All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our sponsored guest, Matt Radolec, vp, incident response and cloud operations, Varonis.

In this episode:

• Why is retaining cyber talent so hard?

• How can organizations keep an employee from going elsewhere?

• Why do organizations often not prioritize the factors to keep key employees?

Thanks to our podcast sponsor, Varonis

Ready to reduce your risk without taking any? Try Varonis’ free data risk assessment. It takes minutes to set up and in 24 hours you’ll have a clear, risk-based view of the data that matters most and a clear path to automated remediation. Get started for free today.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Joshua Brown, vp and global CISO, H&R Block.

In this episode:

• Why is retaining cyber talent so hard?

• How can organizations keep an employee from going elsewhere?

• Why do organizations often not prioritize the factors to keep key employees?

Thanks to our podcast sponsor, CyberMaxx

CyberMaxx offers MaxxMDR, our next-generation managed detection and response (MDR) solution that helps customers assess, monitor, and manage their cyber risks. MaxxMDR fuels defensive capabilities with insights from offensive security, DFIR, and threat hunting, on top of a technology-agnostic deployment model. We think like an adversary but defend like a guardian.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Alex Green, CISO, Delta Dental.

In this episode:

• Is it true that employees cause as many significant cybersecurity incidents as outside threat actors?

• Does this come down to a lack of awareness or poorly designed security implementation?

• And what can we do to improve this situation?

Thanks to our podcast sponsor, Silk Security

Silk makes it easy for security teams to resolve more critical cyber risks in a fraction of the time. Instead of toiling over spreadsheets, and watching alert backlog graphs go up, Silk helps security teams contextualize, prioritize and collaborate with stakeholders in IT to regain control over their risk posture.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Shawn Bowen, svp and CISO, World Kinect Corporation.

In this episode:

• Is it true that CISOs feel their jobs are harder than ever with higher levels of stress?

• Yet why does research also show that CISO job satisfaction increasing?

• How do we make sense of this contradiction?

Thanks to our podcast sponsor, Silk Security

Silk makes it easy for security teams to resolve more critical cyber risks in a fraction of the time. Instead of toiling over spreadsheets, and watching alert backlog graphs go up, Silk helps security teams contextualize, prioritize and collaborate with stakeholders in IT to regain control over their risk posture.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our sponsored guest, Nadav Lotan, product management team leader, Cisco.

In this episode:

• How can security teams do their jobs without seeming like an impediment to developers?

• Why can this relationship seem oppositional?

• How can both sides work together to better secure software without seeming like a road block?

Thanks to our podcast sponsor, Panoptica, Cisco’s Cloud Application Security Platform

Panoptica, Cisco’s Cloud Application Security solution, provides end-to-end lifecycle protection for cloud native application environments. It empowers organizations to safeguard their APIs, serverless functions, containers, and Kubernetes environments. Panoptica ensures comprehensive cloud security, compliance, and monitoring at scale, offering deep visibility, contextual risk assessments, and actionable remediation insights for all your cloud assets.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest, Jamil Farshchi, evp and CISO, Equifax.

In this episode:

• Data leaks are hard enough to deal with when caused by threat actors, but how bad is a self-inflicted data leak?

• Why do these types of incidents happen?

• How should an organization assess the risk it introduced?

Thanks to our podcast sponsor, Varonis

Ready to reduce your risk without taking any? Try Varonis’ free data risk assessment. It takes minutes to set up and in 24 hours you’ll have a clear, risk-based view of the data that matters most and a clear path to automated remediation. Get started for free today.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our sponsored guest, Yoav Nathaniel, co-founder and CEO, Silk Security.

In this episode:

• Why does it seem like securing APIs is so hard? Is it just a matter of complexity? 

• Why does it seem like we can’t go a week without hearing reports of a data leak caused by a failure in API security?

• Why do organizations struggle with API security?

Thanks to our podcast sponsor, Silk

Silk makes it easy for security teams to resolve more critical cyber risks in a fraction of the time. Instead of toiling over spreadsheets, and watching alert backlog graphs go up, Silk helps security teams contextualize, prioritize and collaborate with stakeholders in IT to regain control over their risk posture.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our sponsored guest, Jay Trinckes, director of compliance, Thoropass.

In this episode:

• Why do credential stuffing attacks put organizations in such a tricky spot?

• Why is blaming the victim rarely the right move?

• What kind of reasonable expectations can companies have about how much users will do to protect themselves?

Thanks to our podcast sponsor, Thoropass

Still spending time collecting evidence and worrying about breaking free of an infinite audit loop? Relax! We fixed audits. Thoropass provides complete infosec compliance management, continuous monitoring, and security audits through AI-infused software and expert guidance – allowing you to do business with confidence. Learn more at www.thoropass.com.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest Kelly Haydu, vp, infosec, technology, and enterprise applications, CarGurus.

In this episode:

• What other career fields are rife with talent that could successfully transition into our industry?

• What kind of framework do we need to surface a more diverse array of talent?

• Also, what happens when a vendor goes over your head to the CEO?

Thanks to our podcast sponsor, Panoptica, Cisco’s Cloud Application Security Platform

Panoptica, Cisco’s Cloud Application Security solution, provides end-to-end lifecycle protection for cloud native application environments. It empowers organizations to safeguard their APIs, serverless functions, containers, and Kubernetes environments. Panoptica ensures comprehensive cloud security, compliance, and monitoring at scale, offering deep visibility, contextual risk assessments, and actionable remediation insights for all your cloud assets.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Grant Anthony, CISO, Orion Health.

In this episode:

• Why getting buy-in to your security awareness program is so critical?

• Why do so many organizations get it so wrong?

• What framework can we apply to actually build trust with security awareness?

Thanks to our podcast sponsors, Varonis

Ready to reduce your risk without taking any? Try Varonis’ free data risk assessment. It takes minutes to set up and in 24 hours you’ll have a clear, risk-based view of the data that matters most and a clear path to automated remediation. Get started for free today.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Brett Conlon, CISO, American Century Investments. Joining me is our guest, Mical Solomon, CISO, Port Authority of NY and NJ.

In this episode:

• Does the hype around generative AI tools make it seem like these are a totally new technological challenge for cybersecurity?

• Are many of the challenges with securing them the same that we've seen from the rise of SaaS and proliferation of shadow IT?

• What lessons from that transition can we apply to AI?

Thanks to our podcast sponsors, Living Security & KnowBe4

Living Security is the global leader in human risk management. Our HRM platform Unify transforms human risk into proactive defense by quantifying human risk and engaging the workforce with relevant training and communications proven to change human behavior. Living Security is trusted by security-minded organizations, including Mastercard, Verizon, Biogen, AmerisourceBergen, and Hewlett-Packard. Learn more at www.livingsecurity.com.

KnowBe4's SecurityCoach enables real-time security coaching of your users in response to risky behavior. Based on the rules in your existing security software stack, you can configure your real-time coaching campaign to determine the frequency and type of SecurityTip that is sent to users at the moment risky behavior is detected.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest, Shyama Rose, CISO and head of IT, Affirm.

In this episode:

• What is the impact of burnout to your security team directly?

• Does burnout directly play a role in how an organization can respond to security incidents.?

• All jobs involve dealing with stress, but what should we consider normal in cybersecurity? And when does that stress endanger your security mission?

Thanks to our podcast sponsors, Panoptica, Cisco’s Cloud Application Security Platform

Panoptica, Cisco’s Cloud Application Security solution, provides end-to-end lifecycle protection for cloud native application environments. It empowers organizations to safeguard their APIs, serverless functions, containers, and Kubernetes environments. Panoptica ensures comprehensive cloud security, compliance, and monitoring at scale, offering deep visibility, contextual risk assessments, and actionable remediation insights for all your cloud assets.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Trina Ford, CISO, iHeartMedia.

In this episode:

• Why has the landscape for CISOs seemed particularly perilous in the past year?

• Does there  seem to be more responsibilities with very real legal consequences attached to the role?

• There is a lot of guidance out there for CISO candidates negotiating for a new position, but what can a current CISO do once they are already in the role?

Thanks to our podcast sponsors, Thoropass

Still spending time collecting evidence and worrying about breaking free of an infinite audit loop? Relax! We fixed audits. Thoropass provides complete infosec compliance management, continuous monitoring, and security audits through AI-infused software and expert guidance – allowing you to do business with confidence. Learn more at www.thoropass.com.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Bob Schuetter, CISO, Ashland.

In this episode:

• What should a company do when their name is in the press, but they didn't actually suffer a security incident?

• How much difference is there in responding to a fake data breach versus a real one?

• How would you handle responding to a fake breach claim?

Thanks to our podcast sponsors, Thoropass

Still spending time collecting evidence and worrying about breaking free of an infinite audit loop? Relax! We fixed audits. Thoropass provides complete infosec compliance management, continuous monitoring, and security audits through AI-infused software and expert guidance – allowing you to do business with confidence. Learn more at www.thoropass.com.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Billy Norwood, CISO, FFF Enterprises. Joining us is our guest, Joshua Barons, head of information security at San Diego Zoo Wildlife Alliance.

In this episode:

• Wasn't single sign-on supposed to solve all of our security woes?

• So why are we still seeing everything from phishing to session hijacking with SSO?

• Is this just growing pains for SSO or does this hint at a persistent problem?

Thanks to our podcast sponsors, Praetorian

Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures.  Joining me is our guest this week, Mike Kelley, CISO, EW Scrips.

In this episode:

• Why do a lot of security professionals feel unheard?
• Does this frustration lead to some turning into scolds during a security incident, quick to say "I told you so"?
• How do you manage these security pros when they don't feel heard, both before and during a crisis?

Thanks to our podcast sponsors, Praetorian

Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Richard Ford, CTO, Praetorian.

In this episode:

• Why do many CISOs think adopting new LLM-based tools will make breaches more likely?
• Why the rush to throw money at them?
• How do you go about building a security program that doesn't depend on individuals?

Thanks to our podcast sponsors, Praetorian

Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest, Suresh Vasudevan, CEO, Sysdig.

In this episode:

• What will the employment landscape look like with Generative AI becoming the next big thing?
• Will we be hiring prompt engineers in a few years?
• Or will it become like putting "search engine proficiency" on your resume?

Thanks to our podcast sponsors, Sysdig

For businesses innovating in the cloud, every second counts. Sysdig strengthens cyber resilience by reducing the attack surface, detecting threats in real time, and accelerating incident response. Our platform correlates signals across cloud workloads, identities, and services to enable businesses to prioritize risks and act decisively. Sysdig. Secure every second.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and sponsored co-host Jason Sabin, CTO, DigiCert. Joining us is our guest, Alexandra Landegger, executive director of security, Collins Aerospace.

In this episode:

• Are CISOs prepared for the legal surprises that can come in the aftermath of a cyberattack?
• What about the legal fallout that can occur afterward?
• How does a security team work with legal beforehand to address these issues when drawing up incident response?

Thanks to our podcast sponsors, DigiCert

DigiCert is a leading global provider of digital trust, the infrastructure that enables individuals and businesses to have confidence that their digital interactions are secure. DigiCert’s award-winning solutions enable organizations to establish, manage, and extend public and private trust across their digital footprint, securing users, servers, devices, software and content.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest, Kurt Sauer, CISO, Docusign.

We recorded in front of a live audience at Microsoft’s offices in Mountain View, CA as part of the ISSA-Silicon Valley chapter meeting. Check out all the photos from the event.

In this episode:

• Is a high profile cyberattack the best time for salespeople to come out of the woodwork asking if the affected CISO would like to see their product, which would have helped prevent the attack?
• Is there any way for a vendor to positively reach out to victims after a cyberattack?
• Also, what could be some effective ways to invest IP with generative AI to create value for the organization?

Thanks to our podcast sponsors, Veza, Sysdig, and SlashNext

75% of breaches happen because of bad permissions. The problem is that you don’t know exactly WHO has access to WHAT data in your environment. For example, roles labeled as “read-only” can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission—in every app—across your environment.

For businesses innovating in the cloud, every second counts. Sysdig strengthens cyber resilience by reducing the attack surface, detecting threats in real time, and accelerating incident response. Our platform correlates signals across cloud workloads, identities, and services to enable businesses to prioritize risks and act decisively. Sysdig. Secure every second.

SlashNext Complete delivers zero-hour protection for how people work today across email, mobile, and browser apps.  With SlashNext’s generative AI to defend against advanced business email compromise, smishing, spear phishing, executive impersonation, and financial fraud, your people are always protected anywhere they work.  Request a demo today.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Arvin Bansal, former CISO for Nissan Americas.

In this episode:

• Why are so many companies unprepared for phone-based social engineering?
• Why do many orgs not give this attack surface the attention it deserves?
• Are we doing enough to support whistleblowers in cybersecurity?

Thanks to our podcast sponsor, Palo Alto Networks

As cloud attacks increase, how should AppSec respond? Hear from Daniel Krivelevich, CTO of AppSec at Palo Alto Networks, as he dives into modern application security strategies that can help teams defend their engineering ecosystems from modern attacks. Watch now to level up your AppSec program.

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Adam Zoller, svp, CISO at Providence. Joining me is our guest Sam Jacques, vp of clinical engineering, McLaren Health Care.

In this episode:

• When should cybersecurity be brought into the discussion when a merger is underway?
• Why is security always going to be an issue in a merger or acquisition?
• If we know it's so important, why does it always feel like we're reinventing the wheel each time?

Thanks to our podcast sponsor, Claroty

Claroty enables varied sectors to protect their cyber-physical systems, known as the Extended IoT. The platform integrates seamlessly, offering comprehensive controls for visibility, risk management, network protection, and more. Trusted by global leaders, Claroty operates in hundreds of organizations worldwide. Headquartered in NYC, it spans Europe, Asia-Pacific, and Latin America.

All links and images for this episode can be found on CISO Series.

In principle, we can generally all agree that security theater is a waste of time for security teams. But the reality is that these are things that look good, so it can be hard to justify to non-technical leadership why you’re eliminating something they see as secure. So how can we positively identify actual security theater practices and how do we communicate that to the rest of the organization?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Davi Ottenheimer, vp of trust and digital ethics, Inrupt.

Thanks to our podcast sponsor, Sysdig

For businesses innovating in the cloud, every second counts. Sysdig strengthens cyber resilience by reducing the attack surface, detecting threats in real time, and accelerating incident response. Our platform correlates signals across cloud workloads, identities, and services to enable businesses to prioritize risks and act decisively. Sysdig. Secure every second.

In this episode:

• Is security theater a waste of time for security teams?
• Why can it be hard to justify to non-technical leadership why you’re eliminating something they see as secure?
• How can we positively identify actual security theater practices and how do we communicate that to the rest of the organization?

All links and images for this episode can be found on CISO Series.

Usually the buck stops with the CEO. But for a CISO, what do you do when a CEO wants to exempt themselves from your security program? Whether it's granting privileged network access or just ignoring protocols, it can put a CISO in a tough spot. So how do you deal with a leader that thinks they're above the controls you have in place? Is it enough to document your disagreement or is there anything else you can do in that position? 

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and John C. Underwood, VP, information security, Big 5 Sporting Goods. Joining me is our guest, Joshua Scott, Head of Security and IT, Postman.

Thanks to our podcast sponsor, Veza

75% of breaches happen because of bad permissions. The problem is that you don’t know exactly WHO has access to WHAT data in your environment. For example, roles labeled as “read-only” can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission—in every app—across your environment.

In this episode:

• For a CISO, what do you do when a CEO wants to exempt themselves from your security program?
• How do you deal with a leader that thinks they're above the controls you have in place?
• Is it enough to document your disagreement or is there anything else you can do in that position?

All links and images for this episode can be found on CISO Series.

When it comes to security awareness, the advice generally doesn't change. There are a set of best practices that have proven to be effective. So we know what we want to tell people. Communicate it consistently. So how do we relay that information without sounding like a broken record?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Steve Zalewski. Joining us is our sponsored guest, Daniel Krivelevich, CTO for Appsec, Palo Alto Networks.

Thanks to our podcast sponsor, Palo Alto Networks

As cloud attacks increase, how should AppSec respond? Hear from Daniel Krivelevich, CTO of AppSec at Palo Alto Networks, as he dives into modern application security strategies that can help teams defend their engineering ecosystems from modern attacks. Watch now to level up your AppSec program.

In this episode:

• What security measures have been the most successful in preventing cyberattacks?
• What do we need to better understand about misconfigurations to better secure the cloud?
• How do we relay this information without sounding like a broken record?

All links and images for this episode can be found on CISO Series.

Organizations know that securing SaaS is vital. But polls consistently show they also know their current security isn’t cutting it. With security teams acting more as SaaS supervisors than app owners, how can we reduce the glaring gaps in our SaaS defenses?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our sponsored guest, Rohan Sathe, co-founder and CTO, Nightfall AI.

Thanks to our podcast sponsor, Nightfall

Nightfall is the leader in cloud data leak prevention. Integrate in minutes with cloud apps such as Slack and Jira to instantly protect data (PII, PHI, Secrets and Keys, PCI) and prevent breaches. Stay compliant with frameworks such as ISO 27001 and more — all powered by Nightfall's industry-leading ML detection.

In this episode:

• With security teams acting more as SaaS supervisors than app owners, how can we reduce the glaring gaps in our SaaS defenses?
• How can we secure new technology without creating new risks?
• If security no longer owns SaaS security, then how can they go about closing these gaps?

All links and images for this episode can be found on CISO Series.

If you search online, you'll find no dearth of lists claiming to rank the top security leaders. The question is, how do these actually get created? Most of the time, these lists include CISOs from the biggest companies, or the ones with the best name recognition. But is that any kind of objective criteria? These lists generally serve the interest of boosting the credibility of the publisher, rather than being based on any kind of rigor. Is there any way to make these lists anything but fluff?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Janet Heins, CISO, iHeartMedia.

Thanks to our podcast sponsor, LimaCharlie

Whether you’re looking for endpoint security, an observability pipeline, detection and response rules, or other underlying security capabilities, LimaCharlie’s SecOps Cloud Platform helps you build a flexible and scalable security program that can evolve as fast as threat actors. Move your SecOps into the modern era. Learn more at limacharlie.io.

In this episode:

• If you search online, you'll find no dearth of lists claiming to rank the top security leaders. The question is, how do these actually get created?
• Is there any kind of objective criteria?
• Is there any way to make these lists anything but fluff?

All links and images for this episode can be found on CISO Series.

CISOs are common among the Fortune 500. But it remains rare to see them listed in executive leadership. Given that every company says security is of prime importance, why aren’t CISOs named within the top company echelons?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Allan Cockriel, CISO of Shell. Joining us is our special guest, Mary Rose Martinez, CISO, Marathon Petroleum.

Thanks to our podcast sponsor, Censys

Censys is the leading Internet Intelligence Platform for Threat Hunting and Exposure Management. We provide the most comprehensive, accurate, and up-to-date map of the internet, which scans 45x more services than the nearest competitor across the world’s largest certificate database (>10B). Learn more at www.censys.com. 

In this episode:

• Given that every company says security is of prime importance, why aren’t CISOs named within the top company echelons?
• Can you think of a security action that did work at one organization that simply wouldn't work in another because of the culture?
• When it comes to communicating bad news to the board and c-suite, what techniques have worked the best?

All links and images for this episode can be found on CISO Series.

We’ve heard a lot of talk about the security risks with emerging AI technologies. A lot of these center around employees using large language models. But what about the potential benefits of this technology for cybersecurity? Could we eventually see a de facto AI CISO on the job?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Rob Duhart, deputy CISO, Walmart. Joining us is our special guest, Aaron Hughes, CISO, Albertsons.

Thanks to our podcast sponsor, KnowBe4

In this episode:

• What are the potential benefits of A.I. for cybersecurity? Could we eventually see a de facto AI CISO on the job?
• How does neurodiversity improve awareness in your security program?
• Where have you taken advantage of AI for your security program? And specifically so you can do your job better as a CISO, where does AI deliver opportunities?

