
CISO Series Podcast
405 episodes — Page 5 of 9
Decommission Our Legacy Tech or Just Shut Down the Business?
All links and images for this episode can be found on CISO Series.
Legacy tech can often be the anchor that prevents an organization from growing. Put off dealing with legacy tech long enough and the problem could get bigger than the business itself.
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is TJ Mann (@teejaymann), CISO, Children's Mercy Kansas City.
Thanks to our podcast sponsor, CYREBRO
Ninety percent of post mortems show that the high cost of damage from a cyberattack was avoidable, but no one knew in time to stop it. CYREBRO's SOC Platform is your cybersecurity central command, integrating all your security events with 24/7 strategic monitoring, proactive threat intelligence, and rapid incident response. More from CYREBRO.
In this episode:
How does legacy technology impede business agility?
Are we doing anything better to deal with legacy technology?
Is there anything that can be done at the purchase point to understand how you'll sunset equipment and technology?
And we ask whether or not our industry is willing to take the time and effort to hire and train the talent they so desperately want and need.

Life's Certainties: Death, Taxes, and Violating Security Policies
All links and images for this episode can be found on CISO Series.
People violate cybersecurity policies at a rate of one out of every 20 job tasks. It's just a matter of time before all your employees are in violation.
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Bruce Schneier (@schneierblog), chief of security architecture, Inrupt, and fellow and lecturer at Harvard Kennedy School.
Thanks to our podcast sponsor, PlexTrac
PlexTrac is a powerful, yet simple, cybersecurity platform that centralizes all security assessments, pentest reports, audit findings, and vulnerabilities. PlexTrac transforms the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize analytics, and collaborate on remediation in real time. Check out PlexTrac.com/CISOSeries to learn why PlexTrac is the perfect platform for CISOs!
In this episode:
Special tips for new CISOs just starting out and trying to establish their position.
Where are market forces fighting the hardest against achieving societal values in the digital space?
What are the signs that we're moving in the right direction in developing a digital social contract?
And we ask, is "employees violating security policies" the top issue that needs to be resolved?

Is It a Promotion or a Red Flag Telling You To Get Out?
All links and images for this episode can be found on CISO Series.
A young woman is killing it in her first cybersecurity job out of college. Management is so thrilled with her that they want to give her a promotion. Problem is, the promotion reveals a lot of other inner workings that don't speak well of the company's culture.
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Davi Ottenheimer (@daviottenheimer), vp trust and digital ethics, Inrupt.
Thanks to our podcast sponsor, Code42
As the Insider Risk Management leader, Code42 helps security professionals protect corporate data and reduce insider risk while fostering an open and collaborative culture for employees. For security practitioners, it means speed to detection and response. For companies, it means a collaborative workforce that is productive and a business that is secure. Visit http://Code42.com/showme to learn more.
In this episode:
A student has some serious privacy concerns when they learn that "all data is being monitored and anonymously collected."
We examine how we can break from the Internet oligarchs who appear to be consuming, selling, and using so much of our data.
How GDPR can help organizations stay ahead of the competition.
A young recruit facing imposter syndrome after receiving a promotion with added responsibilities.

It's a Great Job, But I'm Alone and Terrified
All links and images for this episode can be found on CISO Series.
First job out of college and you get the cybersecurity job of your dreams... and nightmares. It's just too much, and you definitely don't have the experience to handle it all.
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Rick Doten (@rick_doten), CISO, Carolina Complete Health. Check out Rick's YouTube channel with the CIS Critical Security Control videos.
Thanks to our podcast sponsor, Kenna Security
Kenna Security, now part of Cisco, is the pioneer of risk-based management. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. It leverages machine learning and data science to track and predict real-world exploitations, empowering security teams to focus on what matters most.
In this episode:
We look at the #1 job according to U.S. News & World Report. Hint: it's Information Security Analyst.
We examine the possibility and practicality of running a security program entirely on free and open-source software.
We break down how to help brand new recruits on the ground as they start their careers in cybersecurity.

Instead of Increased Cybersecurity, Could We Just Order Less Risk?
All links and images for this episode can be found on CISO Series.
"No business wants more security, they want less risk," said a redditor on the cybersecurity subreddit. Executives seem not to care about cybersecurity because they're not talking in those terms. They talk in terms of managing risk. It's the InfoSec professional's job to do the translation.
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Tom Doughty, vp and CISO, Prudential Financial.
Thanks to our podcast sponsor, CYREBRO
Ninety percent of post mortems show that the high cost of damage from a cyberattack was avoidable, but no one knew in time to stop it. CYREBRO's SOC Platform is your cybersecurity central command, integrating all your security events with 24/7 strategic monitoring, proactive threat intelligence, and rapid incident response. More from CYREBRO.
In this episode:
How do you discuss cybersecurity with executives who don't care about cybersecurity?
Does cybersecurity insurance help motivate better cybersecurity awareness?
Why are we still struggling with cybersecurity hiring?
What does a great day in information security look like?

