CISO Series Podcast

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Martin Mazor, vp and CISO, onsemi. In this episode: Has the shine worn off the cybersecurity promise of MFA? Why are threat actors increasingly finding ways to get around it? Given the high profile attacks we've seen getting around MFA, how much security stock should we put into it going forward? Thanks to our podcast sponsor, Material Security Material Security is a multi-layered email threat detection & response toolkit designed to stop attacks and reduce the threat surface across all of Microsoft 365 and Google Workspace. Learn more at material.security.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is our guest, TC Niedzialkowski, CISO, Nextdoor. In this episode: Has the line between work and personal devices blurred? Why are we seeing signs that that line no longer exists for employees? What is the path of cybersecurity to keep company data secured when its continually commingling with personal devices? Thanks to our podcast sponsors, Eclypsium and Normalyze Eclypsium is helping enterprises and government agencies mitigate risks to their infrastructure from complex technology supply chains. Our cloud-based and on-premises platform provides digital supply chain security for software, firmware and hardware in enterprise infrastructure. Get started today at eclypsium.com/spark Where is my data? Is it sensitive? Who has access to the data? What are the risks? What is the cost of exposure? Am I compliant now? Enter Normalyze. Normalyze's agentless, machine-learning scanning platform continuously discovers sensitive data, resources, and access paths in all cloud environments. Learn more.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our sponsored guest, Aaron Shaha, CISO, CyberMaxx. In this episode: Is technical debt an inevitability in any organization? How do you go about "paying it down?" How do you decide when you need a systematic refresh and when can you kick the can down the road a little longer? Thanks to our podcast sponsor, CyberMaxx CyberMaxx offers MaxxMDR, our next-generation managed detection and response (MDR) solution that helps customers assess, monitor, and manage their cyber risks. MaxxMDR fuels defensive capabilities with insights from offensive security, DFIR, and threat hunting, on top of a technology-agnostic deployment model. We think like an adversary but defend like a guardian.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is my guest, Thom Langford, CISO, Velonetic. In this episode: Why do lots of businesses pledge to never pay ransomware demands? And why do their priorities quickly change when they need to get the business back to normal after an attack occurs? What good is a pledge like that without the infrastructure and organizational commitment to make it possible? Thanks to our podcast sponsor, CyberMaxx CyberMaxx offers MaxxMDR, our next-generation managed detection and response (MDR) solution that helps customers assess, monitor, and manage their cyber risks. MaxxMDR fuels defensive capabilities with insights from offensive security, DFIR, and threat hunting, on top of a technology-agnostic deployment model. We think like an adversary but defend like a guardian.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our sponsored guest, Matt Radolec, vp, incident response and cloud operations, Varonis. In this episode: Why is retaining cyber talent so hard? How can organizations keep an employee from going elsewhere? Why do organizations often not prioritize the factors to keep key employees? Thanks to our podcast sponsor, Varonis Ready to reduce your risk without taking any? Try Varonis' free data risk assessment. It takes minutes to set up and in 24 hours you'll have a clear, risk-based view of the data that matters most and a clear path to automated remediation. Get started for free today.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Joshua Brown, vp and global CISO, H&R Block. In this episode: Why is retaining cyber talent so hard? How can organizations keep an employee from going elsewhere? Why do organizations often not prioritize the factors to keep key employees? Thanks to our podcast sponsor, CyberMaxx CyberMaxx offers MaxxMDR, our next-generation managed detection and response (MDR) solution that helps customers assess, monitor, and manage their cyber risks. MaxxMDR fuels defensive capabilities with insights from offensive security, DFIR, and threat hunting, on top of a technology-agnostic deployment model. We think like an adversary but defend like a guardian.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Alex Green, CISO, Delta Dental. In this episode: Is it true that employees cause as many significant cybersecurity incidents as outside threat actors? Does this come down to a lack of awareness or poorly designed security implementation? And what can we do to improve this situation? Thanks to our podcast sponsor, Silk Security Silk makes it easy for security teams to resolve more critical cyber risks in a fraction of the time. Instead of toiling over spreadsheets, and watching alert backlog graphs go up, Silk helps security teams contextualize, prioritize and collaborate with stakeholders in IT to regain control over their risk posture.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Shawn Bowen, svp and CISO, World Kinect Corporation. In this episode: Is it true that CISOs feel their jobs are harder than ever with higher levels of stress? Yet why does research also show that CISO job satisfaction increasing? How do we make sense of this contradiction? Thanks to our podcast sponsor, Silk Security Silk makes it easy for security teams to resolve more critical cyber risks in a fraction of the time. Instead of toiling over spreadsheets, and watching alert backlog graphs go up, Silk helps security teams contextualize, prioritize and collaborate with stakeholders in IT to regain control over their risk posture.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our sponsored guest, Nadav Lotan, product management team leader, Cisco. In this episode: How can security teams do their jobs without seeming like an impediment to developers? Why can this relationship seem oppositional? How can both sides work together to better secure software without seeming like a road block? Thanks to our podcast sponsor, Panoptica, Cisco's Cloud Application Security Platform Panoptica, Cisco's Cloud Application Security solution, provides end-to-end lifecycle protection for cloud native application environments. It empowers organizations to safeguard their APIs, serverless functions, containers, and Kubernetes environments. Panoptica ensures comprehensive cloud security, compliance, and monitoring at scale, offering deep visibility, contextual risk assessments, and actionable remediation insights for all your cloud assets.