All links and images for this episode can be found on CISO Series.

In everyday life, it's often clear when to call in the authorities. Someone egging your house might not rise to the occasion, but a break-in gets a call to the cops. It's less clear when it comes to a cyberattack. What constitutes a significant attack and what are the regulatory requirements? Once you make the call, how do they help in your response?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our special guest, David Ring, section chief at FBI, Cyber Division.

Thanks to our podcast sponsor, Hunters

Hunters SOC Platform is a SIEM alternative, delivering data ingestion, built-in and always up-to-date threat detection, and automating correlation and investigation processes to reduce risk, complexity, and cost for security teams. Learn more at hunters.security.

In this episode:

• What constitutes a significant attack and what are the regulatory requirements?
• Once you make the call, how do they help in your response?
• How do you approach "skills-and competency-based" hiring? And are there certain positions for which a 4-year degree is necessary?

All links and images for this episode can be found on CISO Series.

Even before the pandemic, we've been increasingly living in online collaboration apps. So why are organizations still making basic security mistakes with them? Is this a case of shadow IT or do these apps present unique challenges?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest, Rich Dandliker, chief strategist, Veza.

Thanks to our podcast sponsor, Veza

75% of breaches happen because of bad permissions. The problem is that you don’t know exactly WHO has access to WHAT data in your environment. For example, roles labeled as “read-only” can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission—in every app—across your environment. Learn more at Veza.com.

In this episode:

• We've been increasingly living in online collaboration apps. So why are organizations still making basic security mistakes with them?
• Is this a case of shadow IT or do these apps present unique challenges?
• Startups are by nature a risky business, most fail. Why do they?

All links and images for this episode can be found on CISO Series.

Every company deals with off-boarding employees. Yet it feels like many organizations make basic security mistakes in this process. Is it just a case of HR and IT being out of sync, or is this an inevitably leaky process?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our special guest Lorna Koppel, CISO, Tufts University.

Thanks to our podcast sponsor, LimaCharlie

Whether you’re looking for endpoint security, an observability pipeline, detection and response rules, or other underlying security capabilities, LimaCharlie’s SecOps Cloud Platform helps you build a flexible and scalable security program that can evolve as fast as threat actors. Move your SecOps into the modern era. Learn more at limacharlie.io.

In this episode:

• What can a vendor do that will actually make a CISO want to respond to a message?
• What are we doing right and wrong when it comes to hardening our environments?
• Do you think organizations are still struggling with hardening their environments and if so, why?

All links and images for this episode can be found on CISO Series.

Security vendors want to engage with CISOs. Yet many choose tactics that seem blatantly insulting. It might seem obvious that asking a CISO if they care about security does nothing to ingratiate yourself, but we still have inboxes full of these types of messages. So what can a vendor do that will actually make a CISO want to respond to a message?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our special guest, Jeff Hudesman, CISO, Pinwheel.

Thanks to our podcast sponsor, Balbix

Balbix is a cyber risk quantification platform that discovers and manages all your cyber assets, identifies and prioritizes vulnerabilities, and delivers a monetary assessment of cyber risk. This enables CISOs to articulate the value of risk to the board and obtain support and budgets for security programs.

In this episode:

• What can a vendor do that will actually make a CISO want to respond to a message?
• What are we doing right and wrong when it comes to hardening our environments?
• Do you think organizations are still struggling with hardening their environments and if so, why?

All links and images for this episode can be found on CISO Series.

We're seeing increasing recognition that cybersecurity jobs should focus on competency rather than years of experience. But how do you create job posts to encourage that? And how do applicants even show that on a resume?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us for the episode is our special guest TC Niedzialkowski‌, CISO, Nextdoor.

Thanks to our podcast sponsor, Reqfast

Stop treating your various intelligence and security functions as if they are separate, unrelated activities and, instead, bring them together with Reqfast. Identify what’s needed, identify areas for improvement, and make data-driven decisions with confidence.

In this episode:

• Are we finally seeing increasing recognition that cybersecurity jobs should focus on competency rather than years of experience?
• How do you create job posts to encourage that?
• How do applicants even show that on a resume?

All links and images for this episode can be found on CISO Series.

For some security problems, it can be tough to know when to try to fix the problem yourself or turn to a vendor. Deciding this shouldn't start with talking to someone that wants to sell you something. But how do you determine when it's time to call in a vendor?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us for this episode is our special guest, Katie Ledoux, CISO, Attentive.

Thanks to our podcast sponsor, Palo Alto Networks

As cloud attacks increase, how should AppSec respond? Hear from Daniel Krivelevich, CTO of AppSec at Palo Alto Networks, as he dives into modern application security strategies that can help teams defend their engineering ecosystems from modern attacks. Watch now to level up your AppSec program.

In this episode:

• Why do many organizations have a problem relating quantification to something meaningful to the business?
• Is there a way to understand risks on a continuum that will make relating these to business a little more manageable?
• What are the questions security professionals should be asking themselves?

All links and images for this episode can be found on CISO Series.

Shifting Left is so five years ago. Advice and best practices are great, but context is king. Is there a mixture of best practices AND doing what's right for your business that's actually practical?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Steve Zalewski. Joining us for the episode is our sponsored guest Gaurav Banga, CEO, Balbix.

Thanks to our podcast sponsor, Balbix

Balbix is a cyber risk quantification platform that discovers and manages all your cyber assets, identifies and prioritizes vulnerabilities, and delivers a monetary assessment of cyber risk. This enables CISOs to articulate the value of risk to the board and obtain support and budgets for security programs.

In this episode:

• What are your most successful tactics when talking to the boardroom?
• Is there a mixture of best practices AND doing what's right for your business that's actually practical?
• What have you heard enough with automation and what would you like to hear a lot more?

All links and images for this episode can be found on CISO Series.

There are so many third party vendors we want to work with, but uggh, their security and privacy is so troublesome. Is it only the security department's job to vet these partners or should everyone have a responsibility of keeping tabs on third party security?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Our guest is Phil Beyer, former head of security, Etsy.

Thanks to our podcast sponsor, Balbix

Balbix is a cyber risk quantification platform that discovers and manages all your cyber assets, identifies and prioritizes vulnerabilities, and delivers a monetary assessment of cyber risk. This enables CISOs to articulate the value of risk to the board and obtain support and budgets for security programs.

In this episode:

• There are many third party vendors that CISOs & practitioners want to work with, but why is their security and privacy so troublesome?
• Is it only the security department's job to vet these partners or should everyone have a responsibility of keeping tabs on third party security?
• What can frontline employees do to manage third-party risk?

All links and images for this episode can be found on CISO Series.

Do you know what security categories were created this year? I have no idea. Do you know which ones were deleted? I don't think any. Is category growth designed to make more money for the industry? Does it help customers build a better security strategy? It seems like a necessary evil that just confuses customers. The number of categories never decreases or replaces old categories.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Our sponsored guest is Maxime Lamothe-Brassard (@_maximelb), CEO and co-founder at LimaCharlie.

Thanks to our podcast sponsor, LimaCharlie

LimaCharlie is inviting you for the unveiling of the SecOps Cloud Platform during a two-hour LinkedIn Live event on Wednesday, July 19th, starting at 10:00am PST. 

For every registrant, LimaCharlie will be donating $5 to the Internet Archive. Register for the event at limacharlie.io or on the LimaCharlie LinkedIn page.

In this episode: 

• Do you know what security categories were created this year? Do you know which ones were deleted?
• Is category growth designed to make more money for the industry?
• Does it help customers build a better security strategy?

All links and images for this episode can be found on CISO Series.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Jesse Whaley, CISO, Amtrak. Our guest was Paul Branley, CISO, TSB Bank.

We recorded this episode in front of a live audience in Tel Aviv as part of Team8’s CISO Summit 2023. CISO Series is honored to have been invited to record our show at the event.

Thanks to our podcast sponsor, Team8

Team8 is a global venture group that builds and invests in early stage companies focused on digital transformation: cybersecurity, data, fintech and digital health. Its strong expertise in cyber is the backbone of Team8’s CISO Village - a community of hundreds of CISOs who enjoy access to thought leadership, networking events, and partner with Team8 to support its company building process.

In this episode:

• Why should you NEVER boast about how good your security is?
• When upskilling your staff, how do you identify the knowledge that must be learned? Who will learn it? Who will provide it?
• What does this do to your current security if people are spending time teaching and learning?

All links and images for this episode can be found on CISO Series.

Troy Hunt's new site, "Dumb Password Rules," demonstrates yet another slice of security theater. Rules designed to make the creator believe they're making the business more secure, but appear to do nothing more than create unnecessary roadblocks and confusion.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Our guest is Dave Hannigan (@davidhannigan), CISO, Nubank.

Thanks to our podcast sponsor, Reqfast

Stop treating your various intelligence and security functions as if they are separate, unrelated activities and, instead, bring them together with Reqfast. Identify what’s needed, identify areas for improvement, and make data-driven decisions with confidence.

In this episode:

• Are dumb password rules the result of security theater or limitations of old technology?
• What really causes lack of sleep and burnout among IT and Security leaders?
• Why are we still struggling with cybersecurity hiring?

This week’s episode was recorded in front of a live audience at the Colorado Convention Center in Denver as we kicked off the Rocky Mountain Information Security Conference (RMISC). See the blog post for this episode here.

Joining me, David Spark (@dspark), producer of CISO Series, on stage was my guest co-host, Jay Wilson, CISO for Insurity. Our guest is Michelle Wilson, CISO, Movement Mortgage.

HUGE thanks to our sponsor, Trend Micro

The stakes are high for cybersecurity decision makers as the threat landscape and attack surface continue to evolve. Explore Trend Micro’s CISO Resource Center for research-driven strategic insights and best practices to help leaders better understand, communicate, and minimize cyber risk across the enterprise. Learn more.

All links and images for this episode can be found on CISO Series.

Why does it seem that the only time we hear about a company’s concern about security and privacy is after they’re compromised. It is only at that moment they feel compelled to let us know that they’re taking this situation very seriously because as we’ve ll heard before “security and privacy are very important to us.”

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Andrea Bergamini, CISO, Orbia.

Thanks to our podcast sponsor, Varonis

Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren’t needed – reducing your risk on a continual basis. Discover more at www.varonis.com/cisoseries.

In this episode: 

• Why does it seem that the only time we hear about a company’s concern about security and privacy is after they’re compromised?
• Is it only because at that moment they feel compelled to let us know that they’re taking this situation very seriously?
• How do you get things going before you have a massive breach?

All links and images for this episode can be found on CISO Series.

There is a long history of security professionals complaining about the insecurity of new technologies. When new technologies take off, they rarely have lots of great security built in. The populace never comes around and says, "Security is right. We should stop using this thing we love." The popular technology ALWAYS wins.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Rinki Sethi (@rinkisethi), vp and CISO, BILL.

Thanks to our podcast sponsor, OffSec

With a Learn Enterprise plan, your employees get unlimited access to over 1,500 videos, 2,000 practical exercises, and more than 800 hands-on labs. The library is updated regularly with training content and modules defensive and offensive job role-specific content, from foundational to advanced. Google, Vmware, Microsoft all trust OffSec.

In this episode:

• Is it a coincidence that there is a long history of security professionals complaining about the insecurity of new technologies?
• When new technologies take off, why do they rarely have lots of great security built in?
• How does a cyber aware c-suite/board make better decisions that help a CISO and the business?

All links and images for this episode can be found on CISO Series.

When cybersecurity needs to cut budget, first move is to look where you have redundancy. That way you're not actually reducing the security effort. But after that, the CFO needs to know what are the most important areas of the business to protect. Where will they be willing to take on more risk? Because, with less security, the chances of failure increase.

This show was recorded in front of a live audience in New Orleans as part of the BSidesNOLA 2023 reboot conference. The episode features me, David Spark (@dspark), host and producer of CISO Series. My guest co-host is my former co-host, Allan Alford (@allanalfordintx), CISO for Precedent and host of The Cyber Ranch Podcast. Our guest is Mike Woods, corporate CISO for GE.

Thanks to our podcast sponsors: Conveyor, Nightfall AI, Rapid7

Love security questionnaires? Then you’re going to hate Conveyor: the end-to-end trust platform built to eliminate questionnaires.
Infosec teams reduce the volume of questionnaires with a customer-facing trust portal and for any remaining questionnaires, our GPT-Questionnaire Eliminator response tool or white-glove questionnaire completion service will knock them off your to-do list. www.conveyor.com

Nightfall is the leader in cloud data leak prevention. Integrate in minutes with cloud apps such as Slack and Jira to instantly protect data (PII, PHI, Secrets and Keys, PCI) and prevent breaches. Stay compliant with frameworks such as ISO 27001 and more — all powered by Nightfall's industry-leading ML detection.

Rapid7 is the only connected, cloud to on-prem cybersecurity partner with unlimited incident response, unlimited automated workflows, unlimited vulnerability management, unlimited app security, you get the idea. Add it up – with Rapid7’s decades of practitioner-first problem solving – and there’s unlimited opportunity for you. See for yourself at Rapid7.com/ciso-series.

In this episode: 

• We always say, “trust but verify,” but how do you actually verify?
• When it comes to cut budget, make sure you’re already in the mind of the CFO.
• What’s the difference between a good cybersecurity professional and a great one?

All links and images for this episode can be found on CISO Series.

As children, we don't dream of becoming a CISO, but yet we still have them. What is it a security professional can learn or even show, to demonstrate that they're getting ready for the position of a CISO?

This week’s episode is hosted by me, David Spark, producer of CISO Series and Andy Ellis, operating partner, YL Ventures. Our guest is Paul Connelly, former CISO, HCA Healthcare.

Thanks to our podcast sponsor, Nightfall

Nightfall is the leader in cloud data leak prevention. Integrate in minutes with cloud apps such as Slack and Jira to instantly protect data (PII, PHI, Secrets and Keys, PCI) and prevent breaches. Stay compliant with frameworks such as ISO 27001 and more — all powered by Nightfall's industry-leading ML detection.

In this episode:

• What is it a security professional can learn or even show, to demonstrate that they're getting ready for the position of a CISO?
• How to tell that you are NOT CISO material?
• What don't CISOs know about physical security that they should know before they get into big trouble?

All links and images for this episode can be found on CISO Series.

It seems anything that's added to a business, like a new app or a third party vendor, just adds more risk. Risk definitely piles up faster than CISOs can reduce it.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Kurt Sauer (@kurtsauer), CISO, DocuSign (when we recorded the show, Kurt was the vp of security for Workday).

Thanks to our podcast sponsor, Stairwell

The standard cybersecurity blueprint is a roadmap for attackers to test and engineer attacks. With Inception, organizations can operate out of sight, out of band, and out of time. Collect, search, and analyze every file in your environment – from malware and supply chain vulnerabilities to unique, low-prevalence files and beyond.
Learn about Inception.

In this episode: 

• Does it seem like anything that's added to a business, like a new app or a third party vendor, just adds more risk?
• Does risk pile up faster than CISOs can reduce it?
• How do you avoid creating new risks when you add new applications, or even just update applications?

All links and images for this episode can be found on CISO Series.

This show was recorded in front of a live audience in New York City!

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and a special guest host, Aaron Zollman, CISO & vp, platform engineering, Cedar. Our guest is Colin Ahern, chief cyber officer for the State of New York.

Thanks to our podcast sponsor, OpenVPN, SlashNext & Votiro

Take the cost and complexity out of secure networking with OpenVPN. Whether you choose our cloud-delivered or self-hosted solution, subscriptions are based on concurrent connections, so you pay for what you actually use. Start today with free connections, no credit card required, and scale to paid when you’re ready.

SlashNext, a leader in SaaS-based Integrated Cloud Messaging Security across email, web, and mobile has the industry’s first artificial intelligence solution, HumanAI, that uses generative AI to defend against advanced business email compromise (BEC), supply chain attacks, executive impersonation, and financial fraud. Request a demo today.

No matter what technology or training you provide, humans are still the greatest risk to your security. Votiro’s API-centric product sanitizes every file before it hits the endpoint, so the files that your employees open are safe. This happens in milliseconds, so the business stays safe and never slows down.

In this episode:

• If you hired someone today, how would you know in 3 months time that they were the right fit?
• Do you have any other questions you've heard from candidates that you think are better?
• What doesn't the government currently know about cloud providers that they should know?

All links and images for this episode can be found on CISO Series.

Turns out cybersecurity professionals lie on their resumes. They add degrees and certifications they don't have. They omit degrees for fear of looking overqualified. And sometimes, they flat out invent jobs. But given the responses as to why people do it, it's because they're trying to get by the unnecessary barriers of cybersecurity hiring. Does that make the lying justified?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is David Nolan, vp, enterprise risk & CISO, Aaron's.

Thanks to our podcast sponsor, Varonis

Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren’t needed – reducing your risk on a continual basis. Discover more at www.varonis.com/cisoseries.

In this episode: 

• Do some cybersecurity professionals really lie on their resumes?
• Is this because they're trying to get by the unnecessary barriers of cybersecurity hiring?
• Does that make the lying justified?

All links and images for this episode can be found on CISO Series.

Companies want to hire security professionals who know everything. Eager professionals who want all those skills are screaming please hire me and train me. But unlike the military which can turn a teenager into a soldier in 16 weeks, corporations in dire of cybersecurity help have little to no means to train. They're just hoping they'll show up perfect and ready to fight in a digital war.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Joe Lowis, CISO, CDC.

Thanks to our podcast sponsor, Cyolo

Too many critical assets and systems remain exposed because traditional secure access solutions are not able to protect the high-risk access scenarios and legacy applications that keep business operations running. With its trustless zero-trust access solution, Cyolo gives organizations the visibility and access control they need to secure every connection.

In this episode:

• Is it realistic for companies to hire security professionals who know everything?
• Do companies realize that there are professionals who want all those skills and are eager to learn?
• Why isn’t there more emphasis on providing training like how the military trains all new recruits?

All links and images for this episode can be found on CISO Series.

Given the ease of sharing data, our sensitive information is going more places that we want it. We have means to secure data, but you really can't do that if you don't know where your data actually is.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Brian Vecci (@BrianTheVecci), field CTO, Varonis.

Thanks to our podcast sponsor, Varonis

Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren’t needed – reducing your risk on a continual basis. 

Discover more at www.varonis.com/cisoseries.

In this episode:

• What exactly is “dark data”? Are we creating more problems for ourselves by holding onto dark data?
• What is this generated yet unused data? Is this the same as ROT data or redundant, obsolete, trivial data?
• How can it be discovered and classified?

All links and images for this episode can be found on CISO Series.

No department is immune to budget cuts. When the budget cuts come in, where can security look first to save money? Mike Johnson said, "An expensive tool that doesn't mitigate risk should be at the top of the chopping block."

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Almog Apirion (@almogap), CEO and cofounder, Cyolo.

Thanks to our podcast sponsor, Cyolo

Too many critical assets and systems remain exposed because traditional secure access solutions are not able to protect the high-risk access scenarios and legacy applications that keep business operations running. With its trustless zero-trust access solution, Cyolo gives organizations the visibility and access control they need to secure every connection.

In this episode:

• When the budget cuts come in, where can security look first to save money? 
• Where has change management gotten easier and more difficult for you over the years?
• And how do you engage with your team and affected users about making a change that works best for the business?

All links and images for this episode can be found on CISO Series.

Is chaos engineering the secret sauce to creating a resilient organization? Purposefully disrupt your architecture to allow for early discovery of weak points. Can we take it even further to company environment, beyond even a tabletop exercise? How far can we test our limits while still allowing the business to operate?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Mike Wiacek, CEO, Stairwell.

Thanks to our podcast sponsor, Stairwell

The standard cybersecurity blueprint is a roadmap for attackers to test and engineer attacks. With Inception, organizations can operate out of sight, out of band, and out of time. Collect, search, and analyze every file in your environment – from malware and supply chain vulnerabilities to unique, low-prevalence files and beyond.
Learn about Inception.

