CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com.

We're clawing each other's eyes out in the latest episode of the CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Darren Death (@darrendeath), VP of InfoSec, CISO, ASRC Federal.

Special thanks to Virtru for sponsoring this episode. As a reader, I know you’re always worried about your data. That’s why Virtru is providing a free copy of Forrester’s 14-page report on the Future of Data Security and Privacy to readers for a limited time. Click here to grab your copy while it’s still available.

On this episode:

How CISOs are digesting the latest security news

A nasty fight between two security vendors becomes public because one of the CEOs decides to expose the other CEO. But did he really? What's really going on? Thanks to Nathan Burke of Axonius for bringing this story to our attention.

Why is everybody talking about this now?

Is calling someone a "blocker" the most weaponized word in the tech industry? How can this be avoided and what are the scenarios this term comes up?

What's Worse?!

We've got a split decision on this week's question on trust.

What's a CISO to do?

Robert Samuel, CISO, Government of Nova Scotia asks our CISOs, "What does success look like?" How do CISOs define success?

Ask a CISO

Where should an SMB, that may have little to no security team, begin building out its security program?

CISO/Security Vendor Relationship Podcast and Series can be found at CISOSeries.com.

A newly proposed provision in the Consumer Data Protection Act (CDPA) could result in jail time for intentional data privacy violations.

We're not scared. We're still peeping into your digital lives on the latest episode of the CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Will Ackerly, co-founder and CTO of Virtru.

Special thanks to Virtru for sponsoring this episode. As a reader, I know you’re always worried about your data. That’s why Virtru is providing a free copy of Forrester’s 14-page report on the Future of Data Security and Privacy to readers for a limited time. Click here to grab your copy while it’s still available.

On this episode

Why is everybody talking about this now?

Huge fines and massive jail time for intentional violations of data privacy. Do the new provisions in the CDPA go too far or are they just right?

What's a CISO to do?

Listener Bradley Teer of Armor Cloud Security asks, “What’s the scariest moment or event that's ever happened in your career as a security practitioner?"

What's Worse?!

Two listeners, Rick McElroy of Carbon Black and Jamie Leupold of PreVeil asked the same question for this week's game. It's a question Mike knew was eventually going to be asked.

Please, Enough. No, More.

We talk about data privacy in today's segment. Can we get beyond the discussion of GDPR?

Ask a CISO

On a previous episode we talked about the meager adoption of multi-factor authentication. We concluded that it was still too complicated to use. So what's encryption's excuse? Why isn't encryption available and used by all? How does the security paradigm change if everyone is sending encrypted messages?

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com.

Tired of deleting pages of vendor pitches? Wouldn't it be more efficient if  you could see them altogether on one screen so you could simply choose which ones to ignore? We're improving vendor non-engagement efficiency in the latest installment of the CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Chris Castaldo (@charcuteriecoma), sr. director of cybersecurity, 2U.

This episode is sponsored by Vulcan Cyber, your automated vulnerability remediation solution. Put an end to manual-only patch management and reduce vulnerability risk with a cloud-based solution that bridges the vulnerability remediation gap. Automate and orchestrate the vulnerability remediation process with Vulcan Cyber.

Got feedback? Join the conversation on LinkedIn.

On this episode:

Why is everybody talking about this now?

Six months ago Mike Johnson proposed the idea of "Demos for charities" and it got mixed results, but some people took on the challenge from both the practitioner and the vendor side. See how our guest offered up 45 minutes of his time in exchange for a donation to his favorite charity.

What's a CISO to do?

In light of the most recent Marriott breach, Brian Krebs wrote a great thought piece about our new acceptance of "security" and that is we can't count on companies security our data. How do security professionals communicate that to their team and users and still maintain trust?

What's worse?!

This week's challenge comes from William Birchett, Sr. Manager IT Security at City of Fort Worth. Both options are annoying and we have a split decision on what's worse.

First 90 days of a CISO

Tony Dunham of the Professional Development Academy asks how can InfoSec professionals develop the soft skills needed for leadership prior to being put in the pilot seat?

Ask a CISO

We talk about user-centric design and my co-host has some not-so-nice-words for vendors selling a "single pane of glass" solution.

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com.

If we let you know that 90 percent of break-ins happen because of a little known threat we happen to mitigate, you'd purchase our product, right? Ignore basic security practices as you listen to the latest episode of the CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Yaniv Bar-Dayan, CEO of Vulcan Cyber.

This episode is sponsored by Vulcan Cyber, your automated vulnerability remediation solution. Put an end to manual-only patch management and reduce vulnerability risk with a cloud-based solution that bridges the vulnerability remediation gap. Automate and orchestrate the vulnerability remediation process with Vulcan Cyber.

On this episode:

Why is everybody talking about this now?

How do you reaffirm that dynamic leadership stance so people aren't just responding to the title, but are actually responding to you and the way you're proving your leadership on a day-to-day basis?

Ask a CISO

Why do we keep recommending "go back to security basics"?

What's Worse?!

In honor of our guest, this one is about vulnerability management.

Please, enough! No, more!