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest, Jamil Farshchi, evp and CISO, Equifax. In this episode: Data leaks are hard enough to deal with when caused by threat actors, but how bad is a self-inflicted data leak? Why do these types of incidents happen? How should an organization assess the risk it introduced? Thanks to our podcast sponsor, Varonis Ready to reduce your risk without taking any? Try Varonis' free data risk assessment. It takes minutes to set up and in 24 hours you'll have a clear, risk-based view of the data that matters most and a clear path to automated remediation. Get started for free today.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our sponsored guest, Yoav Nathaniel, co-founder and CEO, Silk Security. In this episode: Why does it seem like securing APIs is so hard? Is it just a matter of complexity? Why does it seem like we can't go a week without hearing reports of a data leak caused by a failure in API security? Why do organizations struggle with API security? Thanks to our podcast sponsor, Silk Silk makes it easy for security teams to resolve more critical cyber risks in a fraction of the time. Instead of toiling over spreadsheets, and watching alert backlog graphs go up, Silk helps security teams contextualize, prioritize and collaborate with stakeholders in IT to regain control over their risk posture.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our sponsored guest, Jay Trinckes, director of compliance, Thoropass. In this episode: Why do credential stuffing attacks put organizations in such a tricky spot? Why is blaming the victim rarely the right move? What kind of reasonable expectations can companies have about how much users will do to protect themselves? Thanks to our podcast sponsor, Thoropass Still spending time collecting evidence and worrying about breaking free of an infinite audit loop? Relax! We fixed audits. Thoropass provides complete infosec compliance management, continuous monitoring, and security audits through AI-infused software and expert guidance – allowing you to do business with confidence. Learn more at www.thoropass.com.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest Kelly Haydu, vp, infosec, technology, and enterprise applications, CarGurus. In this episode: What other career fields are rife with talent that could successfully transition into our industry? What kind of framework do we need to surface a more diverse array of talent? Also, what happens when a vendor goes over your head to the CEO? Thanks to our podcast sponsor, Panoptica, Cisco's Cloud Application Security Platform Panoptica, Cisco's Cloud Application Security solution, provides end-to-end lifecycle protection for cloud native application environments. It empowers organizations to safeguard their APIs, serverless functions, containers, and Kubernetes environments. Panoptica ensures comprehensive cloud security, compliance, and monitoring at scale, offering deep visibility, contextual risk assessments, and actionable remediation insights for all your cloud assets.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Grant Anthony, CISO, Orion Health. In this episode: Why getting buy-in to your security awareness program is so critical? Why do so many organizations get it so wrong? What framework can we apply to actually build trust with security awareness? Thanks to our podcast sponsors, Varonis Ready to reduce your risk without taking any? Try Varonis' free data risk assessment. It takes minutes to set up and in 24 hours you'll have a clear, risk-based view of the data that matters most and a clear path to automated remediation. Get started for free today.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Brett Conlon, CISO, American Century Investments. Joining me is our guest, Mical Solomon, CISO, Port Authority of NY and NJ. In this episode: Does the hype around generative AI tools make it seem like these are a totally new technological challenge for cybersecurity? Are many of the challenges with securing them the same that we've seen from the rise of SaaS and proliferation of shadow IT? What lessons from that transition can we apply to AI? Thanks to our podcast sponsors, Living Security & KnowBe4 Living Security is the global leader in human risk management. Our HRM platform Unify transforms human risk into proactive defense by quantifying human risk and engaging the workforce with relevant training and communications proven to change human behavior. Living Security is trusted by security-minded organizations, including Mastercard, Verizon, Biogen, AmerisourceBergen, and Hewlett-Packard. Learn more at www.livingsecurity.com. KnowBe4's SecurityCoach enables real-time security coaching of your users in response to risky behavior. Based on the rules in your existing security software stack, you can configure your real-time coaching campaign to determine the frequency and type of SecurityTip that is sent to users at the moment risky behavior is detected.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest, Shyama Rose, CISO and head of IT, Affirm. In this episode: What is the impact of burnout to your security team directly? Does burnout directly play a role in how an organization can respond to security incidents.? All jobs involve dealing with stress, but what should we consider normal in cybersecurity? And when does that stress endanger your security mission? Thanks to our podcast sponsors, Panoptica, Cisco's Cloud Application Security Platform Panoptica, Cisco's Cloud Application Security solution, provides end-to-end lifecycle protection for cloud native application environments. It empowers organizations to safeguard their APIs, serverless functions, containers, and Kubernetes environments. Panoptica ensures comprehensive cloud security, compliance, and monitoring at scale, offering deep visibility, contextual risk assessments, and actionable remediation insights for all your cloud assets.