Defense in Depth

All links and images for this episode can be found on CISO Series What are you doing to prepare for the next cyber disaster? You must train for it, because when it happens, and it will happen, everyone should know what they need to do. Check out this post for the discussions that are the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Roland Cloutier (@CSORoland), CISO, TikTok. Thanks to our podcast sponsor, Keyavi Data that protects itself? Now it does! We made data so smart it can think for itself. Secure itself. Stay continually aware of its surroundings. Control where, when and who is allowed access. And automatically report back to its owner. This changes the entire cybersecurity paradigm. Learn how. In this episode: What is the importance of cyber crisis management and training? What are the best ways to prepare for a cyber disaster? How to build exercises and training into a successful cybersecurity culture?

All links and images for this episode can be found on CISO Series What if you didn't spend all your time patching vulnerabilities but instead created a security policy that prevented known vulnerabilities from being exploited. How doable is this solution of virtual patching? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Ody Lupescu, CISO, Ethos Life. Thanks to our podcast sponsor, Araali Networks Managing vulnerabilities at the speed and scale of the cloud is challenging, especially when the implications of a single mistake gives attackers an asymmetric advantage over defenders. Araali allows your security teams to resilient patch and monitor the most valuable apps and services so they cannot be exploited even if they are vulnerable. To learn more, visit araali. In this episode: What is virtual patching really? Is it a misnomer? What gets missed when it comes to virtual patching? Looking at a comprehensive approach to virtual patching.

All links and images for this episode can be found on CISO Series A 500+ person company doesn't have a security department. They need one and they need to convince the CEO they need one. How do you build a cybersecurity team and program from scratch? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Rishi Tripathi (@ris12hi), CISO, Mount Sinai Health System. Thanks to our podcast sponsor, Tines Tines was founded by experienced security practitioners who cared about their teams. When they couldn't find an automation platform that delivered, they founded a company and built their own. A few years later, customers like Coinbase, McKesson, and GitLab run their most important security workflows on Tines – everything from phishing response to employee onboarding. To learn more, visit tines.com. In this episode: How to go about measuring risk? Leveraging compliance to get the point across. What needs to be considered to make a program uniquely geared to your company's needs?

All links and images for this episode can be found on CISO Series "If you want to catch a cybercrook, you need to think like one." But how do you actually go about thinking like a cybercriminal? What's the actual process? Check out this post and this post for the discussions that are the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Brian Brushwood (@shwood), creator of Scam School and World's Greatest Con. Plus he's launched multiple channels with millions of subscribers and multiple number one comedy albums. Plus, he's a touring magician. He's our first non-cyber professional guest, but he is so perfect for this episode. Thanks to our sponsor, Varonis On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to "Zero Trust." Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries. In this episode: How much does actively thinking like a crook help build your cyber defenses? How do you actually go about thinking like a cybercriminal How do you break down their process?

All links and images for this episode can be found on CISO Series Could you build a data-first security program? What would you do if you focused your security program on just the asset? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Brian Vecci (@brianthevecci), field CTO, Varonis. Thanks to our sponsor, Varonis On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to "Zero Trust." Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries. In this episode: Do I know where my sensitive data lives? How can I tell? Why do all the tools that try to classify data fail miserably? How much should we teach the data owners about risks in collecting and storing the information?

All links and images for this episode can be found on CISO Series Offensive security or "hacking back" has always been seen as either unethical or illegal. But now, we're seeing a resurgence in offensive security solutions. Are we redefining the term, or are companies now "hacking back?" Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Eric Hussey, CISO, Aptiv. Thanks to our podcast sponsor, Varonis On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to "Zero Trust." Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries. In this episode: Has the definition of offensive security changed? Can we truly fight back without legal repercussions? How does it apply when hackers hide behind proxies? Is hacking back even worth it?

All links and images for this episode can be found on CISO Series A security professional announces a new position as CISO. As a vendor you see this as good timing to try a cold outreach to sell your product. Why do so many vendors think this is a good tactic, when in reality it's exactly what you should not do? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Yaron Levi (@0xL3v1), CISO, Dolby. In this episode: Is the pouncing on new CISOs actually a successful sales technique? Should vendors refine their relationship, and focus on "pull" rather than "push"? What about focusing on content marketing and thought leadership? Should vendors shift from "marketplace" to "metricplace?"

