best-known routers.



There appears to be major disconnects between the finders of these flaws and companies that manufacture the software and firmware that contain them. These include long delays before reviewing discovered flaws, systemic failures in the manufacturing process, and the direct application of one set of design rules to a brand new product lines such as Internet of Things.



In Zatko’s words, in the software and firmware security process, nobody is trying.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

Ask a CISO

Thanks to Chris Castaldo, CISO at Dataminr, for this post on new research from the firm Marsh and Microsoft. According to the study, half of the respondents didn’t consider cyber risk when adopting new tech. A full 11 percent did no due diligence to actually evaluate the risk a new technology may introduce.

Does it take that much effort to understand the basic risks of introducing a new technology? What are some first level research efforts that should be done with any new tech consideration or adoption?