What have we heard enough about on vulnerability management and what would we like to hear a lot more?

Ask a vendor

How do security vendors work differently with enterprises vs. smaller and mid-size companies?

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com.

We're no longer buying their albums because we've had enough of the "can do no wrong" toxic culture of cybersecurity rock stars. On this episode of the CISO/Security Vendor Relationship Podcast we are elevating the little known indie InfoSec professionals.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is independent analyst, Kelly Shortridge (@swagitda_). Follow her musings at Swagitda.

This episode is sponsored by Vulcan Cyber, your automated vulnerability remediation solution. Put an end to manual-only patch management and reduce vulnerability risk with a cloud-based solution that bridges the vulnerability remediation gap. Automate and orchestrate the vulnerability remediation process with Vulcan Cyber.

On this episode:

Why is everybody talking about this now?

We do a health check on where we are in terms of security enabling the business. What have been the greatest strides and where are we falling behind? We reference a post by CISO of Mitel, Allan Alford.

Please, Enough. No, More.

We discuss the phenomenon of cybersecurity rock stars and why their “they can do no wrong” pass is toxic to the industry.

What’s Worse?!

Tip of the hat to Kip Boyle, CEO of Cyber Risk Opportunities for this week’s question.

Ask a CISO

The phenomenon of security buzzwords. When is it actually used to describe a product and when is it used to fill up space in a marketing campaign?

What’s a CISO to do?

We talk about people being the problem in security, but it’s not in the way you think it is.

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com.

Why is our financial institution sending us an email suggesting we click on a link to log into our account? On this episode of the CISO/Security Vendor Relationship Podcast we educate your customers and your marketing department about suspicious looking emails.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Chenxi Wang, managing general partner, Rain Capital.

Special thanks to Virtru for sponsoring this episode. As a reader, I know you’re always worried about your data. That’s why Virtru is providing a free copy of Forrester’s 14-page report on the Future of Data Security and Privacy to readers for a limited time. Click here to grab your copy while it’s still available.

On this episode

Why is everybody talking about this now?

While many security professionals' eyes roll when they hear the word "blockchain," it is currently the second most popular area of security research, according to IDG. What is it about blockchain that VCs and security professionals find so attractive?

Question for the board

What responsibility does the board bear for educating the C-suite about cybersecurity competency? PwC put together a great list of questions the board should be asking regarding cybersecurity competency.

It's time to play "What's Worse?!"

There's a visual attached to this game. Go ahead and look here and tune in to hear the question.

What's a CISO to do?

Our guest, Chenxi Wang, provided some excellent advice for startups on getting on the diversity train early on. If you don't, you'll find it's incredibly hard to build in diversity with an established and non-diverse team.

And now this...

How do VCs play a crucial role in the relationship between buyers and sellers of security products?

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com.

Why were we brought to this event? Why can't we leave? I don't think we have enough clues to get out of this vendor meeting. We struggle to remember our safe word in the latest episode of the CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Richard Seiersen (@RichardSeiersen), former CISO of LendingClub.

Enormous thanks to our sponsor this week, Axonius, simple asset management for cybersecurity.

Got feedback? Join the conversation on LinkedIn

On this episode:

Opening

We realize that Mike's comment about burning found USB drives was spot on. According to an experiment conducted by Sophos, about 2/3rds of found USB drives were infected.

What's a CISO to do?

You've been invited to a vendor dinner, but you feel trapped. Where can you go?

We discuss what constitutes a good vendor dinner and which ones make you feel trapped? Here's a link to that Onion article I referenced on the show: "‘First Date Going Really Well,’ Thinks Man Who Hasn't Stopped Talking Yet."

Ask a CISO

Are CISOs swayed when a vendor sells themselves as "market leading?" Could it actually be a detractor? What about the array of current clients? Does that have any impact?

What's Worse?!

Mike Johnson says this could be the most even comparison ever!

How a vendor helped me this week

We talked about an article I released last week, "How to Make a Huge Impact in the Security Community with Zero Marketing," which told the story of building thought leadership and industry influence through open source and related contributions, but not marketing.

Ask a CISO

How quickly is risk being created in your environment and how quickly can you reduce it? More importantly, can you measure that? Our guest, Richard Seiersen, author of the upcoming book, "The Metrics Manifesto: Confronting Security With Data" (Wiley 2019), explains.

CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com.

We gear up in HAZMAT suits and get ready for some dangerous USB drive analysis. We're taking all precautions on the latest episode of the CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Dean Sysman (@DeanSysman), CEO of Axonius.

Enormous thanks to our sponsor this week, Axonius, simple asset management for cybersecurity.

On this episode:

Opening

We talked about how the history of the Enigma machine speaks volumes to how users react when they're forced to use a way too complicated security solution. They will find ways to simplify even if means weakening the overall security. Learn more from Mark Baldwin, Dr. Enigma.

Why is everyone talking about this now?

I challenged Mike and Dean to this question posed on Quora, "What is the safest way to check the content of a USB stick I found on the ground?"

What's a CISO to do?