All links and images for this episode can be found on CISO Series How do you begin building a cyber security culture for the whole company? And more importantly, how do you maintain that? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Mike Hanley (@_mph4), CSO, GitHub. Thanks to our podcast sponsor, Anjuna Anjuna Confidential Cloud software effortlessly enables enterprises to safely run even their most sensitive workloads in the public cloud. Unlike complex perimeter security solutions easily breached by insiders and malicious code, Anjuna leverages the strongest secure computing technologies available to make the public cloud the most secure computing resource anywhere. In this episode: When building a cybersecurity culture, where is the most important place to start? How can we avoid it just becoming "lip service"? How can we blend cybersecurity culture into the main corporate culture?

All links and images for this episode can be found on CISO Series You're a security vendor and you've got a short briefing with a security analyst from a research firm. What do you want to get across to them, and what do you want to hear back from them? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Ed Amoroso (@hashtag_cyber), founder and CEO, Tag Cyber. Huge thanks to our sponsor, Cymulate The Ultimate Guide to Security Posture Validation: Learn how to effectively measure and reduce risk through continuous validation of your enterprise's security posture. Download the playbook here. In this episode: What are the right questions to ask? How can we better understand each other? What to NOT do in an analyst conversation

All links and images for this episode can be found on CISO Series Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is Michael Johnson, CISO, Novi (the financial arm of Meta, formerly Facebook) Thanks to our podcast sponsor, Anjuna Anjuna Confidential Cloud software effortlessly enables enterprises to safely run even their most sensitive workloads in the public cloud. Unlike complex perimeter security solutions easily breached by insiders and malicious code, Anjuna leverages the strongest secure computing technologies available to make the public cloud the most secure computing resource anywhere. In this episode: Which is safer for sensitive data: public cloud or on-prem? Is it the technology, the people or the process that makes the difference? Who is most affected by the public/on-prem decision? Where does technical debt fit into this?

All links and images for this episode can be found on CISO Series Security professionals are drowning in activities. Not all of them can be valuable. What should security professionals stop doing be to get back some time? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Jim Rutt, CISO, Dana Foundation. Thanks to our podcast sponsor, Thinkst Most companies discover they've been breached way too late. Thinkst Canary fixes this: just 3 minutes of setup; no ongoing overhead; nearly 0 false positives, and you can detect attackers long before they dig in. Check out why our Hardware, VM and Cloud-based Canaries are deployed and loved on all 7 continents. In this episode: What tool or process should we stop doing to stop wasting time? Are "third-party risk reviews" useful at all? Can we smooth out the sales cycle? Are users to blame, or are they the victims?

How seamless are Distributed Denial of Service or DDoS solutions today? If you get a denial of service attack, how quickly can these solutions snap into action with no manual response by the user? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Alastair Cooke (@demitasenz), analyst, GigaOm. Huge thanks to our podcast sponsor, MazeBolt In this episode: Where should a DDoS solution reside? What vital elements should go into a DDoS solution? Do we need more automation and intelligence in these solutions? How involved should the customer be with their DDoS solution?

All links and images for this episode can be found on CISO Series Knowing is only one-third the battle. Another third is responding. And the last third is responding quickly. It's not enough to just have the first two thirds. We need to be faster, but how? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Jason Elrod (@jasonelrod), CISO, MultiCare Health System. Thanks to our podcast sponsor, Eclypsium Eclypsium is the enterprise firmware security company. Our comprehensive, cloud-based platform identifies, verifies, and fortifies firmware and hardware in laptops, servers, network gear and devices. The Eclypsium platform secures against persistent and stealthy firmware attacks, provides continuous device integrity, delivers firmware patching at scale, and prevents ransomware and malicious implants. In this episode: What can we do as a pragmatic first step to make our cybersecurity teams quicker and more responsive? Would continuous authorization and real time emergency messaging help? Should we improve test automation? What about people - better teaching & work conditions?

All links and images for this episode can be found on CISO Series Automation was supposed to make cybersecurity professionals' lives simpler. And it was supposed to solve the talent shortage. Has any of that actually happened? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Brian Lozada (@brianl1775), CISO, HBOMax. Thanks to our podcast sponsor, deepwatch Increasing ransomware attacks and their evolving sophistication have been putting more pressure on security teams than ever before. Luckily, managed detection and response (or MDR) has emerged as a critical component for improving security operations, reducing ransomware risk, and minimizing the overall impact an attack can have. Visit deepwatch.com to see how we help to prevent breaches for our customers, by working together. In this episode: Should we be disappointed with what automation has actually delivered? Is it a tools vs people thing? Should we be better at assessing the impact of automation? Should we change the way we hire to help with automation?

