CISO/Security Vendor Relationship Podcast
Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.

Find all images and links for this episode on CISO Series (

Even if you do give "informed" consent, do you really understand what we're doing with your data? Heck, we don't know what we're going to do with it yet, but we sure know we want a lot of it. It's all coming up on this week's episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Francesco Cipollone (@FrankSEC42), head of security architecture and strategy, HSBC Global Banking and Markets.

Thanks to this week's podcast sponsor ExtraHop


Unlike security solutions that focus on signature- and rule-based detection, ExtraHop Reveal(x) helps you rise above the noise of alerts with complete east-west visibility and machine learning for real-time detection of known and unknown threats, plus guided investigations for rapid response. Find and address real threats faster with ExtraHop.

On this week's episode

Should you ignore this security advice?

This is advice you should not ignore. It comes from an article by Jonathan Jaffe, director of information security at where he offered up a great recipe for startup security. We discussed standout tips and were there any disagreements or omissions?

Close your eyes. Breathe in. It's time for a little security philosophy.

Phil Huggins, GoCardless, said, "If we don't know what value is in our data until it has been enriched and analysed can we give informed consent as to its use?"

What's Worse?!

We're concerned with the state of data in this game.

Ask a CISO

Mike Baier, Takeda Pharmaceuticals, asks, "When faced with the scenario of the vendor providing a recent SOC 2 Type 2 report, and then tells you that their internal policies/procedures are considered 'highly confidential' and cannot be shared, what tips would you provide for language that could help cause the vendor to provide the required documentation?"


The 1979 movie When a Stranger Calls gave us that unforgettable horror moment when the police informed Jill that the calls from the stalker were coming from inside the house. Nineteen years earlier, Hitchcock’s Psycho did a similar type of thing with the shower scene. We humans have a real problem when danger pops up in the place we feel safest – our homes. A similar problem happens in corporate IT security. We place a great deal of attention on watching for external hackers, as well as those that seek to dupe our overstressed employees into clicking that spearfishing link. What was it that Edward Hermann’s character, the vampire, said in the Lost Boys? “You have to invite us in.”

But what about internal bad actors? There are those who see great opportunity in accessing, stealing and selling company resources – data – like social security numbers, credit card numbers and medical files.

More on CISO Series.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

OK, what's the risk?

A question from Robert Samuel, CISO, Government of Nova Scotia that I edited somewhat. It's commonly said that the business has the authority for risk-trade off decisions and that security is there just to provide information about the risk and measurement of the risk. I'm going to push this a little. Is this always the case? Do you sometimes disagree with the business or is it your attitude of "I communicated the risk, it's time for me to tap out."

Direct download: CISO_Vendor_07-30-2019_FINAL.mp3
Category:podcast -- posted at: 5:30am PDT

All images and links for this episode can be found on CISO Series (

If you've got lots of critical data, a massive insurance policy, and poor security infrastructure, you might be a perfect candidate to be hit with ransomware. This week and this week only, it's an extortion-free episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Sean Walls (@sean_walls2000), vp, cybersecurity, Eurofins.

Thanks to this week's podcast sponsor Core Security

Core Security

Assigning and managing entitlements rapidly to get employees the access they need is critical, but it can come at the cost of accuracy and security. Core Security’s identity governance and administration (IGA) solutions provide the intelligent, visual context needed to efficiently manage identity related security risks across any enterprise.

On this week's episode

How CISOs are digesting the latest security news

An article in the NYTimes points to a new trend in ransomware that is specifically attacking small governments with weak computer protections and strong insurance policies. Payments from $400-$600K. Lake City, Florida, population 12K paid $460K to extortionists. They got some of their information back but they have been set back years of what will require rescanning of paper documents. Mike, I know your standard philosophy is to not pay the ransom, but after a ransomware attack against the city of Atlanta, the mayor refused to pay $51,000 in extortion demands, and so far it's cost the city $7.2 million. Probably more. These payments by the small cities must be incentivizing more attacks. Does this information change the way you're willing to approach ransomware. What can a small city with zero cybersecurity staff do to create a program to reduce their risk to such a ransomware attack?

Ask a CISO

Bindu Sundaresan, AT&T Consulting Solutions, asks a very simple question, "How is each security initiative supporting the right business outcome?" Do you find yourself selling security into the business this way? If not, would you be more successful selling security to the business if you did do this?

What's Worse?!

We've got a split decision on what information we prefer after a breach.

Listen up, it’s security awareness training time

Jon Sanders, Elevate Security, said, "Security awareness involves A LOT of selling… there’s no cookie cutter approach in security awareness or sales!" Is the reason security training is so tough because so many security people are not born salespeople? I've interviewed many and there's a lot of "just listen to me attitude," which really doesn't work in sales.

Cloud Security Tip, sponsored by OpenVPN

We talk a lot about penetration testing here, given that it remains a staple of proactive IT security. But not everyone feels it’s all it’s cracked up to be. Or should that be, all it’s hacked up to be?” More than one cybersecurity organization points out there are a few flaws in the pen testing concept that make it worth a second look.