Traditionally, CISOs rise through the ranks as security practitioners and slowly learn the business. But what if you're a CISO that never held the title of practitioner, but is very well versed in the business. How is selling to that type of a CISO different?

What's Worse?!

Mike and Dean are challenged with two horrible scenarios in asset management. Both are very risky, it's just one will probably result in a breach faster than the other.

Please, Enough. No, More!

We talk about asset management, and what's shocking is there isn't much to complain about in the "Please, Enough" portion of the segment. The reality is it's all "No, More!"

Ask a CISO

Dennis Leber, CISO for Cabinet for Health and Family Services for the Commonwealth in Kentucky asked if traditional sales pitches for the latest and greatest threat are really detracting companies from dealing with the basics of security.

We're just a bunch of immature teenagers who can't seem to control ourselves or our security program. We're definitely exploring new solutions in the latest episode of the CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guests this week is Michael Makstman, CISO of the City and County of San Francisco.

Enormous thanks to our sponsor this week, Axonius, simple asset management for cybersecurity.

Read the full article on CISOseries.com.

This is a bonus episode of the CISO/Security Vendor Relationship Podcast with former guest, Allan Alford, CISO of Mitel, who was also the subject of a story I wrote in September entitled "One CISO's Grand Experiment to to Engage with Security Vendors." At that end of that discussion, Alford and I agreed that I would follow up with him in a month to see how the experiment went. This conversation is that story.

Find the full article here.

Check out more at our site CISOseries.com.

We don't play fair and we're not ashamed to admit it. This week's episode of the podcast is super-sized because it was recorded in front of a live audience at the Silicon Valley Code Camp conference held at PayPal in San Jose.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guests this week for the live show were Ahsan Mir (@ahsanmir), CISO, Autodesk and Geoff Belknap (@geoffbelknap), CSO, Slack.

(from left) Geoff Belknap, CSO, Slack, Mike Johnson, CISO, Lyft, Ahsan Mir, CISO, Autodesk, David Spark, Founder, Spark Media Solutions

Special thanks to our sponsor, Electronic Frontier Foundation. Please support their efforts to protect your digital privacy.

On this super-sized episode of the CISO/Security Vendor Relationship Podcast:

Ask a CISO

Is cybersecurity an IT problem or not? Do non-security executives pigeon-hole the role of security? Is this an unfair assessment? Is it dangerous to only view InfoSec as an IT problem?

Why is everyone talking about this now?

A hot discussion by Jason Clark of Netskope got everyone discussing why CISOs fail. In general, our panel believes it's a situation of poor alignment with the functions and risk profile of the business.

What game best prepares you for a job in InfoSec?

A few years ago I wrote an article entitled, "What 30 Classic Games Can Teach Us About Security," in which security professionals point to video games, board games, gambling games, and sports as great metaphors and training grounds for a life in security. Our panel debates the value of games as InfoSec teaching tools.

"What's Worse?!"

We play two rounds of the game and we get split decisions! The first round touches upon a major pet peeve Mike Johnson has had since our very first episode.

What's a CISO to do?

Security is often seen as a thankless job. It's though the role of the CISO to make sure everyone knows how awesome their security staff is and what they can do for the rest of the business.

What do you think of this pitch?

We critique another pitch and with this one a CISO does a rewrite that hopefully the security vendor will use.

How do CISOs know they're getting a good deal?

Not only do CISOs need to come up with a security program for the company, but they need to understand whether or not they're getting good price for the security tools they purchase. Do CISOs have a method to actually insure they're getting the best price possible? Do they even care?

Our CISOs don't have much confidence they'll receive any support when they hit the 'Send' button on your web form. 

Check out our NEW SITE: CISOseries.com

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Aaron Peck, CISO of Shutterfly.

Special thanks to our sponsor, ConnecTech, producer of intimate custom executive events for IT professionals.

Executives: Register to be notified when one of their events will be coming to your city.

Vendors: Sponsor one of their events to get meetings with executives that are looking for solutions that your company provides.

On this episode of the CISO/Security Vendor Relationship Podcast:

Ask a CISO

What were the turning points that led you to achieve the title of CISO? We've got a shout out to Mike Rothman's book, "The Pragmatic CISO" and the desire to find and solve the toughest most needed security problems.

How a security vendor helped me

CISOs have heard the stories from all the major InfoSec vendors. They're tired of playing second and third fiddler to a vendor's hundreds if not thousands of other clients. While a young startup company, potentially in stealth mode, doesn't necessarily have a track record, they do have eagerness and are willing to make their earliest and first customers extremely happy. This hand-holding-type relationship is very attractive to a CISO.

What's Worse?!

This entry into our weekly game is all about the following two images. There's so much going on in these pictures of a man who has decided to start day trading in public at a local Starbucks. Can you determine what's worse in these two pictures? Our CISOs debate. For more, check out the avid discussion on LinkedIn.

What do you think of this pitch?

Mike delivers probably the most thorough analysis of a vendor pitch I've ever heard on the show.

What's a CISO to do?

Hiring great InfoSec talent is an extreme challenge. Our guest, Aaron Peck, makes an argument for speedy hiring to get value for the company as quickly as possible.