All links and images for this episode can be found on CISO Series Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is Josh Yavor (@schwascore), CISO, Tessian. Thanks to our podcast sponsor, Tessian 95% of breaches are caused by human error. But you can prevent them. Learn how Tessian can stop "OH SH*T!" moments before they happen, why Tessian has been recognized by analysts like Gartner and Forrester, and which world-renowned companies trust the platform to protect their data. In this episode: What do you do for the attacks your rule sets can't catch? Would it help if we eliminated email systems as the standard b2b toolset for communications? Are there any better ways to handle spearphishing? Are you ready to add BCC - Business communications compromise to your threat list?

All links and images for this episode can be found on CISO Series Why is cybersecurity becoming so complex? What is one thing we can do, even if it's small, to head us off in the right direction of simplicity? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Leda Muller, CISO at Stanford, Residential and Dining Enterprises. Thanks to our podcast sponsor, Eclypsium Eclypsium is the enterprise firmware security company. Our comprehensive, cloud-based platform identifies, verifies, and fortifies firmware and hardware in laptops, servers, network gear and devices. The Eclypsium platform secures against persistent and stealthy firmware attacks, provides continuous device integrity, delivers firmware patching at scale, and prevents ransomware and malicious implants. In this episode: Is cybersecurity becoming too complex? Should we change the way we talk about security to management? Maybe it's time to reframe the argument?

All links and images for this episode can be found on CISO Series Security convergence is the melding of all security functions from physical to digital and personal to business. The concept has been around for 17 years yet organizations are still very slow to adopt. A company's overall digital convergence appears to be happening at a faster rate than security convergence. Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest is Anne Marie Zettlemoyer (@solvingcyber), business security officer, vp, security engineering, MasterCard. Thanks to our podcast sponsor, Tessian 95% of breaches are caused by human error. But you can prevent them. Learn how Tessian can stop "OH SH*T!" moments before they happen, why Tessian has been recognized by analysts like Gartner and Forrester, and which world-renowned companies trust the platform to protect their data. Why are we still holding back on security convergence? Is it a matter of "if" or "when"? What happens when physical and info security are run by different departments? How can we measure the risks?

All links and images for this episode can be found on CISO Series In most jobs there's often a clear indicator if you're doing a good job. In security, specifically security leadership, it's not so easy to tell. "Nothing happening" is not an effective measurement. So how should security performance be graded? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest is Deneen DeFiore (@deneendefiore), CISO, United Airlines. Thanks to our podcast sponsor, Tessian In this episode: How should security performance be graded? Is "keeping it simple" the best option? What's the best measurement option?

All links and images for this episode can be found on CISO Series If we're going to turn the tables against our adversaries, everything from our attitude to our action needs to change to a format where attacks and breaches are not normalized, and we know the what and how to respond to it quickly. Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our sponsored guest Scott Scheferman (@transhackerism), principal strategist, Eclypsium. Thanks to our podcast sponsor, Eclypsium Eclypsium is the enterprise firmware security company. Our comprehensive, cloud-based platform identifies, verifies, and fortifies firmware and hardware in laptops, servers, network gear and devices. The Eclypsium platform secures against persistent and stealthy firmware attacks, provides continuous device integrity, delivers firmware patching at scale, and prevents ransomware and malicious implants. Moving from a reactive to a proactive attitude Accelerating teams' ability to respond before damage happens Stopping marketing informing your strategy Patching "fast enough to matter"

All links and images for this episode can be found on CISO Series Is it too much experience? Is it that they're difficult to work with? Do they want too much money? Will they not be motivated? Are cyber professionals over the age of 40 being discriminated in hiring practices? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Ben Sapiro, head of technology risk and CISO at Canada Life. Thanks to our podcast sponsor, Qualys Qualys is a pioneer and leading provider of cloud-based security and compliance solutions. In this episode: Are cyber professionals over the age of 40 being discriminated in hiring practices? Is "older experience" a threat to younger managers? Do older professionals have too much attitude? What other work options exist for the 40+ expert?