In this episode:

• Is chaos engineering the secret sauce to creating a resilient organization? 
• Purposefully disrupt your architecture to allow for early discovery of weak points. Can we take it even further to company environment, beyond even a tabletop exercise?
• How far can we test our limits while still allowing the business to operate?

All links and images for this episode can be found on CISO Series.

In order to get any work done we try to shut out all possible distractions. That includes messaging apps. But those people who want to connect become annoyed that they can't reach you.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Howard Holton, CTO, GigaOm.

Thanks to our podcast sponsor, Cyolo

Too many critical assets and systems remain exposed because traditional secure access solutions are not able to protect the high-risk access scenarios and legacy applications that keep business operations running. With its trustless zero-trust access solution, Cyolo gives organizations the visibility and access control they need to secure every connection.

In this episode:

• In order to get any work done, why do we try to shut out all possible distractions, including messaging apps? 
• What happens when those people who want to connect become annoyed that they can't reach you?
• Who are the true innovators in cybersecurity? Is it the attackers or the defenders?

All links and images for this episode can be found on CISO Series.

What happens to your team after the layoffs? Your overextended team now realizes they're going to have to pick up the slack for those who left. How do you shift responsibilities in such a situation? Does anything fall away? Because you can't still operate at the same level. How do you adjust while maintaining morale and not burning out those who are there?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Dan Walsh, CISO, VillageMD. Our guest is Nick Vigier, CISO, Talend.

Thanks to our podcast sponsor, Sentra

Sentra’s Data Security Posture Management Solution not only discovers and classifies cloud data, but ensures it always has the proper security posture. No matter where the data is moved or copied, Sentra can identify the type of data, who has access to it, and how it’s meant to be secured.

In this episode: 

• What happens to your team after the layoffs?
• Your overextended team now realizes they're going to have to pick up the slack for those who left. How do you shift responsibilities in such a situation?
• How do you adjust while maintaining morale and not burning out those who are there?

All links and images for this episode can be found on CISO Series.

Future cybersecurity talent is frustrated. The industry demand for cybersecurity professionals is huge, but the openings for green cyber people eager to get into the field are few. They want professional training, and they want the hiring companies to provide the training. Problem is not enough companies have training programs in place and as a result they can only hire experienced cyber talent, shutting out those who want to get in.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Matt Radolec, sr. director incident response and cloud operations, Varonis.

Thanks to our podcast sponsor, Varonis

Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren’t needed – reducing your risk on a continual basis. Discover more at www.varonis.com/cisoseries.

In this episode: 

• The industry demand for cybersecurity professionals is huge, so why are the openings for green cyber people eager to get into the field so few?
• Should more hiring companies provide the training?
• Is the problem that not enough companies have training programs in place?

All links and images for this episode can be found on CISO Series.

I don't need another vendor to find my problems. Finding my problems has not been the issue. That's the easy part. Fixing them with the staff I have is definitely "the problem." Vulnerability management must include ways to remediate, quickly.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is John C. Underwood, vp, information security, Big 5 Sporting Goods.

Thanks to our podcast sponsor, Pentera

Pentera is the category leader for Automated Security Validation, allowing every organization to test with ease the integrity of all cybersecurity layers including their ransomware readiness, unfolding true, current security exposures at any moment, at any scale.

In this episode: 

• Do you need another vendor to find your problems when finding your problems has not been the issue?
• Or is actually fixing them with your staff "the problem"?
• Do you think vendors are finally moving away from offering "just" visibility and giving proactive advice and some cases automation to fix it?

All links and images for this episode can be found on CISO Series.

It's pretty darn easy to just utter the words "we're 100% secure." Pulling that off seems universally impossible, but some organizations are adamant about certain types of safety so they aim for 100%.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Yoav Regev (@yoav_regev), CEO, Sentra.

Thanks to our podcast sponsor, Sentra

Sentra’s Data Security Posture Management Solution not only discovers and classifies cloud data, but ensures it always has the proper security posture. No matter where the data is moved or copied, Sentra can identify the type of data, who has access to it, and how it’s meant to be secured.

In this episode: 

What does it take to have a successful security program?
What are the things to focus on when speaking with executives?
How do you stay innovative as a security professional and have new fresh perspectives?

All links and images for this episode can be found on CISO Series.

A CISO calls on security vendors to stop the spamming and cold calling. Are these annoyances the direct result the way salespeople are measured? Is that what drives the desperation and bad behavior?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Dmitriy Sokolovskiy, CISO, Avid.

Thanks to our podcast sponsor, Varonis

Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren’t needed – reducing your risk on a continual basis. Discover more at www.varonis.com/cisoseries.

In this episode:

• What NEW ways could salespeople be measured that would encourage good behavior with CISOs?
• There's still this desire to draw a linear path to sales, but how often does it cleanly play out that way?
• Are integrators, MSSPs, and resellers leveling the playing field for cybersecurity vendors?

All links and images for this episode can be found on CISO Series.

We are all very easily distracted, and adversaries know that. So they'll try any little trick to make us not pay attention, look away, or do what we're not supposed to do all in an effort to break our human defenses.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Shaun Marion, CISO, McDonald's.

Thanks to our podcast sponsor, Sentra

Sentra’s Data Security Posture Management Solution not only discovers and classifies cloud data, but ensures it always has the proper security posture. No matter where the data is moved or copied, Sentra can identify the type of data, who has access to it, and how it’s meant to be secured.

In this episode:

• Do you have a “security hive” and what does it do for you?
• What are the active behaviors you're deploying to reduce the stress in your life as a CISO and how are you doing it for your team, and all staff as well? ?
• Could volunteering help with burnout and recruitment?

All links and images for this episode can be found on CISO Series.

For those security practitioners who leave a job to go work for a security vendor, please stop calling it "going to the dark side."

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Jason Mar-Tang, director of sales engineering, Pentera.

Thanks to our podcast sponsor, Pentera

Pentera is the category leader for Automated Security Validation, allowing every organization to test with ease the integrity of all cybersecurity layers including their ransomware readiness, unfolding true, current security exposures at any moment, at any scale.

In this episode:

• Why do we call security practitioners who leave a job to go work for a security vendor, "going to the dark side?"
• Do security professionals say this because once they go work for a vendor their motivation shifts from protecting to sales?
• Over the years what other small steps have we seen that have made improvements in the vendor/practitioner divide?

All links and images for this episode can be found on CISO Series.

Tabletop exercises are critical procedures to learn how everyone will react during an actual attack. Panic is usually the first response, so why don't we do that when we're playing our pretend game of getting our business compromised by a nefarious hacker?

This week's episode of CISO Series Podcast was recorded in front of a live audience in Clearwater, Florida for the Convene conference produced by the National Cybersecurity Alliance (AKA StaySafeOnline.org). Joining me on stage for the recording was my guest co-host, Hadas Cassorla, CISO, M1 and our guest, Kathleen Mullin (@kate944032), CISO, Cancer Treatment Centers of America.

Thanks to our podcast sponsors, Cofense, KnowBe4 & Terranova

Cofense is the only company to combine a global network of 32 million people reporting phish with advanced AI-based automation to stop phishing attacks. Our global phishing defense centers work 24/7 to support more than 2,000 enterprise customers, providing the technology and insights needed to identify & block threats.

KnowBe4 is the world’s largest integrated Security Awareness Training and Simulated Phishing platform. KnowBe4 helps organizations manage the ongoing problem of social engineering through a comprehensive new-school awareness training approach. Tens of thousands of organizations worldwide use KnowBe4’s platform to mobilize their end users as a last line of defense.

Get free phishing benchmarking data to drive effective behavior change and grow your organization's security-aware culture with the latest edition of the Phishing Benchmark Global Report! Taken from this year's Gone Phishing Tournament, this report gives security and risk management leaders the insight they need to strengthen data protection. More at terranovasecurity.com.

In this episode:

• Where do you see tabletops coming apart and being ineffective and what are the core elements that truly make them succeed?
  
• Have you ever seen a real incident play out where you can point to the tabletop as the reason you were able to handle the incident?
  
• Are people the safety net for your security controls OR should security controls the safety net for your people?

All links and images for this episode can be found on CISO Series.

Everyone's favorite meeting is a short meeting. But does anyone want a fun or entertaining meeting? Or is that a bad idea?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Jeremy Embalabala, CISO, HUB International.

Thanks to our podcast sponsor, SlashNext

With today’s transition to hybrid working, phishing attacks are becoming more prevalent than ever. Mobile phishing and credential harvesting are exploding and affecting business reputations, finances and most importantly, data loss. With new methods of phishing attacks appearing year over year, enterprises need more robust phishing protection to better protect this expanding attack surface and companies’ most valuable assets. Check out the report.

In this episode:

• Everyone's favorite meeting is a short meeting. But does anyone want a fun or entertaining meeting? Or is that a bad idea?
• How do we make our security teams more productive?
• The cost of getting and paying for cybersecurity insurance is so darn high. Would it be worth it to just self-insure?

All links and images for this episode can be found on CISO Series.

What happens when you want to adhere to more secure behavior, but the tool you're using forces you to be less secure, solely because they didn't architect in more stringent security when they created the program.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Terrance Cooley, CISO, Air Force JADC2 R&D Center.

Thanks to our podcast sponsor, Varonis

Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren’t needed – reducing your risk on a continual basis. Discover more at www.varonis.com/cisoseries.

In this episode:

• What is the worst security behavior you've seen from an IT vendor?
• Are you applying talent-to-value recruiting techniques to reduce corporate risk?
• What are your predictions for the evolution of cyber threats?

All links and images for this episode can be found on CISO Series.

There is a lot unknown before, during, and after a merger and that can make employees very susceptible to phishing attacks. But, at the same time, the due diligence that goes into an M&A can often open up signs of previous or active compromise, noted Rich Mason of Critical Infrastructure.

What does a proposed merger do to a security program?"

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Nicole Ford (@nicoledgray), global vp and CISO, Rockwell Automation.

Thanks to our podcast sponsor, Pentera

Pentera is the category leader for Automated Security Validation, allowing every organization to test with ease the integrity of all cybersecurity layers including their ransomware readiness, unfolding true, current security exposures at any moment, at any scale.

In this episode:

• As a security leader, how does your security posture change when you know given your assets you are a specific target vs. just an opportunity?
• Could similar critical infrastructure agencies be grouped together and therefore share cybersecurity resources?
• What does a proposed merger do to a security program?

All links and images for this episode can be found on CISO Series.

"Does anyone else feel like the security field is attracting a lot of low-quality people and hurting our reputation," asked a redditor on the cybersecurity subreddit who remembers a time when security personnel were seen as highly experienced technologists. But now they believe people view cybersecurity as an easy tech job to break into for easy money.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Stephen Cicirelli, CISO, American Bureau of Shipping.

Thanks to our podcast sponsor, Stairwell

The standard cybersecurity blueprint is a roadmap for attackers to test and engineer attacks. With Inception, organizations can operate out of sight, out of band, and out of time. Collect, search, and analyze every file in your environment – from malware and supply chain vulnerabilities to unique, low-prevalence files and beyond.

Learn about Inception.

In this episode:

• Does anyone else feel like the security field is attracting a lot of low-quality people and hurting our reputation?
  
• Do people view cybersecurity as an easy tech job to break into for easy money?
  
• With all this talk of needing more cyber talent, are we attracting quality or just quantity?

All links and images for this episode can be found on CISO Series.

It appears our security awareness training is working, up to a point. Most people are well aware of the need for secure passwords, but they don't actually create secure passwords.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Patrick Harr, CEO, SlashNext.

Thanks to our podcast sponsor, SlashNext

With today’s transition to hybrid working, phishing attacks are becoming more prevalent than ever. Mobile phishing and credential harvesting are exploding and affecting business reputations, finances and most importantly, data loss. With new methods of phishing attacks appearing year over year, enterprises need more robust phishing protection to better protect this expanding attack surface and companies’ most valuable assets. Check out the report.

In this episode:

• Why does it seem like our security awareness training is only working up to a certain point?
• Most people are well aware of the need for secure passwords, but why don't they actually create secure passwords?
• Is it true that, “people are not the weakest link, they're just the top attack vector?”

All links and images for this episode can be found on CISO Series.

It appears we're not providing security awareness training fast enough. That's because hackers are specifically targeting brand new employees who don't yet know the company's procedures. Illicit hackers are discovering they're far easier to phish.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Gene Spafford (@therealspaf), Professor, Purdue University.

Gene's book available for pre-order Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us.

25th anniversary of CERIAS

Thanks to our podcast sponsor, Lacework

Lacework offers the data-driven security platform for the cloud and is the leading cloud-native application protection platform (CNAPP) solution. Only Lacework can collect, analyze, and accurately correlate data — without requiring manually written rules — across an organization’s AWS, Azure, Google Cloud, and Kubernetes environments, and narrow it down to the handful of security events that matter. Security and DevOps teams around the world trust Lacework to secure cloud-native applications across the full lifecycle from code to cloud. Get started at lacework.com/cisoseries.

In this episode:

• Is cybersecurity awareness a long term marketing effort?
  
• Where are we making progress with the general populous when it comes to improving the human aspect of cybersecurity?
  
• How difficult and how long can it take to discover what a company's crown jewels are, and what needs to be done?

All links and images for this episode can be found on CISO Series.

That headline is not a joke. An actual job listing on LinkedIn requested just that. We're all hoping this was an error. Regardless, the community response to it was truly overwhelming, speaking much to the frustration of green and junior cybersecurity job seekers who are truly looking for entry level jobs. 

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Bryan Willett, CISO, Lexmark.

Thanks to our podcast sponsor, AuditBoard

CrossComply is AuditBoard’s award-winning security compliance solution that allows organizations to build trust and scale their security compliance program with a connected risk platform that unifies SOC 2, ISO 2700x, NIST, CMMC, PCI DSS, and more across your organization.

In this episode:

• Why do some job listing seem to have unrealistic requirements for entry level job-seekers? Who needs 15+ years experience in practically anything?
  
• What is the value of security operations if you’re not detecting and dealing with incidents?
  
• What do you think cybersecurity awareness month should accomplish?

All links and images for this episode can be found on CISO Series.

CISOs and other security leaders have a lot of stress. But so do other C-level employees. Why does a CISO's stress seem that much more powerful? Is it that their job is still in constant development, or is the "C" in their name just in title, but not authority?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Aman Sirohi (@amangolf), CISO, People.ai.

Thanks to our podcast sponsor, AuditBoard

CrossComply is AuditBoard’s award-winning security compliance solution that allows organizations to build trust and scale their security compliance program with a connected risk platform that unifies SOC 2, ISO 2700x, NIST, CMMC, PCI DSS, and more across your organization.

In this episode:

• Why does a CISO's stress seem that much more powerful?
  
• Is it that their job is still in constant development, or is the "C" in their name just in title, but not authority?
  
• What part of the supply chain security effort is truly building trust in your supplier and having ongoing reassurances that that trust is being maintained?

All links and images for this episode can be found on CISO Series.

"The biggest threat to national security is that many of the most vital systems on the planet CURRENTLY run on outdated and insecure software," said Robert Slaughter of Defense Unicorns on LinkedIn. That's at the core of the third-party security issue.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Richard Marcus, vp, InfoSec, AuditBoard.

Thanks to our podcast sponsor, AuditBoard

CrossComply is AuditBoard’s award-winning security compliance solution that allows organizations to build trust and scale their security compliance program with a connected risk platform that unifies SOC 2, ISO 2700x, NIST, CMMC, PCI DSS, and more across your organization.

In this episode:

• How big of a problem is outdated software in our industry? Is insecurity just the result of a lack of efficient process?
  
• How much does a company’s transparency before, during, and after a breach tell us about their corporate character?
  
• What's the behavior after a breach you want to see that reaffirms your commitment to doing business with a vendor?

All links and images for this episode can be found on CISO Series

Security leaders will often ask challenging or potentially gotcha questions as barometers to see if you can handle a specific job. They're looking not necessarily for a specific answer, but rather a kind of answer and they're also looking to make sure you don't answer the question a specific way. Don't get caught in the trap.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Quincy Castro, CISO, Redis.

Thanks to our podcast sponsor, Okta

Auth0 is the leading provider of customer identity solutions. Watch Jameeka Aaaron, CISO for Auth0, explain how to balance security with friction to create a safe authentication experience without compromising on privacy.

In this episode:

• What parts of cybersecurity can you comfortably outsource? What parts of cybersecurity do you want to outsource, but can't?
  
• One of the major arguments for outsourcing is "Finding cyber talent is really tough." Do you agree with that rationale to outsource?
  
• When building a security program for a startup, how do you establish scope and requirements?

All links and images for this episode can be found on CISO Series

If you know a difficult concept very well and you're incapable of explaining it simply to others who don't understand it, it's known as the "curse of knowledge." It is for this reason far too many talented cybersecurity professionals struggle to educate others.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Okey Obudulu (@okeyobudulu), CISO, Skillsoft.

Thanks to our podcast sponsor, Trend Micro

Trend Micro Cloud One, a security services platform for cloud builders, delivers the broadest and deepest cloud security offering in one solution, enabling you to secure your cloud infrastructure with clarity and simplicity. Discover your dynamic attack surface, assess your risk, and respond with the right security at the right time. Discover more!

In this episode:

• How important is knowing the crown jewels in your security program? Wouldn't a "crown jewel"-focused security program be myopic?
  
• Have you been guilty of "curse of knowledge" when you tried to explain something and what did you do to improve?
  
• How often does a security leader come into a program and have the sense they're starting out at square one?
  

All links and images for this episode can be found on CISO Series

CISOs say stress and burnout are their top personal risks. Breaches, increased regulations, and the tech talent shortage are all contributors to the stress. Sure would be nice for the CISO and the rest of the team to look at a chart that showed the CISO's stress level in real time.

This week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and special guest co-host Shawn Bowen (@SMbowen), CISO, World Fuel Services. Our guest is Meredith Harper (@mrhciso), svp, CISO, Synchrony.

This episode was recorded in front of a live audience in Chicago at The City Hall nightclub for the opening night of Evanta's Global CISO Executive Summit.

Thanks to our podcast sponsor, Cisco

Cisco Secure delivers a streamlined, customer-centric approach to security that ensures it’s easy to deploy, manage, and use. We help 100 percent of the Fortune 100 companies secure work – wherever it happens – with the broadest, most integrated platform. Learn more at cisco.com/go/secure.

In this episode:

• What do you think companies can do to alleviate this pressure and help a CISO better succeed?
• Why is there such a significant disconnect between companies’ increased commitment to diversity and inclusion and the day-to-day experiences of women of color?
• How can enterprise security maintain visibility into, and control over who and what is accessing their data?

All links and images for this episode can be found on CISO Series

For some reason, the ABCs of sales ("Always Be Closing") in the world of cybersecurity sales has translated into "Always Be Creepy." Eagerness to make just a connection, forget closing, has turned into extremely forward approaches that would make anyone feel uncomfortable.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and my guests will be Steve Tran, CSO, Democratic National Committee and Matt Crouse, CISO, Taco Bell. It was recorded in front of a live audience in Santa Monica as part of the ISSA-LA Information Security Summit XII.

Thanks to our podcast sponsor, Ostrich Cyber-Risk

Ostrich Cyber-Risk “Birdseye” is a unified qualitative and quantitative cyber risk management application that allows you to quickly assess, prioritize and quantify your organization’s financial and operational risks in real-time, in one place. Benchmarked against industry-standards (NIST, CIS, ISO), Birdseye simulates risk scenarios, continuously tracks roadmap progress, and creates shareable reports.

In this episode:

• What do security leaders do when they can't push through security initiatives they know should be done?
  
• Is this a real concern for CISOs, and if so, how does a CISO handle their staff when best efforts get thwarted?
  
• What's your advice for new CISOs when dealing with unsolicited sales emails from security vendors? Do they just ignore it all? Should they filter it out?

