CISO Series Podcast
Formerly named CISO/Security Vendor Relationship Podcast. Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.

All links and images for this episode can be found on CISO Series.

In principle, we can generally all agree that security theater is a waste of time for security teams. But the reality is that these are things that look good, so it can be hard to justify to non-technical leadership why you’re eliminating something they see as secure. So how can we positively identify actual security theater practices and how do we communicate that to the rest of the organization?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Davi Ottenheimer, VP of trust and digital ethics, Inrupt.

Thanks to our podcast sponsor, Sysdig


For businesses innovating in the cloud, every second counts. Sysdig strengthens cyber resilience by reducing the attack surface, detecting threats in real time, and accelerating incident response. Our platform correlates signals across cloud workloads, identities, and services to enable businesses to prioritize risks and act decisively. Sysdig. Secure every second.

In this episode:

  • Is security theater a waste of time for security teams?
  • Why can it be hard to justify to non-technical leadership why you’re eliminating something they see as secure?
  • How can we positively identify actual security theater practices and how do we communicate that to the rest of the organization?
Direct download: CISO_Series_Podcast_10-31-23.mp3
Category:podcast -- posted at: 3:00am PDT

All links and images for this episode can be found on CISO Series.

Usually the buck stops with the CEO. But for a CISO, what do you do when a CEO wants to exempt themselves from your security program? Whether it's granting privileged network access or just ignoring protocols, it can put a CISO in a tough spot. So how do you deal with a leader who thinks they're above the controls you have in place? Is it enough to document your disagreement, or is there anything else you can do in that position?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and John C. Underwood, VP, information security, Big 5 Sporting Goods. Joining me is our guest, Joshua Scott, Head of Security and IT, Postman.

Thanks to our podcast sponsor, Veza


75% of breaches happen because of bad permissions. The problem is that you don’t know exactly WHO has access to WHAT data in your environment. For example, roles labeled as “read-only” can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission—in every app—across your environment.

In this episode:

  • For a CISO, what do you do when a CEO wants to exempt themselves from your security program?
  • How do you deal with a leader who thinks they're above the controls you have in place?
  • Is it enough to document your disagreement or is there anything else you can do in that position?
Direct download: CISO_Series_10-24-23_Live.mp3
Category:podcast -- posted at: 3:00am PDT

All links and images for this episode can be found on CISO Series.

When it comes to security awareness, the advice generally doesn't change. There is a set of best practices that have proven to be effective, so we know what we want to tell people, and we know it has to be communicated consistently. So how do we relay that information without sounding like a broken record?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Steve Zalewski. Joining us is our sponsored guest, Daniel Krivelevich, CTO for AppSec, Palo Alto Networks.

Thanks to our podcast sponsor, Palo Alto Networks


As cloud attacks increase, how should AppSec respond? Hear from Daniel Krivelevich, CTO of AppSec at Palo Alto Networks, as he dives into modern application security strategies that can help teams defend their engineering ecosystems from modern attacks. Watch now to level up your AppSec program.

In this episode:

  • What security measures have been the most successful in preventing cyberattacks?
  • What do we need to better understand about misconfigurations to better secure the cloud?
  • How do we relay this information without sounding like a broken record?
Direct download: CISO_Series_Podcast_10-17-23.mp3
Category:podcast -- posted at: 3:00am PDT

All links and images for this episode can be found on CISO Series.

Organizations know that securing SaaS is vital. But polls consistently show they also know their current security isn’t cutting it. With security teams acting more as SaaS supervisors than app owners, how can we reduce the glaring gaps in our SaaS defenses?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our sponsored guest, Rohan Sathe, co-founder and CTO, Nightfall AI.

Thanks to our podcast sponsor, Nightfall


Nightfall is the leader in cloud data leak prevention. Integrate in minutes with cloud apps such as Slack and Jira to instantly protect data (PII, PHI, Secrets and Keys, PCI) and prevent breaches. Stay compliant with frameworks such as ISO 27001 and more — all powered by Nightfall's industry-leading ML detection.

In this episode:

  • With security teams acting more as SaaS supervisors than app owners, how can we reduce the glaring gaps in our SaaS defenses?
  • How can we secure new technology without creating new risks?
  • If security no longer owns SaaS security, then how can they go about closing these gaps?
Direct download: CISO_Series_Podcast_10-10-23_final.mp3
Category:podcast -- posted at: 3:00am PDT

All links and images for this episode can be found on CISO Series.

If you search online, you'll find no dearth of lists claiming to rank the top security leaders. The question is, how do these actually get created? Most of the time, these lists include CISOs from the biggest companies, or the ones with the best name recognition. But is that any kind of objective criterion? These lists generally serve the interest of boosting the credibility of the publisher, rather than being based on any kind of rigor. Is there any way to make these lists anything but fluff?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Janet Heins, CISO, iHeartMedia.

Thanks to our podcast sponsor, LimaCharlie


Whether you’re looking for endpoint security, an observability pipeline, detection and response rules, or other underlying security capabilities, LimaCharlie’s SecOps Cloud Platform helps you build a flexible and scalable security program that can evolve as fast as threat actors. Move your SecOps into the modern era. Learn more at limacharlie.io.

In this episode:

  • If you search online, you'll find no dearth of lists claiming to rank the top security leaders. The question is, how do these actually get created?
  • Is there any kind of objective criterion?
  • Is there any way to make these lists anything but fluff?
Direct download: CISO_Series_Podcast_10-03-23rev1.mp3
Category:podcast -- posted at: 3:00am PDT