All links and images for this episode can be found on CISO Series How do we turn the tide from reactive to proactive patch management? Does anyone feel good about where they are with their own patch management program? What would it take to get there? Check out this post and this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Sumedh Thakar (@sumedhthakar), CEO, Qualys. Thanks to our podcast sponsor, Qualys Qualys is a pioneer and leading provider of cloud-based security and compliance solutions. In this episode: How do we turn the tide from reactive to proactive patch management? Do cultural differences make a difference? Do we need a new framework or template?

All links and images for this episode can be found on CISO Series Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Tony Sager (@sagercyber), svp, and chief evangelist, Center for Internet Security. Thanks to our podcast sponsor, Qualys In this episode: What role should HR play in the hiring process of cybersecurity candidates? What happens when HR's algorithms don't see the right keywords? What are some better ways to get noticed by a human decision maker?

All links and images for this episode can be found on CISO Series Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Andy Ellis (@csoandy), operating partner, YL Ventures. Thanks to our podcast sponsor, Varonis What is your ransomware blast radius? The average user can access 17 million files. Varonis reduces your blast radius in days, not years. Combined with advanced detection that monitors every file touch, ransomware doesn't stand a chance. Get a free risk assessment. In this episode: What are some "positive vendor engagement" characteristics? What tips can we share with vendors who want to build a lasting good impression? How can a vendor go about building trust?

All links and images for this episode can be found on CISO Series When a senior person at your company asks you, "Are we secure?" how should you respond? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our guest Paul Truitt, principal US cyber practice leader, Mazars. Thanks to our podcast sponsor, Varonis Still in the news is REvil's ransomware attack on Kaseya VSA servers. Varonis is here to help mitigate the blast radius of such attacks. Want a step-by-step guide on what you should be looking for? Learn more about how to prevent ransomware. In this episode: When a senior, non-technical person asks, "Are we secure?" how do you respond?" What does this question say about an executive's engagement level? Why are they asking this now? How relevant/accurate is this question anyway?

What are the tell tale signs you've got ransomware before you receive the actual ransomware threat? Check out this post and this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our sponsored guest Brian Vecci (@BrianTheVecci), field CTO, Varonis. Thanks to our podcast sponsor, Varonis What is your ransomware blast radius? The average user can access 17 million files. Varonis reduces your blast radius in days, not years. Combined with advanced detection that monitors every file touch, ransomware doesn't stand a chance. Get a free risk assessment. In this episode: How to catch the ransomware threat earlier The individual capabilities needed in a full anti-ransomware stack Honeypots and anomalous behavior Back to basics: look at how ransomware works

All links and images for this episode can be found on CISO Series Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Robert Wood (@holycyberbatman), CISO at Centers for Medicare & Medicaid Services. Thanks to our podcast sponsor, Living Security Traditional approaches to security communication are limited to one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely affect long-term behavioral change. This report lays out a four-step plan that CISOs should follow to manage the human risk. It provides design principles for creating transformational security awareness initiatives which will win the hearts and minds of senior executives, employees, the technology organization, and customers. In this episode: Will there be a day that phishing can be solved by technology? Does more training lower risk? Is it enough just to protect "inside" the environment? What can we do to change the culture?

All links and images for this episode can be found on CISO Series SIEM tools that ingest and analyze data are ubiquitous in security operations centers. But just knowing what's happening in your environment is not enough. For competitive reasons, must SIEM tools expand and offer more automation, intelligence, and the ability to act on that intelligence? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Chris Grundemann (@ChrisGrundemann), category lead, security, GigaOm. Thanks to our podcast sponsor, Keyavi Cyber criminals who attack healthcare systems know medical record information has tremendous value for stealing identities. If you infuse personally identifiable information with geographical awareness and intelligence, you dramatically reduce the risk of patient identity theft. Join a live demo session on www.keyavi.com/sessions to learn more. In this episode: Will products from these two categories just merge as one product? Or will they NEED to merge? Are there advantages for them to stay separate? Where does "trust" fit into this merger?

All links and images for this episode can be found on CISO Series Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our guest Adam Keown, director, information security, Eastman. Thanks to our podcast sponsor, VMware In this episode: What's more valuable to get hired: degrees or experience? What's better: narrow focus or broad skill range? What's more attractive: knowledge or drive? What's the deal: is there even such a thing as "entry level"?