Why CISOs Avoid the Dreaded "Request a Demo" Button
All links and images for this episode can be found on CISO Series.
A CISO hears about your company's product from some other CISOs. Eager to find more information, like a video demo they could watch on their own, they visit your site. They can't find anything except a prominently placed "Request a Demo" button. Fearing the marketing and salespeople who will hound them if they fill out the form, they just bail.
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Jim Routh (@jmrouth1), former CISO for MassMutual and CVS/Aetna.
Thanks to our podcast sponsor, Buchanan Technologies
Short-staffed and overworked IT groups can be overwhelmed by the massive scope of a comprehensive cybersecurity program. Buchanan Technologies makes the complex simple with our twenty-four by seven, customized, vetted strategies that identify risks, detect threats, implement security controls, and protect the confidentiality, availability, and integrity of your data. Discover more.
In this episode:
Why do vendors put product demo videos behind gated walls?
Tips for improving cybersecurity awareness within a large organization.
The annoying pains of the vendor ecosystem.
What are some really bad cybersecurity practices that need to be corrected right away?

What's Next in Cybersecurity? Look at Last Year and Expect More
All links and images for this episode can be found on CISO Series.
The web is awash with sites claiming they know what the security trends will be for 2022. All of them were filled with quotes from security experts at different vendors who, surprise, were saying the big trend is whatever their product can fix. One publication, eWEEK, had probably the only logical set of trends, and they look a lot like what happened in 2021.
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Ori Arbel, CTO, CYREBRO.
Thanks to our podcast sponsor, CYREBRO
Ninety percent of post mortems show that the high cost of damage from a cyberattack was avoidable, but no one knew in time to stop it. CYREBRO's SOC Platform is your cybersecurity central command, integrating all your security events with 24/7 strategic monitoring, proactive threat intelligence, and rapid incident response. More from CYREBRO.
In this episode:
How should you be handling your security operations center (SOC)?
Tips for improving your incident response planning.
What are the cloud security trends of 2022?

Are You Attending the "What to Worry About Next" Security Conference?
All links and images for this episode can be found on CISO Series.
Are security conferences really helpful in advising you on making your business more secure, or are they just adding more worries to your plate that aren't actually going to be threats your business has to face?
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Jason Witty, CSO, USAA.
Thanks to our podcast sponsor, CyCognito
By understanding risks, attacks, and behaviors from attack surface management data, CyCognito visualizes the pathways attackers will take to exploit your network, enabling you to see, understand and eradicate the threat. CyCognito is the only cyber risk intelligence platform that visualizes the attackers' paths into your network.
In this episode:
What is the board's risk appetite?
Is attending conferences helpful?
What can security vendors do to help with board-level communications?

It's BAAAACK! The Return of "We Could Have Stopped That Breach"
All links and images for this episode can be found on CISO Series.
Our entire network launched because of the irritation CISOs had with vendors claiming they could have stopped some breach that happened to another company. Then the chest pounding subsided, and we thought we were making an impact, until Log4j appeared...
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Tim Rohrbaugh, CISO, JetBlue.
Thanks to our sponsor, CyCognito
By understanding risks, attacks, and behaviors from attack surface management data, CyCognito visualizes the pathways attackers will take to exploit your network, enabling you to see, understand and eradicate the threat. CyCognito is the only cyber risk intelligence platform that visualizes the attackers' paths into your network.
In this episode:
Questionable vendor marketing tactics.
Developing your threat intelligence.
Valuable skills that hiring managers look for.

How to Be So Awesome CISOs Can't Ignore You
All links and images for this episode can be found on CISO Series.
The trick to getting the attention of CISOs is to create an awesome company. Focus on that and the attention will follow.
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Katie Stebbins (@ktlgs), board president, Global Epic.
Thanks to our podcast sponsor, Kenna Security
Kenna Security, now part of Cisco, is the pioneer of risk-based management. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. It leverages machine learning and data science to track and predict real-world exploitations, empowering security teams to focus on what matters most.
In this episode:
So, how do you become so awesome that you can't be ignored?
What happens when you expand your view of the purpose of security metrics?
Is it possible to have a Digital Geneva Convention?

Attract the Best Candidates with Crappy Benefits and Low Pay
All links and images for this episode can be found on CISO Series.
If you're up against Google, Facebook, or Apple for hiring talent, chances are pretty good that your company is not going to match their pay and benefits. So if they're the bar for salary and benefits, your business' offerings will inevitably be subpar. So how do you build your employer brand to contend in the areas where you're deficient and can't compete?
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our sponsored guest is Dan DeCloss (@wh33lhouse), CEO, PlexTrac.
Thanks to our podcast sponsor, PlexTrac
In this episode:
When setting up defenses against MITRE ATT&CK mappings, how much is enough?
What are you doing to build your employer brand and attract cyber talent to your business?
How should you review your pentest results?

If the Network Is Up, Somebody Is Violating Our Acceptable Use Policy
All links and images for this episode can be found on CISO Series.
Every organization has an Acceptable Use Policy (AUP) for their computers and network. Nobody reads it and everybody violates it. How the heck do you enforce it, or discipline people who violate your company's AUP?
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Matt Radolec, senior director, incident response and cloud operations, Varonis.
Thanks to our podcast sponsor, Varonis
On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to "Zero Trust." Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries.
In this episode:
Why do tabletop exercises fail?
How should we deal with AUPs that do not get read?
Is cyber resiliency an overused term?
How valuable are visual detection techniques?