All links and images for this episode can be found on CISO Series

After every breach, you hear the same mantra from the attacked company: "We take security and privacy seriously." It's lost all its meaning. But what if you truly ARE serious about how you handle security and privacy? Should you say "seriously" twice?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Geoff Belknap (@geoffbelknap), CISO, LinkedIn and co-host of Defense in Depth. It was recorded in front of a live audience at Microsoft's Silicon Valley Campus in Mountain View, California as part of a regular ISSA-SV and ISSA-SF meeting.

Check out all the fantastic photos from the event here.

Thanks to our podcast sponsor, SafeBreach and Noname Security

SafeBreach provides continuous security control validation powered by our breach and attack simulation (BAS) platform.
We enable security leaders to proactively prioritize remediation efforts and drive ROI quickly by consolidating technology costs around what truly enhances your security posture.
Real-world attacks. Real-time results.

Prevent API attacks in real-time with automated AI and ML-based detection from Noname Security. Monitor API traffic for data leakage, data tampering, data policy violations, suspicious behavior, and API security attacks. Integrate with your existing IT workflow management system like Jira, ServiceNow, or Slack for seamless remediation. Learn more at nonamesecurity.com/runtime-protection

In this episode:

• If you truly ARE serious about how you handle security and privacy, should you say "seriously" twice?
  
• Given the immense complexity not just on integration but also training, are we going to see more consolidation of point solutions into suites?
  
• When would it make sense for a company to completely dump their security team and completely outsource it? And if you were to outsource it, what the heck would that look like?

All links and images for this episode can be found on CISO Series

There are vendors that CISOs can't look away from. Who are they and what did they do to get so much attention from CISOs?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Saša Zdjelar, svp, security assurance, Salesforce.

Thanks to our podcast sponsor, Sysdig

Sysdig is driving the standard for cloud and container security. With Sysdig, teams find and prioritize software vulnerabilities, detect and respond to threats, and manage cloud configurations, permissions and compliance. Customers get a single view of risk from source to run, with no blind spots, no guesswork, no black boxes.

In this episode:

• What’s a great approach from a security vendor?
  
• What techniques do CISOs deploy to cut through the marketing noise?
  
• Can you think of vendors that were so good that you couldn't ignore them. What made them achieve that status?

All links and images for this episode can be found on CISO Series

If you want to build a successful cybersecurity team, you need to be diverse, mostly in thought. But that diversity in thought usually is the result of people with diverse backgrounds who have had different experiences and have solved problems differently. It's actually really hard to hire a diverse team because what you want to do is simply hire people who look, talk, and sound like you. People who come from the same background as you. While that may work for building friends, it's not necessarily the best solution when building a team to secure your company.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is George Finney (@wellawaresecure), CISO, Southern Methodist University and author of “Well Aware: The Nine Cybersecurity Habits to Protect Your Future” and "Project Zero Trust."

Thanks to our podcast sponsor, Feroot

Feroot secures client-side web applications so that businesses can deliver a flawless and safe digital user experience to their customers. Our automated, client-side, data protection capabilities increase web application visibility, facilitate threat analysis, and detect and protect from client-side attacks, such as Magecart, XSS, e-skimming, and other threats focused on front-end web applications.

In this episode:

• What are the personality types you need on your staff?
  
• Can you be a vCISO if you're not a CISO first. And if you're a vCISO without ever being a CISO, are you just a cybersecurity consultant?
  
• Also, what are some creative uses of honeypots most users don't consider?
  

All links and images for this episode can be found on CISO Series

What are signs your team is getting burnt out? It's not an imbalance of work and family, it's feeling you're having no impact. That you're working your tail off and nothing is getting accomplished. This happens often in cybersecurity.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Sara-Michele Lazarus, vp/head of trust and security, Stavvy.

Thanks to our podcast sponsor, Sysdig

Sysdig is driving the standard for cloud and container security. With Sysdig, teams find and prioritize software vulnerabilities, detect and respond to threats, and manage cloud configurations, permissions and compliance. Customers get a single view of risk from source to run, with no blind spots, no guesswork, no black boxes.

In this episode:

• What are signs your team is getting burnt out?
• What's the most valuable skill in a cybersecurity analyst?
• Why are we seeing so many zero day exploits right now?

All links and images for this episode can be found on CISO Series

Uggh, just saying "zero trust" sends shivvers down security professionals' spines. The term is fraught with so many misnomers. The most important is who are you going to trust to actually help you build that darn zero trust program? Are you going to look at a vendor that's consolidated solutions and has built programs like this repeatedly or are you going to look for the best solutions yourself and try to figure out how best to piece it together to create that "zero trust" program?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is David Chow, global chief technology strategy officer, Trend Micro.

Thanks to our podcast sponsor, Trend Micro

Trend Micro Cloud One, a security services platform for cloud builders, delivers the broadest and deepest cloud security offering in one solution, enabling you to secure your cloud infrastructure with clarity and simplicity. Discover your dynamic attack surface, assess your risk, and respond with the right security at the right time. Discover more!

In this episode:

• Why is the term “zero trust” fraught with so many misnomers?
  
• Is there such a thing as privacy anymore? Do you agree with the term “good enough”, and if so what is a "good enough" factor, what does it entail, and what should we expect from that?
  
• Where has the United States done the most to improve national cybersecurity?
  

All links and images for this episode can be found on CISO Series.

You want an awesome job in cybersecurity, and you want to ask the right questions. What are the right answers, and which ones are red flags that should cause you to run?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Renee Guttman, former CISO, Campbell's, Coca-Cola, and Time Warner.

Thanks to our podcast sponsor, Okta

Auth0 is the leading provider of customer identity solutions. Watch Jameeka Aaaron, CISO for Auth0, explain how to balance security with friction to create a safe authentication experience without compromising on privacy.

In this episode:

• When interviewing, what are the right answers, and which ones are red flags that should cause you to run?
• Has the cloud just created a bigger security problem that's creeped up on us? 
• Are legacy systems just a ticking time bomb or have you seen success in managing them?

All links and images for this episode can be found on CISO Series

Are RSA and other big conferences worth it? It seems that fewer CISOs are actually walk the floor at these big trade shows. The really big meetings are happening outside of the conference. Why would CISOs attend these big conferences with airfares costing over $1000 and hotel rooms costing $500 to $800 a night? Are the customers and vendors getting priced out?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Jessica Ferguson, CISO, DocuSign.

Thanks to our podcast sponsor, SlashNext

SlashNext protects the modern workforce from phishing and human hacking across all digital channels. SlashNext Complete™ utilizes our patented AI SEER™ technology to detect zero-hour phishing threats by performing dynamic run-time analysis on billions of URLs a day through virtual browsers and machine learning. Take advantage of SlashNext's phishing defense services for email, browser, mobile, and API.

In this episode:

• Are big conferences like RSA worth it? What's the value of the trade show floor at RSA?
  
• Why would CISOs attend these big conferences with airfares costing over $1000 and hotel rooms costing $500 to $800 a night?
  
• Are the customers and vendors getting priced out?
  

All links and images for this episode can be found on CISO Series

Security professionals should turn in the cyber hero mentality for the "sidekick" role. Many cybersecurity leaders believe they need to save the company from all the stupid users who can't protect themselves. The reality is security professionals should lose the saviour mentality for a supporting role where they're running alongside different business units trying to find a way to make their process run smoother and more secure.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our wponsored guest Clyde Williamson, product management, innovations, Protegrity.

Thanks to our podcast sponsor, Protegrity

Protegrity empowers intelligence-driven organizations to use data to drive innovation with secure analytics and artificial intelligence, without fear of violating compliance or jeopardizing privacy. To make this vision a reality, we protect sensitive data anywhere and everywhere to create secure data agility that aligns with the speed of modern business.

In this episode:

• Is it OK if users see security as heroes but security professionals shouldn't see themselves that way?
• What have you heard enough about when it comes to data protection, and what would you like to hear a lot more?
• How can we best create a cyber risk balance sheet?

All links and images for this episode can be found on CISO Series

Just the words "zero trust" often causes security professionals to shiver. In general, CISOs are on board with the concepts of "zero trust," we just think they're uncomfortable with how it's being used for branding and marketing efforts.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is David Cross (@mrdbcross), SVP/CISO for Oracle SaaS Cloud.

Thanks to our podcast sponsor, Protegrity

Protegrity empowers intelligence-driven organizations to use data to drive innovation with secure analytics and artificial intelligence, without fear of violating compliance or jeopardizing privacy. To make this vision a reality, we protect sensitive data anywhere and everywhere to create secure data agility that aligns with the speed of modern business.

In this episode:

• Should certifications be a requirement on your job listings?
• Are the SIEMs failing or do the users not know how to configure them? Or is it both?
• Why do security professionals treat the term "zero trust" so negatively? How should vendors approach zero trust and how should the C-suite understand it?

All links and images for this episode can be found on CISO Series

You can make the right decision given the information you have, but everything is a risk, so there are times those good decisions are going to result in not the result you were hoping for. In essence, plenty of good decisions result in poor outcomes.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Aviv Grafi, founder and CTO, Votiro and winner of season one of Capture the CISO.

In this episode:

• We welcome the winner of “Capture The CISO!” How did they prepare in terms of making the demo and for appearing on the show? And what advice would they give for contestants in season 2?
  
• What do employers look for or ask in an interview that would lead them to hire and promote someone into a CISO role in their company?
  
• How can cybersecurity professionals improve their decision making over time?
  

All links and images for this episode can be found on CISO Series

We explore the world of dishonesty in cybersecurity. Practitioners know that marketers will stretch the truth, but how far are we willing to let that go? Isn't this industry built on trust? Can cybersecurity continue to thrive if we can't trust each other?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Anna Belak (@aabelak), director of thought leadership, Sysdig.

Thanks to our podcast sponsor, Sysdig

Sysdig is driving the standard for cloud and container security. With Sysdig, teams find and prioritize software vulnerabilities, detect and respond to threats, and manage cloud configurations, permissions and compliance. Customers get a single view of risk from source to run, with no blind spots, no guesswork, no black boxes.

In this episode:

• What are the questions a CISO should be able to answer?
  
• How much dishonesty do you find in cybersecurity?
  
• How does one LEAD a cloud migration?
  
• What are some lies about machine learning that everyone needs to be aware of?
  

All links and images for this episode can be found on CISO Series

What can you do when your data keeps passing through different third party applications? Your data is being accessed and manipulated by more people, more applications, and more security policies that may not be aligned with your security policies. It seems once it leaves your environment, it's out of your control.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Elliot Lewis (@ElliotDLewis), CEO, Keyavi.

Thanks to our podcast sponsor, Keyavi

Myth: Data can’t protect itself. Fact: Now it does! You control where your data goes in the world, who can access it and when. On any device. Anytime. Anywhere. FOREVER. Learn more at Keyavi.com.

In this episode:

• Can the US government, through regulation, shift the tide of never-ending cybersecurity failures?
  
• Your network was just hit with ransomware. What do you do in your environment?
  
• What should we be discussing more of when it comes to protecting data in the supply chain?
  
• What's the biggest security flaw you've seen in every environment you've ever worked?
  

All links and images for this episode can be found on CISO Series

If they can find flaws, security professionals are quick to label it as bad security behavior. But often, what is marked as "bad" may have problems, but when looked at from a reducing risk perspective it's actually a very good security behavior.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Carla Sweeney, vp information security, Red Ventures.

Thanks to our podcast sponsor, Protegrity

Protegrity empowers intelligence-driven organizations to use data to drive innovation with secure analytics and artificial intelligence, without fear of violating compliance or jeopardizing privacy. To make this vision a reality, we protect sensitive data anywhere and everywhere to create secure data agility that aligns with the speed of modern business.

In this episode:

• Is a CISO really an architect of choices, for themselves and the other business leaders?
  
• Why and how can controls impose friction or drag on business velocity?
  
• What are the types of questions you ask when you're referencing a resume and what are some examples of really impressive responses?
  
• What are some things that get a bad rap, but are actually quite secure?
  

All links and images for this episode can be found on CISO Series

Getting someone to purchase gift cards is a popular vector for theft. Given that the gift card theft technique is so well known, many online sites have put up additional barriers to purchasing gift cards. Trying to buy them legitimately has become increasingly difficult.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Ariel Weintrab (@securitymermaid), CISO, MassMutual.

Thanks to our podcast sponsor, PlexTrac

PlexTrac is a powerful, yet simple, cybersecurity platform that centralizes all security assessments, pentest reports, audit findings, and vulnerabilities. PlexTrac transforms the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize analytics, and collaborate on remediation in real-time.

Check out PlexTrac.com/CISOSeries to learn why PlexTrac is the perfect platform for CISOs!

In this episode:

• What areas should we focus on improving the security user experience for non-security people?
  
• Does it get easier at the top? What factors do you think result in the workload being tougher or easier for a CISO?
  
• How can radical transparency help and where can it backfire?
  
• What can we do to avoid poisoned systems and how can we tell if our systems have been poisoned?
  

All links and images for this episode can be found on CISO Series

Should you monitor your staff? I mean reallymonitor them. Some bosses are installing screen grabbing and click tracking software to monitor employees and by most estimates employees hate it so much that half of them would quit if their supervisors installed monitoring software on their computers. But in some cases an employee's behavior may lend themselves to being monitored.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Ian Hassard (@ihassard), director of product management, Okta.

Thanks to our podcast sponsor, Okta

Auth0 is the leading provider of customer identity solutions. Watch Jameeka Aaaron, CISO for Auth0, explain how to balance security with friction to create a safe authentication experience without compromising on privacy.

In this episode:

• What are the real world positive impacts that result on the business in terms of risk reduction, product development, and prevention?
  
• What are some alternatives to address the authentication problem?
  
• What have you heard enough about with authentication, and what would you like to hear a lot more about?
  
• To what level should you and shouldn't you monitor your staff? What cases do you feel you would have to install monitoring software?
  

All links and images for this episode can be found on CISO Series

Next time you're annoyed by a security vendor's pitch, instead of firing back at them at what an idiot they are, or complaining about it on social media, why not see if you can find a friendly manager at the vendor company and explain what happened so they can actually address the problem appropriately?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Rob Suarez, CISO, BD.

Thanks to our podcast sponsor, Trend Micro

Trend Micro Cloud One, a security services platform for cloud builders, delivers the broadest and deepest cloud security offering in one solution, enabling you to secure your cloud infrastructure with clarity and simplicity. Discover your dynamic attack surface, assess your risk, and respond with the right security at the right time. Discover more!

In this episode:

• Where could we possibly draw the line of what can be known to the public, but at the same time not offering insight to the attackers?
  
• We examine what makes medical establishments an attractive target. Why are medical records valuable and outside of havoc is there any other purpose of tampering with medical devices?
  
• How do you use industry-specific threat information to make better security decisions?
  
• Why do some cybersecurity companies succeed and others fail?
  

All links and images for this episode can be found on CISO Series

I have no idea what I need to spend to demonstrate our security program is working. What's it going to take? Or maybe I need just others on my team to just validate that they truly do care about security.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is John McClure (@johnmcclure00), CISO, Sinclair Broadcast Group.

Thanks to our podcast sponsor, Keyavi

Data that protects itself?  Now it does! We made data so smart it can think for itself. Secure itself. Stay continually aware of its surroundings. Control where, when and who is allowed access. And automatically report back to its owner. This changes the entire cybersecurity paradigm. Learn how.

In this episode:

• What’s your best indicator that your security program is actually improving?
  
• We examine certifications and separate myth from reality for those trying to get into cybersecurity and also for more seasoned professionals?
  
• What security flaw often gets overlooked?
  
• How does one go about asking for a team building budget for a remote team?
  

All links and images for this episode can be found on CISO Series

How dangerous is it for a cybersecurity professional to pull a G-d complex with the email server just because they didn't like the way one salesperson behaved?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Jadee Hanson (@jadeehanson), CIO/CISO, Code42.

Thanks to our podcast sponsor, Code42.

As the Insider Risk Management leader, Code42 helps security professionals protect corporate data and reduce insider risk while fostering an open and collaborative culture for employees. For security practitioners, it means speed to detection and response. For companies, it means a collaborative workforce that is productive and a business that is secure. Visit http://Code42.com/showme to learn more.

In this episode:

• Is it alright to block a vendor because one salesperson is persistent and annoying?
  
• How can one go about creating a cybersecurity report card?
  
• Is it just inevitable that your staff is going to eventually violate policies?
  
• How to determine a delicate balance between a complete non-tolerance policy versus complete tolerance?
  

All links and images for this episode can be found on CISO Series

What if we could convince management that security is not a cost center, but a means to actually make and save money for the business? The concept isn't so completely outrageous. Companies are using privacy and security as differentiators, and certain security tools such as single sign on, password managers, and passwordless reduce operational costs in support tickets.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Mary Gardner, CISO, The Greenbrier Companies.

Thanks to our podcast sponsor, Buchanan Technologies

Short staffed and overworked IT groups can be overwhelmed by the massive scope of a comprehensive cybersecurity program. Buchanan Technologies makes the complex simple with our twenty-four by seven, customized, vetted strategies that identify risks, detect threats, implement security controls, and protect the confidentiality, availability, and integrity of your data. Discover more.

In this episode:

What are areas we should focus on improving the security user experience for non-security people?
We ask if CISOs have it easier than their middle managers.
We think about the factors that result in the workload being tougher or easier for a CISO.
And we examine how we can protect our machine learning algorithms and AI from absorbing poisoned data.

To see the blog post and read the transcript, head over to CISO Series.

We don't celebrate quitting. Maybe we should. When should you do it when you don't have another offer?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Hadas Cassorla, CISO, M1.

On this episode:

• When a "good" security control is actually bad for business.
• A "how to" engage with a CISO during a presentation meeting.
• Losing your passion for cybersecurity. What next?
• Building a budget for remote team building.

HUGE thanks to our sponsor, Keyavi

Data that protects itself?  Now it does! We made data so smart it can think for itself. Secure itself. Stay continually aware of its surroundings. Control where, when and who is allowed access. And automatically report back to its owner. This changes the entire cybersecurity paradigm. Learn how.

I have talked to vendors who get all excited about Gartner opening up a new category for them. All I can think is uggh, something new to confuse the security marketplace. I know there's a need to label products in categories to simplify sales. But the complexity is driving buyers nuts.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is RJ Friedman, CISO, Buchanan Technologies.

Thanks to our podcast sponsor, Buchanan Technologies

Short staffed and overworked IT groups can be overwhelmed by the massive scope of a comprehensive cybersecurity program. Buchanan Technologies makes the complex simple with our twenty-four by seven, customized, vetted strategies that identify risks, detect threats, implement security controls, and protect the confidentiality, availability, and integrity of your data. Discover more.

In this episode: 

• Do we need another industry-produced acronym?
• How can a vendor better demonstrate they can become a partner?
• With the list of security “minimum requirements” constantly growing, do you believe more and more organizations are falling below the security poverty line?
• And we ask how best to reduce the amount of false positives?
  

All links and images for this episode can be found on CISO Series

Are bad security policies of yesteryear just because we didn't know any better at the time, or were they some bozos idea of legitimate security yet the rest of us knew it was just security theater?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Dr. Diane M Janosek (@dm_janosek), deputy director of compliance, NSA and senior legal advisor for Women in Cybersecurity.

Thanks to our podcast sponsor, Code42

As the Insider Risk Management leader, Code42 helps security professionals protect corporate data and reduce insider risk while fostering an open and collaborative culture for employees. For security practitioners, it means speed to detection and response. For companies, it means a collaborative workforce that is productive and a business that is secure. Visit http://Code42.com/showme to learn more.

In this episode:

• We highlight obsolete security policies to steer clear of.
• We examine security in space and how can others who are not directly involved in these industries create some type of positive impact?
• And we ask how we can improve inclusion by decrypting the lack of diversity in our industry.

