Secrets of AppSec Champions

Author: Chris Lindsey
  • Summary

  • Join host Chris Lindsey as he digs into the world of Application Security with experts from leading enterprises. Each episode is theme based, so it's more conversational and topic based instead of the general interview style. Our focus is growing your knowledge, providing useful tips and advice. With Chris' development background of 35 years, 15+ years of secure coding and 3+ years running an application security program for a large enterprise, the conversations will be deep and provide a lot of good takeaways that you can use almost immediately.
    Mend.io 2024
Episodes
  • Working with your CISO - Yaron Levi
    2024/10/15

    Welcome to Episode 06 of "Secrets of AppSec Champions," titled "Working With Your CISO," featuring host Chris Lindsey and guest Yaron Levi, the Chief Information Security Officer (CISO) at Dolby Labs.

    In this episode, Yaron Levi, with over 15 years of experience in various security functions, provides insights into the multifaceted role of a CISO. He discusses the relatively young profession, highlighting its diverse structures and responsibilities which include enabling businesses while managing risk and regulatory compliance.

    The conversation delves into foundational aspects of security programs, such as governance, risk, compliance, and the importance of maintaining a robust defense posture. Yaron underscores the necessity for continuous learning and collaboration within the security field and emphasizes that the CISO's role is more about enabling safe business operations rather than strictly enforcing rules.

    One of the key discussions revolves around the commonality of security threats, the significance of basic security measures, and how a substantial number of breaches stem from simple vulnerabilities like exposed credentials and misconfigurations. Yaron also emphasizes the importance of integrating security education for software developers and engaging software architects in mentoring roles.

    The episode sheds light on the productive nature of bug bounty programs and responsible disclosure platforms for vulnerability testing. Yaron advocates for encouraging young individuals to engage in ethical hacking through structured channels.

    The episode also touches on AI's impact on software development and security, reiterating a balanced approach to leveraging new technologies safely. The importance of simulations and tabletop exercises to prepare for security incidents is discussed, with example scenarios like ransomware attacks being used to test and improve response times.

    Finally, Yaron stresses the importance of communication, especially in remote environments, urging employees to over-communicate any security concerns. He shares his experience of starting his role during the pandemic and highlights the significance of building trust remotely.

    Chris Lindsey wraps up the episode by thanking Yaron Levi for his valuable insights and encourages listeners to subscribe, rate, and review the podcast to stay updated on future episodes.

    00:00 Striving for 'Good Enough' in Business

    06:01 Intentional Outreach and Security Measures: A Reminder

    07:49 The Crucial Role of CISO in Cybersecurity and Software Development

    12:49 Security: When, Not If

    14:08 Prioritizing Cybersecurity Fundamentals: Key Threats Remain

    19:50 The Minecraft Generation: Using Energy for Pen Testing

    21:52 Building Bug Bounty Environment and Tabletop Exercises

    25:36 Learning from a Ransomware Event Mishap

    27:38 Challenges to Standardizing the CISO Role

    33:15 Reframing the Role of Security: Protection Over Punishment

    Additional information:
    This episode has been provided by Mend.io

    Chris Lindsey's LinkedIn account: https://www.linkedin.com/in/chris-lindsey-39b3915/
    AppSecHive Public Community: https://www.linkedin.com/company/appsec-hive

    36 min
  • Moving from Reactive to Proactive in your Application Security Program
    2024/10/01

    In the episode "Reactive to Proactive" of the podcast Secrets of AppSec Champions, host Chris Lindsey engages with Shashank Balasubramanian, the Head of Application Security at Tripadvisor. Shashank has been managing the application security program at Tripadvisor for over four years, during which he has overseen the transition from a reactive to a proactive security approach. The conversation delves into the distinct characteristics of reactive vs. proactive security programs, highlighting the importance of integrating security measures early in the development process and fostering strong relationships between security teams and developers.

