All links and images for this episode can be found on CISO Series (https://cisoseries.com/great-security-program-too-bad-we-cant-implement-it/)

Security theory only goes so far. If you want your security program to work, everyone has to do their part.

This week’s episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our sponsored guest is Scott McCormick, CISO, Reciprocity.

Thanks to this week's podcast sponsor, Reciprocity.

ZenGRC by Reciprocity is a cloud-based GRC software that automates and simplifies compliance and risk management, solving critical problems at scale while customizing to your business needs. Adhering to the majority of regulations is a snap with pre-built templates and a unified system of record. Learn more at reciprocitylabs.com.

On this week's episode

How CISOs are digesting the latest security news

The Wall Street Journal has a story about cybersecurity budgets during the COVID-19 crisis. Many companies are dealing with budget cuts across the board. One issue mentioned was that the first items to go from the cybersecurity budget would probably be big projects that require a lot of integration. So as to avoid getting left on the cutting room floor, what would be your advice to vendors on how better to situate themselves, prepare, and prove to potential buyers that they can help with the ease of that integration? Also, for those security leaders, how do they best show compassion to the rest of the business and don't just fight for their slice of the budget pie?

It’s time for “Ask a CISO”

On reddit, countvonruckus states and then asks, "It's great to see CISOs giving back through mentorship. As a younger professional looking to become a CISO someday, it can be difficult to get a minute of a senior leader's time even for critical work decisions. How should someone looking to find a mentor or to benefit from the mentorship of a particular leader go about asking in a respectful but effective way? Is there anything a mentee can do to provide value in exchange that will make it more worthwhile for mentors?"

It's time to play, "What's Worse?!"

Two "What's Worse?!" scenarios nobody likes but many have faced especially now.

Please, Enough. No, More.

Operationalizing GRC. What have you heard enough about operationalizing GRC, and what would you like to hear a lot more?

Looking down the security roadmap

On Quora, the question was asked, "Do cloud providers implement governance, risk management and compliance (GRC) well?" I didn't know how one would define "well" and what we should expect from cloud providers to help with GRC efforts. This harkens back to our last segment, because we would hope that cloud providers could actually help us operationalize GRC. What are cloud providers doing to help in GRC efforts?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/we-promoted-the-competition-and-still-won/)

If you're having a problem getting people to discover your space, then maybe you have to do a better job promoting the space even when it involves the competition.

This week’s episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our guest is Zohar Rozenberg, former head of cyber department in the Israel Defense Force, and current CSO of Elron Electronic Industries.

Thanks to this week's podcast sponsor, Reciprocity.

ZenGRC by Reciprocity is a cloud-based GRC software that automates and simplifies compliance and risk management, solving critical problems at scale while customizing to your business needs. Adhering to the majority of regulations is a snap with pre-built templates and a unified system of record. Learn more at reciprocitylabs.com.

On this week's episode

Why is everybody talking about this now?

On this podcast we have sponsored guest episodes in which we dedicate a segment of the show for the sponsor to talk about their category. I was just given the heads up by a listener that a competitor of one of our sponsored guests, actually promoted that episode via an email marketing campaign. I asked the community why they thought that happened. Did the company know they were promoting a direct competitor's solution, or were they of the philosophy of let's promote the space. The more people who know about this problem that benefits the entire industry and in turn that helps our competitor and us. Most people on LinkedIn agreed with the latter and actually thought it was a savvy marketing move possibly demonstrating that the competitor was confident with their product.

It’s time for “Ask a CISO”

Tip of the hat to Sounil Yu, CISO in residence at YL Ventures for bringing up Mike's comment in a Slack channel of your frustration with cybersecurity startups who end up having an "us too" attitude towards creating the next cybersecurity solution. It seemed their only credentials was a successful exit, but not presenting a unique solution to an actual problem. You claimed a criteria that you would only meet with a founder who had a committed idea to a product. But how do you differentiate between an "also ran" and a unique solution?

What's Worse?!

One of our most challenging debates ever

Close your eyes. Breathe in. It’s time for a little security philosophy

On our CISO Series Video Chat, Bob Henderson of Intelligence Services Group asked, "Has measuring risk itself become a risk? Since risk is primarily arbitrary depending on who defines the risk wouldn’t the solutions be arbitrary and thus add complexity and uncertainty. Which are contributors to risk."