All links and images for this episode can be found on CISO Series

Legacy tech can often be the anchor that prevents an organization from growing. Put the issue of dealing with legacy tech long enough and the problem could get bigger than the business itself.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is TJ Mann (@teejaymann), CISO, Children's Mercy Kansas City.

Thanks to our podcast sponsor, CYREBRO

Ninety percent of post mortems show that the high cost of damage from a cyberattack was avoidable, but no one knew in time to stop it. CYREBRO's SOC Platform is your cybersecurity central command, integrating all your security events with 24/7 strategic monitoring, proactive threat intelligence, and rapid incident response. More from CYREBRO.

In this episode:

• How legacy technology impedes business agility?
• Are we doing anything better to deal with legacy technology
• Is there anything that can be done at the purchase point to understand how you'll sunset equipment and technology
• And we ask whether or not our industry is willing to take the time and effort to hire and train the talent they so desperately want and need.
  

All links and images for this episode can be found on CISO Series

People violate cybersecurity policies at a rate of one out of every 20 job tasks. It's just a matter of time before all your employees are in violation.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Bruce Schneier (@schneierblog), chief of security architecture, Inrupt and fellow and lecturer and Harvard Kennedy School.

Thanks to our podcast sponsor, PlexTrac

PlexTrac is a powerful, yet simple, cybersecurity platform that centralizes all security assessments, pentest reports, audit findings, and vulnerabilities. PlexTrac transforms the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize analytics, and collaborate on remediation in real-time.

Check out PlexTrac.com/CISOSeries to learn why PlexTrac is the perfect platform for CISOs!

In this episode:

• Special tips for new CISOs just starting out and trying to establish their position.
• We examine where there are market forces fighting the most against achieving societal values in the digital space?
• What are signs that we're moving in the right direction of developing a digital social contract?
• And we ask, is "employees violating security policies" the top issue that needs to be resolved?
  

All links and images for this episode can be found on CISO Series

A young woman is killing it in her first cybersecurity job out of college. Management is so thrilled with her that they want to give her a promotion. Problem is the promotion reveals a lot of other innerworkings that don't speak well of the company's culture.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Davi Ottenheimer (@daviottenheimer), vp trust and digital ethics, Inrupt.

Thanks to our podcast sponsor, Code42

As the Insider Risk Management leader, Code42 helps security professionals protect corporate data and reduce insider risk while fostering an open and collaborative culture for employees. For security practitioners, it means speed to detection and response. For companies, it means a collaborative workforce that is productive and a business that is secure. Visit http://Code42.com/showme to learn more.

In this episode:

• A student has some serious privacy concerns when they learn that "all data is being monitored and anonymously collected."
• We examine how we can break from the Internet Oligarchs who appear to be consuming, selling, and using so much of our data.
• How GDPR can benefit organizations to stay ahead of the competition.
• A young recruit facing imposter syndrome after receiving a promotion with added responsibilities.
  

All links and images for this episode can be found on CISO Series

First job out of college and you get the cybersecurity job of your dreams... and nightmares. It's just too much, and you definitely don't have the experience to handle it all.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Rick Doten (@rick_doten), CISO, Carolina Complete Health.

Check out Rick's Youtube channel with the CIS Critical Security Control videos.

Thanks to our podcast sponsor, Kenna Security

Kenna Security, now part of Cisco, is the pioneer of risk-based management. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. It leverages machine learning and data science to track and predict real-world exploitations, empowering security teams to focus on what matters most.

In this episode:

• We look at the #1 job according to a U.S. News & World Report. Hint: It’s Information Security Analyst.
• We examine the possibility & practicality of running a security program entirely based upon free and open-source software.
• We break down how to help brand new recruits on the ground as they start their careers in cybersecurity.
  

"No business wants more security, they want less risk," said a redditor on the cybersecurity subreddit. Executives seem to not care about cybersecurity because they're not talking in those terms. They talk in terms of managing risk. It's the InfoSec professional's job to do the translation.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Tom Doughty, vp and CISO, Prudential Financial.

Thanks to our podcast sponsor, CYREBRO

Ninety percnet of post mortems show that the high cost of damage from a cyberattack was avoidable, but no one knew in time to stop it. CYREBRO's SOC Platform is your cybersecurity central command, integrating all your security events with 24/7 strategic monitoring, proactive threat intelligence, and rapid incident response. More from CYREBRO.

In this episode:

• How do you discuss cybersecurity with executives who don’t care about cybersecurity?
• Does cybersecurity insurance help motivate better cybersecurity awareness?
• Why are we still struggling with cybersecurity hiring?
• What does a great day in information security look like?

All links and images for this episode can be found on CISO Series

A CISO hears about your company's product from some other CISOs. Eager to find more information like a video demo they could watch on their own, they visit your site. They can't find anything except a prominently placed "Request a Demo" button. Fearing the marketing and salespeople who will hound them if they fill out the information, they just bail.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Jim Routh (@jmrouth1), former CISO for MassMutual and CVS/Aetna.

Thanks to our podcast sponsor, Buchanan Technologies

Short staffed and overworked IT groups can be overwhelmed by the massive scope of a comprehensive cybersecurity program. Buchanan Technologies makes the complex simple with our twenty-four by seven, customized, vetted strategies that identify risks, detect threats, implement security controls, and protect the confidentiality, availability, and integrity of your data. Discover more.

In this episode:

• Why do vendors put the product demo videos behind gated walls?
• Tips for improving cybersecurity awareness within a large organization.
• The annoying pains of the vendor ecosystem.
• What are some really bad cybersecurity practices that need to be corrected right away?
  

All links and images for this episode can be found on CISO Series

The web is awash with sites claiming they know what the security trends will be for 2022. All of them were filled with quotes from security experts at different vendors who "surprise" we're saying the big trend is what their product can fix. One publication, eWEEK, had probably the only logical set of trends and they look a lot like what happened in 2021.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Ori Arbel, CTO, CYREBRO.

Thanks to our podcast sponsor, CYREBRO

Ninety percent of post mortems show that the high cost of damage from a cyberattack was avoidable, but no one knew in time to stop it. CYREBRO's SOC Platform is your cybersecurity central command, integrating all your security events with 24/7 strategic monitoring, proactive threat intelligence, and rapid incident response. More from CYREBRO.

In this episode:

• How should you be handling your security operations center (SOC)?
• Tips for improving your incident response planning.
• What are the cloud security trends of 2022?

All links and images for this episode can be found on CISO Series

Are security conferences really helpful in advising you on making your business more secure, or are they just adding more worries to your plate that aren't actually going to be threats your business is going to have to face?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Jason Witty, CSO, USAA.

Thanks to our podcast sponsor, CyCognito

By understanding risks, attacks, and behaviors from attack surface management data, CyCognito visualizes the pathways attackers will take to exploit your network enabling you the ability to see, understand and eradicate the threat. CyCognito is the only cyber risk intelligence platform that visualizes the attackers paths into your network.

In this episode:

• What is the board’s risk appetite?
• Is attending conferences helpful?
• What can security vendors do to help with board-level communications?

All links and images for this episode can be found on CISO Series

Our entire network launched because of the irritation CISOs had with vendors could have stopped some breach that happened to another company. Then the chest pounding subsided, and we thought we were making an impact, until Log4j appeared...

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Tim Rohrbaugh, CISO, JetBlue.

Thanks to our sponsor, CyCognito

By understanding risks, attacks, and behaviors from attack surface management data, CyCognito visualizes the pathways attackers will take to exploit your network enabling you the ability to see, understand and eradicate the threat. CyCognito is the only cyber risk intelligence platform that visualizes the attackers paths into your network.

In this episode:

• Questionable vendor marketing tactics
• Developing your threat intelligence
• Valuable skills that hiring managers look for

All links and images for this episode can be found on CISO Series

The trick to getting the attention of CISOs is to create an awesome company. Focus on that and the attention will follow.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Katie Stebbins (@ktlgs), board president, Global Epic.

Thanks to our podcast sponsor, Kenna Security

Kenna Security, now part of Cisco, is the pioneer of risk-based management. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. It leverages machine learning and data science to track and predict real-world exploitations, empowering security teams to focus on what matters most.

In this episode:

• So, how do you become so awesome that you can't be  ignored?
• What happens when you expand your view of the purpose of security metrics?
• Is it possible to have a Digital Geneva Convention?

All links and images for this episode can be found on CISO Series

If you're up against Google, Facebook, or Apple for hiring talent, chances are pretty good that your company is not going to match their pay and benefits. So if they're the bar for salary and benefits, your business' offerings will inevitably be subpar. So how do you build your employer brand to contend in areas where you're deficient in areas you can't compete?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Dan DeCloss (@wh33lhouse), CEO, PlexTrac.

Thanks to our podcast sponsor, PlexTrac

In this episode:

• When setting up defenses against MITRE ATT&CK mappings, how much is enough?
• What are you doing to build your employer brand and attract cyber talent to your business?
• How should you review your pentest results?

All links and images for this episode can be found on CISO Series

Every organization has an Acceptable Use Policy (AUP) for their computers and network. Nobody reads it and everybody violates it. How the heck do you enforce or discipline people who violate your company's AUP?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Matt Radolec, senior director, incident response and cloud operations, Varonis.

Thanks to our podcast sponsor, Varonis

On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to “Zero Trust.” Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries.

In this episode:

• Why do tabletop exercises fail?
• How should we deal with AUPs that do not get read?
• Is cyber resiliency an overused term?
• How valuable are visual detection techniques?

All links and images for this episode can be found on CISO Series

Yikes, this security hole one concerned student found in the school's network is going to require one heck of a pep rally to fix.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Dave Stirling, CISO, Zions Bancorporation.

Thanks to our podcast sponsor, Varonis

On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to “Zero Trust.” Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries.

In this episode:

• Should the CISO position be seen as an organization in itself?
• Is the current data loss prevention (DLP) model outdated?
• How can an MSSP show its value?
• What should a high school student do if they see that their school has horrible security practices?

All links and images for this episode can be found on CISO Series

If we had such a great conversation at the conference, why don't you want to respond to my emails?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Julie Tsai (@446688), cybersecurity leader.

Thanks to our podcast sponsor, Varonis

What is your ransomware blast radius? The average user can access 17 million files. Varonis reduces your blast radius in days, not years. Combined with advanced detection that monitors every file touch, ransomware doesn’t stand a chance. Get a free risk assessment.

In this episode:

• Is there a "right" management structure for cybersecurity?
• Are there tools you can put in place to keep your DevOps program in check?
• What are the questions to ask during an interview that reveal how a company handles and prioritizes cybersecurity?
• How can we improve CISO / vendor relations?

All links and images for this episode can be found on CISO Series

Winning at vulnerability management is not a numbers game. It's a tactical exercise of what matters most in your environment. Surprisingly, experts tell us close to two thirds of your vulnerabilities can and should be ignored. Why and which ones are those?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Ed Bellis (@ebellis), co-founder and CTO, Kenna Security (now a part of Cisco).

Thanks to our podcast sponsor, Kenna Security

Kenna Security, now part of Cisco, is the pioneer of risk-based management. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. It leverages machine learning and data science to track and predict real-world exploitations, empowering security teams to focus on what matters most.

 In this episode:

• What type of risk or compliance data should CISA collect for its proposed metrics?
• Which metrics are most valuable to determine the health of a company?
• Why the constant frustration with patch management?
• How often should you be conducting vulnerability scans?

 All links and images for this episode can be found on CISO Series

If you're asking what certification you should go after to get the perfect cybersecurity job, you're asking the wrong question. Most hiring managers are inundated with resumes so they're looking for ways to get rid of yours. Don't be fooled thinking you're going to be seen because you have the "perfect" resume.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Mike Hanley (@_mp4h), CSO, GitHub.

Thanks to our podcast sponsor, BitSight

These are challenging times for security professionals. From managing third party supply chain risk, to quantifying financial exposure, to reducing the likelihood of ransomware, BitSight helps security and risk professionals create more effective cybersecurity programs with cybersecurity ratings and analytics. Learn why Moody’s, the Department of Defense, and other leading institutions partner with BitSight at www.bitsight.com

In this episode:

• What's the formula (experience vs testimonials) for hiring managers' attention?
• What are the most effective techniques to building a resilient security team?
• What are security vendors NOT doing now that would greatly improve their visibility?
• Have you had to make any security exceptions just because an executive needed something?

All links and images for this episode can be found on CISO Series

CISOs agree that multi-factor authentication is the one security control that once deployed has the greatest impact to reduce security issues. Yet with all that agreement, it’s still so darn hard to get users to actually use it.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Arvind Raman (@arvind78), CISO, Mitel.

Huge thanks to our sponsor, Horizon3.ai

See your enterprise through the eyes of the attacker, identify your ineffective security controls, and ensure your limited resources are spent fixing problems that can actually be exploited. More from Horizon3.ai.

In this episode:

• If MFA is so great, why is it not more widespread?
• Are high valuations for cloud security startups a vote against cloud providers doing cloud security well?
• What is the biggest challenge in deploying zero trust on existing infrastructure?
• Are there universal security red flags?

All links and images for this episode can be found on CISO Series

It's all risk, all show, for the entire show. It's just the kind of risk we like to take.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Derek Vadala (@derekvadala), chief risk officer, BitSight.

Thanks to our podcast sponsor, BitSight

These are challenging times for security professionals. From managing third party supply chain risk, to quantifying financial exposure, to reducing the likelihood of ransomware, BitSight helps security and risk professionals create more effective cybersecurity programs with cybersecurity ratings and analytics. Learn why Moody’s, the Department of Defense, and other leading institutions partner with BitSight at www.bitsight.com

In this episode:

• What cybersecurity risk is currently the most severe?
• What's important about of evaluating a startup's security protocols?
• What about third party risk management?
• Do you and your board know how resilient you are to a cyber attack?

All links and images for this episode can be found on CISO Series

What do you give to the person who wants to learn how to steal everything?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest Jim Wachhaus (@imanapt), risk intelligence evangelist, CyCognito.

Thanks to our podcast sponsor, CyCognito

By understanding risks, attacks, and behaviors from attack surface management data, CyCognito visualizes the pathways attackers will take to exploit your network enabling you the ability to see, understand and eradicate the threat. CyCognito is the only cyber risk intelligence platform that visualizes the attackers paths into your network.

In this episode:

• How can we shore up our cybersecurity hygiene?
• What have we heard enough about with risk intelligence ?
• Gifts to buy someone who is looking into red teaming/vulnerability

All links and images for this episode can be found on CISO Series

What do you do if your boss gave you a corporate laptop and you fear they installed some tracking software? Should you wipe the drive or simply quit?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Purandar Das (@dasgp), co-founder and president, Sotero.

Thanks to our podcast sponsor, Sotero

Today’s compliance requirements require a security mindset that focuses on the data itself. We can’t truly protect sensitive data when our solutions only provide protection at the network, application or database level. The good news is that you can now protect the actual data itself. Click to learn how.

In this episode:

• Did the pandemic lead to innovations in cybersecurity?
• What should a company do when an employee makes a major mistake like emailing PII?
• Have we all heard enough about encryption?
• What do we do when the boss gives us a "new" computer with monitoring tech on board?

All links and images for this episode can be found on CISO Series

Risk is scary. Cyber risk is scarier. Not because it's worse, but mostly because we barely understand it. We've gone this long not understanding it. Maybe just ignoring it will allow us to wish it away.

On this week's episode of CISO/Security Vendor Relationship Podcast we have our first in-studio guest (since we moved the studio). Joining me, David Spark (@dspark), producer of CISO Series and Mike Johnson is our in-studio guest TJ Lingenfelter (@tj_555), sr. program manager, information security, Taylormade Golf.

Thanks to our podcast sponsor, BitSight

These are challenging times for security professionals. From managing third party supply chain risk, to quantifying financial exposure, to reducing the likelihood of ransomware, BitSight helps security and risk professionals create more effective cybersecurity programs with cybersecurity ratings and analytics. Learn why Moody’s, the Department of Defense, and other leading institutions partner with BitSight at www.bitsight.com

In this episode:

• How can competitive companies can help each other be more secure?
• What to do when you can't get time with your CIO to discuss plans?
• Are we fooling ourselves to think we can maintain privacy for ourselves and that organizations can do it for us as well?
• What new cybersecurity buzzwords should be put to rest?

All links and images for this episode can be found on CISO Series

There's no question calculating risk is tricky. Because once you understand your risk then you can assign budget appropriately to reduce your risk. OR, you could just wait until you're breached and you'll know exactly what your risk is and how much it costs.

This week's episode of CISO/Security Vendor Relationship Podcast is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Dan Walsh, CISO, VillageMD.

Thanks to our podcast sponsor, deepwatch

Increasing ransomware attacks and their evolving sophistication have been putting more pressure on security teams than ever before. Luckily, managed detection and response (or MDR) has emerged as a critical component for improving security operations, reducing ransomware risk, and minimizing the overall impact an attack can have. Visit deepwatch.com to see how we help to prevent breaches for our customers, by working together.

In this episode:

• What can we learn from a 10-year cybersecurity veteran?
• What can state governments do to 'hire better' in cybersecurity?
• What can companies do to attract cybersecurity professionals to their location?
• What are ways to bring a clearer understanding of risk to the business without being alarmist?

All links and images for this episode can be found on CISO Series

Don't look at me to explain zero trust to you, because I'm just as confused. I've heard plenty of definitions, and they all sound good. I just don't know which one is right, or maybe they're all right.

This week's episode of CISO/Security Vendor Relationship Podcast was recorded in front of a live audience at KeyConf at the City Winery in New York City. My guest co-host for this special episode is JJ Agha, CISO, Compass. Joining us on stage were a host of guests, Admiral Rogers, former NSA director and Commander US Cyber Command, Oded Hareven, CEO and co-founder, Akeyless, and Dr. Zero Trust, Chase Cunningham (@cynjaChaseC).

Thanks to our podcast sponsor, Akeyless

As organizations embrace automation, they must control their secrets sprawl. Security teams must enable the transition with centralized access to secrets, and consistent policies to limit risk and maintain compliance. Akeyless provides a unified, SaaS based solution for Secrets Management, Secure Remote Access, and Data Protection. More about Akeyless

In this episode:

• Is zero trust easy for organizations to deploy and control?
• Are we taking zero trust too far?
• Does it help to have more eyes on the problem?
• What are the problems with secure remote access that we're still struggling with?

All links and images for this episode can be found on CISO Series

It's extremely easy to say you want to diversify. In fact, I'll do it right now three times. We want diversity. We're very pro diversity and it's our focus for the next year. Diversity is a very important part of our security program.

Please don't ask to though look at the lack of diversity on our staff. It doesn't match our rhetoric.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Sujeet Bambawale (@sujeet), CISO, 7-11.

Thanks to our podcast sponsor, Vulcan Cyber

Vulnerability scanners are commoditized. Cloud service providers provide free scanners. Open source scanners are plentiful. Your team doesn’t need another scanner, but they need to get better at identifying and prioritizing the risk that is buried in that scan data. Attend the Vulcan Cyber virtual user conference and learn how to assess and mitigate risk across all of your surfaces. Go to vulcan.io and click the button at the top of the screen to register for the event.

In this episode:

• How are you overcoming the challenges of diversity hiring?
• Are robocalls defeating MFA?
• Are you collaborative in cyber with your direct competitors?
• Were you sold something differently when you started in cyber?

All links and images for this episode can be found on CISO Series

Do the cybercriminals know my vacation schedule? If they’re already in our network, they probably do. Why don’t they share their vacation schedule with me. That way we can all enjoy our time off.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Patti Titus (@rusecur), CISO, Markel.

Thanks to our podcast sponsor, Sotero

Today’s compliance requirements require a security mindset that focuses on the data itself. We can’t truly protect sensitive data when our solutions only provide protection at the network, application or database level. The good news is that you can now protect the actual data itself. Click to learn how.

In this episode:

• What role is the quickest to a CISO role?
• How can we best correlate security behavior to business actions?
• Are attacks more likely on Fridays, just before a long weekend or vacation?
• Which breaches this year caused a shift in focus of your security program?