In such a hyper-competitive market for security talent, the natural inclination would be to try everything you can to keep your best employees. Unfortunately, even when you do everything right, your best employees just get up and leave. Can you and should you fight it? Or should you go out of your way to make the exit as smooth as possible for your staff? What's the benefit to you when they do leave?

On this episode of the CISO/Security Vendor Relationship Podcast, we discuss:

• 10-second security tip: Vanity metrics aren't going to create a more secure environment.
• Pitching the latest crisis: We've talked endlessly about how CISOs don't respond well to fear pitches. Similarly, salespeople need to understand that CISOs are aware of last week's Facebook hack. Don't bring the news they already know. Provide some insight.
• Selling the latest APT: If it's a new threat, it's sexy. It may make for great news, but focusing on it doesn't necessarily make for good security. Shouldn't you be starting with the boring basics? Can security basics ever be sexy?
• We play "What's Worse?!" Listen up security vendors. You're going to want to pay attention to this one.
• What do you think of this pitch? This week's pitch comes from a CISO. It's not his pitch to us, but a pitch he received. It kind of misses the mark. We explain why.
• Retaining security talent: We discuss the InfoSec manager's role in retaining security talent. How do you form a relationship that all exits or near exits go as smoothly as possible?

This show, like all the previous ones are hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Justin Berman (@justinmberman), CISO of Zenefits.

Special thanks to our sponsor, SentinelOne, for supporting this episode and the podcast. Learn more about their autonomous endpoint protection.

We admit we've posted some rather embarrassing posts on social media. In particular, my co-host, Mike Johnson, talks about a post he initially regretted, but then realized it's what brought all of us together. In fact, it's a post that initiated much of the discussion we're having today about the relationships between CISOs and security vendors.

On this week's episode of the CISO/Security Vendor Relationship Podcast, we discuss:

• A CISO that eagerly wants to talk to security vendors: CISO of Mitel, and former guest, Allan Alford sent a shock through the industry when he said he was going to reserve time to actually speak with security vendors. Why was this announcement such a big deal?
• One CISO and one CTO admit to posts they regret: Turns out posts you wish you didn't write actually shake up the pot so much that they form relations, like the two you hear on this show.
• We play "What's Worse?!" Possibly our toughest round of the game ever. Hint: think security policies.
• What Do You Think of This Pitch? Mike and our guest dissect a pitch from a listener. They advise what should be taken out, and what should be put in its place.
• Ask a CISO: Do CISOs need consultative resellers? When are they valuable? If not now, were they valuable?
• And as always, we've got launch with a great 10-second security tip.

Today's episode is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Mike D. Kail (@mdkail), CTO of Everest.org.

This episode is sponsored by Thinkst, makers of Canary deception devices. Read how much their customers love their product here. We thank Thinkst for sponsoring this episode of the podcast.

With absolutely no irony three white men discuss the value of diversity in cybersecurity in the latest episode of CISO/Security Vendor Relationship Podcast. So before you tell me we're three white men talking about diversity, I'm letting you know ahead of time we're three white men talking about diversity. We have no shame!

On this episode of the CISO/Security Vendor Relationship Podcast, we debate the following:

• Microsoft Office macros still top the malware attack vector charts: After apparently three decades it appears that MS Office macros are still the attack point of choice of malicious hackers. What legacy nonsense are enterprises still holding onto?
• What's the real value of diversity? As I readily admitted, our all white male panel confesses that lack of diversity results in group think and unconscious bias.
• We play a round of "What's Worse?!" This one has to do with budget and there's a split decision! Which one do you think is worse?
• Please, Enough. No, More. (on endpoint security): There is a very long list of stuff Mike and our guest don't want to hear anymore about with regard to endpoint security. And similarly, there's plenty more they do want to hear about. Listen to know what you should be paying attention to regarding endpoint security.
• Does complicating security infrastructure make us safer? What's the right balance of security complexity and simplicity to make your environment safer? If you've got more systems and more security applications in place that means you've got more vectors to exploit.
• Ten second security tip: And as always, we've got a quick security tip so you don't have to listen to more than a minute of the show before you get some value of this podcast.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Tomer Weingarten, CEO, SentinelOne.

Special thanks to our sponsor, SentinelOne, for supporting this episode and the podcast. Learn more about their autonomous endpoint protection.

Catch up on past episodes plus read articles and watch the latest videos from the series at CISOseries.com.

We have an exciting announcement. Our latest version of the podcast is packed with new features and they're riddled with security holes. We know you wanted the features. The security vulnerabilities are just a bonus.

On this episode of the CISO/Security Vendor Relationship Podcast, we discuss:

• Cybersecurity burnout: How bad is it? What can be done to mitigate it? And what are the warning signs? All tech professionals have burnout issues, but InfoSec has it toughest because it's very hard for them to get a sense of accomplishment for their work.
• CISO/Security Vendor Relationship Podcast is making an impact in the vendor community: We hear multiple stories from vendors how the advice from Mike and the guests is really changing the way they reach out to security professionals.
• Are you willing to release a product with known security vulnerabilities? What if the customer really demands the new feature next week and they're expecting it, but remediation may take much longer. Do you give the customer what they want, or are there other solutions?
• What's Worse?! We play a round of picking the worse of two evils. This one is all about training your staff.
• We unleash another pitch on the security professionals: Their response will surprise you as will the outcome of this pitch.
• Dumb CISO mistakes: This one actually may not be so dumb. It could actually be good advice when it comes to product testing.
• Ten-second security tip: This one offers up a more holistic view of security that you may have not considered, but definitely should.

