CISO/Security Vendor Relationship Podcast
Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.

All links and images for this episode can be found on CISO Series (

We're playing hard to get on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Al Ghous, head of cloud security at GE Digital.

Thanks to this week's podcast sponsor Carbon Black

Carbon Black

Carbon Black (NASDAQ: CBLK) is a leader in endpoint security dedicated to keeping the world safe from cyberattacks. The company’s big data and analytics platform, the CB Predictive Security Cloud (PSC), consolidates endpoint security and IT operations into an extensible cloud platform that prevents advanced threats, provides actionable insight and enables businesses of all sizes to simplify operations.

On this week's episode

Why is everybody talking about this now?

On LinkedIn, Marcus Capone, Partner at Onyx, a physical and cybersecurity firm said, "I laugh when clients balk at prices. They expect champagne but want to pay for Coors Light…" This caused a flurry of discussion of price/value in security. There was an attitude across the board that we're the absolute best and we should be paid that. But as Allan Alford said on Defense in Depth, there's a market for a slightly worse, but way cheaper version of Splunk. Do CISOs want beer-level security solutions?

It’s time to measure the risk

How can startups and large companies get along better? Enterprises are jealous of startup's agility, and startups are eager to get at an enterprises' assets. But startups can be a security nightmare and it's a non-starter if they can't pass the third-party risk management process. With all this frustration, is there any middle ground?

What's Worse?!

We have a common real-world scenario in this week's game.

You're a CISO, what's your take on this?

We have talked in the past about how the term "AI" can mean a lot of things. It can be a simple script or it can be an algorithm that actually learns by itself. Both will do something for you automatically, but the expectations are vastly different. When security vendors tout AI, what would CISOs like to hear so your expectations can be set appropriately?

Understanding security sales

The frustration of the vendor follow up process after a demo. An anonymous listener asks, "We are usually told some sort of next step or asked to follow up in a few weeks." The challenge is they're often left chasing the potential client getting no response. This can go on for months. "Is there a way to make this more productive for all involved?" Should the prospect be blamed? What can be done to improve the process?

Cloud Security Tip sponsored by OpenVPN

Application Programming Interfaces (API’s) are wonderful for customizing and enhancing the cloud experience, but as a common front door, they pose a significant security risk. Regardless how secure a cloud service provider is, their primary role as an interface means APIs will always pose a weakness that can be exploited by hackers.


Direct download: CISO_Vendor_05-24-2019_FINAL.mp3
Category:podcast -- posted at: 9:20pm PDT

Find all images and links for this episode on CISO Series (

We're trying to clean up vendor pitches of unnecessary and outrageous claims so they can sail through to a CISO's inbox. It's our service to cybersecurity community on this week's episode of CISO/Security Vendor Relationship Podcast.

This show was recorded live in front of an audience of CISOs and security vendors at the San Francisco CISO Executive Summit, hosted by Evanta. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Aaron Peck, CISO, Shutterfly.

Thanks to our podcast sponsors ExtraHop and Tenable


Unlike security solutions that focus on signature- and rule-based detection, ExtraHop Reveal(x) helps you rise above the noise of alerts with complete east-west visibility and machine learning for real-time detection of known and unknown threats, plus guided investigations for rapid response. Find and address real threats faster with ExtraHop.


Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more:

On this week's episode

Why is everybody talking about this now?

Last week I was about to install a popular and approved app in the Google Play store that asked if the app could read, copy, download, and DELETE my contacts. Also last week during Google I/O, Sundar Pichai, Google’s chief executive touted their focus on privacy. This is not the first time we've heard this from Google or Facebook who is going to be facing the largest privacy violation in FTC history. Getting access to our behaviors is how Facebook and Google make their money. What would we like to see, not hear, from either Google or Facebook that convinces us that yes, they are doing something significant and proactive about privacy. Maybe they've already done it.

Why is this a bad pitch?

A Twitter thread asked, "What do vendors say that immediately undermines their credibility?"

There were a lot listed, but the ones I saw repeated multiple times were military grade, next-gen, bank-level encryption, full visibility, 100% effective, and single pane of glass.

We have brought up many of these on our show. And while we understand companies are trying to find a short pithy way to describe their technology, using terms like these can turn a great pitch into an effort to dig out of a hole.

What's Worse?!

We squeeze in two rounds of this game and our guest tries to dodge the question, but I don't let him.

You're a CISO, what's your take on this?

Brian Fricke, CISO at BBVA Compass is eager to hear how to successfully reconcile the cloud-driven CapEx to OpEx budget shift. CFOs don't get any depreciation benefit from OpEx, and Brian believes they'd prefer to see CapEx even if it's double the cost. He's struggling. Our CISOs offer up some advice.

How to become a CISO

Jason Clark, CISO of Netskope, wrote an article on Forbes about security mentorship. Mentors are needed to create more security leaders, CISOs, increase interest in security, and teach the ability to talk to the business. All of it centered around one theme of motivating others. What are ways to teach motivation across all these areas?



Direct download: CISO_Vendor_05-15-2019_FINAL.mp3
Category:podcast -- posted at: 10:31pm PDT

See all links and images for this episode on CISO Series (

We want to put an end to InfoSec negativity, but not at the sacrifice of the soul of the company. We're weighing our options on this week's episode of CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Sean Catlett, CISO of Reddit.

Sean Catlett, CISO, Reddit and Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast

Thanks to this week's sponsor, Perimeter 81

Perimeter 81 is a Zero Trust Network as a Service designed to simplify secure network, cloud and application access for the modern and mobile workforce. We allow cybersecurity professionals to easily build, manage and secure their organization’s networks in one unified, multi-tenant, cloud-native platform. Learn more at

On this week's episode

Why is everybody talking about this now?