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Trina Ford, CISO, iHeartMedia. In this episode: Why has the landscape for CISOs seemed particularly perilous in the past year? Does there seem to be more responsibilities with very real legal consequences attached to the role? There is a lot of guidance out there for CISO candidates negotiating for a new position, but what can a current CISO do once they are already in the role? Thanks to our podcast sponsors, Thoropass Still spending time collecting evidence and worrying about breaking free of an infinite audit loop? Relax! We fixed audits. Thoropass provides complete infosec compliance management, continuous monitoring, and security audits through AI-infused software and expert guidance – allowing you to do business with confidence. Learn more at www.thoropass.com.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Bob Schuetter, CISO, Ashland. In this episode: What should a company do when their name is in the press, but they didn't actually suffer a security incident? How much difference is there in responding to a fake data breach versus a real one? How would you handle responding to a fake breach claim? Thanks to our podcast sponsors, Thoropass Still spending time collecting evidence and worrying about breaking free of an infinite audit loop? Relax! We fixed audits. Thoropass provides complete infosec compliance management, continuous monitoring, and security audits through AI-infused software and expert guidance – allowing you to do business with confidence. Learn more at www.thoropass.com.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Billy Norwood, CISO, FFF Enterprises. Joining us is our guest, Joshua Barons, head of information security at San Diego Zoo Wildlife Alliance. In this episode: Wasn't single sign-on supposed to solve all of our security woes? So why are we still seeing everything from phishing to session hijacking with SSO? Is this just growing pains for SSO or does this hint at a persistent problem? Thanks to our podcast sponsors, Praetorian Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest this week, Mike Kelley, CISO, EW Scrips. In this episode: Why do a lot of security professionals feel unheard? Does this frustration lead to some turning into scolds during a security incident, quick to say "I told you so"? How do you manage these security pros when they don't feel heard, both before and during a crisis? Thanks to our podcast sponsors, Praetorian Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Richard Ford, CTO, Praetorian. In this episode: Why do many CISOs think adopting new LLM-based tools will make breaches more likely? Why the rush to throw money at them? How do you go about building a security program that doesn't depend on individuals? Thanks to our podcast sponsors, Praetorian Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest, Suresh Vasudevan, CEO, Sysdig. In this episode: What will the employment landscape look like with Generative AI becoming the next big thing? Will we be hiring prompt engineers in a few years? Or will it become like putting "search engine proficiency" on your resume? Thanks to our podcast sponsors, Sysdig For businesses innovating in the cloud, every second counts. Sysdig strengthens cyber resilience by reducing the attack surface, detecting threats in real time, and accelerating incident response. Our platform correlates signals across cloud workloads, identities, and services to enable businesses to prioritize risks and act decisively. Sysdig. Secure every second.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and sponsored co-host Jason Sabin, CTO, DigiCert. Joining us is our guest, Alexandra Landegger, executive director of security, Collins Aerospace. In this episode: Are CISOs prepared for the legal surprises that can come in the aftermath of a cyberattack? What about the legal fallout that can occur afterward? How does a security team work with legal beforehand to address these issues when drawing up incident response? Thanks to our podcast sponsors, DigiCert DigiCert is a leading global provider of digital trust, the infrastructure that enables individuals and businesses to have confidence that their digital interactions are secure. DigiCert's award-winning solutions enable organizations to establish, manage, and extend public and private trust across their digital footprint, securing users, servers, devices, software and content.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest, Kurt Sauer, CISO, Docusign. We recorded in front of a live audience at Microsoft's offices in Mountain View, CA as part of the ISSA-Silicon Valley chapter meeting. Check out all the photos from the event. In this episode: Is a high profile cyberattack the best time for salespeople to come out of the woodwork asking if the affected CISO would like to see their product, which would have helped prevent the attack? Is there any way for a vendor to positively reach out to victims after a cyberattack? Also, what could be some effective ways to invest IP with generative AI to create value for the organization? Thanks to our podcast sponsors, Veza, Sysdig, and SlashNext 75% of breaches happen because of bad permissions. The problem is that you don't know exactly WHO has access to WHAT data in your environment. For example, roles labeled as "read-only" can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission—in every app—across your environment. For businesses innovating in the cloud, every second counts. Sysdig strengthens cyber resilience by reducing the attack surface, detecting threats in real time, and accelerating incident response. Our platform correlates signals across cloud workloads, identities, and services to enable businesses to prioritize risks and act decisively. Sysdig. Secure every second. SlashNext Complete delivers zero-hour protection for how people work today across email, mobile, and browser apps. With SlashNext's generative AI to defend against advanced business email compromise, smishing, spear phishing, executive impersonation, and financial fraud, your people are always protected anywhere they work. Request a demo today.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Arvin Bansal, former CISO for Nissan Americas. In this episode: Why are so many companies unprepared for phone-based social engineering? Why do many orgs not give this attack surface the attention it deserves? Are we doing enough to support whistleblowers in cybersecurity? Thanks to our podcast sponsor, Palo Alto Networks As cloud attacks increase, how should AppSec respond? Hear from Daniel Krivelevich, CTO of AppSec at Palo Alto Networks, as he dives into modern application security strategies that can help teams defend their engineering ecosystems from modern attacks. Watch now to level up your AppSec program.