Special thanks to Signal Sciences for sponsoring this episode. If you’re using WAFs, make sure you read “Three Ways Legacy WAFs Fail,” by their head of research, James Wickett.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest is Anne Marie Zettlemoyer, a security strategist and independent researcher who is also on the board of directors for SSH.

Security is suffering from a serious Rodney Dangerfield "I get no respect" problem. What has often been seen as the department of "no" is struggling under that brand image. That's probably because security is often seen as an inhibitor rather than an enabler. If InfoSec wants to fix that perception, it'll be their responsibility to dig themselves out.

Here's what you'll hear on the latest episode of the CISO/Security Vendor Relationship Podcast:

• Nobody thinks security is their friend: How can security rid itself of this highly negative branding? Be problem solvers vs. problem creators.
• Techniques to integrate AppSec into the DevOps process: It comes down to measurement, respecting an engineer's time, and learning from the success of one process and putting it into another. Read more great insight by Chris Steipp of Lyft.
• We play "What's Worse?!" In this episode of the game we question the worst scenario of an encrypted or unencrypted laptop, but with qualifications.
• Uggh, WAFs are NOT magical boxes: In a round of "Please, Enough. No, More." we challenge the way web application firewalls (WAFs) are being sold. WAFs need to be more friendly and flexible. No one believes you if you sell them as magical boxes that stop all attacks.
• How can you be a great customer? We turn the tables from "Ask a CISO" to "Ask a Vendor" and ask what it takes to be a great customer. Vendors would like you to ttop kicking the tires and talk about solving real problems.
• Plus a ten-second security tip: It may be cliche, but if security departments want to be more effective, they should be moving away from blocking to enabling.

Special thanks to Signal Sciences for sponsoring this episode. If you’re using WAFs, make sure you read “Three Ways Legacy WAFs Fail,” by their head of research, James Wickett.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Zane Lackey (@zanelackey), co-founder and CSO for Signal Sciences and author of the new book from O'Reilly, "Building a Modern Security Program."

Sponsor the Podcast

If you'd like to sponsor the podcast, contact David Spark at Spark Media Solutions.

This is an extra segment we recorded with Dan Glass, former CISO, American Airlines for our last episode. It didn't make it into the last episode, but I thought it was still worthwhile to release as a short bonus mini episode of only four minutes. As always, the show includes myself, David Spark, founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Enjoy.

We spend a good portion of this episode of the CISO/Security Vendor Relationship Podcast mocking unrealistic job listings that ask for too many unnecessary credentials and on top of it aren't willing to pay a fair market rate. Did companies forget that it's a buyers' market right now in security?

On this episode of the podcast we discuss:

• The security semantics of "responsibility" vs. "accountability": Which one drives which behavior? And it is possible to try to compel one to the detriment of the other? See Chad Loder's post for more.
• How do you motivate employees to be concerned about security outside of hammering them with pen tests and fake phishing emails? If it hasn't happened already, those tests to see how secure your environment is may backfire. What can you do to instill secure behavior without testing employees to the point of annoyance?
• What do you think of this pitch? We get a split decision on a pitch of a company that's operating in a new category. Plus, advice on what never to do in a pitch.
• Unrealistic expectations for position descriptions: Job descriptions in the security field seem to be getting longer, with more certification requirements, and lower pay. What's going on and do companies who list these types of jobs realize they're only hurting themselves? In a buyers' market you can't just put out an unrealistic job posting to "see who will respond." It will actually damage your brand.
• Plus, a 10-second security tip (that's a few seconds longer): It's what you should be doing, but probably aren't doing.
• And a visit from the host of The Cyberwire: Dave Bittner, from The Cyberwire, joins us for a discussion about his daily security tech news show and to tell us about the launch of two more security podcasts.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Dan Glass, former CISO (as of just a couple days ago) of American Airlines.

Special thanks to SpyCloud for sponsoring this episode. Learn more about how you can protect employees and customers from account takeover with SpyCloud.

Contributions. Contributions. Contributions.

I am cranking out a ton more content for not just the podcast, but also the entire series so I am very open and receptive to story ideas, suggestions for segments of the podcast, or anything else. Just connect with me on LinkedIn.

Sponsor the podcast

If you're interested in sponsoring the podcast, contact David Spark at Spark Media Solutions.

We promise to keep your identity private while we discuss the troubles of two-factor authentication.

