CISO/Security Vendor Relationship Podcast
Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.

All links and images for this episode can be found on CISO Series (

Think you or your CISO has what it take to shoulder all the tension, risk, and security issues of your organization? You may be a perfect candidate for "Most Stressed Out CISO".

This episode was recorded in person at Zenefits' offices in San Francisco. It's hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Keith McCartney (@kmflgator), CISO, Zenefits.

This image has an empty alt attribute; its file name is KeithMcCartney_MikeJohnson_1.jpg

Keith McCartney, CISO, Zenefits and Mike Johnson, co-host,
CISO/Security Vendor Relationship Podcast

Thanks to this week's podcast sponsor, CyberArk


At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.

On this week's episode

There’s got to be a better way to handle this

CISO Stress. We've talked about it before on the show, and now Nominet just released a new study that claims stress levels are increasing.

  • 8% of CISOs said work stress has had a detrimental impact on their mental health, almost twice as high as last year (27%).
  • 31% of CISOs said that stress had affected their ability to do their job.
  • Almost all surveyed CISOs (90%) said they’d take a pay cut if it improved their work-life balance.

How could a CISO negotiate better work/life balance upfront and have either of our CISOs done it?

Hey, you're a CISO. What's your take on this?

Gary Hayslip shared this Peerlyst article by Ian Barwise of Morgan Computer Services about the incredible array of OSINT tools. What OSINT tools do our CISOs find most valuable and for what purposes.

What's Worse?!

A little too much agreement on this week's "What's Worse?!"

Here's some surprising research

Why are cloud security positions so much harder to fill? Robert Herjavec of the Herjavec Group posted a number of disturbing hiring statistics. Most notably was one from Cyber Seek that stated jobs requesting public cloud security skills remain open 79 days on average — longer than almost any other IT skills. Why isn't supply meeting demand? Why is it such a difficult security skill to find? And how easy and quickly can you train for it?

Security tip sponsored by ExtraHop

EKANS is the backward spelling of SNAKE. It is also the name of new ransomware code that targets the industrial control systems in oil refineries and power grids. Not only does it extort a ransom, it also has the ability to destroy software components that do things like monitor the status of a pipeline, or similar critical functions in a power grid or utility. A recently documented attack on Bahrain’s national oil company reveals the architecture and deployment of EKANS not to be the work of a hostile nation-state, but of cybercriminals.

The chilling message behind that, of course, is that penetrating and sabotaging critical components of a country’s infrastructure is no longer exclusive to sophisticated national intelligence agencies. Lower level criminal agencies may have motives that are far less predictable and trackable, and when combined with the complexities of an industrial control system, these may have cascading effects beyond the wildest dreams of the instigators themselves.

More from our sponsor ExtraHop.

What do you think of this pitch?

We get a pitch with some suggestions on how best to improve the pitch. We want more pitches!


Direct download: CISO_Vendor_02-25-2020_FINAL.mp3
Category:podcast -- posted at: 5:00am PDT

All links and images for this episode can be found on CISO Series (

Security professionals only think about security one week out of the year, right? So let's drop every single dollar we have budgeted for marketing on the last week of February. Whaddya say?

This episode was recorded in person at Intel's offices in Santa Clara, California. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Tom Garrison (@tommgarrison), vp and gm of client security strategy at Intel (@IntelNews).

David Spark, CISO Series, Tom Garrison, Intel, and Mike Johnson, CISO/Security Vendor Relationship Podcast

David Spark, CISO Series, Tom Garrison, Intel, and Mike Johnson,
CISO/Security Vendor Relationship Podcast.

Thanks to this week's podcast sponsor, Intel.


The globalization of technology has created an environment of complicated supply chains with limited transparency. Intel’s Compute Lifecycle Assurance (CLA) initiative solves this through a range and tools and solutions that deliver assurances of integrity throughout the entire lifetime of a platform --from build to retire.

