CISO/Security Vendor Relationship Podcast
Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.

Direct link for episode on blog (

We note that blackmail has become an option even in cybersecurity sales. It appears some vendors have become so desperate that they've resorted to borderline criminal activity.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Branden Newman, CISO for Adidas.

Thanks to this week's sponsor, Logicgate


LogicGate is an agile GRC process automation platform that combines powerful functionality with an intuitive design to enhance enterprise governance, risk, and compliance programs. With our prebuilt process templates, organizations quickly and efficiently operationalize their GRC activities without requiring support from consultants or corporate IT.

On this week's episode

How CISOs are digesting the latest security news

CNBC published a piece about security vendors being so desperate for meetings with CISOs that they've resorted to blackmail. They see a breach, even if it's not holding any critical or personal data, and they threaten to take it to the press if the CISO doesn't meet with them and/or let them fix it. Has this happened to our CISOs and if so, what did they do?

Why is everybody talking about this now?

We talk about the basics a lot on this show, but I'm getting the sense that the industry is finally taking it seriously. We saw evidence at RSA with 60% of the content being focused on fundamentals. And CISOs at major companies not touting the latest threats, but getting back to basics. We've talked a lot about this issue on the show. How else can the industry turn the focus about getting back to basics?

What's Worse?!

I challenge the CISOs once again on what is probably the shortest What's Worse?! question.

Hey, you're a CISO, what's your take on this?'

The horror of the badge scanner. Chad Loder, CEO of Habitu8, posted that he never uses badge scanners because "There's nothing worse than talking to someone only to have them ask, 'Mind if I scan you?' - it reinforces the idea that the goal of this human interaction is to ensure you're added to a list." The goals of attendees (learning and valuable conversations) are not coinciding with the goals of vendors (more scans for follow up cold calls and marketing). What is the ideal booth experience for a security professional?

BTW, I wrote a book on how to engage at a trade show entitled Three Feet from Seven Figures: One-on-One Engagement Techniques to Qualify More Leads at Trade Shows. Check it out at

Ask a CISO

Jeremiah Grossman, CEO of Bit Discovery, and a former guest, asked this question on Twiter which caused a flurry of discussion: "In InfoSec we often hear, 'Why don’t organizations just do or fix … X?' As a thought exercise, ask the opposite. 'Why should businesses do or fix… X?,' and do so in dollars and cents terms.It’s often surprisingly difficult." Is it possible to calculate this formula?

Direct download: CISO_Vendor_03-24-2019_FINAL.mp3
Category:podcast -- posted at: 8:08pm PDT

Do the biggest tech companies abuse our privacy because they have no competitive incentive to protect it? That debate and more on the latest episode of CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Emilio Escobar (@eaescob), head of information security for Hulu.


Endgame makes military-grade protection as easy as anti-virus. Their converged endpoint security platform is transforming security programs – their people, processes and technology – with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit

On this episode

Why is everybody talking about this now?

Why can't security vendors get CRM right? One week after RSA I have received cold phone calls and emails from companies for which I"m already engaging with multiple people at said company, some I've actually interviewed their CEOs, actually worked for the company, and/or they've sponsored this very podcast. Other industries use their CRM. Why does it appear en masse the cybersecurity industry is failing at basic CRM?

How CISOs are digesting the latest security news

Massachusetts Senator Elizabeth Warren wrote an opinion piece on Medium saying that if elected President her administration would seek to breakup Amazon, Facebook, and Google. She cited them as monopolies squashing innovation and competition and damaging our privacy for their profit. She said, "With fewer competitors entering the market, the big tech companies do not have to compete as aggressively in key areas like protecting our privacy."

What's Worse!?

What's the best kind of CISO to have?

What's a CISO to do?

Last year at Black Hat I produced a video where I asked attendees, "Should DevOps and security be in couples counseling?" Everyone said yes. Are security leaders taking on the role of couples counselor as they try to get security and DevOps working together?

What do you think of this pitch?

We've got two pitches for the show and the second one has a response that veers into insulting.


Direct download: CISO_Vendor_03-17-2019_FINAL.mp3
Category:podcast -- posted at: 4:58pm PDT

Since no one ever checks a research study's methodology, why not just make up all the numbers? You're in the risk analysis business, right? Chances are very good they'll never check and research studies are a great way to get free press.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Melody Hildebrandt (@mhil1), CISO of FOX.