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Adam Zoller, svp, CISO at Providence. Joining me is our guest Sam Jacques, vp of clinical engineering, McLaren Health Care. In this episode: When should cybersecurity be brought into the discussion when a merger is underway? Why is security always going to be an issue in a merger or acquisition? If we know it's so important, why does it always feel like we're reinventing the wheel each time? Thanks to our podcast sponsor, Claroty Claroty enables varied sectors to protect their cyber-physical systems, known as the Extended IoT. The platform integrates seamlessly, offering comprehensive controls for visibility, risk management, network protection, and more. Trusted by global leaders, Claroty operates in hundreds of organizations worldwide. Headquartered in NYC, it spans Europe, Asia-Pacific, and Latin America.

All links and images for this episode can be found on CISO Series. In principle, we can generally all agree that security theater is a waste of time for security teams. But the reality is that these are things that look good, so it can be hard to justify to non-technical leadership why you're eliminating something they see as secure. So how can we positively identify actual security theater practices and how do we communicate that to the rest of the organization? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Davi Ottenheimer, vp of trust and digital ethics, Inrupt. Thanks to our podcast sponsor, Sysdig For businesses innovating in the cloud, every second counts. Sysdig strengthens cyber resilience by reducing the attack surface, detecting threats in real time, and accelerating incident response. Our platform correlates signals across cloud workloads, identities, and services to enable businesses to prioritize risks and act decisively. Sysdig. Secure every second. In this episode: Is security theater a waste of time for security teams? Why can it be hard to justify to non-technical leadership why you're eliminating something they see as secure? How can we positively identify actual security theater practices and how do we communicate that to the rest of the organization?

All links and images for this episode can be found on CISO Series. Usually the buck stops with the CEO. But for a CISO, what do you do when a CEO wants to exempt themselves from your security program? Whether it's granting privileged network access or just ignoring protocols, it can put a CISO in a tough spot. So how do you deal with a leader that thinks they're above the controls you have in place? Is it enough to document your disagreement or is there anything else you can do in that position? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and John C. Underwood, VP, information security, Big 5 Sporting Goods. Joining me is our guest, Joshua Scott, Head of Security and IT, Postman. Thanks to our podcast sponsor, Veza 75% of breaches happen because of bad permissions. The problem is that you don't know exactly WHO has access to WHAT data in your environment. For example, roles labeled as "read-only" can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission—in every app—across your environment. In this episode: For a CISO, what do you do when a CEO wants to exempt themselves from your security program? How do you deal with a leader that thinks they're above the controls you have in place? Is it enough to document your disagreement or is there anything else you can do in that position?

All links and images for this episode can be found on CISO Series. When it comes to security awareness, the advice generally doesn't change. There are a set of best practices that have proven to be effective. So we know what we want to tell people. Communicate it consistently. So how do we relay that information without sounding like a broken record? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Steve Zalewski. Joining us is our sponsored guest, Daniel Krivelevich, CTO for Appsec, Palo Alto Networks. Thanks to our podcast sponsor, Palo Alto Networks As cloud attacks increase, how should AppSec respond? Hear from Daniel Krivelevich, CTO of AppSec at Palo Alto Networks, as he dives into modern application security strategies that can help teams defend their engineering ecosystems from modern attacks. Watch now to level up your AppSec program. In this episode: What security measures have been the most successful in preventing cyberattacks? What do we need to better understand about misconfigurations to better secure the cloud? How do we relay this information without sounding like a broken record?