On this episode of the CISO/Security Vendor Relationship Podcast we discuss:

• Why don't more people use two-factor authentication? Does the UX still suck? Why can't we agree on a common model for how to authenticate? Will U2F be the saving grace for 2FA? Story on the debate.
• What are the signs your employees are going rogue? We debate the need to monitor employees this way. Are internal intrusions the same as external? Is monitoring the monitoring devices enough? What are the signs? Discussion on LinkedIn and a recommended book: "Nothing to Hide: The False Tradeoff between Privacy and Security."
• We play a round of "What's Worse?!" It's the game where we determine which is the worst of two really bad practices. In this case, the CISOs have to choose between two unpleasant marketing practices.
• How do CISOs balance compliance and security: The two aren't equal, but compliance is a means to prove that you're doing security right. Our guest hits it out of the park with a very clear explanation and also how to use compliance to better market your company.
• How do CISOs discover new solutions: This might as well be the title of this podcast, but we delve into some unique angles that CISOs are taking as they're avoiding traditional pitches from security vendors. Discussion on LinkedIn.
• Ten-second security tip touting the value of passphrases: See this cartoon for more.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Allan Alford (@AllanAlfordinTX), CISO, Mitel.

Special thanks to our sponsor, SentinelOne, for supporting this episode and the podcast. Learn more about their autonomous endpoint protection.

Contributions. Contributions. Contributions.

I am cranking out a ton more content for not just the podcast, but also the entire series so I am very open and receptive to story ideas, suggestions for segments of the podcast, or anything else. Just connect with me on LinkedIn.

Sponsor the podcast

If you’re interested in sponsoring the podcast, contact David Spark at Spark Media Solutions.

Just because you have a new salesperson, doesn't mean you have to restart the sales process. If you've been properly entering information into your CRM, you shouldn't have to.

On this episode of the podcast we discuss:

• Are you ready for...Black Hat: Techniques to get the most value out of the conference. We've got some really good post-conference suggestions.
• What do you think of this pitch? We have one of those follow up pitches that just rubs CISOs and security professionals the wrong way.
• It's time to play, "What's Worse?!" Both host and guest agreed on this one. It's possibly the worst of the worst.
• Please, Enough. No, More: We discuss account takeover. What we've heard enough on this subject, and what we'd like to hear a lot more. Make sure to read Lyft's article about fingerprinting fraudulent behavior.
• What's a CISO to do? Beyond blocking and responding, we discuss different tactics for offense and defense against cybercriminals. Which ones are most effective and which ones are ethically and morally wrong?
• It's time for "Ask a Vendor!" Working off the same model as "Ask a CISO," we turn the tables and security professionals ask questions of vendors. This time, we asked about the use/non-use of CRMs.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Ted Ross (@tedross), CEO, SpyCloud.

Special thanks to SpyCloud for sponsoring this episode. Learn more about how you can protect employees and customers from account takeover with SpyCloud.

Contributions. Contributions. Contributions.

I am cranking out a ton more content for not just the podcast, but also the entire series so I am very open and receptive to story ideas, suggestions for segments of the podcast, or anything else. Just connect with me on LinkedIn.

Listen and Subscribe to the CISO/Security Vendor Relationship Podcast

So many ways to connect and listen to the podcast.

• iTunes
• Google Play
• Stitcher
• RSS Feed

Just like so many security products are infused with artificial intelligence, we've also got plenty of meaningless modifiers to describe this podcast.

On this episode we've got:

• First 90 Days of a CISO. How do you assess talent already there, and how do you prioritize the new hires you need?
• Please, Enough! No, More! We delve into the overexposure of AI (artificial intelligence) and machine learning. Are they the same thing? And what do CISOs actually want to hear more about on both of these topics?
• "What's Worse?!" This is a brand new game where I ask the CISOs to determine which of two really bad security practices is worse.
• What Do You Think of This Pitch? We've got another vendor pitch that the CISOs critique.
• Ask a CISO. How are CISOs involved in purchase decisions that are not security related (e.g., cloud, networking, infrastructure).

Special thanks to Signal Sciences for sponsoring this episode. If you're using web application firewalls (WAFs), make sure you read "Three Ways Legacy WAFs Fail" by their head of research, James Wickett.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Dennis Leber (@dennisleber), CISO, Cabinet for Health and Family Services, Commonwealth of Kentucky and the self proclaimed "Most Interesting Man in Information Security."

We Want More of "What's Worse?!"

In this episode, I introduced a new segment, a game called "What's Worse?!" where I introduce two comparably bad security practices and ask the CISOs to debate on which is worse, and why. Fortunately in this episode the CISOs disagreed on both comparisons posed. I'm eager to challenge CISOs with more "What's Worse?!" questions. So if you've got a good one, please contact me here or on LinkedIn.

I'm also interested in:

• “Ask a CISO” questions.
• A vendor pitch you want us to critique.
• A hot security discussion (please provide a link).
• A quick security tip.
• A big industry story and what it means to security professionals.

In all cases, we can mention you and your company name or keep you anonymous. Just let me know which you prefer.

Listen and Subscribe to the CISO/Security Vendor Relationship Podcast

So many ways to connect and listen to the podcast.

• iTunes
• Google Play
• Stitcher
• RSS Feed

Sponsor the Podcast

If your company would like to sponsor this podcast, please contact David Spark at Spark Media Solutions.