On this week's episode

There’s got to be a better way to handle this

Next week is RSA and by podcast law we're required to talk about it. We offer up tips on maximizing the following: education, engagement, and follow up.

What’s the return on investment?

On Peerlyst, John Mueller, a security architect with the US Navy, suggested ways to use incident response metrics to help determine whether your cybersecurity program is improving. But as Mueller points out, it's not easy as you could fool yourself into believing you're doing well if you don't valuable discovery tools. We discuss methods to measure improvements in security programs.

What's Worse?!

A really tough one that delivers a split decision.

Please, enough. No, more.

Our topic is trust and hardware manufactures. We discuss what we've heard enough about with trusting hardware manufacturers of tech products, and then we discuss what we'd like to hear a lot more.

Cloud Security Tip sponsored by ExtraHop

The fable of Walt Disney having been cryogenically frozen to be revived in an age where the science to do so existed is just that – a fable. But there is still something to be taken from that when it comes to documents archived on the cloud or consigned to data landfills. Just because encrypted data cannot be easily decrypted by hackers using today’s tools, that doesn’t mean tomorrow’s tools can’t do the job and revive the information stored inside.

When threat actors take it upon themselves to steal data, through hacking, ransomware, or AI, they might, of course be searching for material that is immediately exploitable, such personal data, or data that has immediate value in being returned or unlocked as in the case of ransomware.

But other players are in it for the long game, counting on the fact that the inexorable momentum of progress will lead to a decryption solution in time for stolen archived data to still be of use for future crimes, frauds and deep fakery.

More from our sponsor ExtraHop.

Close your eyes. Breathe in. It’s time for a little security philosophy.

I got back from Tel Aviv where cybersecurity professionals find themselves innovating out of necessity. They're often short on resources. We discuss the kinds of exercises we've tried to help ourselves and our team to think creatively about cybersecurity.

One suggestion is the interrogation technique of "Five Whys" to get at the root reason of why we make our choices.

Direct download: CISO_Vendor_02-18-2020_FINAL.mp3
Category:podcast -- posted at: 5:30am PDT

All links and images for this episode can be found on CISO Series (

We can all be more secure if we work together as a team to shame those who don't agree with how we approach security.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Chris Hatter, CISO, Nielsen.

On this week's episode

Mike's confused. Let's help him out.

Mike inspired this brand new segment with his question to the LinkedIn community, asking what's the big deal with 5G security? The story I heard about 5G is just sheer volume over unsecured networks. But Mike said, we've been dealing with unsecured networks since 2G and 3G and we dealt with them using Transport Layer Security or TLS, and implementing other services such as multi-factor authentication or MFA. Mike called out to the community to clue him in as to why we should be more concerned with 5G.

Does shaming improve security?

Thanks to Mark Eggleston, CISO, Health Partners Plans for alerting me to Chris Castaldo, CISO of Dataminr, and his post about Rob Chahin's "Single Sign-On or SSO Wall of Shame". Chahin, who is the head of security at Eero, purports that SSO should be a standard feature in applications and websites that allow for secure sign on through third party identity services, such as Google and Okta. Single sign-on is a significant boon for security and management simplicity and Chahin argues that many companies force users to pay dearly to enable SSO.

What's Worse?!

A grand financial decision in this scenario.

Is this the best solution?

According to a recent article in the Wall Street Journal, there is an ever slight trend of CISOs moving away from reporting to the CIO, opting instead to report directly to the CEO. Why is this trend happening? What are the benefits and disadvantages?

Security Tip by Steve Prentice sponsored by ExtraHop


With hacks and breaches becoming all too commonplace and even encrypted data still vulnerable to hackers who can read and copy it, focus is now being placed on Quantum Communication as a potential next option. This is a technique that encodes data into photons of light, each of which can carry multiple copies of ones and zeroes simultaneously, but which collapses into a single one-and-zero if tampered with. Basically, the scrambling of data to an unusable format.