All links and images for this episode can be found on CISO Series. Organizations know that securing SaaS is vital. But polls consistently show they also know their current security isn't cutting it. With security teams acting more as SaaS supervisors than app owners, how can we reduce the glaring gaps in our SaaS defenses? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our sponsored guest, Rohan Sathe, co-founder and CTO, Nightfall AI. Thanks to our podcast sponsor, Nightfall Nightfall is the leader in cloud data leak prevention. Integrate in minutes with cloud apps such as Slack and Jira to instantly protect data (PII, PHI, Secrets and Keys, PCI) and prevent breaches. Stay compliant with frameworks such as ISO 27001 and more — all powered by Nightfall's industry-leading ML detection. In this episode: With security teams acting more as SaaS supervisors than app owners, how can we reduce the glaring gaps in our SaaS defenses? How can we secure new technology without creating new risks? If security no longer owns SaaS security, then how can they go about closing these gaps?

All links and images for this episode can be found on CISO Series. If you search online, you'll find no dearth of lists claiming to rank the top security leaders. The question is, how do these actually get created? Most of the time, these lists include CISOs from the biggest companies, or the ones with the best name recognition. But is that any kind of objective criteria? These lists generally serve the interest of boosting the credibility of the publisher, rather than being based on any kind of rigor. Is there any way to make these lists anything but fluff? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Janet Heins, CISO, iHeartMedia. Thanks to our podcast sponsor, LimaCharlie Whether you're looking for endpoint security, an observability pipeline, detection and response rules, or other underlying security capabilities, LimaCharlie's SecOps Cloud Platform helps you build a flexible and scalable security program that can evolve as fast as threat actors. Move your SecOps into the modern era. Learn more at limacharlie.io. In this episode: If you search online, you'll find no dearth of lists claiming to rank the top security leaders. The question is, how do these actually get created? Is there any kind of objective criteria? Is there any way to make these lists anything but fluff?

All links and images for this episode can be found on CISO Series. CISOs are common among the Fortune 500. But it remains rare to see them listed in executive leadership. Given that every company says security is of prime importance, why aren't CISOs named within the top company echelons? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Allan Cockriel, CISO of Shell. Joining us is our special guest, Mary Rose Martinez, CISO, Marathon Petroleum. Thanks to our podcast sponsor, Censys Censys is the leading Internet Intelligence Platform for Threat Hunting and Exposure Management. We provide the most comprehensive, accurate, and up-to-date map of the internet, which scans 45x more services than the nearest competitor across the world's largest certificate database (>10B). Learn more at www.censys.com. In this episode: Given that every company says security is of prime importance, why aren't CISOs named within the top company echelons? Can you think of a security action that did work at one organization that simply wouldn't work in another because of the culture? When it comes to communicating bad news to the board and c-suite, what techniques have worked the best?

All links and images for this episode can be found on CISO Series. We've heard a lot of talk about the security risks with emerging AI technologies. A lot of these center around employees using large language models. But what about the potential benefits of this technology for cybersecurity? Could we eventually see a de facto AI CISO on the job? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Rob Duhart, deputy CISO, Walmart. Joining us is our special guest, Aaron Hughes, CISO, Albertsons. Thanks to our podcast sponsor, KnowBe4 In this episode: What are the potential benefits of A.I. for cybersecurity? Could we eventually see a de facto AI CISO on the job? How does neurodiversity improve awareness in your security program? Where have you taken advantage of AI for your security program? And specifically so you can do your job better as a CISO, where does AI deliver opportunities?

All links and images for this episode can be found on CISO Series. In everyday life, it's often clear when to call in the authorities. Someone egging your house might not rise to the occasion, but a break-in gets a call to the cops. It's less clear when it comes to a cyberattack. What constitutes a significant attack and what are the regulatory requirements? Once you make the call, how do they help in your response? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our special guest, David Ring, section chief at FBI, Cyber Division. Thanks to our podcast sponsor, Hunters Hunters SOC Platform is a SIEM alternative, delivering data ingestion, built-in and always up-to-date threat detection, and automating correlation and investigation processes to reduce risk, complexity, and cost for security teams. Learn more at hunters.security. In this episode: What constitutes a significant attack and what are the regulatory requirements? Once you make the call, how do they help in your response? How do you approach "skills-and competency-based" hiring? And are there certain positions for which a 4-year degree is necessary?