All links and images for this episode can be found on CISO Series

At one point a sales representative will get so desperate trying to get a reply from a prospect that they'll resort to some tepid attempt a humor. We've all seen the email that is trying to understand why we're not replying. And the salesperson tries to make it easy for the recipient to respond by just pressing a single digit. 1: You're too busy, 2: You didn't see my email, 3: You really wanted to respond but you're stuck in a well.

This week's episode of CISO/Security Vendor Relationship Podcast was recorded in front of a live audience at the SF-ISACA conference in San Francisco. It features me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is my other co-host Andy Ellis (@csoandy), operating partner, YL Ventures.

Huge thanks to our podcast sponsors, Code42, Sotero, and Constella Intelligence

As organizations gradually and cautiously move out of adapt-or-die mode into the post-pandemic era, we can expect a second phase of digital transformation: resilience building. This presents an opportunity for security teams. An opportunity to re-imagine data security. More from Code42.

Today’s compliance requirements require a security mindset that focuses on the data itself. We can’t truly protect sensitive data when our solutions only provide protection at the network, application or database level. The good news is that you can now protect the actual data itself. Click to learn how.

Threat actors target key employees due to their privileged access to sensitive data which can lead to credential theft, ATO, & ransomware attacks. Find out if your key employees and company have been exposed – without any obligation. More from Constella Intelligence.

In this episode:

• How do you go about making a business case for further investment in cyber security initiatives?
• Is it possible to get people to get security people change their behaviors?
• Using humor in cold sales. Does it ever work?
• ...and what happens when it backfires?

All links and images for this episode can be found on CISO Series

"Look, you wanna be elite? You have to do a righteous hack."

This entire episode we pay tribute to the movie "Hackers" with quotes all throughout the programming. This episode is hosted by me, David Spark (@dspark), producer of CISO Series, and my guest co-host Roland Cloutier (@CSORoland), CISO, TikTok. Joining us in this discussion is Steve Tran (@steveishacking), CISO, MGM Studios.

Thanks to our podcast sponsor, Code42

In this episode:

• Is it time to start thinking about protecting data differently?
• What is the biggest scam in tech that is deemed acceptable?
• Why is the convergence of security between physical and digital still not happening?
• Which part of your role is science vs art?

All links and images for this episode can be found on CISO Series

It’s extremely hard to tell if a cybersecurity leader is doing a good job. In fact, it’s tough for even them to know. Our best bet is watching for an improvement in the cybersecurity program over time.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Mark Wojtasiak (@markwojtasiak), vice president, research & strategy, Code42 and co-author of “Inside Jobs.”

Thanks to this week’s podcast sponsor, Code42

As organizations gradually and cautiously move out of adapt out of adapt-or-die mode into the post-pandemic era, we can expect a second phase of digital transformation: resilience building. This presents an opportunity for security teams. An opportunity to re-imagine data security. More from Code42.

In this episode:

• What is your business's biggest frustration when managing cybersecurity?
• Aaaand...what is your biggest frustration when managing cybersecurity?
• How do you know when a Security Leader (including yourself) is doing a good job?
• Would it help if Security hired a marketing manager?

Here's an awesome bonus episode of CISO/Security Vendor Relationship Podcast featured as the closing event at Evanta's Global CISO Virtual Executive Summit.

Here's what went down. The day before our recording, three representatives presented their unique and innovative security solutions to a panel of CISOs and the virtual audience in attendance.

The next day, everyone came back to offer up a quick elevator pitch and to be grilled by the CISOs. That's exactly what you get to hear on this bonus episode of CISO/Security Vendor Relationship Podcast.

Thanks to all our sponsors for this bonus episode of the podcast

Kasada

Axis Security

Ordr

Ten Eleven Ventures

All links and images for this episode can be found on CISO Series

What game should we play where we can trust you to behave fairly, but at the same time see how you could take advantage of us?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Deneen DiFiore (@deneendifiore), CISO, United Airlines.

Thanks to our podcast sponsor, Code42

As organizations gradually and cautiously move out of adapt out of adapt-or-die mode into the post-pandemic era, we can expect a second phase of digital transformation: resilience building. This presents an opportunity for security teams. An opportunity to re-imagine data security. More from Code42.

In this episode:

• Does becoming a business-minded security person take time?
• What does a qualified, entry level candidate have to do to get noticed?
• Without clear ROI, how does a CISO justify their budget?
• What game taught you the most about thinking like a hacker?

All links and images for this episode can be found on CISO Series

Do you really need hundreds of questions to know if you want to work with a vendor? Won’t just two or three well-pointed questions really give you a good idea?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Nick Selby (@fuzztech), CSO, Paxos Trust Company and co-host of Tech Debt Burndown podcast.

Thanks to our podcast sponsor, Kenna Security

In this episode:

• How do you suss out security vendors to make sure they're not a risk?
• How do you battle a typosquatter?
• What types of preparations do you have in place to know you're well prepared for an incident?
• How should CISOs and CIOs share cybersecurity ownership?

All links and images for this episode can be found on CISO Series

OK, you showed us our vulnerability. But we really don't want to fix it now. Could we just pay you off to keep quiet, and to buy us some more time to deal with this in a "not so timely" manner?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Sameer Sait (@sameersait), CISO, Amazon - Whole Foods.

Thanks to our podcast sponsor, Code42

As organizations gradually and cautiously move out of adapt out of adapt-or-die mode into the post-pandemic era, we can expect a second phase of digital transformation: resilience building. This presents an opportunity for security teams. An opportunity to re-imagine data security. More from Code42.

In this episode:

• What if software developers used academic citations for code acquired from outside sources?
• What is a reported security vulnerability doesn't get fixed? Where do you go next?
• What if a 3rd party app developer needs access to a file/print share over the internet?
• What if you receive a pitch that makes a grandiose statement like "no false positives?" Follow-up or hard pass?

No, please not another acronym. I can't take another education cycle on another product segment. Oh, I'm sure Gartner is launching it. And I'm sure they'll make yet another Magic Quadrant to tell us which companies are in this new market segment. And we're going to have to buy this report so we understand this new category so we can create yet another line item on our budget sheet.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Ed Bellis (@ebellis), co-founder and CTO, Kenna Security (now a part of Cisco).

Thanks to our podcast sponsor, Kenna Security

In this episode:

• How do you develop unbiased knowledge about a new technology?
• Do you have advice on how to prepare for a SOC interview?
• Vulnerability management: what have we heard enough of?
• Do your parents know what you do for a living?

You don’t want anything to happen, but you also want security to somehow to calculate ROI. Maybe the ROI could be calculated from actual sales that security allowed to actually happen.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Ryan Gurney, CISO-in-residence, YL Ventures.

Thanks to our sponsor, YL Ventures

YL Ventures, a global VC firm, manages over $300 million and exclusively invests in early-stage Israeli cybersecurity startups. YL Ventures accelerates the evolution of its portfolio companies via strategic advice and operational execution, leveraging a network of CISOs and industry veterans from Fortune 100 and high-growth companies.

In this episode:

• What happens when Application Surface Management (ASM) vendors are purchased as Security assets?
• What do you do when your company wants to use a really insecure SaaS product?
• Does a startup need a CISO, or just a CISO-in-residence?
• Is there a better sign other than "nothing happened" that indicates you did a good job in cybersecurity today?"

All links and images for this episode can be found on CISO Series

It’s imperative we speak to him. We want to make sure they landed safely. And if he has some available time, maybe we can show him our slide deck.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Branden Newman, svp, CISO, MGM Resorts.

Thanks to our podcast sponsor, Grip Security

Ask yourself – do I know what SaaS my company is using? How do users access them? What data is uploaded and downloaded? Enterprises today are using hundreds and thousands of different SaaS, and have lost control over it.

Grip Security sees and secures every SaaS application. With simple deployment, you can have immediate visibility to the entire SaaS portfolio, and automated access and data governance at scale. This is the only way you could fight the SaaS Sprawl.

In this episode:

• How do security vendors communicate their uniqueness and product quality?
• If you were to start a data security company - what gap would you fill?
• What's the pushiest sales tactic you've seen in InfoSec?
• Assessing vendor pitches on email security or human layer security

All links and images for this episode can be found on CISO Series

I know your friends say they use excellent passwords, but they don't take the time and care we put into choosing the right combination of letters, numbers, and special characters that's unique to your personality. Once your friends and the dark web have a chance to see them, they'll want to emulate you by using your password over and over again.

This week's CISO/Security Vendor Relationship Podcast was actually recorded in front of a small live audience at The Passwordless Summit in Newport, Rhode Island. The event was sponsored by HYPR, our sponsor for this episode as well. Joining me and my co-host, Andy Ellis (@csoandy), operating partner, YL Ventures, was our sponsored guest, Brian Heemsoth (@bheemsoth), head of cyber defense and monitoring, Wells Fargo.

Thanks to our podcast sponsor, HYPR

HYPR is the leader in Passwordless Multi-factor Authentication.
We protect workforce and customer identities with the highest level of assurance while enhancing the end user’s experience. HYPR shifts the economics of attack to the enterprise’s favor by replacing password-based MFA with Passwordless MFA. 
Welcome to The Passwordless Company®. It’s time to reimagine Identity Access Assurance. 
Learn More »

In this episode:

• Ways to make a good impression about the quality of your security
• How’s passwordless access working for you?
• When an EULA says no to reviewing the product
• What does a good SOC look like to you?

All links and images for this episode can be found on CISO Series

We've heard the question "How secure are we?" many times, and we know what it really means.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Kevin Morrison, CISO, Alaska Air.

Thanks to our podcast sponsor, Enso

Enso, an Application Security Posture Management platform, helps security teams scale and gain control over their AppSec programs. Enso discovers application inventory, ownership and risk to easily build and enforce security policies and transform AppSec into an automated, systematic discipline.

In this episode:

• Red flag-level bad security: run away or offer to help?
• How necessary is it to know patterns of where and how criminals are going to attack?
• How to manage the risk of onboarding entry level cybersecurity personnel who lack prior job experience?
• How do you answer the question, "Are we secure?"

All links and images for this episode can be found on CISO Series

What questions should we be asking of a consultant's referrals to see if they're really worth the money they're trying to overcharge us?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Ira Winkler (@irawinkler), CISO, Skyline Technology Solutions.

Thanks to our podcast sponsor, Varonis

Varonis will help you get meaningful data security results faster than you thought possible. Protect sensitive data, detect sophisticated threats and streamline privacy and compliance. Visit varonis.com/risk for a demo of Varonis’ leading data security platform.

In this episode:

• Fujifilm refused to pay ransomware demand, restored from backup. Be like Fujifilm.
• What to do with people who ask for your password and sign-on – and those who comply
• Best techniques for interviewing cybersecurity consultant candidates
• The importance of securing inter-organization Slack and Teams channels

All links and images for this episode can be found on CISO Series

You think it's easy carrying around the burden of being so perfect all the time? It's tough to carry that responsibility to tell others what they need to do.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Ed Contreras (@cisoedwardc), CISO, Frost Bank.

Thanks to our podcast sponsor, Varonis

Varonis will help you get meaningful data security results faster than you thought possible. Protect sensitive data, detect sophisticated threats and streamline privacy and compliance. Visit varonis.com/risk for a demo of Varonis’ leading data security platform.

• Does a quality tech stack help with recruitment and retention of talent?
• Should security features be free?
• And should those who charge be shamed?
• Failing phishing tests - is there a limit to how many?

All links and images for this episode can be found on CISO Series

We know we've got to say something about this breach, but geez, the details are really sordid and it would just be easier if we could just wrap it up with one giant "oops." You cool with that?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Matt Radolec, senior director, incident response and cloud operations, Varonis.

Thanks to our podcast sponsor, Varonis

Varonis will help you get meaningful data security results faster than you thought possible. Protect sensitive data, detect sophisticated threats and streamline privacy and compliance. Visit varonis.com/risk for a demo of Varonis’ leading data security platform.

In this episode:

• How have insider threats morphed since the onset of Covid?
• Should paying ransomware be illegal?
• What goes into a good post-breach public incident response?
• Should ransomware focus more on backups?

All links and images for this episode can be found on CISO Series

Managing my own risk is tough enough, but now I have to worry about my partners' risk and their partners' risk? I don't even know what's easier to manage: the risk profile of all my third parties or all the exclusions I've got to open up to let third parties into my system.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Bruce Potter (@gdead), CISO, Expel.

Thanks to our podcast sponsor, Expel

Expel offers companies of all shapes and sizes the capabilities of a modern Security Operations Center without the cost and headache of managing one.

In this episode:

• What's easier to manage, 3rd party risk profiles or exclusions?
• Do you need a Git repository to apply for a job? What else?
• What's in your happy-grab-bag for hybrid work environments?
• Is there anything new to say about ransomware strategy?  

All links and images for this episode can be found on CISO Series

If I'm going to be riding my team really hard, how much charisma will I need to keep the team frightened so they stay motivated, yet don't want to leave?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Jason Fruge (@jasonfruge), CISO, Rent-a-Center.

Thanks to our podcast sponsor, Expel

Expel offers companies of all shapes and sizes the capabilities of a modern Security Operations Center without the cost and headache of managing one.

In this episode

• CISO's second job: applying lessons learned from the first one
• Experts weigh in on what to do when a breach drops malware on you
• How to motivate staff to push themselves beyond initial expectations?
• What level of autonomy do you give your staff to make purchase decisions?

All links and images for this episode can be found on CISO Series

Great, you just purchased the cloud. Are you a little confused as to what you're going to do with it? Not a problem. Let's get you set up right with a world class misconfiguration. That should leave you open to all kinds of breaches.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Johnathan Keith, CISO, Viacom/CBS Streaming.

Thanks to our podcast sponsor, AppOmni

AppOmni is building the future of SaaS security. We empower our users to enforce security standards across their SaaS applications, and enable them to remediate in confidence knowing they’re fixing the most important SaaS security issues first. Contact us at www.appomni.com to find out who - and what - has access to your SaaS data.

• Why do we hear so many stories about poor & misconfigured cloud services?
• The benefits of Infrastructure as Code (IaC)
• What makes a vendor meeting worth your time?
• What's the best way to learn about a company's culture in a job interview?

All links and images for this episode can be found on CISO Series

We're trying really hard to keep our customers' data safe, but we all know given the number of attacks happening, our number will eventually come up, and we'll lose your data just like every other organization you trusted.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Sandy Dunn (@sub0girl), CISO, Blue Cross of Idaho.

Thanks to our podcast sponsor, Expel

Expel offers companies of all shapes and sizes the capabilities of a modern Security Operations Center without the cost and headache of managing one.

• Dissecting Allen Gwynn's "one strike" opinion piece
• Transitioning cybersec into a mindset for all employees
• Shifting the risk: buying cyberinsurance instead of tools
• What's the proper way to behave during a breach?

All links and images for this episode can be found on CISO Series

As good as our virtual bouncers are, they often let in people with what seems to be a valid ID, and then once they're in our nightclub they cause a disruption and we have to kick them out.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Sandy Wenzel (@malwaremama), cybersecurity transformation engineer, VMware. 

Sandy also recommends participating in Pro's vs. Joe's CTF.

Thanks to our podcast sponsor, VMware

In this episode:

• How we have become more agile (and how we define agile)
• Five skills every SOC analyst needs (and how to build them)
• Lateral movement by threat actors (what have we heard enough of)
• What are some good assignments to give a cybersecurity intern (and are there better ones?)

All links and images for this episode can be found on CISO Series

We're a brand new consultancy and we promise if you just let us poke around your network, we'll find something wrong. Because everyone has something wrong in their network.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Phil Huggins (@oracuk), CISO, NHS Test & Trace, Department of Health and Social Care.

Thanks to our podcast sponsor, VMware

In this episode:

• Prioritizing the security challenges around risk and compliance
• What to consider before starting your own security consulting business
• The most valuable things you should learn from peers in your network or community

All links and images for this episode can be found on CISO Series

If you're happy with your best practice of rotating passwords, that's great for you. Just don't lay your old-timey "rules for better security" on me boomer.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Robb Reck (@robbreck), CISO on sabbatical and co-founder Colorado=Security, a podcast and Slack community.

Thanks to our podcast sponsor, VMware

In this episode:

• Who is supposed to put “security” into the shifted left SDLC?
• What's the scarcest resource to a CISO? Is it headcount or money?
• What's the hardest part about being a CISO?
• How to choose the “best” best practices.

All links and images for this episode can be found on CISO Series

https://cisoseries.com/how-cisos-make-it-worse-for-other-cisos/

Are CISOs inappropriately putting pressure on themselves and is that hurting the rep of all CISOs as a result?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Andy Ellis (@csoandy), operating partner, YL Ventures.

Thanks to our podcast sponsor, Orca Security

Orca Security provides instant-on security and compliance for AWS, Azure, and GCP － without the gaps in coverage, alert fatigue, and operational costs of agents or sidecars. Orca detects and prioritizes risk in minutes ﹣ not months ﹣ and is trusted by global innovators, including Databricks, Lemonade, Gannett, and Robinhood.

In this episode:

• Is the hiring process for CISOs broken?
• Why CISOs aren’t willing to share samples of their risk assessments
• Working with a vCISO through an MSSP
• What are the biggest misconceptions cybersecurity people have about CISOs?

All links and images for this episode can be found on CISO Series

https://cisoseries.com/excuse-me-what-bribes-do-you-accept/

The security vendor/practitioner sales cycle would go a lot faster and smoother if CISOs would just take an "incentive" for a meeting. Just tell me what "incentive" you would like. I'm sure it'll cost me a lot less than what I'm spending on marketing and sales.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Allison Miller (@selenakyle), CISO, reddit. Allison is available on reddit at /u/UndrgrndCartographer.

Thanks to our podcast sponsor, Living Security

Why We're Breaking Security Awareness (And You Should Too)
Attend This Free, Virtual Conference From Your Home, Office, Or Even Your Couch. Living Security is breaking the mold of security awareness to wage war on the human risk factor with evolved strategies for the way we live, work, and play today.
Join cybersecurity industry thought leaders for fresh, modern perspectives designed to help you change behaviors and reduce your organization's risk in a world where life happens online.
This year’s sessions will cover:

• Human Risk Management
• Social Engineering
• DEI In Cybersecurity
• Enterprise Security Awareness
• Remote Working Security
• Ransomware

In this episode:

• Relying on the end-user to make an app secure is, in essence, shipping insecure software
• It's official: mandatory password changes are no longer in vogue
• What incentives would you accept to take a meeting with a vendor

All links and images for this episode can be found on CISO Series

https://cisoseries.com/holy-crap-weve-been-doing-this-for-three-years/

On this day three years ago, Mike Johnson and I released the first episode of CISO Series’ CISO/Security Vendor Relationship Podcast.

Our primary goal was to talk about the strained yet much needed relationship between security practitioners and vendors. With the help of our guest Dan Walsh, CISO, VillageMD and plenty of contributors we look back and ask ourselves, “What’s changed and has anything improved?”

If you're interested in hearing the full story of how CISO Series started, listen to this episode of Defense in Depth with Mike Johnson and Allan Alford where we walk through the origins of what has become a rather sizable media network.

Thanks to our podcast sponsor, Sonatype

With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company’s Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code.

In this episode:

• What listeners get out of the show & what has changed in the industry
• How communication has changed among CISOs in three years
• Is there more compassion for vendors now?
• How is the vendor landscape changing?

All links and images for this episode can be found on CISO Series

https://cisoseries.com/something-stinks-in-here-i-think-it's-your-code/

The problem isn't our users, it's you and your past due code. Something happened. It's either been tainted or expired, but whatever it is, it smells and you need to clean it up.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Brian Fox (@brian_fox), co-founder and CTO, Sonatype.

Thanks to our podcast sponsor, Sonatype

With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company’s Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code.