What We Lack In Security We'll Make Up in School Spirit
All links and images for this episode can be found on CISO Series.
Yikes, this security hole one concerned student found in the school's network is going to require one heck of a pep rally to fix.
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Dave Stirling, CISO, Zions Bancorporation.
Thanks to our podcast sponsor, Varonis
On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to "Zero Trust." Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries.
In this episode:
Should the CISO position be seen as an organization in itself?
Is the current data loss prevention (DLP) model outdated?
How can an MSSP show its value?
What should a high school student do if they see that their school has horrible security practices?

What's the Least Annoying Way to Follow Up with a CISO?
All links and images for this episode can be found on CISO Series.
If we had such a great conversation at the conference, why don't you want to respond to my emails?
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Julie Tsai (@446688), cybersecurity leader.
Thanks to our podcast sponsor, Varonis
What is your ransomware blast radius? The average user can access 17 million files. Varonis reduces your blast radius in days, not years. Combined with advanced detection that monitors every file touch, ransomware doesn't stand a chance. Get a free risk assessment.
In this episode:
Is there a "right" management structure for cybersecurity?
Are there tools you can put in place to keep your DevOps program in check?
What are the questions to ask during an interview that reveal how a company handles and prioritizes cybersecurity?
How can we improve CISO / vendor relations?

Why Ignoring Most of Your Vulnerabilities Is the Best Strategy
All links and images for this episode can be found on CISO Series.
Winning at vulnerability management is not a numbers game. It's a tactical exercise of what matters most in your environment. Surprisingly, experts tell us close to two thirds of your vulnerabilities can and should be ignored. Why, and which ones are those?
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Ed Bellis (@ebellis), co-founder and CTO, Kenna Security (now a part of Cisco).
Thanks to our podcast sponsor, Kenna Security
Kenna Security, now part of Cisco, is the pioneer of risk-based management. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. It leverages machine learning and data science to track and predict real-world exploitations, empowering security teams to focus on what matters most.
In this episode:
What type of risk or compliance data should CISA collect for its proposed metrics?
Which metrics are most valuable to determine the health of a company?
Why the constant frustration with patch management?
How often should you be conducting vulnerability scans?

Why We Quickly Reject 95% of All Applicants
All links and images for this episode can be found on CISO Series.
If you're asking what certification you should go after to get the perfect cybersecurity job, you're asking the wrong question. Most hiring managers are inundated with resumes, so they're looking for ways to get rid of yours. Don't be fooled into thinking you're going to be seen because you have the "perfect" resume.
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Mike Hanley (@_mp4h), CSO, GitHub.
Thanks to our podcast sponsor, BitSight
These are challenging times for security professionals. From managing third party supply chain risk, to quantifying financial exposure, to reducing the likelihood of ransomware, BitSight helps security and risk professionals create more effective cybersecurity programs with cybersecurity ratings and analytics. Learn why Moody's, the Department of Defense, and other leading institutions partner with BitSight at www.bitsight.com.
In this episode:
What's the formula (experience vs testimonials) for getting hiring managers' attention?
What are the most effective techniques for building a resilient security team?
What are security vendors NOT doing now that would greatly improve their visibility?
Have you had to make any security exceptions just because an executive needed something?

Security So Good Your Users Won't Use It
All links and images for this episode can be found on CISO Series.
CISOs agree that multi-factor authentication is the one security control that, once deployed, has the greatest impact in reducing security issues. Yet with all that agreement, it's still so darn hard to get users to actually use it.
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Arvind Raman (@arvind78), CISO, Mitel.
Huge thanks to our sponsor, Horizon3.ai
See your enterprise through the eyes of the attacker, identify your ineffective security controls, and ensure your limited resources are spent fixing problems that can actually be exploited. More from Horizon3.ai.
In this episode:
If MFA is so great, why is it not more widespread?
Are high valuations for cloud security startups a vote against cloud providers doing cloud security well?
What is the biggest challenge in deploying zero trust on existing infrastructure?
Are there universal security red flags?

We've Never Taken On So Much Risk
All links and images for this episode can be found on CISO Series.
It's all risk, all show, for the entire show. It's just the kind of risk we like to take.
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our sponsored guest is Derek Vadala (@derekvadala), chief risk officer, BitSight.
Thanks to our podcast sponsor, BitSight
These are challenging times for security professionals. From managing third party supply chain risk, to quantifying financial exposure, to reducing the likelihood of ransomware, BitSight helps security and risk professionals create more effective cybersecurity programs with cybersecurity ratings and analytics. Learn why Moody's, the Department of Defense, and other leading institutions partner with BitSight at www.bitsight.com.
In this episode:
What cybersecurity risk is currently the most severe?
What's important about evaluating a startup's security protocols?
What about third party risk management?
Do you and your board know how resilient you are to a cyber attack?

