#3 - So You Wanna Be A CISO
Cybersecurity Growth - A podcast by Cybersecurity Growth

Title: Cybersecurity Growth #3 - So You Wanna Be A CISO

Opening
"When You Arrived" instrumental as theme song

Welcome to Cybersecurity Growth. A show for aspiring and existing cybersecurity leaders. I’m your host Shawn Valle, Exec Director and CISO of Cybersecurity Growth. Former Chief Security Officer of Rapid7 and former CISO of Tricentis. Musician here on Twitch and elsewhere, MusicBySV (more on that later).

Top News Stories

https://www.techtarget.com/searchsecurity/news/252529487/Experts-applaud-expansion-of-Apples-E2E-encryption
By Arielle Waldman, Published: 23 Jan
“Experts applaud expansion of Apple's E2E encryption”

Amidst growing privacy concerns and data breach threats, Apple launched Advanced Data Protection for U.S. customers last month to secure almost all data stored in iCloud.

In December, Apple launched three new data security and authentication tools including iMessage Contact Key Verification, Security Keys for Apple ID and -- most notably -- Advanced Data Protection. The new offering expands Apple's end-to-end encryption (E2EE) protection to the cloud, including device and messages backup, the iCloud drive, notes, photos, voice memos, wallet items and more.

With Apple's encryption expansion, access to most cloud data will now be limited to users. Data recovery can only be achieved through passwords and recovery methods, and not even Apple can decrypt it. More significantly, the data will remain secure even if the cloud is breached, according to Apple.

(Think about LastPass recently. They were breached, all user data was lost. The encrypted stuff SHOULD stay safe even though it was stolen, due to good encryption techniques. But LP admitted that fields like the URL were not encrypted and were not considered a secure field. I – and many others – disagree. The URL likely contains session cookie info that can allow an attacker to bypass passwords and MFA to get into a site. Back to Apple...)

...being rolled out to worldwide users in early 2023, the number of E2EE categories rises from 14 to 23

https://www.csoonline.com/article/3686116/recent-legal-developments-bode-well-for-security-researchers-but-challenges-remain.html
By Cynthia Brumfield, CSO | JAN 26
“Recent legal developments bode well for security researchers, but challenges remain”

Security researchers gained greater federal legal protections over the past two years, but US state laws and China’s recently adopted vulnerability disclosure law pose threats.

…Harley Geiger, an attorney with Venable LLP, who serves as counsel in the Privacy and Data Security group. Speaking at Shmoocon 2023, Geiger pointed to three changes in hacker law in 2021 and 2022 that minimize security researchers' risks.

"Over the past couple of years, these developments have changed the sources of greatest legal risk for good faith security research," he said. Specifically in the US, the Computer Fraud and Abuse Act (CFAA), the most controversial law affecting hackers, the Department of Justice's (DOJ’s) charging policy under the CFAA, and the Digital Millennium Copyright Act have evolved in favor of hackers. However, laws at the US state level affecting hackers and China's recently adopted vulnerability disclosure law pose threats to security researchers and counterbalance some of these positive changes.

The CFAA was enacted in 1986… …and was the first US federal law to...