In this episode:

• How do you know if your DevSecOps effort is going to fail?
• How does an analyst justify their existence?
• Managing malicious intruders in code libraries
• Managing cybersecurity hygiene in the software chain

All links and images for this episode can be found on CISO Series

https://cisoseries.com/our-top-ten-list-of-vendors-that-arent-you/

You look at a top ten list is to see if you made the list. Don't bother. You're not on it.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Nancy Hunter, vp, CISO, Federal Reserve Bank of Philadelphia.

Thanks to our podcast sponsor, Code42

Redefine data security standards for the hybrid workforce. Check out Code42.

In this episode:

• Threat tracking: what’s better? Your SOC’s data or reading industry trends?
• Finding good security people -what’s better?: existing skills/experience, or a hunger to learn?
• Listing the things we like about security vendors
• Diversity hiring still has some challenges

All links and images for this episode can be found on CISO Series

https://cisoseries.com/do-we-have-to-let-the-ciso-sit-with-us/

I guess because it's a pandemic, and we really need them, just this one time, we'll let the CISO hang out at the cool kids' table.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Jadee Hanson (@jadeehanson), CISO, Code42.

Thanks to our podcast sponsor, Code42

Redefine data security standards for the hybrid workforce. Check out Code42.

In this episode:

• Apparently, CIOs have become really hot commodities within the organization
• Do compliance checkboxes to third party surveys provide any security for the supply chain?
• Insider risk should look more at mistakes as well as intentional acts
• The real value of vendor white papers

All links and images for this episode can be found on CISO Series

https://cisoseries.com/why-commute-when-you-can-stay-home-and-be-overworked/

Work from home seemed ideal until you realized you were working at all hours with people all over the world. It would actually be a nice respite to have to commute and leave work at a reasonable hour.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Adam Glick, CISO, Rocket Software.

Thanks to our podcast sponsor, Code42

Redefine data security standards for the hybrid workforce. Check out Code42.

In this episode:

• Work-from-home – the joys and the sorrows
• What do we want the board and C-Suite to know about cybersecurity?
• Are you a cybersecurity or infosec hiring manager? What kind of interview questions do you ask?
• CISOs working with young cybersecurity entrepreneurs

All links and images for this episode can be found on CISO Series

https://cisoseries.com/pushing-this-to-the-top-of-your-inbox-so-you-can-delete-it-again/

We're following up on our previous email because we love to engage in self-defeat. We assume you don't want to hear from me again, but just to make sure, I've delivered another email for you to delete.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Rinki Sethi (@rinkisethi), CISO, Twitter.

Thanks to our podcast sponsor, Sonatype

With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company’s Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code.

In this episode

• It takes a while to hire an awesome cybersecurity team. It takes even more work to keep them.
• Breaches are bad, but handling them badly might be worse
• The unique aspects of work from anywhere security that take time to discover
• More of "what not to do" as a vendor pitching a cybersec prospect

All links and images for this episode can be found on CISO Series

https://cisoseries.com/ok-i-get-it-youre-all-special-snowflakes/

This department manager thinks their data is the most important. But then this department manager thinks their data is the most important. Can there really be so many crown jewels in your company that are all equally important? How's a CISO supposed to prioritize?

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Melody Hildebrandt (@mhil1), executive vp, consumer products and engineering, and CISO, Fox

Thanks to our podcast sponsor, Herjavec Group

Herjavec Group excels in complex, multi-technology environments and keeps enterprise organizations secure with best of breed products and comprehensive service offerings. With 5 global Security Operations Centers, emerging technology partners, and a dedicated team of security specialists, we are well-positioned to be your organization’s trusted advisor in cybersecurity. Let’s connect!

On this week's episode

Hey, you're a CISO, what's your take?

Recently, we did a Friday video chat on "Hacking the Crown Jewels" where we talked about what's really important, where it resides, and who's accessing it and when. One of the questions that came up from consultant Ian Poynter was how do you handle the conflicts from the different department leaders as to what the crown jewels are? And Jakub Kaluzny of SecuRing asked, "What's harder, identifying your crown jewels, or protecting them?"

Can you change Mike's mind?

Our guest, Melody Hildebrandt mentioned that as of recently she was in a pro-vendor mood Only three months into the year she has taken more new vendor meetings than in all of 2020. What changed? And can she convince Mike to do the same?

"What's Worse?!"

As always, this will be a surprise on the show. And no one will like the options.

If you haven’t made this mistake, you’re not in security

Even if you've configured your email security platform correctly, you can still fail early and often as our guest Melody discovered. But she actually published her findings on Tech Insiders, along with Paul Cheesbrough. Examples she provided included email account compromises that resulted in full evasion of standard email defenses. And given that her business is often an early target for new attacks, protection through threat analysis has become essentially useless. Her solution for enterprise email is to adopt an API-based solution instead of gateways, along with deep machine learning, and continuous protection of email rather than initial scanning and approval. Let's look at how difficult this shift was and how Melody is managing it.

There’s got to be a better way to handle this

On Twitter I asked, "Since security people don’t get applause when nothing happens, how do you let the rest of the company know how well the security team is doing?" One mentioned a slide on reports that says "X days without a breach" others suggested showing improvements to metrics like vulnerability and mean time to response. So what do we say to the whole company, not just the board?

All links and images for this episode can be found on CISO Series

https://cisoseries.com/what-to-expect-when-youre-expecting-a-network-breach/

Are you expecting a little intrusion into your network any day now? You better be prepared. Are there some vulnerabilities you should have managed, but didn't? Don't worry, first time security professionals are always scared about their first incident.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Scott Kuffer, co-founder and COO, Nucleus Security

Thanks to our podcast sponsor, Nucleus Security

Nucleus unifies your existing security stack, integrating with over 70 scanners and external tools, creating a centralized hub to control the chaos of vulnerability analysis, triage, and remediation. Ready to make the tedious VM process simple through smart automation and workflow optimization? See for yourself at https://nucleussec.com/demo

On this week's episode

There’s got to be a better way to handle this

We constantly hear security leaders talk about "people, process, and technology". Overwhelmingly, most security vendors are selling technology, then after a very steep drop there is the sale to managing people, and then "process" feels like a neglected stepchild. Let's talk about one process change made in the past year that had a significant impact on security posture? AND what is the "process" in security that needs the most help? Is there an opportunity in this area for security vendors or this just a combination of project management and increased automation?

What do you think of this vendor marketing tactic

Are security vendors eating their own dog food? The next time a security vendor pitches you, Chris Roberts of Hillbilly Hit Squad said on LinkedIn, "Ask them if they are using their own systems to protect themselves OR if they’re relying on someone else’s technology to protect their arses." An excellent question and HOW a vendor answers that question is very telling. So, is our sponsored guest using his own product to protect his business?

"What's Worse?!"

Jeremy Kempner, BT Americas offers up two really crappy communications options for Scott and Mike to wrestle with.

Please, Enough. No, More.

This week's topic: Risk-based vulnerability management, which can be defined as prioritizing your vulnerability remediation based on the risk it poses to your organization. What have we heard enough about with risk-based VM and what should we hear more about?

How have you actually pulled this off?

One of the key parts of a successful pentest is the reconnaissance phase where the necessary background information is generated. Let's walk through that process. How much involves planning vs. discovering? It's assumed that a lot of creativity goes into making a successful pentest. What are some of the techniques and information needed to increase success?

All links and images for this episode can be found on CISO Series

https://cisoseries.com/we-recommend-a-know-the-right-people-certification/

There are so many fantastic certifications out there for security professionals. But we've found the one certification that will really help you land the right job really quickly, is to provide proof that you know some people at our company who can vouch for you. Remember, we are a business that operates on trust, not giving people their first chances in cybersecurity.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Jesse Whaley, CISO, Amtrak

Thanks to our podcast sponsor, Adaptive Shield

Adaptive Shield ensures companies gain control over their SaaS app security and prevents the misconfigurations and vulnerabilities that could lead to a leak or breach. Adaptive Shield connects to any app, continuously monitors all configurations, provides a complete picture of the company's SaaS estate, and enables quick remediation of any potential threats.

In this week's episode

Why is everybody talking about this now?

Should cybersecurity professionals fight back rather than block and tackle? former US government cyber security chief Chris Krebs, has called on law enforcement and others to fight back against ransomware attackers. Krebs, suggested posting private information of the hackers, with malicious intent, AKA doxxing. "Hacking back" is dangerous as it's hard to determine the attacker, and you're essentially taking the law into your own hands, but Chris Krebs is recommending this, seeing that ransomware is the biggest threat.

Dan Lohrmann of Security Mentor shared this article from the Financial Times and it drove a lot of debate. We've heard this before, but from someone like Chris Krebs, that's astonishing. What level of fighting back should people be comfortable with?

Are we having communication issues?

"I push back [on vendors] because I want depth and context from first contact," said John Keenan, director of Information Security, at Memorial Hospital at Gulfport. In this post on LinkedIn he said he's annoyed with vendors' generic first outreach and when he declines their response is "Well, I had to give it a shot". If they want a real connection, include "What's In It for Me". A generic response of "I think you'll really like what we've got to show," does not qualify. Let's talk about who has ever received a first (or heck any) contact that did have depth and context and could clearly articulate the "what's in it for you" message.

"What's Worse?!"

This week's challenge is from Nir Rothenberg, CISO, Rapyd.

How have you actually pulled this off?

Hiring in cybersecurity is a bear. As we've discussed before on this show, there's actually plenty of supply and demand in cybersecurity, yet jobs are not getting filled, possibly because of unreasonable requirements. Let's talk about what percentage of all the ideal skills people are willing to accept in a new hire, and situations where someone was hired who didn't possess that must have-skill for the job. ? And also let's look at the most effective training or mentoring technique used to get employees to adopt those skills.

Hey you’re a CISO. What’s your take?

On Twitter, Alyssa Miller AKA @alyssaM_InfoSec asked: "You're the CISO, rank the priority of the following list from a security perspective and explain your reasons:

A. A well-defined vulnerability management program
B. A reliable configuration management database/Asset Inventory
C. A comprehensive metrics and reporting practice.

A slight majority voted BAC or asset management, vulnerability management, then metrics. But there was plenty of disagreement. Let's look at that.

All links and images for this episode can be found on CISO Series

https://cisoseries.com/my-backup-plan-is-hoping-my-cloud-provider-has-a-backup-plan/

I think maybe I should check to see if we paid for cloud backup protection. Or maybe, we're doing it. Who knows?

This episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest this week is Ty Sbano (@tysbano), chief security and trust officer, Sisense

Thanks to our podcast sponsor, Adaptive Shield

Adaptive Shield ensures companies gain control over their SaaS app security and prevents the misconfigurations and vulnerabilities that could lead to a leak or breach. Adaptive Shield connects to any app, continuously monitors all configurations, provides a complete picture of the company's SaaS estate, and enables quick remediation of any potential threats.

On this week's episode

Why is everybody talking about this now?

Is your cloud service provider backing up your data, or should you be doing that? Many users of OVHcloud realized they should have been doing it because they didn't realize what they had bought. OVH suffered a fire that destroyed one of its data centers making some of the customer data unrecoverable. They had backup of some services, but no backups of other data. As of now, OVH is backing up all customer data for free, but this speaks to a big problem with trusting cloud providers, noted Enrico Signoretti of GigaOm in a post on LinkedIn. Did you pay for backups? How are they being provided? Where physically are they? And how often do you test restoring? Everyone knows they should do this, but how often is it actually being done?

Someone has a question on the AskNetSec subreddit

On the AskNetSec subreddit, the question was asked, "What's the advantage of reporting bugs to official sources over brokers?" Some really good pro and con discussions of both ranged from brokers usually pay more, to going straight to the source seems "the right thing to do." But there were so many variances that it wasn't that cut and dry. As a bug bounty hunter, if you find a significant bug, where should you go first? 

"What's Worse?!"

Rick Woodward from Gibbs & Cox asks, "which kind of dishonesty is the worst?"

Hey you’re a CISO, what’s your take?

Another redditor on the AskNetSec subreddit asks, what kinds of questions should the interviewee ask about a company's environment so they know they're not walking into a giant mess? There were a ton of good suggested questions in the thread. If you could only ask three, which three would you ask that would give you the most information about both the stability and challenge of the security environment?

What would you advise?

Ross Young asked, I want to be a board advisor, how am I going to be paid? How much effort do I want to spend on this? What compensation should I expect? What do companies expect a CISO as an advisor to do? You both are advisors, so what's your experience, advice, and what have you heard from others?

All links and images for this episode can be found on CISO Series

https://cisoseries.com/patches-yes-we-need-stinkin-patches/

There was a time we could trust a patch, but now our adversaries are actually looking at the patches to find even more vulnerabilities. And we keep patching those as well. Our patches' patches need patches. When does it stop?!

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Travis Hoyt (@travisehoyt), managing director, exec cybersecurity technology, TIAA

Thanks to our podcast sponsor, Adaptive Shield

Adaptive Shield ensures companies gain control over their SaaS app security and prevents the misconfigurations and vulnerabilities that could lead to a leak or breach. Adaptive Shield connects to any app, continuously monitors all configurations, provides a complete picture of the company's SaaS estate, and enables quick remediation of any potential threats.

On this week's episode

What’s the best way to handle this

The vulnerability landscape is changing, according to a new report from Rapid7. One issue, as Rob Lemos of DarkReading reports, is that you can't necessarily trust patches. They're often incomplete, and attackers look at existing patches as an opportunity to find more flaws, which they do. And the threats come from different angles: they're widespread, targeted, often using a zero-day, and there are other vulnerabilities that are impending threats. It seems that the portion of the threats you know about and can defend against is shrinking, and you're battling more of the unknown. Have you seen similar, and if so how has your security program shifted as a result?

That’s something I would like to avoid

The NSA recently provided guidance on creating a Zero Trust security model. In the piece, the NSA says, "transitioning to a [zero trust] system requires careful planning to avoid weakening the security posture along the way." So what is the NSA talking about? What are common transitioning moves to zero trust that can make you vulnerable?

"What's Worse?!"

Jonathan Waldrop from Insight Global delivers a challenge specifically tailored for Mike.

Please, Enough. No, More.

Let's look at SaaS posture management, or just the ongoing management of potential issues that may come across SaaS platforms - and consider what we have heard enough about with regard to SaaS posture management, and what we would like to hear a lot more about.

Umm is this a good idea

OSINT should go beyond finding out a security practitioner's email and phone number, argued Alyssa Miller of S&P Global Ratings. Alyssa received an email pitch from a vendor offering a gift and she declined. That same vendor then followed up and called her. The vendor was pitching her something that wasn't in her department, that she had no control of, and she couldn't accept gifts because her company is in a heavily regulated market. In summary, Alyssa said if you're going to use OSINT, understand the person's business, their role, and if making such a request would be counterproductive. What types of vendor OSINT tactics work well and what types work poorly?

All links and images for this episode can be found on CISO Series

https://cisoseries.com/i-think-possibly-maybe-weve-solved-diversity-in-cybersecurity/

We're tired of hearing "we're trying" when it comes to the subject of how companies are trying to inject diversity into their organizations. It's a lopsided game and diverse candidates have to make ten times the number of attempts as their non-diverse counterparts.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Jimmy Sanders (@jfireluv), cybersecurity, Netflix DVD. Our guest this week is Jerich Beason (@blanketSec), svp, CISO, Epiq.

Thanks to our podcast sponsor, Living Security

Traditional approaches to security communication are limited to one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely affect long-term behavioral change. This report lays out a four-step plan that CISOs should follow to manage the human risk. It provides design principles for creating transformational security awareness initiatives which will win the hearts and minds of senior executives, employees, the technology organization, and customers.

On this week's episode

How have you actually pulled this off?

As discussed before on this show, being the next CISO at a company that was recently breached can be very lucrative. We've had guests that have very successfully negotiated huge salaries as the post-breach CISO. Are CISOs setting themselves up for far too much responsibility to be seen as a the company's digital savior? What are the responsibilities of a post breach CISO?

Got a better answer than "we're trying?"

Over the years we have interviewed dozens of business owners, security professionals, and hiring managers about diversity. Almost all their answers fall into the following buckets:

1. We're trying but there's no pipeline.
2. We're working with XXX group to improve.
3. Diversity is needed because diversity of thought it needed to create a more secure organization.

No one will admittedly say they're against diversity. Yet systemic racism, sexism, or just boys' clubism in general continues to exist. It appears most of the non-diverse business leaders are being pressured into admitting it's a problem. So they do it, and we even get token hires, but it all comes off as diversity theater and not the business actually making a shift. What is the story of diversity in cybersecurity many people don't get and need to actually be doing, not just giving lip service to?

"What's Worse?!"

Eugene Kogan, CSO at a confidential company sets it up: Who do you want on our side: executives or employees?

And now a listener drops knowledge

"Learn cybersecurity in public," suggests AJ Yawn of ByteChek who recommends joining a training program and then publishing what you've learned on a blog. As AJ explains, "Doing this will help you build relationships & prove to potential employers you’re applying your new knowledge." He concludes with the advice, "Don’t learn in silence." The community responded to AJ's advice. It's great advice, which everyone agreed to in the comments, but why then do so few people actually do it?

There’s got to be a better way to handle this

Zero trust is not a technology that can be purchases as a solution. It's an architecture, methodology, and framework that you have to consciously adopt, noted Stephen Lyons of F5 on a post on LinkedIn. Can solutions already in-house be rejiggered to adopt a zero trust methodology? And if so, what changes would need to be made to existing systems to have a more zero trust environment?

All links and images for this episode can be found on CISO Series

https://cisoseries.com/unnecessary-research-reveals-cisos-hate-cold-calls/

In a study we never actually conducted, our fellow security leaders said unequivocally that there never has been a time they welcome a phone call from someone they don't know trying to book a demo to see a product they have no interest in.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Andy Steingruebl (@asteingruebl), CISO, Pinterest. Our guest this week is Andy Purdy (@andy_purdy), CSO, Huawei

Thanks to our podcast sponsor, Living Security

Traditional approaches to security communication are limited to one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely affect long-term behavioral change.
This report lays out a four-step plan that CISOs should follow to manage the human risk. It provides design principles for creating transformational security awareness initiatives which will win the hearts and minds of senior executives, employees, the technology organization, and customers.

On this week's episode

Here’s some surprising research

As compared to small and medium companies, big enterprises don't appear to trust the big telcos to execute their 5G strategy. This according to new research from Omdia as reported by Iain Morris of Light Reading. When asked, "do you trust a communications service provider, AKA big telco, to execute your security strategy," SMEs overwhelmingly supported the telcos over all other options, and big enterprises didn't. They trusted their own expertise or wanted to lean on a cloud service provider like Amazon or Google. Let's investigate this discrepancy.

If you're not paranoid yet here’s your chance

As if you didn't know it already, get ready for some sobering news about third-party risk: According to a survey by BlueVoyant, as reported by SC Magazine, 80 percent of those surveyed had at least one breach caused by a third party vendor within the past year. Most of those surveyed didn’t monitor third-party suppliers for cyber risk. But, even if they wanted to, it's often a point in time measurement, sometimes only yearly, and organizations have an average of 1409 vendors. UK's National Cyber Security Center puts the focus of securing against third party risk squarely on the development of the software supply chain, and the need for isolation and proven security checks throughout the development process. That may be good advice, but it still seems so overwhelming given the volume and how much you can't control.

"What's Worse?!"

A vulnerability response and incident detection conundrum from Jonathan Waldrop, Insight Global

What’s the best way to handle this

Lessons learned from a big security incident and how these will be applied to the next big security incident.

What do you think of this vendor marketing tactic

Very few, if any, security leaders like cold calls. Yet, even with all the expressed distaste of them, they still exist, and that's probably because they still work, and still deliver significant ROI. But when these companies calculating that ROI, are they calculating all the people they've annoyed? One vendor sales rep who said after searching their CRM for "Do Not Call" there was a slew of vitriol from CISOs screaming to never contact them again. And as we all know, CISOs talk to other CISOs. So if you've angered one CISO sufficiently to never consider you, they've probably told a few friends as well. Let's discuss getting pushed over the edge by a vendor's aggressive sales tactics and what was done to essentially shut them off, including telling others about their actions.