Pen testing often consists of a small collection of attacks performed within a set time period against a small sample of situations. Some experts doubt the efficacy of testing against a limited field of known vulnerabilities, without knowing what other weaknesses exist in plain sight, or merely invisible to jaded eyes.

More on CISO Series...

What do you think of this pitch?

We have a pitch from Technium in which our CISOs question what exactly are they selling?

Direct download: CISO_Vendor_07-23-19_FINAL.mp3
Category:podcast -- posted at: 6:00am PDT

All links and images for this episode can be found on CISO Series (

We've just fallen in love with our passwords we just want to use them again and again and again. Unfortunately, some companies more interested in security aren't letting us do that. We discuss on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is William Gregorian (@WillGregorian), CISO, Addepar.

Thanks to this week's podcast sponsor Cyberint


The high ROI is what makes spear phishing campaigns so attractive to threat actors. Read our breakdown of TA505's latest series of attacks. CyberInt has been tracking various activities surrounding this and other similar attacks where legit means were used to hack international companies in the retail & financial industries.

How CISOs are digesting the latest security news

Chris Castaldo of 2U and a former guest on the show posted this great story of TripAdvisor invalidating user credentials if a member's email and password were found in publicly leaked data breach databases. Is this a great or bad move by TripAdvisor?

Ask a CISO

On LinkedIn, Chad Loder, CEO, Habitu8 posted an issue about the easy deployment and ubiquity of cloud applications. He argues it's no longer Shadow IT. It's just IT. And securing these cloud tools you don't manage nor know about requires a lot of education. Is Shadow IT inevitable. Should we lose the name? And is education the primary means of securing these services?

It's time to play, "What's Worse?!"

One of the toughest rounds of "What's Worse?!" we've ever had.

Close your eyes. Breathe in. It's time for a little security philosophy.

Mike posed a "What's Worse?!" scenario to the LinkedIn community and got a flurry of response. The question was "Would you rather have amazing, quality cybersecurity incident response in 24 hours or spotty, unreliable response in one hour?" I wanted to know what was Mike's initial response and did anyone say anything in the comments to make him change his mind?

Cloud Security Tip - Sponsored by OpenVPN

For quite a while, IT security experts have been touting the value of two factor authentication (2FA) as a better way to keep data safe than simply using passwords alone. We have even spoken about it here. In its most popular form, 2FA sends a confirmation code to your phone, which you must then enter into the appropriate log-in confirmation window within a short amount of time. This is like having a second key to the safe, like many bank vaults used to have. (more on the site)

It’s time to measure the risk

Chelsea Musante of Akamai asks, "What would you say to someone who thinks their risk for credential abuse / account takeover has decreased because they've implemented MFA (multi-factor authentication)?"

Direct download: CISO_Vendor_07-14-2019_FINAL.mp3
Category:podcast -- posted at: 6:00am PDT

All links and images for this episode can be found at CISO Series (

It's easy to calculate risk if no one ever checks the accuracy of those predictions after the fact. It's all coming up on CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Bob Huber (@bonesrh), CSO, Tenable.


Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more:

On this week's episode

What's the ROI?

Do we analyze how good we are at predicting risk?

Phil Huggins, GoCardless said, "We conduct detailed rigorous risk assessments to support security transformation business cases and identify a series of mitigation actions and then declare success if those actions are completed on time and on budget... We never revisit our risk assessments a year later and see how good we were at predicting risk occurrence. I worry that the avoidance of feedback contributes to the underperformance of security."

Are we looking back and seeing how good we are at analyzing risk?

Close your eyes. Breathe in. It's time for a little security philosophy.

We have evolved from an unchecked "Cloud first" model to a more thoughtful "cloud smart" strategy. Are these just PR slogans apparently implemented by the last two administrations, or is there something to them? Looking ten years ago vs. today, have we really become smarter about implementing cloud technologies? In what way have we made the greatest strides? How are we falling short and where would you like us to be smarter?

What's Worse?!

What would you sacrifice to get all the training you could get?

Please, Enough. No, More.

Our topic is DevSecOps. It's a big one. Mike, what have you heard enough of on the topic of DevSecOps, what would you like to hear a lot more?

What do you think of this pitch?

Shazeb Jiwani of Dialpad forwarded me this pitch from Spanning Cloud Apps. He asks, "how they feel about vendors using an availability issue from a partner (not even a competitor) as a sales pitch."

Cloud Security Tip - Sponsored by OpenVPN

Parkinson’s Law states that “work expands to fill the time available,” and any IT specialist knows this applies equally to data and can be stated as “Data expands to fill the storage available.” 

As cloud service providers – and the cloud itself both continue to expand, the opportunity to transport and store all of your data seems to be a great convenience. But data management requires oversight, control and governance. The more data – and daily data flow –one has, the greater the potential for misuse, redundancy, errors, and costly maintenance. 

More at

Direct download: CISO_Vendor_06-24-2019_FINAL.mp3
Category:podcast -- posted at: 7:34am PDT