If I knew more about your current security needs, I'd probably be able to tell you what security product to buy. But that would require me to spend time understanding your needs and this podcast is only 30 minutes long. Instead, we decided to uncover the universal truths of what security product you shouldn't buy.

In this episode of the CISO/Security Vendor Relationship podcast, we uncover failed CISO product purchases plus:

• Do temporary dips in hacker attacks change your security posture?
• What CISOs LOVE to see in their inbox. For this week, we're talking about their favorite reports.
• What metrics are CISOs following? And what are the metrics CISOs use to determine those metrics? Oh, and are there any metrics CISOs should ignore?
• Our CISOs digest a vendor pitch.
• And for "Ask a CISO," we question the value of case studies in print or video form.
• And as always, we launch the show with a 10-second security tip!

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Randall (Fritz) Frietzsche (@frietzche), CISO, Denver Health, Denver ISSA distinguished fellow, and teaches at Harvard University.

We Want Your Input and Critiques

For every episode we want input from listeners!

Please contact me here or on LinkedIn and send me the following:

• “Ask a CISO” question.
• A vendor pitch you want us to critique.
• A hot security discussion (please provide a link).
• A quick security tip.
• A big industry story and what it means to security professionals.

In all cases, we can or can’t mention you and your company name or keep you anonymous. Just let me know what you want.

Listen and Subscribe to the CISO/Security Vendor Relationship Podcast

So many ways to connect and listen to the podcast.

• iTunes
• Google Play
• Stitcher
• RSS Feed

Sponsor the Podcast

If your company would like to sponsor this podcast, please contact David Spark at Spark Media Solutions.

We're fed up with vendors who think they can detect any breach, but we're not fed up with breach detection.

On this week's episode:

• Are millennials excited or not excited about working in security? Supposedly, nine percent of all millennials are interested in a job of security. Is that good news/bad news/misrepresented news? (Read the story)
• Haroon Meer's amazingly open story of the money Thinkst spent at RSA 2018. Was it worth it? Great advice for anyone else sponsoring a big tech conference. (Read the story)
• Are you sponsoring Black Hat or another big tech conference? Pick up my book, Three Feet from Seven Figures: One-on-One Engagement Techniques to Qualify More Leads at Trade Shows.
• We talk about breach detection and the use of deception devices.
• When a breach happens, should you or shouldn't you blame the victim?
• How should security sales managers pump up their team for sales? Is letting people know that they're the only ones to fix their customers' problems the right tactic?

This episode is sponsored by Thinkst, makers of Canary deception devices. Read how much their customers love their product here.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Haroon Meer (@haroonmeer), founder and researcher of Thinkst.

We Want Your Input and Critiques

For every episode we want input from listeners!

Please contact me here or on LinkedIn and send me the following:

• “Ask a CISO” question.
• A vendor pitch you want us to critique.
• A hot security discussion (please provide a link).
• A quick security tip.
• A big industry story and what it means to security professionals.

In all cases, we can or can’t mention you and your company name or keep you anonymous. Just let me know what you want.

Listen and Subscribe to the CISO/Security Vendor Relationship Podcast

So many ways to connect and listen to the podcast.

• iTunes
• Google Play
• Stitcher
• RSS Feed

Sponsor the Podcast

If your company would like to sponsor this podcast, please contact David Spark at Spark Media Solutions.

Are you managing your passwords the same today as you did five years ago? On this episode of the CISO/Security Vendor Relationship podcast, we discuss the changing landscape of what we once thought were best practices, but aren't anymore.

On this episode:

• Which CEOs are more fatalistic about inevitability of cyber attacks
• Explaining cyber risks to the board
• Reappropriating the word "hacker." My cartoon that spurned a debate and Rick McElroy of Carbon Black's discussion on LinkedIn.
• What we're no longer advising you do with your passwords.
• Do cold calls and emails ever work?
• What are CISO's biggest organizational roadblocks?
• All that and a ten-second security tip.

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Maxime Rousseau (@maxrousseau), CISO, Personal Capital.

We Want Your Input and Critiques

For every episode we want input from listeners!

Please contact me here or on LinkedIn and send me the following:

• “Ask a CISO” question.
• A vendor pitch you want us to critique.
• A hot security discussion (please provide a link).
• A quick security tip.
• A big industry story and what it means to security professionals.

In all cases, we can or can’t mention you and your company name or keep you anonymous. Just let me know what you want.

Listen and Subscribe to the CISO/Security Vendor Relationship Podcast

So many ways to connect and listen to the podcast.

• iTunes
• Google Play
• Stitcher
• RSS Feed

Sponsor the Podcast

If your company would like to sponsor this podcast, please contact David Spark at Spark Media Solutions.

Want to get under a CISO's skin? Ask them if they have a concern for security in their environment. It's like asking a chef if they're concerned about preparing food. In this week's episode of the CISO/Security Vendor Relationship Podcast we learn how the following:

• Dumbest mistakes you can make as a CISO
• What to do on day 1 when you're a CISO
• Why is everyone talking about this now? Questioning a CISO's job interests.
• Please, Enough. No, More on GDPR.
• We critique a vendor pitch.
• And "Ask a CISO."