The Perfect Gift for a Cyber Crook
All links and images for this episode can be found on CISO Series.
What do you give to the person who wants to learn how to steal everything?
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Jim Wachhaus (@imanapt), risk intelligence evangelist, CyCognito.
Thanks to our podcast sponsor, CyCognito
By understanding risks, attacks, and behaviors from attack surface management data, CyCognito visualizes the pathways attackers will take to exploit your network, enabling you to see, understand and eradicate the threat. CyCognito is the only cyber risk intelligence platform that visualizes the attackers' paths into your network.
In this episode:
How can we shore up our cybersecurity hygiene?
What have we heard enough about with risk intelligence?
Gifts to buy someone who is looking into red teaming/vulnerability

"I Love Being Monitored Online," Said No Employee Ever
All links and images for this episode can be found on CISO Series.
What do you do if your boss gave you a corporate laptop and you fear they installed some tracking software? Should you wipe the drive or simply quit?
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our sponsored guest is Purandar Das (@dasgp), co-founder and president, Sotero.
Thanks to our podcast sponsor, Sotero
Today's compliance requirements require a security mindset that focuses on the data itself. We can't truly protect sensitive data when our solutions only provide protection at the network, application or database level. The good news is that you can now protect the actual data itself. Click to learn how.
In this episode:
Did the pandemic lead to innovations in cybersecurity?
What should a company do when an employee makes a major mistake like emailing PII?
Have we all heard enough about encryption?
What do we do when the boss gives us a "new" computer with monitoring tech on board?

If We Don't Talk About Cyber Risk, Will It Go Away?
All links and images for this episode can be found on CISO Series.
Risk is scary. Cyber risk is scarier. Not because it's worse, but mostly because we barely understand it. We've gone this long not understanding it. Maybe just ignoring it will allow us to wish it away.
On this week's episode of CISO/Security Vendor Relationship Podcast we have our first in-studio guest (since we moved the studio). Joining me, David Spark (@dspark), producer of CISO Series, and Mike Johnson is our in-studio guest TJ Lingenfelter (@tj_555), sr. program manager, information security, Taylormade Golf.
Thanks to our podcast sponsor, BitSight
These are challenging times for security professionals. From managing third party supply chain risk, to quantifying financial exposure, to reducing the likelihood of ransomware, BitSight helps security and risk professionals create more effective cybersecurity programs with cybersecurity ratings and analytics. Learn why Moody's, the Department of Defense, and other leading institutions partner with BitSight at www.bitsight.com.
In this episode:
How can competing companies help each other be more secure?
What to do when you can't get time with your CIO to discuss plans?
Are we fooling ourselves to think we can maintain privacy for ourselves, and that organizations can do it for us as well?
What new cybersecurity buzzwords should be put to rest?

After a Breach It's Really Easy to Calculate Risk
All links and images for this episode can be found on CISO Series.
There's no question calculating risk is tricky, but it's worth it: once you understand your risk, you can assign budget appropriately to reduce it. OR, you could just wait until you're breached, and you'll know exactly what your risk is and how much it costs.
This week's episode of CISO/Security Vendor Relationship Podcast is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Dan Walsh, CISO, VillageMD.
Thanks to our podcast sponsor, deepwatch
Increasing ransomware attacks and their evolving sophistication have been putting more pressure on security teams than ever before. Luckily, managed detection and response (or MDR) has emerged as a critical component for improving security operations, reducing ransomware risk, and minimizing the overall impact an attack can have. Visit deepwatch.com to see how we help to prevent breaches for our customers, by working together.
In this episode:
What can we learn from a 10-year cybersecurity veteran?
What can state governments do to 'hire better' in cybersecurity?
What can companies do to attract cybersecurity professionals to their location?
What are ways to bring a clearer understanding of risk to the business without being alarmist?

I've Got Zero Trust In My Understanding of Zero Trust
All links and images for this episode can be found on CISO Series.
Don't look at me to explain zero trust to you, because I'm just as confused. I've heard plenty of definitions, and they all sound good. I just don't know which one is right, or maybe they're all right.
This week's episode of CISO/Security Vendor Relationship Podcast was recorded in front of a live audience at KeyConf at the City Winery in New York City. My guest co-host for this special episode is JJ Agha, CISO, Compass. Joining us on stage were a host of guests: Admiral Rogers, former NSA director and Commander US Cyber Command; Oded Hareven, CEO and co-founder, Akeyless; and Dr. Zero Trust, Chase Cunningham (@cynjaChaseC).
Thanks to our podcast sponsor, Akeyless
As organizations embrace automation, they must control their secrets sprawl. Security teams must enable the transition with centralized access to secrets, and consistent policies to limit risk and maintain compliance. Akeyless provides a unified, SaaS-based solution for Secrets Management, Secure Remote Access, and Data Protection. More about Akeyless.
In this episode:
Is zero trust easy for organizations to deploy and control?
Are we taking zero trust too far?
Does it help to have more eyes on the problem?
What are the problems with secure remote access that we're still struggling with?

We're Very Good at SAYING We Care About Diversity
All links and images for this episode can be found on CISO Series.
It's extremely easy to say you want to diversify. In fact, I'll do it right now three times. We want diversity. We're very pro diversity and it's our focus for the next year. Diversity is a very important part of our security program. Please don't ask to look at the lack of diversity on our staff, though. It doesn't match our rhetoric.
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Sujeet Bambawale (@sujeet), CISO, 7-11.
Thanks to our podcast sponsor, Vulcan Cyber
Vulnerability scanners are commoditized. Cloud service providers provide free scanners. Open source scanners are plentiful. Your team doesn't need another scanner, but they need to get better at identifying and prioritizing the risk that is buried in that scan data. Attend the Vulcan Cyber virtual user conference and learn how to assess and mitigate risk across all of your surfaces. Go to vulcan.io and click the button at the top of the screen to register for the event.
In this episode:
How are you overcoming the challenges of diversity hiring?
Are robocalls defeating MFA?
Are you collaborative in cyber with your direct competitors?
Were you sold something differently when you started in cyber?