All links and images for this episode can be found on CISO Series What is the most critical step to preventing ransomware? Security professionals may be quick to judge users and say it's a lack of cyberawareness. Could it be something else? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Rebecca Harness (@rebeccaharness), CISO, St. Louis University. Thanks to our podcast sponsor, VMware In this episode: What is the one critical step to preventing ransomware? The importance of leadership and employee buy-in How to make training and education actually work Should backups be included on this list? What about the supply chain?

All links and images for this episode can be found on CISO Series For four years in a row, Verizon's DBIR, has touted compromised credentials as the top cause of data breaches. That means bad people are getting in yet appearing to be legitimate users. What are these malignant users doing inside our network? What are the techniques to both understand and allow for good yet thwart bad lateral movement? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our sponsored guest Sandy Wenzel (@malwaremama), cybersecurity transformation engineer, VMware. Thanks to our podcast sponsor, VMware In this episode: Why are bad people getting inside our networks? Can machine learning help find them? How can we separate lateral movement from credential stuffing? Would using threat modeling and going passwordless help?

All links and images for this episode can be found on CISO Series You've just joined a company as CISO, what's the very first step you would take to improve the security posture of your new company? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our guest Olivia Rose, vp of IT and security, Amplitude. Thanks to our podcast sponsor, Proofpoint Sixty six percent of CISOs feel their organization is unprepared to handle a cyberattack and 58% consider human error to be their biggest cyber vulnerability. Proofpoint's 2021 Voice of the CISO report explores key challenges facing CISOs after an unprecedented twelve months. Get the report. In this episode: How can new CISOs fast-track their learning process to make better decisions sooner? How much does the CISO need to know about the environment before they start pentesting? Using a " Power Interest Matrix" to help manage the people who influence your work Why aligning with HR is a key move

All links and images for this episode can be found on CISO Series How is ransomware getting into your network? Is the path direct, like via email, or does it take a more circuitous route? Check out this post and this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our sponsored guest Ryan Kalember (@rkalember), evp, cybersecurity strategy, Proofpoint. Thanks to our podcast sponsor, Proofpoint Sixty six percent of CISOs feel their organization is unprepared to handle a cyberattack and 58% consider human error to be their biggest cyber vulnerability. Proofpoint's 2021 Voice of the CISO report explores key challenges facing CISOs after an unprecedented twelve months. Get the report. In this episode: What role do email and phishing actually play? Has working from home really increased the threat? How dwell time has changed things Getting up to speed on sufficient backups

All links and images for this episode can be found on CISO Series Why should security professionals get certifications? Do they actually teach you what you need to know to solve cybersecurity challenges? OR do they act as gateways or approval checks to be admitted into the field of cybersecurity? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Will Gregorian (@willgregorian), head of IT and security, Rhino and our guest Shawn M. Bowen (@smbowen), CISO, World Fuel Services. Thanks to our podcast sponsor, Palo Alto Networks First, every company became a software company. Now, every company needs to be a cybersecurity company too. Prisma Cloud from Palo Alto Networks a single security platform that delivers comprehensive protection from code through app, so your company can keep doing what it's supposed to do. Learn more at paloaltonetworks.com/prisma/cloud. In this episode: Are certifications like the CISSP necessary? Even if they are necessary to get hired, are they relevant? Let's say something good about certs. Who benefits most from certs? The candidate or the hiring manager?

All links and images for this episode can be found on CISO Series How are you measuring your progress and success with cloud security? How much visibility into this are you providing to your engineering teams? Check out this post and this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn and our sponsored guest Matthew Chiodi (@mattchiodi), CSO, public cloud, Palo Alto Networks. Thanks to our podcast sponsor, Palo Alto Networks If you're doing cloud security right, no one knows if you've done anything. When you do it wrong, well, you end up on Cybersecurity Headlines. Prisma Cloud from Palo Alto Networks helps ensure your security stays in the quietly appreciated group. It's a single security platform that delivers comprehensive protection from code to cloud. Learn more at paloaltonetworks.com/prisma/cloud. In this episode What requirements need to be measured? Measuring against compliance Building a company-specific guardrails framework Measuring team performance by number of opened and closed issues

All links and images for this episode can be found on CISO Series What does a young person, eager to get into cybersecurity, have to show or prove to land their first help desk, tech support role? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn and our guest Bryan Zimmer (@bryanzimmer), head of security, Humu. Thanks to our podcast sponsor, Palo Alto Networks In 1666, Sir Isaac Newton famously used a prism to disperse white light into colors. Today, cloud security professionals use Prisma Cloud from Palo Alto Networks to disperse full lifecycle security and full stack protection across their multi- and hybrid-cloud environments. We think Sir Isaac would approve. Learn more about Prisma Cloud paloaltonetworks.com/Prisma/cloud. In this episode Balancing out certifications and experience If we train you, will you stay, or will you leave? What's your compelling story that shows what you can do? Researching the competition: what are other candidates doing?