    They discuss the significance of implementing the right security tools, such as Software Composition Analysis (SCA) tools, to address third-party vulnerabilities effectively and integrating these tools into the CI/CD pipeline. Shashank emphasizes the value of building a security-aware culture within the development teams through regular training and the establishment of a Security Champion program. These champions, who are trained in security best practices, help scale the security team's efforts by embedding themselves within various development teams, facilitating a proactive approach to security.

    The episode also touches on the importance of executive engagement and effective communication regarding the security landscape. By providing detailed reports and metrics to executives, security teams can ensure there is a clear understanding of the program's ROI and reduce the likelihood of surprise incidents. This high-level visibility and proactive security posture ultimately lead to a more robust and efficient security program, enabling the organization to address vulnerabilities before they become significant issues. The conversation sheds light on practical strategies and tools that can help security professionals transition from reactive to proactive security measures, fostering a more secure and resilient organization.

    Additional Links:
    This podcast has been provided by: Mend.io

    Chris Lindsey's LinkedIn account for daily content: https://www.linkedin.com/in/chris-lindsey-39b3915/
    AppSecHive - Public community that Chris Lindsey runs: https://www.linkedin.com/company/appsec-hive

    28 min
  • Security Champions: Securing your Business
    2024/09/17

    In this episode of "Secrets of AppSec Champions" titled "Security Champions," host Chris Lindsey engages with Jigar Shah, an executive global director in the IT identity, access, and application security space, to explore the critical importance of cybersecurity in our increasingly digital and interconnected world. The episode underscores the heightened awareness of security issues among both technical and non-technical individuals. Jigar emphasizes the necessity of ingraining a robust security culture within organizations, stressing the roles of training, resource allocation, and clearly defined responsibilities for security champions. Meanwhile, Chris discusses the initial challenges in launching security programs and highlights the importance of integrating influencers into security teams with transparent communication.

    The conversation extends to framing security as an investment rather than a cost, aiming to break down silos between security and development teams. Jigar and Chris both emphasize that with the rise of AI technology, there is an increasing need for integration, collaboration, and healthy debate to drive innovation. Effective communication, continuous training, and development support are deemed essential for empowering security champions within a company. They also discuss ways to incentivize security roles through financial rewards, public recognition, and by bringing dispersed teams together, ensuring that security remains a priority even over product releases. Leaders are called upon to educate and hold teams accountable for the risks and business outcomes associated with inadequate security practices.

    The episode concludes with insights into the framework and governance required to run successful security champion programs, emphasizing the need for clear objectives and monitoring. Jigar advocates for influencing without authority by fostering cross-functional meetings and executive buy-in to elevate cybersecurity awareness. Chris suggests recruiting volunteers with a strong desire to learn for the security champion program and underscores the importance of executive support and selecting champions with good technical and communication skills. The episode wraps up with a call-to-action for listeners to subscribe, leave ratings and reviews, and Chris's closing remarks on cultivating a culture where security is everyone's responsibility.

    Topics and Time Stamps:
    00:00 Enabling Business Success through IT Leadership

    05:34 The Role of Executive Buy-In in Program Success

    08:46 Effective Strategies for Recruiting Security Champions

    11:06 Encouraging Cybersecurity Awareness and Engagement in Organizations

    16:54 Advancing Careers Through Specialized Database Work

    18:50 Developing Organizational Culture and Empowering Influencers

    24:02 Maximizing Business Value Through IT Department Management

    27:07 Incentivizing Dispersed Teams: Building Unity

    28:57 The Importance of Reward and Recognition for Motivation

    31:52 Leadership Responsibility in Educating Peers on Risks

    37:14 Promoting a Culture of Shared Responsibility in Security Leadership

    38:22 Maximizing Appsec Champions: Subscriptions, Ratings, and Discovery

    For more amazing application security information, please visit the following LinkedIn communities:
    https://www.linkedin.com/in/chris-lindsey-39b3915/
    https://www.linkedin.com/company/appsec-hive

    39 min