Chances Are We'll Be Attacked the Day Before Your Vacation
All links and images for this episode can be found on CISO Series.
Do the cybercriminals know my vacation schedule? If they're already in our network, they probably do. Why don't they share their vacation schedule with me? That way we can all enjoy our time off.
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Patti Titus (@rusecur), CISO, Markel.
Thanks to our podcast sponsor, Sotero
Today's compliance requirements require a security mindset that focuses on the data itself. We can't truly protect sensitive data when our solutions only provide protection at the network, application or database level. The good news is that you can now protect the actual data itself. Click to learn how.
In this episode:
What role is the quickest path to a CISO role?
How can we best correlate security behavior to business actions?
Are attacks more likely on Fridays, just before a long weekend or vacation?
Which breaches this year caused a shift in focus of your security program?

Did You Get My Last Email? This One Has a Joke In It.
All links and images for this episode can be found on CISO Series.
At some point a sales representative will get so desperate trying to get a reply from a prospect that they'll resort to some tepid attempt at humor. We've all seen the email that is trying to understand why we're not replying. And the salesperson tries to make it easy for the recipient to respond by just pressing a single digit. 1: You're too busy, 2: You didn't see my email, 3: You really wanted to respond but you're stuck in a well.
This week's episode of CISO/Security Vendor Relationship Podcast was recorded in front of a live audience at the SF-ISACA conference in San Francisco. It features me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is my other co-host Andy Ellis (@csoandy), operating partner, YL Ventures.
Huge thanks to our podcast sponsors, Code42, Sotero, and Constella Intelligence
As organizations gradually and cautiously move out of adapt-or-die mode into the post-pandemic era, we can expect a second phase of digital transformation: resilience building. This presents an opportunity for security teams. An opportunity to re-imagine data security. More from Code42.
Today's compliance requirements require a security mindset that focuses on the data itself. We can't truly protect sensitive data when our solutions only provide protection at the network, application or database level. The good news is that you can now protect the actual data itself. Click to learn how.
Threat actors target key employees due to their privileged access to sensitive data, which can lead to credential theft, ATO, and ransomware attacks. Find out if your key employees and company have been exposed, without any obligation. More from Constella Intelligence.
In this episode:
How do you go about making a business case for further investment in cybersecurity initiatives?
Is it possible to get people to change their security behaviors?
Using humor in cold sales. Does it ever work? ...and what happens when it backfires?