All links and images for this episode can be found on CISO Series. Even before the pandemic, we've been increasingly living in online collaboration apps. So why are organizations still making basic security mistakes with them? Is this a case of shadow IT or do these apps present unique challenges? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest, Rich Dandliker, chief strategist, Veza. Thanks to our podcast sponsor, Veza 75% of breaches happen because of bad permissions. The problem is that you don't know exactly WHO has access to WHAT data in your environment. For example, roles labeled as "read-only" can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission—in every app—across your environment. Learn more at Veza.com. In this episode: We've been increasingly living in online collaboration apps. So why are organizations still making basic security mistakes with them? Is this a case of shadow IT or do these apps present unique challenges? Startups are by nature a risky business, most fail. Why do they?

All links and images for this episode can be found on CISO Series. Every company deals with off-boarding employees. Yet it feels like many organizations make basic security mistakes in this process. Is it just a case of HR and IT being out of sync, or is this an inevitably leaky process? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our special guest Lorna Koppel, CISO, Tufts University. Thanks to our podcast sponsor, LimaCharlie Whether you're looking for endpoint security, an observability pipeline, detection and response rules, or other underlying security capabilities, LimaCharlie's SecOps Cloud Platform helps you build a flexible and scalable security program that can evolve as fast as threat actors. Move your SecOps into the modern era. Learn more at limacharlie.io. In this episode: What can a vendor do that will actually make a CISO want to respond to a message? What are we doing right and wrong when it comes to hardening our environments? Do you think organizations are still struggling with hardening their environments and if so, why?

All links and images for this episode can be found on CISO Series. Security vendors want to engage with CISOs. Yet many choose tactics that seem blatantly insulting. It might seem obvious that asking a CISO if they care about security does nothing to ingratiate yourself, but we still have inboxes full of these types of messages. So what can a vendor do that will actually make a CISO want to respond to a message? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our special guest, Jeff Hudesman, CISO, Pinwheel. Thanks to our podcast sponsor, Balbix Balbix is a cyber risk quantification platform that discovers and manages all your cyber assets, identifies and prioritizes vulnerabilities, and delivers a monetary assessment of cyber risk. This enables CISOs to articulate the value of risk to the board and obtain support and budgets for security programs. In this episode: What can a vendor do that will actually make a CISO want to respond to a message? What are we doing right and wrong when it comes to hardening our environments? Do you think organizations are still struggling with hardening their environments and if so, why?

All links and images for this episode can be found on CISO Series. We're seeing increasing recognition that cybersecurity jobs should focus on competency rather than years of experience. But how do you create job posts to encourage that? And how do applicants even show that on a resume? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us for the episode is our special guest TC Niedzialkowski‌, CISO, Nextdoor. Thanks to our podcast sponsor, Reqfast Stop treating your various intelligence and security functions as if they are separate, unrelated activities and, instead, bring them together with Reqfast. Identify what's needed, identify areas for improvement, and make data-driven decisions with confidence. In this episode: Are we finally seeing increasing recognition that cybersecurity jobs should focus on competency rather than years of experience? How do you create job posts to encourage that? How do applicants even show that on a resume?

All links and images for this episode can be found on CISO Series. For some security problems, it can be tough to know when to try to fix the problem yourself or turn to a vendor. Deciding this shouldn't start with talking to someone that wants to sell you something. But how do you determine when it's time to call in a vendor? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us for this episode is our special guest, Katie Ledoux, CISO, Attentive. Thanks to our podcast sponsor, Palo Alto Networks As cloud attacks increase, how should AppSec respond? Hear from Daniel Krivelevich, CTO of AppSec at Palo Alto Networks, as he dives into modern application security strategies that can help teams defend their engineering ecosystems from modern attacks. Watch now to level up your AppSec program. In this episode: Why do many organizations have a problem relating quantification to something meaningful to the business? Is there a way to understand risks on a continuum that will make relating these to business a little more manageable? What are the questions security professionals should be asking themselves?

All links and images for this episode can be found on CISO Series. Shifting Left is so five years ago. Advice and best practices are great, but context is king. Is there a mixture of best practices AND doing what's right for your business that's actually practical? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Steve Zalewski. Joining us for the episode is our sponsored guest Gaurav Banga, CEO, Balbix. Thanks to our podcast sponsor, Balbix Balbix is a cyber risk quantification platform that discovers and manages all your cyber assets, identifies and prioritizes vulnerabilities, and delivers a monetary assessment of cyber risk. This enables CISOs to articulate the value of risk to the board and obtain support and budgets for security programs. In this episode: What are your most successful tactics when talking to the boardroom? Is there a mixture of best practices AND doing what's right for your business that's actually practical? What have you heard enough with automation and what would you like to hear a lot more?