As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Richard Greenberg (@ragreenberg), CISO, LA County Department of Health Services as well as chapter presidents of ISSA and OWASP in Los Angeles.

This episode is sponsored by Signal Sciences. We thank them for their support.

We Want Your Input and Critiques

For every episode we want input from listeners!

Please contact me here or on LinkedIn and send me the following:

• “Ask a CISO” question.
• A vendor pitch you want us to critique.
• A hot security discussion (please provide a link).
• A quick security tip.
• A big industry story and what it means to security professionals.

In all cases, we can or can’t mention you and your company name or keep you anonymous. Just let me know what you want.

Listen and Subscribe to the CISO/Security Vendor Relationship Podcast

So many ways to connect and listen to the podcast.

• iTunes
• Google Play
• Stitcher
• RSS Feed

Sponsor the Podcast

If your company would like to sponsor this podcast, please contact David Spark at http://www.sparkmediasolutions.com/contact/Spark Media Solutions.

Did Katy Perry provide sound security advice, or didn’t she? You’ll have to listen to the latest episode of the CISO/Security Vendor Relationship Podcast to find out. In this episode:

• A Third of UK Organizations Have Sacked Employees for Data Breach Negligence
• Younger Employees Identified as ‘Main Culprits’ of Security Breaches
• Who has your CEO’s credentials? – by Robert Herjavec, one of the sharks on “Shark Tank”
• NEW Segment: Please, Enough. No, More. This week we talk about identity management
• What do you think of this pitch? A pitch from Cobalt
• Ask a CISO. How many tools in your suite? Are you worried about integration?

  As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Richard Rushing (@secrich), CISO, Motorola Mobility. The written content for this podcast was first published on Security Boulevard.

On this week’s episode of the CISO/Security Vendor Relationship podcast we ask, “What good is a security alert if there’s no actionable item?” As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Wendy Nather (@wendynather), director, advisory CISOs, Duo Security.   On this episode, you’ll learn:

• Flex your incident response muscles.
• Does your cybersecurity policy change around high-profile events?
• What’s the definition of cybersecurity and why do so many people care?
• How a security vendor helped me a long time ago, but Mike thought about them this week.
• A couple of vendors submit their pitches for a critique. One is confusing and one is almost perfect.
• And a couple of “Ask a CISO” questions.

  The written content for this podcast was first published on Security Boulevard.

Don’t bother trying to craft a potentially clever, funny and adorable email that you hope will tickle a security practitioner; it’s simply not going to work. When it comes to security pitches, practitioners just want the facts. While humor is appreciated, a cold email pitch is not the time to showcase your creative writing skills. As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions  and Mike Johnson, CISO, Lyft. Our guest this week is Jeremiah Grossman (@jeremiahg), CEO, Bit Discovery.   On this week’s CISO/Security Vendor Relationship podcast, You’ll discover that InfoSec truism and:

• 10-second security tip (do you have these security controls in place?).
• The correct pronunciation of CISO (and whether anyone cares).
• Consumers and activists issuing lawsuits in the name of GDPR and why that’s a good thing for the future of GDPR.
• The increasing cost of breaches.
• A new method to get a security practitioner’s time (Is the idea so crazy it will work? Or do we just need more crazy ideas?).
• How a security vendor helped me this week.

  The written content for this podcast was first published on Security Boulevard.

After tackling some dodgy audio issues, we have released the second episode of the CISO/Security Vendor Relationship podcast with our guest Kip Boyle (@KipBoyle), CEO of Cyber Risk Opportunities. Subscribe to Kip’s podcast. As always, the show is hosted by myself, David Spark (@dspark), Founder, Spark Media Solutions and Mike Johnson, CISO, Lyft.   In this episode, “Security Vendors Buy Their First Pack of Condoms”:

• 10-second security tip.
• Amazon Alexa hacked or just a failure of the technology?
• Does rebooting your router help or is it just security theater?
• Will automation replace entry-level SOC jobs and if so, how do we bring in new security talent?
• How security vendors helped me this week.
• Security vendors padding their pitches.
• Mitigating new risks or getting back to security basics?

  The written content for this podcast was first published on Security Boulevard. Creative Commons photo attribution to Peter Rivera.

I’m proud and excited to announce the launch of the CISO/Security Vendor Relationship Podcast based on the series of articles and videos I produced that examine the relationship between security buyers and sellers. That series was heavily inspired by the writings, posts and insane engagement that Mike Johnson, CISO of Lyft, continues to drive on LinkedIn. And what’s even more awesome, Mike agreed to be my co-host! For our first episode, Mike and I invite Dwayne Melançon (@ThatDwayne), CTO, Innovyze.   In this episode we have:

• 10-second security tips.
• Tidal claims “breach” when they’re accused of faking streaming numbers
• Google Chrome switches its “secured” website alert to one of “not secured”
• Juro introduces a privacy policy that anyone can read.
• How security vendors helped me this week
• How to improve your pitch
• And ASK a CISO

The written content for this podcast was first published on Security Boulevard.