Hackers of the World Unite… When We Can Agree on a Time
All links and images for this episode can be found on CISO Series "Look, you wanna be elite? You have to do a righteous hack." This entire episode we pay tribute to the movie "Hackers" with quotes all throughout the programming. This episode is hosted by me, David Spark (@dspark), producer of CISO Series, and my guest co-host Roland Cloutier (@CSORoland), CISO, TikTok. Joining us in this discussion is Steve Tran (@steveishacking), CISO, MGM Studios. Thanks to our podcast sponsor, Code42 In this episode: Is it time to start thinking about protecting data differently? What is the biggest scam in tech that is deemed acceptable? Why is the convergence of security between physical and digital still not happening? Which part of your role is science vs art?
Is Our CISO Doing a Good Job? Our CISO Doesn't Even Know.
All links and images for this episode can be found on CISO Series It's extremely hard to tell if a cybersecurity leader is doing a good job. In fact, it's tough for even them to know. Our best bet is watching for an improvement in the cybersecurity program over time. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Mark Wojtasiak (@markwojtasiak), vice president, research & strategy, Code42 and co-author of "Inside Jobs." Thanks to this week's podcast sponsor, Code42 As organizations gradually and cautiously move out of adapt-or-die mode into the post-pandemic era, we can expect a second phase of digital transformation: resilience building. This presents an opportunity for security teams. An opportunity to re-imagine data security. More from Code42. In this episode: What is your business's biggest frustration when managing cybersecurity? Aaaand...what is your biggest frustration when managing cybersecurity? How do you know when a Security Leader (including yourself) is doing a good job? Would it help if Security hired a marketing manager?
BONUS Episode: Innovation Spotlight
Here's an awesome bonus episode of CISO/Security Vendor Relationship Podcast featured as the closing event at Evanta's Global CISO Virtual Executive Summit. Here's what went down. The day before our recording, three representatives presented their unique and innovative security solutions to a panel of CISOs and the virtual audience in attendance. The next day, everyone came back to offer up a quick elevator pitch and to be grilled by the CISOs. That's exactly what you get to hear on this bonus episode of CISO/Security Vendor Relationship Podcast. Thanks to all our sponsors for this bonus episode of the podcast: Kasada, Axis Security, Ordr, and Ten Eleven Ventures.
We Want to Hire Honest People Who Think Like Criminals
All links and images for this episode can be found on CISO Series What game should we play where we can trust you to behave fairly, but at the same time see how you could take advantage of us? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Deneen DiFiore (@deneendifiore), CISO, United Airlines. Thanks to our podcast sponsor, Code42 As organizations gradually and cautiously move out of adapt-or-die mode into the post-pandemic era, we can expect a second phase of digital transformation: resilience building. This presents an opportunity for security teams. An opportunity to re-imagine data security. More from Code42. In this episode: Does becoming a business-minded security person take time? What does a qualified, entry level candidate have to do to get noticed? Without clear ROI, how does a CISO justify their budget? What game taught you the most about thinking like a hacker?
A Quick Way to Tell Which Vendors You Should Avoid
All links and images for this episode can be found on CISO Series Do you really need hundreds of questions to know if you want to work with a vendor? Won't just two or three well-pointed questions really give you a good idea? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Nick Selby (@fuzztech), CSO, Paxos Trust Company and co-host of Tech Debt Burndown podcast. Thanks to our podcast sponsor, Kenna Security In this episode: How do you suss out security vendors to make sure they're not a risk? How do you battle a typosquatter? What types of preparations do you have in place to know you're well prepared for an incident? How should CISOs and CIOs share cybersecurity ownership?
The Ostrich Approach To Vulnerability Management
All links and images for this episode can be found on CISO Series OK, you showed us our vulnerability. But we really don't want to fix it now. Could we just pay you off to keep quiet, and to buy us some more time to deal with this in a "not so timely" manner? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Sameer Sait (@sameersait), CISO, Amazon - Whole Foods. Thanks to our podcast sponsor, Code42 As organizations gradually and cautiously move out of adapt-or-die mode into the post-pandemic era, we can expect a second phase of digital transformation: resilience building. This presents an opportunity for security teams. An opportunity to re-imagine data security. More from Code42. In this episode: What if software developers used academic citations for code acquired from outside sources? What if a reported security vulnerability doesn't get fixed? Where do you go next? What if a 3rd party app developer needs access to a file/print share over the internet? What if you receive a pitch that makes a grandiose statement like "no false positives?" Follow-up or hard pass?
Sorry, We're Full. We Can't Take Any More Market Segments
No, please not another acronym. I can't take another education cycle on another product segment. Oh, I'm sure Gartner is launching it. And I'm sure they'll make yet another Magic Quadrant to tell us which companies are in this new market segment. And we're going to have to buy this report so we understand this new category so we can create yet another line item on our budget sheet. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Ed Bellis (@ebellis), co-founder and CTO, Kenna Security (now a part of Cisco). Thanks to our podcast sponsor, Kenna Security In this episode: How do you develop unbiased knowledge about a new technology? Do you have advice on how to prepare for a SOC interview? Vulnerability management: what have we heard enough of? Do your parents know what you do for a living?
What's the ROI of Nothing Happening?
You don't want anything to happen, but you also want security to somehow calculate ROI. Maybe the ROI could be calculated from actual sales that security allowed to actually happen. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Ryan Gurney, CISO-in-residence, YL Ventures. Thanks to our sponsor, YL Ventures YL Ventures, a global VC firm, manages over $300 million and exclusively invests in early-stage Israeli cybersecurity startups. YL Ventures accelerates the evolution of its portfolio companies via strategic advice and operational execution, leveraging a network of CISOs and industry veterans from Fortune 100 and high-growth companies. In this episode: What happens when Application Surface Management (ASM) vendors are purchased as Security assets? What do you do when your company wants to use a really insecure SaaS product? Does a startup need a CISO, or just a CISO-in-residence? Is there a better sign other than "nothing happened" that indicates you did a good job in cybersecurity today?
Could We Speak To Your CISO To Confirm He Received the Cupcakes?