Although Quantum communication has been development for a few years, researchers in China have apparently already outfitted a fleet of drones that will soon be able to communicate upwards to its already launched Quantum satellites and downwards to ground stations while remaining stable in flight.

This paves the way for the field of quantum teleportation, a glamorous term whose uses and actual development are no longer just the realm of science fiction. For data at least.

More from our sponsor ExtraHop.

Close your eyes. Breathe in. It’s time for a little security philosophy.

Simon Goldsmith, adidas, said, "I’ve been having some success in replacing risk with uncertainty. By which I mean not having a threat, vulnerability or impact made tangible creates uncertainty which is next to impossible to factor into any modern decision making process. If I make it tangible, it becomes a risk and I can help you make a better decision. Puts value on turning uncertainty to risk and fights FUD."

Direct download: CISO_Vendor_02-11-2020_FINAL.mp3
Category:podcast -- posted at: 5:30am PDT

All links and images for this episode can be found on CISO Series (

We're pushing just to the edge of irritation on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode was recorded in front of a live audience in Tel Aviv on the eve of the 2020 Cybertech conference. Special thanks to Glilot Capital for hosting this event.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and my special guest co-host, Bobby Ford, global CISO for Unilever. Our guest is John Meakin, veteran financial CISO, and currently CISO for Equiniti.

CISO/Security Vendor Relationship Podcast panel at live audience recording in Tel Aviv

David Spark, producer, CISO Series, Bobby Ford, CISO, Unilver, and John Meakin, CISO, Equiniti.

Thanks to this week's podcast sponsors, Polyrize and Intsights.


As newly adopted SaaS and IaaS services add an additional layer of risk for security teams, Polyrize provides a cloud-centric approach to simplifying the task of protecting user identities and their access across the public cloud by right-sizing their privileges and continuously protecting them through a unified authorization model.


IntSights is revolutionizing cybersecurity operations with the industry’s only all-in-one external threat protection platform designed to neutralize cyberattacks outside the wire. Our unique cyber reconnaissance capabilities enable continuous monitoring of an enterprise’s external digital profile across the clear, deep, and dark web to identify emerging threats and orchestrate proactive response. To learn more, visit

On this week's episode

How do you go about discovering new security solutions?

In an article on LinkedIn entitled, "Why do CISOs take a vendor meeting?" Dutch Schwartz, of AWS said that they take meetings per a recommendation of their staff, their peers, or they have an explicit problem that they've already researched, or they have known unknowns. Are those the reasons to take a meeting with a security vendor? We discuss what meetings CISOs take, and which ones are the most attractive.

It's time for "Ask a CISO"

Israel is known for a thriving startup community. But what I always see is cross pollination between Israel and Silicon Valley when it comes to startups. We discuss what Israeli startups can learn from Silicon Valley and vice versa.

What's Worse?!

We've got two rounds. One agreement and one split vote.

It’s time to measure the risk

Five years ago I wrote an article for about the greatest myths of cloud security, The first myth was the cloud is inherently insecure. And the other 19 are ones I'm still hearing today. My conclusion for the whole article was if you can overcome these myths about cloud security, you can reduce risk. In this segment we dispel cloud security myths and explain how the cloud helps reduce risk possibly in ways many of us are not aware.

Close your eyes. Breathe in. It’s time for a little security philosophy.

On this podcast we talk a lot about CISOs needing to understand the business. In a thought-provoking post on Peerlyst, Eh-den Biber, a student of information security at Royal Holloway, University of London, noted that the job of cybsecurity is more than that. It's about understanding the flow of business and being present in the individuals' lives and their stories. We discuss the importance of being present in your users' lives.

It's time for the audience question speed round

The audience has questions and our CISOs have answers. We get through a lot really quickly.


Direct download: CISO_Vendor_Tel_Aviv_02-04-2020_FINAL.mp3
Category:podcast -- posted at: 5:30am PDT