Thanks to this week's sponsors, Axonius and New Context.

New Context

New Context helps fortune 500s build secure and compliant data platforms. New Context created “Lean Security”, a set of best practices designed to help enterprises manage and secure data for critical infrastructure, and offers professional services and a software solution, LS/IQ, to help enterprises build a secure and compliant data platforms for their business.


Huge congrats to Axonius for their two big wins at RSA this year. They were named Rookie Security Company of the Year by SC Media and they also won top prize at RSA’s Innovation Sandbox. They’ve been touted as the company trying to solve the least sexy part of cybersecurity, asset management. Go to Axonius’ site to learn more.

On this episode

Ask a CISO

It’s been reported many times, that the average life of a CISO is 18 months and Mike Johnson lasted 18 months at Lyft. At the time of Mike’s departure so many people were forwarding me articles regarding the stress level of CISOs, most notably around Nominet’s study that claimed that about 1 in 5 CISOs turn to alcohol or self-medicating. With two CISOs on the panel we discuss if this was the most high-pressured job they had and would you be eager and willing to jump back into the CISO role again.

Why is everybody talking about this now?

Couple weeks ago I wrote an article entitled “30 Security Behaviors that Set Off a CISO’s BS Detector.” There was quite a response from the community to this. Now that we’ve just finished RSA, did our CISOs see or hear anything that set off their BS detectors.

What’s Worse?!

We play two rounds of “What’s Worse?!” Both rounds are cases of employees putting security in very compromising positions.

What’s a CISO to do?

When we talk about security we’re often talking about protecting customer and employee data. While all companies have intellectual property they need to protect, at FOX, Melody Hildebrandt is having to deal with some very high profile individual assets that are of interest to many hackers. What are the factors a CISO must consider, that most security people probably aren’t thinking about, when you’re trying to secure a single media asset that’s worth hundreds of millions of dollars?

What do you think of this pitch?

After you hear this pitch, every security professional may be out of a job. Tip of the hat to Christopher Stealey of Barclays for providing this pitch he received.

You’re a CISO, what’s your take on this?

Ameer Shihadeh of Varonis asks a question of trying to overcome the objection from a security professional that they don’t have any security initiatives or projects.

And now this…

We field questions from our audience for the CISOs.

Direct download: CISO_Vendor_Live_03-06-2019_FINAL.mp3
Category:podcast -- posted at: 8:37pm PDT

We eschew those cybersecurity firms touting claims of artificial intelligence for our organic conversation-based approach to podcasting.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Mike Wiacek (@Mikewiacek), co-founder and CSO for Chronicle.

Thanks to this week's sponsor, Chronicle

Chronicle - Backstory

Chronicle’s Backstory is a global security telemetry platform for investigation and threat hunting within your enterprise network. Backstory makes security analytics instant, easy, and cost-effective. Backstory is a specialized, cloud-native security analytics system, built on the core infrastructure that powers Google itself.

On this episode

What's a CISO to do?

As we brace for RSA this week, we expect most companies on the floor will be touting some form of artificial intelligence or machine learning. CISOs are no longer even slightly moved by those terms. What should vendors be saying? And what should a savvy security shopper demand to know about a company's AI or ML?

Why is everybody talking about this now?

Allan Alford, CISO of Mitel, and my co-host on the other CISO Series podcast, Defense in Depth, created a very funny "Cybersecurity Startup Name & Mission Generator!" chart that got a lot of response. We've seen a lot of these name generators, but this one seemed creepily too real. We discuss InfoSec company names and how not to let your eyes glaze over as you walk the trade show floor.

What's Worse?!

How do you feel when big security companies acquire smaller security companies?

Please, enough. No, more.

This week's topic is "threat hunting." We talk about what we've heard enough of on "threat hunting," and what we'd like to hear a lot more.

What's a CISO to do?

A great challenge question from an anonymous source: "My users learned security from the evening news. Now I can't see their traffic due to their VPN tunnel and they are using programs that delete evidence to be more secure." What's a CISO to do?

Direct download: CISO_Vendor_03-01-2019_FINAL.mp3
Category:podcast -- posted at: 8:26am PDT