All links and images for this episode can be found on CISO Series

https://cisoseries.com/one-day-youll-grow-up-to-know-less-than-you-do-now

We know so little when we're born. We're just absorbing information. But then we get older, and get the responsibility to secure the computing environment of a large company, we actually see that knowledge we absorbed start slipping away. What we thought we knew of what's in our network is so far afield from reality.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Tomás Maldonado (@tomas_mald), CISO, NFL.

Thanks to our podcast sponsor, Nucleus Security

Nucleus unifies your existing security stack, integrating with over 70 scanners and external tools, creating a centralized hub to control the chaos of vulnerability analysis, triage, and remediation. Ready to make the tedious VM process simple through smart automation and workflow optimization? See for yourself at https://nucleussec.com/demo

It’s time to measure the risk

Outside of security basics and popular controls like SSO, MFA, and password management, what are the most effective means (or security control) to reduce risk? People have been offering some great suggestions on LinkedIn such as reducing attack surface, knowing what you're protecting, education, more conversations about risk, and actually having someone in charge of security and risk. All reduce risk, but what truly gives the biggest bang for the buck in terms of risk reduction?

Are we making this situation better or worse?

When things break, what's the best tactic to remediation? A bigger/better version of the last thing, or critical thinking? Both actually have serious costs associated to them. The first being equipment and maintenance, and the second having the talent that's able to think of unique and innovative soluitons. In a post on LinkedIn, Greg van der Gaast of cmcg argues that bigger walls just result in continued security problems at a more expensive, yet slower rate. He argues many issues could be avoided with critical examination, especially in IT.

It's time to play, "What's Worse?!"

Ross Young asks how badly do you need to measure your security program.

How would you handle this situation?

Our guest, Tomás Maldonado, describes what's unique about being a CISO for the NFL - the specific security concerns that aren't necessarily on the radar at his previous organizations, and the security issues around huge global events like the Super Bowl.

Well that didn’t work out the way we expected

Perception vs. reality in security. On LinkedIn, Ross Young, CISO at Caterpillar Financial Services said, "In April 2018, McAfee published a survey asking 1,400 IT professionals to estimate the number of cloud services in use within their organization. The average response was 31, with only 2% of respondents believing that they had more than 80—yet the real average is 1,935." This supports the great need of asset inventory. There are many instances CISOs have to make an estimate of what they have given the best information. We look at examples of when the reality of a situation was far from the initial perception, and how to manage this.

All links and images for this episode can be found on CISO Series

https://cisoseries.com/would-you-look-at-that-unrealistic-licensing-deal/ 

CISOs know that salespeople want to make the best licensing deal they can possibly get. But unpredictability in the world of cybersecurity makes one-year licensing deals tough, and three-year licensing deals impossible.

This episode is hosted by David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Mark Eggleston, (@meggleston) CISO, Health Partners Plans.

This recording was recorded live in front of a virtual audience at the "SecTalks - Leading with grit in security" virtual conference brought to you by our sponsor, Cobalt.

Thanks to our podcast sponsor, Cobalt

Cobalt offers a faster more effective pentesting solution through its Pentest as a Service (PtaaS) platform. With it, you can schedule a pentest in as little as 24 hours for all kinds of assets. The platform also connects you with a global pool of pentesters called the Cobalt Core, whose skills can match what you need. And instead of sending you a huge PDF that raises more questions you can’t answer, they engage with your team throughout the pentest. Findings can land straight into Jira and GitHub, helping you fix vulnerabilities as soon as they’re discovered. Cobalt makes pentesting easy, quick to deploy, scalable, and simple to remediate.

On this week's episode

Why is everybody talking about this now?

A redditor is struggling and overwhelmed! The person is in school studying, working, and loving cybersecurity, but has completely and utterly failed the foundations course and is on academic probation. The person told their story to the cybersecurity subreddit community, and the support came out in droves. We've seen this before. People hit a major wall professionally and they just reach out to the anonymous masses for support. The story hits a nerve and the community is eager to show encouragement. In fact, just this past week, the New York Times had an article about the unemployment subreddit offering advice and information to those struggling. We'll take a look at this tactic of reaching out for support and guidance through discussion boards.

What do you think of this vendor marketing tactic?

"Pro tip to vendors: don’t claim that you can’t do a one-year licensing deal. You might end up with a zero-year license deal", said Ian Amit, CSO, Cimpress on LinkedIn. We'll look at the art of negotiating a contract with a vendor: What is it ultimately you want? What are you willing to concede on and what must you have? And what are the situations that cause this to change?

It's time to play, "What's Worse?!"

Jason Dance of Greenwich Associates suggests two scenarios that others believe is security, but actually isn't.

If you haven’t made this mistake, you’re not in security

On Twitter, the CISO of Twitter, Rinki Sethi, said, "A career mistake I made, I rolled out a phishing testing program before the company was ready for it. The HR team said it was against the company culture and if I tried a trick like that again, I would be fired. Lesson - communication is important in #cybersecurity." Rinki asked for others' stories of failure. Let's explore a few.

What Is It and Why Do I Care?

For this week's game, the topic is vulnerability management. We look at four pitches from four different vendors. Contestants must first answer what "vulnerability management" is in 25 words or less, and secondly must explain what's unique about their vulnerability management solution. These are based on actual pitches - company names and individual identities are hidden. The winners will be revealed at the end.

All links and images for this episode can be found on CISO Series

https://cisoseries.com/this-is-the-year-im-going-to-lose-weight-and-care-about-security/

Every year I say I'm going to do it. I'm going to get healthy and be much better about securing my digital identity and my data. But then after about two weeks I give up, use the same password across multiple accounts, and eat a pint of Häagen-Dazs.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Dan Walsh, CISO, VillageMD. Our sponsored guest this week is Drew Rose, (@livsecaware)CSO, Living Security

Thanks to our podcast sponsor, Living Security

Traditional approaches to security communication are limited to one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely affect long-term behavioral change.

This report lays out a four-step plan that CISOs should follow to manage the human risk. It provides design principles for creating transformational security awareness initiatives which will win the hearts and minds of senior executives, employees, the technology organization, and customers.

On this week's episode

What would you advise?

Over on the AskNetSec subreddit, a pentester wants out. The redditor is looking for exit opportunities into another job in cybersecurity. Other redditors suggested IT audit, SOC operations, incident response, forensics. What would be an ideal next step for a pentester?

We don’t have much time. What’s your decision?

What happens when a previous employer of yours gets hacked and your information is potentially stolen. This happened to a redditor who asked this question on the cybersecurity subreddit. If nothing has actually happened, what can they do and what can potentially happen? Is a warning of "I may be compromised" to anyone going to do anything?

"What's Worse?!"

Jason Dance of Greenwich Associates delivers a really annoying "What's Worse?!" scenario.

Please, Enough. No, More.

The topic is "Security Awareness Training". David prefaces this with a top finding from a Forrester report that said, "Unless You Capture Hearts And Minds, No Amount Of Training Will Work". So with that said, what have people heard enough about with regard to security awareness training and what would they like to hear a lot more?

Pay attention. It’s security awareness training time

What if security behavior was rated as a performance score, suggested Ashish Paliwal of SONY. In his LinkedIn article, he agreed you can't train yourself to better security. It requires positive reinforcement. He suggested psychometric tests and a scoring system where you would gain points for good security behavior and lose points for bad security behavior (-10 for clicking on a phish, +10 for reporting). Creative ideas that he acknowledges have lots of challenges. The focus here is changing human behavior, possible the hardest feature to implement. What user experience does change behavior? And why would or why wouldn't Ashish's suggestions work?

All links and images for this episode can be found on CISO Series

https://cisoseries.com/please-accept-this-not-a-bribe-gift-as-an-act-of-desperation/

Offering me a gift for a meeting was definitely not Plan A. Or was this a situation that you ran out of creative ideas and it's actually more cost efficient to buy your way into meeting with me?

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is
John Overbaugh, (@johnoverbaugh) vp, security, CareCentrix.

Thanks to our podcast sponsor, Nucleus Security

Nucleus unifies your existing security stack, integrating with over 70 scanners and external tools, creating a centralized hub to control the chaos of vulnerability analysis, triage, and remediation. Ready to make the tedious VM process simple through smart automation and workflow optimization? See for yourself at https://nucleussec.com/demo.

On this week's episode

OK, what’s the risk?

People hear all too often that risk security isn't compliant security and vice versa, but isn't compliance just another form of risk? Shouldn't it be given quantitative and qualitative ratings like any other risk, prioritized, and remediated especially in highly regulated environments?

Why is everyone talking about this now?

On LinkedIn, LinkedIn CISO, Geoff Belknap asked, "Tech Vendors: Please, stop offering cash or gift cards for meetings. It throws into question the entire basis for a relationship and It's not ethical."

Vendors take CISOs out for lunch all the time. That is a form of a gift. One vendor said because they can't take a CISO out they send a Starbucks card in lieu of the coffee they were going to purchase. Then there are the gifts that arrive for attending an event.

Edward Kiledjian at OpenText, said, "I recently had a vendor get upset with me that I wasn't willing to accept his gifts. He said others in my position accept it and he couldn't understand why I was being so 'stubborn.'"

How should this situation be handled and does a CISO's opinion of the vendor change as a result?

"What's Worse?!"

David tried to second guess Mike and was wrong on this bad idea from Jesse Whaley, CISO, Amtrak.

If you haven’t made this mistake you’re not in security

When Zero Day bugs arrive, security flaws just keep perpetuating. Garrett Moreau of Augury IT posted an article from MIT Technology Review about Google's research finding that when patches are released for zero days, they're often incomplete. Hackers can actually find the vulnerability sitting on the next line of code right next to the patched line of code, making it very easy for a hacker to reignite the zero day vulnerability. How can this problem stop perpetuating itself?

Someone has a question on the cybersecurity subreddit

A frustrated redditor eager to learn cybersecurity is getting stuck on CTFs (Capture the Flags ) and is losing the motivation as a result. The person is worried that relying on walkthroughs will be harmful. Responses from the reddit community were that the walkthroughs are there to help people learn, and that most CTFs don't resemble real life. They're there to teach a few tricks. So, is that the case?

All links and images for this episode can be found on CISO Series

https://cisoseries.com/foul-that-interview-question-is-unfair/

Pick a side. You either want your employees to have a work/life balance, or you want them to be obsessed with security 24/7. You can't have both.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Arpita Biswas, (@0sn1s) senior incident response engineer, Databricks

Thanks to our podcast sponsor, StackRox

StackRox is the industry’s first Kubernetes-native security platform that enables organizations to securely build, deploy, and run cloud-native applications anywhere. The StackRox Kubernetes Security Platform delivers lower operational cost, reduced operational risk, and greater developer productivity through a Kubernetes-native approach that supports built-in security across the entire software development lifecycle.

What would you advise?

People speak a lot about the importance of integrating security and DevOps. Now it's time to learn some specifics, like how to energize developers to be more security minded in their development. What works? What hasn't worked?

"What's Worse?!"

You just learned something was breached. Uggh. (Thanks to Mike Toole, Censys)

What’s the best way to handle this ?

What questions should be asked to see if a security team is cloud incident ready? A good article over on F5 by Sara Boddy, Raymond Pompon, and Sander Vinberg, provides some suggestions such as "Can you describe our attack surface and how have you reduced it to the bare minimum?" and "How are we managing access control?" and "What do we do when systems or security controls fail?" Which of the questions is the most revealing to cloud security readiness and why?

Should you ignore this security advice?

On the AskNetSec subreddit someone inquired about a good hiring question. One redditor suggested asking "What do you do on your own home network with respect to security?" to which another redditor argued that the question was unfair. He left the security and networking for work. He had other hobbies and interests for home life. Another person said, yes it is unfair, but there are plenty of candidates who do breathe security 24/7 and if given a choice, the redditor would take that person. The politically correct thing to say is you want the person with the work-life balance, but wouldn't we be more impressed with the person who has security in their blood day and night?

Close your eyes and visualize the perfect engagement

Another question on AskNetSec subreddit asked "What are the most important skills you see missing among other coworkers or your team?" The two most common answers I saw on the thread were communications and critical thinking. Are these correct. or should something else go there? ? And if those two did improve, what would be the resulting effect to a company's security program?

All links and images for this episode can be found on CISO Series

(https://cisoseries.com/why-do-we-fire-the-ciso-tradition/)

Yes, firing the CISO probably won't solve our security issues. But our community has a multi-generational heritage of relying on scapegoats to make them feel good about their decisions.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Kirsten Davies (@kirstendiva), CISO, Estee Lauder Companies.

Thanks to our podcast sponsor, Kenna Security

With Kenna Security, companies efficiently manage the right level of risk for their business. Our Modern Vulnerability Management model eliminates the friction between Security and IT teams about what to patch, providing clear prioritization based on real-time threat intelligence and guidance applied to each customer’s unique environment across infrastructure, applications and IoT.

Why is everybody talking about this now?

On the AskNetSec subreddit one redditor asked, "Why do people always get fired over a breach?" to which one responded, like many others, "it’s just tradition. Military, government, corporations. It’s an old-fashioned thing really, but a lot of people still believe a 'blood sacrifice' is required to restore faith from the public or the shareholders." How tenable is it to keep doing this with so many breaches? After a breach what are the different actions needed to appease shareholders, executives, employees, and customers? And when is blood letting warranted?

How to become a CISO

Over on the CISOseries subreddit, a hopefully soon-to-be-CISO asked, "What should I ask before being a CISO at a startup?" This startup is pre-IPO. 2000 employees. About $1B in valuation. The redditor is looking for advice beyond asking what's the current security strategy and what the reporting structure would look like. What would you want to ask in such a situation?

"What's Worse?!"

Probably the ultimate "What's Worse?!" scenario.

Hey you’re a CISO. What’s your take?

On LinkedIn, Kris Rides asked, "If you can only do one thing to retain your staff what would that be?" What have you done and has any of your staff let you know that certain actions you took meant a lot to them. According to research from leadership consulting firm DDI, 57 percent of employees who walk out the door, do so because they can't stand their boss. For that reason, the pressure is heavily on the CISO to make sure they're well-liked by their staff.

There’s got to be a better way to handle this

Can you think of a moment you had to make a significant shift in your security program? What did you do and why? Was there a specific event that triggered it?

All links and images for this episode can be found on CISO Series

(https://cisoseries.com/click-this-link-to-fail-a-phishing-test/)

Our phishing tests are designed to make you feel bad about yourself for clicking a link. We're starting to realize these tests are revealing how insensitive we are towards our employees.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Yaron Levi, (@0xL3v1) former CISO, Blue Cross Blue Shield of Kansas City.

Thanks to this week’s podcast sponsor, Stackrox

StackRox is the industry’s first Kubernetes-native security platform that enables organizations to securely build, deploy, and run cloud-native applications anywhere. The StackRox Kubernetes Security Platform delivers lower operational cost, reduced operational risk, and greater developer productivity through a Kubernetes-native approach that supports built-in security across the entire software development lifecycle.

Is this a cybersecurity disinformation campaign?

On reddit, an explosive discussion formed around a ComputerWeekly.com article by Saj Huq of Plexal about the importance of making disinformation a security issue. The problem though has primarily fallen into the hands of social media companies mostly because that's where disinformation spreads. While we've seen disinformation being used as a political tool, for businesses, it can tarnish your corporate brand, consumer trust, and ultimately the value of your product. It's also used in phishing campaigns. Breaches are compromising your data. Disinformation is questioning the validity and value of data without even stealing it. How do you combat that?

Are we having communication issues?

We're recording this episode shortly after GoDaddy sent its infamous phishing test email that promised employees a $650 bonus check. Those who clicked on the email were rewarded with additional security training. It took the entire Internet to point out how insensitive this was, GoDaddy's response was "We understand some employees were upset by the phishing attempt and felt it was insensitive, for which we have apologized." They argued that while it may be insensitive, these types of well-timed phishing emails do happen. A lot of people do not like phishing tests and Yaron has proven that if creative enough, anyone can fall for a phish. How can the company and security be more sensitive to employees, respect them, while also letting them know they may receive a malicious email just like this?

"What's Worse?!"

An international What's Worse conundrum.

How do you go about discovering new security solutions?

Julia Wool, Evolve Security said, "I just finished a Splunk course and wanted to explore other SIEM platforms and I am having a difficult time understanding how an enterprise should choose a vendor in this space. I couldn't imagine being the guy at an enterprise that has to consider all these different vendors that seem to be doing the same thing." Julia brings up a really good concern: If you were completely green, didn't have CISO connections, and were going to choose a SIEM for the first time how would you go about determining your needs and then researching and deciding? What sources would you use? And how do you limit this effort so you're not overwhelmed?

There’s got to be a better way to handle this

Brian Fanny, Orbita, asks, "Vendor scope can change over time within a project or the start of another and harder to control than the initial evaluations. They start off when non-critical requirements/needs eventually grow into handing assets of greater value and/or gaining access to more critical systems. How do you keep up with vendor/project scope creep from the security sidelines?"

All links and images for this episode can be found on CISO Series https://cisoseries.com/our-hope-it-doesnt-happen-to-me-security-strategy/ 

We're thinking it just might be possible to wish our security problems away.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Steve Giguere, (@_SteveGiguere_) director of solution architecture and community, StackRox.

Thanks to this week’s podcast sponsor, Stackrox

StackRox is the industry’s first Kubernetes-native security platform that enables organizations to securely build, deploy, and run cloud-native applications anywhere. The StackRox Kubernetes Security Platform delivers lower operational cost, reduced operational risk, and greater developer productivity through a Kubernetes-native approach that supports built-in security across the entire software development lifecycle.

On this week's episode

That’s something I would like to avoid

Security theater is a security placebo. We're being told that it's effective, and we may fool ourselves into believing it is, but the reality is there's no real security medicine there. Over on Infosecurity Magazine, Danny Bradbury has identified a few key ones I want to call out. In particular, technology buzzwords - like getting a solution with AI, data collection - more data, more insights, right?, and endless security alerts - for practitioners and end users. All of these seem to be in regular practice today. Does calling out security theater result in pushback? And if so, how do you handle calling it out and how would you shift each of these security placebos into a more medicated version?

There’s got to be a better way to handle this

On reddit, kautica0 asks, "If a company becomes aware of a 0-day vulnerability and it impacts their production web application serving customers, what actions should be taken? Should it even be considered an incident?"

Just because it's a 0-day vulnerability does that make it more threatening than any of the known vulnerabilities? There was a lot of logical advice that was akin to how we would handle any vulnerability, but the 0-day nature had the looming feeling of this could be an incident very quickly and would require an incident response plan.

"What's Worse?!"

A "What's Worse?!" entry from our youngest listener.

Please, enough. No, more.

The topic is Kubernetes Security. We discuss what we have heard enough about when it comes to Kubernetes security and what we would like to hear more.

Where does a CISO begin

Is being cloud first a security strategy? Over on the UK's National Cyber Security Centre, an article argues that we should not ask if the cloud is secure, but whether it is being used securely. What does that mean? And is there an argument for and against cloud first being a valid security strategy?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/hey-reseller-whats-the-value-youre-adding/)

It seems that you're offering so much more when you add the VA ("value added") in front of your title. What is that? Why am I working with you rather than buying directly from the vendor?

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Doug Cahill (@dougcahill), vp, and group director, cybersecurity, Enterprise Strategy Group.

Thanks to this week’s podcast sponsor, Dtex

Traditional Employee Monitoring solutions are creepy. Capturing screenshots, recording keystrokes, monitoring web browsing and following social media activities is unnecessary and damages culture. DTEX InTERCEPT is the first and only solution that delivers the real-time workforce monitoring capabilities today’s organizations need and employees will embrace. Learn more at dtexsystems.com.