All links and images for this episode can be found on CISO Series It's imperative we speak to him. We want to make sure they landed safely. And if he has some available time, maybe we can show him our slide deck. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Branden Newman, svp, CISO, MGM Resorts. Thanks to our podcast sponsor, Grip Security Ask yourself – do I know what SaaS my company is using? How do users access them? What data is uploaded and downloaded? Enterprises today are using hundreds and thousands of different SaaS, and have lost control over it. Grip Security sees and secures every SaaS application. With simple deployment, you can have immediate visibility to the entire SaaS portfolio, and automated access and data governance at scale. This is the only way you could fight the SaaS Sprawl. In this episode: How do security vendors communicate their uniqueness and product quality? If you were to start a data security company - what gap would you fill? What's the pushiest sales tactic you've seen in InfoSec? Assessing vendor pitches on email security or human layer security
Make Your Friends Jealous with Our Hand-Crafted Passwords
All links and images for this episode can be found on CISO Series I know your friends say they use excellent passwords, but they don't take the time and care we put into choosing the right combination of letters, numbers, and special characters that's unique to your personality. Once your friends and the dark web have a chance to see them, they'll want to emulate you by using your password over and over again. This week's CISO/Security Vendor Relationship Podcast was actually recorded in front of a small live audience at The Passwordless Summit in Newport, Rhode Island. The event was sponsored by HYPR, our sponsor for this episode as well. Joining me and my co-host, Andy Ellis (@csoandy), operating partner, YL Ventures, was our sponsored guest, Brian Heemsoth (@bheemsoth), head of cyber defense and monitoring, Wells Fargo. Thanks to our podcast sponsor, HYPR HYPR is the leader in Passwordless Multi-factor Authentication. We protect workforce and customer identities with the highest level of assurance while enhancing the end user's experience. HYPR shifts the economics of attack to the enterprise's favor by replacing password-based MFA with Passwordless MFA. Welcome to The Passwordless Company®. It's time to reimagine Identity Access Assurance. In this episode: Ways to make a good impression about the quality of your security How's passwordless access working for you? When an EULA says no to reviewing the product What does a good SOC look like to you?
Are You Asking "How Secure Are We?" or "How Insecure Am I?"
All links and images for this episode can be found on CISO Series We've heard the question "How secure are we?" many times, and we know what it really means. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Kevin Morrison, CISO, Alaska Air. Thanks to our podcast sponsor, Enso Enso, an Application Security Posture Management platform, helps security teams scale and gain control over their AppSec programs. Enso discovers application inventory, ownership and risk to easily build and enforce security policies and transform AppSec into an automated, systematic discipline. In this episode: Red flag-level bad security: run away or offer to help? How necessary is it to know patterns of where and how criminals are going to attack? How to manage the risk of onboarding entry level cybersecurity personnel who lack prior job experience? How do you answer the question, "Are we secure?"
Tips to Finding an Incompetent Overpriced Cybersecurity Consultant
All links and images for this episode can be found on CISO Series What questions should we be asking of a consultant's referrals to see if they're really worth the money they're trying to overcharge us? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Ira Winkler (@irawinkler), CISO, Skyline Technology Solutions. Thanks to our podcast sponsor, Varonis Varonis will help you get meaningful data security results faster than you thought possible. Protect sensitive data, detect sophisticated threats and streamline privacy and compliance. Visit varonis.com/risk for a demo of Varonis' leading data security platform. In this episode: Fujifilm refused to pay ransomware demand, restored from backup. Be like Fujifilm. What to do with people who ask for your password and sign-on – and those who comply Best techniques for interviewing cybersecurity consultant candidates The importance of securing inter-organization Slack and Teams channels
We Shame Others Because We're So Right About Everything
All links and images for this episode can be found on CISO Series You think it's easy carrying around the burden of being so perfect all the time? It's tough to carry that responsibility to tell others what they need to do. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Ed Contreras (@cisoedwardc), CISO, Frost Bank. Thanks to our podcast sponsor, Varonis Varonis will help you get meaningful data security results faster than you thought possible. Protect sensitive data, detect sophisticated threats and streamline privacy and compliance. Visit varonis.com/risk for a demo of Varonis' leading data security platform. Does a quality tech stack help with recruitment and retention of talent? Should security features be free? And should those who charge be shamed? Failing phishing tests - is there a limit to how many?
Will You Accept "My Bad" As Our Breach Response?
All links and images for this episode can be found on CISO Series We know we've got to say something about this breach, but geez, the details are really sordid and it would just be easier if we could just wrap it up with one giant "oops." You cool with that? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Matt Radolec, senior director, incident response and cloud operations, Varonis. Thanks to our podcast sponsor, Varonis Varonis will help you get meaningful data security results faster than you thought possible. Protect sensitive data, detect sophisticated threats and streamline privacy and compliance. Visit varonis.com/risk for a demo of Varonis' leading data security platform. In this episode: How have insider threats morphed since the onset of Covid? Should paying ransomware be illegal? What goes into a good post-breach public incident response? Should ransomware focus more on backups?
I'll Show You My Risk Profile If You Show Me Yours
All links and images for this episode can be found on CISO Series Managing my own risk is tough enough, but now I have to worry about my partners' risk and their partners' risk? I don't even know what's easier to manage: the risk profile of all my third parties or all the exclusions I've got to open up to let third parties into my system. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Bruce Potter (@gdead), CISO, Expel. Thanks to our podcast sponsor, Expel Expel offers companies of all shapes and sizes the capabilities of a modern Security Operations Center without the cost and headache of managing one. In this episode: What's easier to manage, 3rd party risk profiles or exclusions? Do you need a Git repository to apply for a job? What else? What's in your happy-grab-bag for hybrid work environments? Is there anything new to say about ransomware strategy?
How Much Charisma Do I Need to Push My Team to the Edge?
All links and images for this episode can be found on CISO Series If I'm going to be riding my team really hard, how much charisma will I need to keep the team frightened so they stay motivated, yet don't want to leave? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Jason Fruge (@jasonfruge), CISO, Rent-a-Center. Thanks to our podcast sponsor, Expel Expel offers companies of all shapes and sizes the capabilities of a modern Security Operations Center without the cost and headache of managing one. In this episode: CISO's second job: applying lessons learned from the first one Experts weigh in on what to do when a breach drops malware on you How to motivate staff to push themselves beyond initial expectations? What level of autonomy do you give your staff to make purchase decisions?
How Would You Like Your Cloud Misconfigured?