All links and images for this episode can be found on CISO Series. There are so many third party vendors we want to work with, but uggh, their security and privacy is so troublesome. Is it only the security department's job to vet these partners or should everyone have a responsibility of keeping tabs on third party security? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Our guest is Phil Beyer, former head of security, Etsy. Thanks to our podcast sponsor, Balbix Balbix is a cyber risk quantification platform that discovers and manages all your cyber assets, identifies and prioritizes vulnerabilities, and delivers a monetary assessment of cyber risk. This enables CISOs to articulate the value of risk to the board and obtain support and budgets for security programs. In this episode: There are many third party vendors that CISOs & practitioners want to work with, but why is their security and privacy so troublesome? Is it only the security department's job to vet these partners or should everyone have a responsibility of keeping tabs on third party security? What can frontline employees do to manage third-party risk?

All links and images for this episode can be found on CISO Series. Do you know what security categories were created this year? I have no idea. Do you know which ones were deleted? I don't think any. Is category growth designed to make more money for the industry? Does it help customers build a better security strategy? It seems like a necessary evil that just confuses customers. The number of categories never decreases or replaces old categories. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Our sponsored guest is Maxime Lamothe-Brassard (@_maximelb), CEO and co-founder at LimaCharlie. Thanks to our podcast sponsor, LimaCharlie LimaCharlie is inviting you for the unveiling of the SecOps Cloud Platform during a two-hour LinkedIn Live event on Wednesday, July 19th, starting at 10:00am PST. For every registrant, LimaCharlie will be donating $5 to the Internet Archive. Register for the event at limacharlie.io or on the LimaCharlie LinkedIn page. In this episode: Do you know what security categories were created this year? Do you know which ones were deleted? Is category growth designed to make more money for the industry? Does it help customers build a better security strategy?

All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Jesse Whaley, CISO, Amtrak. Our guest was Paul Branley, CISO, TSB Bank. We recorded this episode in front of a live audience in Tel Aviv as part of Team8's CISO Summit 2023. CISO Series is honored to have been invited to record our show at the event. Thanks to our podcast sponsor, Team8 Team8 is a global venture group that builds and invests in early stage companies focused on digital transformation: cybersecurity, data, fintech and digital health. Its strong expertise in cyber is the backbone of Team8's CISO Village - a community of hundreds of CISOs who enjoy access to thought leadership, networking events, and partner with Team8 to support its company building process. In this episode: Why should you NEVER boast about how good your security is? When upskilling your staff, how do you identify the knowledge that must be learned? Who will learn it? Who will provide it? What does this do to your current security if people are spending time teaching and learning?

All links and images for this episode can be found on CISO Series. Troy Hunt's new site, "Dumb Password Rules," demonstrates yet another slice of security theater. Rules designed to make the creator believe they're making the business more secure, but appear to do nothing more than create unnecessary roadblocks and confusion. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Our guest is Dave Hannigan (@davidhannigan), CISO, Nubank. Thanks to our podcast sponsor, Reqfast Stop treating your various intelligence and security functions as if they are separate, unrelated activities and, instead, bring them together with Reqfast. Identify what's needed, identify areas for improvement, and make data-driven decisions with confidence. In this episode: Are dumb password rules the result of security theater or limitations of old technology? What really causes lack of sleep and burnout among IT and Security leaders? Why are we still struggling with cybersecurity hiring?

This week's episode was recorded in front of a live audience at the Colorado Convention Center in Denver as we kicked off the Rocky Mountain Information Security Conference (RMISC). See the blog post for this episode here. Joining me, David Spark (@dspark), producer of CISO Series, on stage was my guest co-host, Jay Wilson, CISO for Insurity. Our guest is Michelle Wilson, CISO, Movement Mortgage. HUGE thanks to our sponsor, Trend Micro The stakes are high for cybersecurity decision makers as the threat landscape and attack surface continue to evolve. Explore Trend Micro's CISO Resource Center for research-driven strategic insights and best practices to help leaders better understand, communicate, and minimize cyber risk across the enterprise. Learn more.

All links and images for this episode can be found on CISO Series. Why does it seem that the only time we hear about a company's concern about security and privacy is after they're compromised. It is only at that moment they feel compelled to let us know that they're taking this situation very seriously because as we've ll heard before "security and privacy are very important to us." This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Andrea Bergamini, CISO, Orbia. Thanks to our podcast sponsor, Varonis Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren't needed – reducing your risk on a continual basis. Discover more at www.varonis.com/cisoseries. In this episode: Why does it seem that the only time we hear about a company's concern about security and privacy is after they're compromised? Is it only because at that moment they feel compelled to let us know that they're taking this situation very seriously? How do you get things going before you have a massive breach?