Helen Patton, CISO at Ohio State University, asked the security community, "What cultural/behavioral influences on Security would you like to see changed?"

First 90 Days of a CISO

Matt McManus who works in InfoSec at WeWord asks, "What's the ideal information security team make-up and structure?" Sean, you came into Reddit recently as a new CISO. How did you go about determining what you needed for a team?

What's Worse?!

What needs to be protected? The endpoints or the network?

You're a CISO, what's your take on this?

Last year I was chatting with a CEO, and he mentioned one common frustration with a scenario that keeps repeating itself. He will have a truly fantastic meeting with a potential buyer. Absolutely everything goes right, but the moment he asks to engage in a PoC, Proof of Concept, the conversation does an about face and everything falls apart. And vendors have unrealistic expectations of the time it will take a potential buyer to conduct a PoC.

Ask a CISO

With the recent release of the Verizon Data Breach Investigation Report, or DBIR, we brought up a question from Kip Boyle, author of Fire Doesn't Innovate. He asks, "What role do vendors and the media play in determining and prioritizing your cyber risks?"

Cloud Security Tip by Steve Prentice, sponsored by OpenVPN

Whether your data is in transit or at rest, it’s vital to remember that neither state is secure. Data must be protected in both states, and encryption plays a major role in this. In addition to encryption standards for in-transit data such as TLS for email, HTTPS and SSL for websites and the use of a VPN when connecting from public Wi-Fi hotspots (even those that say they are secure), there is symmetric and asymmetric encryption, part of the Advanced Encryption Standard. Symmetric encryption happens when the sender and receiver of a message use a single shared key to encrypt and decrypt the message, which is something most internet traffic uses. Asymmetric encryption uses more CPU power and is harder to encrypt, and is used for secure online exchanges via the Secure Sockets Layer.

But encryption isn’t the end of the story. There must be network security controls to help protect data in transit as well as securing the transmission networks themselves. Proactivity is key here, which means identifying at-risk data, establishing user prompting regulations and automatic encryption for things like files attached to an email message, and taking stock of, and categorizing all types of data to ensure the right level of security is applied to each.

On a human level, Role-Based Access Control (RBAC) ensures different levels of security and permissions, multi factor authentication helps make data a more difficult target, and of course, each company should take ownership of this challenge and not rely on their cloud supplier to do it for them.


Direct download: CISO_Vendor_05-07-2019_FINAL.mp3
Category:podcast -- posted at: 7:20am PDT

Check out all links and images for this episode on CISO Series (

We're not always clear on what vendors should do when selling security products, but when we get a really bad email pitch, we're very clear on what they should not do. We're bedazzled with bad pitch disbelief on this episode of CISO/Security Vendor Relationship Podcast.

Thanks to this week's sponsor, Women in Security and Privacy (WISP)

Women in Security and Privacy (WISP)

Women in Security and Privacy works to advance women in security and privacy. We accomplish this through practical and technical workshops, TANDEM mentorship programs, leadership training, job board postings, Equal Respect speakers bureau, and conference and training scholarships.

On this week's episode

Why is everybody talking about this now?

Facebook is expected to pay somewhere between $3 to $5 billion in FTC fines for violating the 2011 consent decree. They violated user's privacy without giving clear notice or getting clear consent. But, all this financial and reputational damage doesn't seem to do a darn thing to dissuade individuals or investors from Facebook. The site has 2.38 billion active users. It's growing 8% year over year. And after their earnings announcement which mentioned the multi-billion dollar fine, their stock jumped 7%. This doesn't appear to get people to care about security and privacy, So what will?

Hey, you're a CISO, what's your take on this?'

The NSA has announced that no zero day attacks were used in any high profile breach in the last 24 months. Most of the attacks were simple intrusion where they went after users through techniques like phishing or water holing. We talk endlessly on this show about good cyber hygiene, but we have an event coming up, Black Hat, that thrives on showing security professionals the latest attack techniques, which I know are not zero days. But how can security professionals NOT gravitate towards the newest and coolest?

What's Worse?!

Who needs to control the problem? Security or the business unit?

How to become a CISO

Gary Hayslip, CISO of Webroot, and a former guest on Defense in Depth. He wrote an article to his younger self of what he wish he had known when he started in cybersecurity and then becoming a CISO. I'll ask the two of you to do the same exercise. What is something that you now know that there's no way you would have known starting out but would have made your life a lot easier as you took the climb to become a CISO.

Why is this a bad pitch?

We've got a one-two punch on a bad pitch email that uses self-deprecating humor plus an assumption of business relationship. Ouch.

Cloud Security Tip, sponsored by OpenVPN

The importance of developing consistent data protection policies across multiple cloud services
Many IT departments manage multiple clouds to ensure redundancy and avoid vendor lock-in. But diversifying brings along a new set of risks that demand a consistent and constantly reviewed data governance solution.

In general, cloud vendors do not take responsibility for the security of your data. So, your policy must take full responsibility for endpoints, networks and cloud environments. Just a few of the must-haves on this list include limiting user’s permissions to only what they absolutely need, strong security practices including multi-factor authentication and password management, enforcing a uniform set of data loss prevention policies, and building a dynamic inventory of applications by the types of data stored, compliance requirements, and potential threats. Policies should be assigned to groups or roles rather than individual people.

In-house IT people are already busy. Their attention and energies might be best served by working with senior management to establish and maintain Multicloud and data loss prevention policies, while leaving the heavy lifting and day-to-day proactive maintenance to a completely reputable as-a-service cloud security vendor. 

Direct download: CISO_Vendor_05-04-2019_FINAL.mp3
Category:podcast -- posted at: 9:18am PDT