Let's dig a little deeper

What are the intrinsic training elements of Israel's elite 8200 that results in so many of the graduates going on to become cybersecurity entrepreneurs? What if anything can other organizations, military units or schools learn from this?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/three-years-experience-required-for-sub-entry-level-positions/)

Our motto for hiring: We never give up on our unreasonable expectations.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Brandon Traffanstedt, global director of systems engineering, CyberArk.

Thanks to this week's podcast sponsor, CyberArk.

At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.

Are we making the situation better or worse?

On LinkedIn, Gabriel Friedlander of Wizer asked, "Should we be doing home risk assessments?" Could we create bigger problems if we do that? Gabriel's post generated a debate on what actions can significantly reduce risk. Is there value in a home risk assessment and if so, what's it going to reveal?

It’s time for “Ask a CISO”

On reddit, crossfire14 asks, "Why are helpdesk roles requiring 2-3 years experience? I thought they were entry level friendly? Im trying to start at lower positions to work my way into infosec yet I cant seem to qualify for any helpdesk roles because of exp?" I looked and actually these entry level positions are often asking for 3-5 years experience. Is this required? If not, what IS required for an entry level help desk role and what's the best way to show that?

"What's Worse?!"

Two horrible company debilitating options that have happened in real life. How would you survive either one?

Please, Enough. No, More

Our topic is Privileged Access Management, or PAM. What have Mike and Brandon heard enough about with PAM, and what would they like to hear a lot more?

The great CISO challenge

Outsider attacks, insider attacks, your assets, networks, people, and controls - what DOESN'T always change in security? If we assume that consistency is synonymous with simplicity, is it always an uphill battle to try to keep security simple especially if we're expanding into new services and cloud environments? Could this be why the foundations are still a struggle for everyone?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/look-freshmen-cisos-get-ready-to-pounce/)

What could possibly be a better way to welcome newly hired CISOs to the security community than with a shiny new sales pitch?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Wayne Reynolds, CISO, Toyota Financial Savings Bank.

Thanks to this week's podcast sponsor, AppOmni.

AppOmni is the leading provider of SaaS security and management platform for the enterprise. AppOmni provides unprecedented data access visibility, management and security of SaaS, enabling organizations to secure mission-critical and sensitive data. With AppOmni, organizations can automatically and continuously enforce rules for data access, data sharing and third-party applications.

On this week's episode

Why is everyone talking about this now?

Our guest, Wayne Reynolds posted the good news about his new CISO role. While he got the expected kudos, he also got lots of sales emails. In the short conversation we had in preparation for this episode, six pitches came in. He counted 731 vendor pitches in just five days. Given the situation, we have all seen an uptick in pitches, across all industries, not just cybersecurity. Vendors want to make some type of connection. If they weren't pitching, what would be a more acceptable outreach?

It’s time for “Ask a CISO”

What can security startups do to prepare for and prove to prospects that their solution won't slow down operations? Thanks to John Prokap, CISO, HarperCollins for pointing me to this great article on CIO.com by Yoav Leitersdorf of YL Ventures on mistakes security startups make. One concern was on the issue of startups losing this specific focus.

From the article, Peter Bodine, AllegisCyber Capital said, "I cannot stress how much of a difference productivity makes to the CISOs we consult with. So, as an investor, our attention is immediately piqued when we learn that a POC took fewer resources than a regular POC, because it often means that they developed their process early enough with a customer satisfaction person. We really don't see that very often, but when we have, we've written a check almost right on the spot, just because they take so much sand out of the gears and make it so much easier for a yes decision to occur.”

"What's Worse?!"

Do you want to be the one to reveal the cybersecurity incident or do you want somebody else to reveal it?

What's a CISO to do?

In the world of DevOps I'm constantly seeing the desire for developers to be security aware. But the point of DevOps is to be aggressively competitive. That's something I often don't see security people understanding or literally being aware of. Nicolas Valcarcel of NextRoll gave me heads up on a post by Mike Sherma of Square about having dev champions on the security team to advocate for the software engineering experience and design principles. Is this a good idea, and if so how would it be rolled out and what would be the benefits?

How to become a CISO

Prior to the unfortunate COVID-19 crisis we at the CISO Series were planning on hosting our very own one-day event to train security leaders. That event will happen eventually, but right now it's on hold. The whole idea is we were going to have a group of CISOs training a group of wannabe CISOs to be CISOs. Wayne is a strident mentor for wannabe CISO. At any time he's got 4 or 5 security professionals you're mentoring. We discuss the core skills security professionals are lacking to become CISOs, and what mentorship does to help you get those skills.