All links and images for this episode can be found on CISO Series. There is a long history of security professionals complaining about the insecurity of new technologies. When new technologies take off, they rarely have lots of great security built in. The populace never comes around and says, "Security is right. We should stop using this thing we love." The popular technology ALWAYS wins. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Rinki Sethi (@rinkisethi), vp and CISO, BILL. Thanks to our podcast sponsor, OffSec With a Learn Enterprise plan, your employees get unlimited access to over 1,500 videos, 2,000 practical exercises, and more than 800 hands-on labs. The library is updated regularly with training content and modules defensive and offensive job role-specific content, from foundational to advanced. Google, Vmware, Microsoft all trust OffSec. In this episode: Is it a coincidence that there is a long history of security professionals complaining about the insecurity of new technologies? When new technologies take off, why do they rarely have lots of great security built in? How does a cyber aware c-suite/board make better decisions that help a CISO and the business?

All links and images for this episode can be found on CISO Series. When cybersecurity needs to cut budget, first move is to look where you have redundancy. That way you're not actually reducing the security effort. But after that, the CFO needs to know what are the most important areas of the business to protect. Where will they be willing to take on more risk? Because, with less security, the chances of failure increase. This show was recorded in front of a live audience in New Orleans as part of the BSidesNOLA 2023 reboot conference. The episode features me, David Spark (@dspark), host and producer of CISO Series. My guest co-host is my former co-host, Allan Alford (@allanalfordintx), CISO for Precedent and host of The Cyber Ranch Podcast. Our guest is Mike Woods, corporate CISO for GE. Thanks to our podcast sponsors: Conveyor, Nightfall AI, Rapid7 Love security questionnaires? Then you're going to hate Conveyor: the end-to-end trust platform built to eliminate questionnaires. Infosec teams reduce the volume of questionnaires with a customer-facing trust portal and for any remaining questionnaires, our GPT-Questionnaire Eliminator response tool or white-glove questionnaire completion service will knock them off your to-do list. www.conveyor.com Nightfall is the leader in cloud data leak prevention. Integrate in minutes with cloud apps such as Slack and Jira to instantly protect data (PII, PHI, Secrets and Keys, PCI) and prevent breaches. Stay compliant with frameworks such as ISO 27001 and more — all powered by Nightfall's industry-leading ML detection. Rapid7 is the only connected, cloud to on-prem cybersecurity partner with unlimited incident response, unlimited automated workflows, unlimited vulnerability management, unlimited app security, you get the idea. Add it up – with Rapid7's decades of practitioner-first problem solving – and there's unlimited opportunity for you. See for yourself at Rapid7.com/ciso-series. In this episode: We always say, "trust but verify," but how do you actually verify? When it comes to cut budget, make sure you're already in the mind of the CFO. What's the difference between a good cybersecurity professional and a great one?

All links and images for this episode can be found on CISO Series. As children, we don't dream of becoming a CISO, but yet we still have them. What is it a security professional can learn or even show, to demonstrate that they're getting ready for the position of a CISO? This week's episode is hosted by me, David Spark, producer of CISO Series and Andy Ellis, operating partner, YL Ventures. Our guest is Paul Connelly, former CISO, HCA Healthcare. Thanks to our podcast sponsor, Nightfall Nightfall is the leader in cloud data leak prevention. Integrate in minutes with cloud apps such as Slack and Jira to instantly protect data (PII, PHI, Secrets and Keys, PCI) and prevent breaches. Stay compliant with frameworks such as ISO 27001 and more — all powered by Nightfall's industry-leading ML detection. In this episode: What is it a security professional can learn or even show, to demonstrate that they're getting ready for the position of a CISO? How to tell that you are NOT CISO material? What don't CISOs know about physical security that they should know before they get into big trouble?

All links and images for this episode can be found on CISO Series. It seems anything that's added to a business, like a new app or a third party vendor, just adds more risk. Risk definitely piles up faster than CISOs can reduce it. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Kurt Sauer (@kurtsauer), CISO, DocuSign (when we recorded the show, Kurt was the vp of security for Workday). Thanks to our podcast sponsor, Stairwell The standard cybersecurity blueprint is a roadmap for attackers to test and engineer attacks. With Inception, organizations can operate out of sight, out of band, and out of time. Collect, search, and analyze every file in your environment – from malware and supply chain vulnerabilities to unique, low-prevalence files and beyond. Learn about Inception. In this episode: Does it seem like anything that's added to a business, like a new app or a third party vendor, just adds more risk? Does risk pile up faster than CISOs can reduce it? How do you avoid creating new risks when you add new applications, or even just update applications?