All links and images for this episode can be found on CISO Series Great, you just purchased the cloud. Are you a little confused as to what you're going to do with it? Not a problem. Let's get you set up right with a world class misconfiguration. That should leave you open to all kinds of breaches. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Johnathan Keith, CISO, Viacom/CBS Streaming. Thanks to our podcast sponsor, AppOmni AppOmni is building the future of SaaS security. We empower our users to enforce security standards across their SaaS applications, and enable them to remediate in confidence knowing they're fixing the most important SaaS security issues first. Contact us at www.appomni.com to find out who - and what - has access to your SaaS data. Why do we hear so many stories about poor & misconfigured cloud services? The benefits of Infrastructure as Code (IaC) What makes a vendor meeting worth your time? What's the best way to learn about a company's culture in a job interview?
It's Only a Matter of Time Before We Lose Your Data
All links and images for this episode can be found on CISO Series We're trying really hard to keep our customers' data safe, but we all know given the number of attacks happening, our number will eventually come up, and we'll lose your data just like every other organization you trusted. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Sandy Dunn (@sub0girl), CISO, Blue Cross of Idaho. Thanks to our podcast sponsor, Expel Expel offers companies of all shapes and sizes the capabilities of a modern Security Operations Center without the cost and headache of managing one. Dissecting Allen Gwynn's "one strike" opinion piece Transitioning cybersec into a mindset for all employees Shifting the risk: buying cyberinsurance instead of tools What's the proper way to behave during a breach?
His Credentials Say "Yes" But His Behavior Says "No Way"
All links and images for this episode can be found on CISO Series As good as our virtual bouncers are, they often let in people with what seems to be a valid ID, and then once they're in our nightclub they cause a disruption and we have to kick them out. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Sandy Wenzel (@malwaremama), cybersecurity transformation engineer, VMware. Sandy also recommends participating in Pro's vs. Joe's CTF. Thanks to our podcast sponsor, VMware In this episode: How we have become more agile (and how we define agile) Five skills every SOC analyst needs (and how to build them) Lateral movement by threat actors (what have we heard enough of) What are some good assignments to give a cybersecurity intern (and are there better ones?)
We're Experts at Finding Everything You're Doing Wrong
All links and images for this episode can be found on CISO Series We're a brand new consultancy and we promise if you just let us poke around your network, we'll find something wrong. Because everyone has something wrong in their network. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Phil Huggins (@oracuk), CISO, NHS Test & Trace, Department of Health and Social Care. Thanks to our podcast sponsor, VMware In this episode: Prioritizing the security challenges around risk and compliance What to consider before starting your own security consulting business The most valuable things you should learn from peers in your network or community
Hey Old Man, Go Rotate Your Own Passwords
All links and images for this episode can be found on CISO Series If you're happy with your best practice of rotating passwords, that's great for you. Just don't lay your old-timey "rules for better security" on me, boomer. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Robb Reck (@robbreck), CISO on sabbatical and co-founder of Colorado=Security, a podcast and Slack community. Thanks to our podcast sponsor, VMware In this episode: Who is supposed to put "security" into the shifted-left SDLC? What's the scarcest resource to a CISO? Is it headcount or money? What's the hardest part about being a CISO? How to choose the "best" best practices.
How CISOs Make It Worse for Other CISOs
All links and images for this episode can be found on CISO Series https://cisoseries.com/how-cisos-make-it-worse-for-other-cisos/ Are CISOs inappropriately putting pressure on themselves and is that hurting the rep of all CISOs as a result? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Andy Ellis (@csoandy), operating partner, YL Ventures. Thanks to our podcast sponsor, Orca Security Orca Security provides instant-on security and compliance for AWS, Azure, and GCP - without the gaps in coverage, alert fatigue, and operational costs of agents or sidecars. Orca detects and prioritizes risk in minutes - not months - and is trusted by global innovators, including Databricks, Lemonade, Gannett, and Robinhood. In this episode: Is the hiring process for CISOs broken? Why CISOs aren't willing to share samples of their risk assessments Working with a vCISO through an MSSP What are the biggest misconceptions cybersecurity people have about CISOs?
Excuse Me, What Bribes Do You Accept?
All links and images for this episode can be found on CISO Series https://cisoseries.com/excuse-me-what-bribes-do-you-accept/ The security vendor/practitioner sales cycle would go a lot faster and smoother if CISOs would just take an "incentive" for a meeting. Just tell me what "incentive" you would like. I'm sure it'll cost me a lot less than what I'm spending on marketing and sales. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Allison Miller (@selenakyle), CISO, reddit. Allison is available on reddit at /u/UndrgrndCartographer. Thanks to our podcast sponsor, Living Security Why We're Breaking Security Awareness (And You Should Too) Attend This Free, Virtual Conference From Your Home, Office, Or Even Your Couch. Living Security is breaking the mold of security awareness to wage war on the human risk factor with evolved strategies for the way we live, work, and play today. Join cybersecurity industry thought leaders for fresh, modern perspectives designed to help you change behaviors and reduce your organization's risk in a world where life happens online. This year's sessions will cover: Human Risk Management Social Engineering DEI In Cybersecurity Enterprise Security Awareness Remote Working Security Ransomware In this episode: Relying on the end-user to make an app secure is, in essence, shipping insecure software It's official: mandatory password changes are no longer in vogue What incentives would you accept to take a meeting with a vendor
Holy Crap! We've Been Doing This for Three Years!
All links and images for this episode can be found on CISO Series https://cisoseries.com/holy-crap-weve-been-doing-this-for-three-years/ On this day three years ago, Mike Johnson and I released the first episode of CISO Series' CISO/Security Vendor Relationship Podcast. Our primary goal was to talk about the strained yet much needed relationship between security practitioners and vendors. With the help of our guest Dan Walsh, CISO, VillageMD and plenty of contributors we look back and ask ourselves, "What's changed and has anything improved?" If you're interested in hearing the full story of how CISO Series started, listen to this episode of Defense in Depth with Mike Johnson and Allan Alford where we walk through the origins of what has become a rather sizable media network. Thanks to our podcast sponsor, Sonatype With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company's Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code. In this episode: What listeners get out of the show & what has changed in the industry How communication has changed among CISOs in three years Is there more compassion for vendors now? How is the vendor landscape changing?