What About Third-Party Risk? A CISO’s Questions for the SEC
In this episode of The New CISO, Steve is joined by guest Dan Creed, CISO at Allegiant.Dan first discovered his love for computers as a teenager. He has since then channeled his skills into a career in security leadership, where he balances his technical expertise with business acumen and storytelling. Today, he shares his thoughts on supply chain risk and the SEC’s new changes to cyber security guidelines. Listen to the episode to learn more about the importance of coding, coping with stress, and his critiques of the SEC.Listen to Steve and Dan discuss how reporting protects shareholders and the new stakes for CISOs :Meet Dan (1:30)Today’s guest, Dan Creed, is the CISO for Allegiant, a travel company.Dan discovered how to take over his school’s television channel in high school, which stemmed from his friend getting dumped. Dan and his friend used the cable TV channel to post some unflattering messages about his friend’s ex.Although Dan was rightfully punished at the time, he was allowed to take over the school’s computer lab, and his career journey began.Maintaining Excitement (7:02)Dan maintains his excitement for technology by keeping up with all the changes in the industry, like changes in coding. If you love learning and learn fast, you will have a rewarding and lasting career in cyber security.An Important Role (13:23)Steve presses Dan on the importance of Absec. Dan reveals that Absec is related to code and that the most essential security aspect is code.If you are in a customer-facing role, you need to be able to install software on other people’s machines and make sure their vulnerabilities are shielded.Coping Mechanisms (16:45)Dan copes with workplace and personal stress by understanding that humans are imperfect and make mistakes. There’s risk in everything we do, so keeping a balanced perspective is critical when mitigating potential cybersecurity issues. Ultimately, the stress in the security industry is building as the stakes grow, so finding ways to cope is necessary.SOAR Review (19:27)Steve asks Dan about his opinion on the automation software SOAR. He thinks it has its place, but finding people who can automate themselves is better. People need to use the right tool for the job.Building a Response Playbook (21:58)Dan shares the first thing to automate when building a response playbook for the first time. First things first, make sure you can monitor strange behavior. Starting there allows you to work on the more complex procedures.His Driving Force (26:16)Dan reflects on his reasons for finishing his degree later in life. He wanted to learn how to “speak business,” in addition to his computer skills, which drove him to complete his undergraduate degree and MBA.Choosing One (31:02)Steve presses Dan on which one to choose if you could only pick one: storytelling or culture. Dan says it depends on the person and what they are good at.If you look at what’s more important, it would be building work culture first and seeing how your team reacts to phishing and annual security training.What is Material? (33:23)Dan and Steve discuss how reports influence the stakeholders and what they invest in. Dan is critical of how the SEC changed the cyber security guidelines, partly because they are poorly organized and confusing.There are good things, but more context is needed to determine materiality. These guidelines also do not factor in how to deal with third-party risk and supply-chain issues. Reporting Issues (41:23)The SEC has intended to help shareholders with these guidelines so that they can protect the share