All links and images for this episode can be found on CISO Series What do we want the Board and C-Suite to know about cybersecurity? If you could teach them one thing about cybersecurity that would stick, what would that be? Check out this post and this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn and our guest Phil Huggins (@oracuk), CISO, NHS Test & Trace, Department of Health and Social Care. Thanks to our podcast sponsor, Proofpoint Sixty six percent of CISOs feel their organization is unprepared to handle a cyberattack and 58% consider human error to be their biggest cyber vulnerability. Proofpoint's 2021 Voice of the CISO report explores key challenges facing CISOs after an unprecedented twelve months. Get the report. In this episode What the Board needs to know to make the CISO's job more effective It's not about the Board understanding cyber – but it is about mitigating risk Security is a shared responsibility: Board & CISOs Using other companies' breaches as Board learning opportunities

All links and images for this episode can be found on CISO Series The demand for CISOs is growing due to increased regulations and cyber threats. Yet, while the demand is there, the supply keeps rotating. Companies think the next CISO is going to fix the problems of the last one. Why is a CISO's tenure so short and why is the hiring process for CISOs so disjointed? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, Steve Zalewski, and Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers Thanks to our podcast sponsor, RevCult On average, 18 percent of all your Salesforce data fields are highly sensitive and 89 percent of users have access to that data. RevCult is the only solution that helps you understand the data you have in Salesforce, and if you're protecting it. Get a free Salesforce Security Self-Assessment to understand your Salesforce security weaknesses. In this episode: Why a CISO's tenure is so short and why they leave The value of keeping risk management in the CISO's sights The need to clarify the CISO role in the mind of the executive The need to clarify the CISO role in the mind of the CISO

All links and images for this episode can be found on CISO Series Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Liam Connolly, CISO, Seek. and our guest Ben Sapiro (@ironfog), head of technology risk and CISO, Canada Life. Thanks to our podcast sponsor, RevCult On average, 18 percent of all your Salesforce data fields are highly sensitive and 89 percent of users have access to that data. RevCult is the only solution that helps you understand the data you have in Salesforce, and if you're protecting it. Get a free Salesforce Security Self-Assessment to understand your Salesforce security weaknesses. In this episode: What actions can a manager take to retain staff? What do team members/employees want? How important is team chemistry? Establishing a creative thinking culture

All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-salesforce-security/ Thanks to our podcast sponsor, RevCult On average, 18 percent of all your Salesforce data fields are highly sensitive and 89 percent of users have access to that data. RevCult is the only solution that helps you understand the data you have in Salesforce, and if you're protecting it. Get a free Salesforce Security Self-Assessment to understand your Salesforce security weaknesses. In this episode: Where is Salesforce delivering in security controls and where is it falling short? Salesforce security is more than just a single topic Working with 3rd party SalesForce apps

All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-cloud-configuration-fails/ Why do we hear so many stories about incidents related to poor or misconfigured cloud services? Check out this post and this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn and our sponsored guest, Brendan O'Connor, CEO, AppOmni. Thanks to our podcast sponsor, AppOmni AppOmni is building the future of SaaS security. We empower our users to enforce security standards across their SaaS applications, and enable them to remediate in confidence knowing they're fixing the most important SaaS security issues first. Contact us at www.appomni.com to find out who - and what - has access to your SaaS data. In this episode: Why configuration drift and 3rd party access are still significant issues Are cloud providers to blame? The dynamic nature of cloud over time – we can't keep up! Who is ultimately responsible?

All links and images for this episode can be found on CISO Series https://cisoseries.com/starting-pay-for-cyber-staff/ What should an entry level cybersecurity person be paid? And what level of education and training should be expected of them? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Naomi Buckwalter (@ineedmorecyber), director of information security and IT at Beam Technologies, and our guest Dan Walsh (@danwalshciso), CISO, VillageMD. Thanks to our podcast sponsor, AppOmni AppOmni is building the future of SaaS security. We empower our users to enforce security standards across their SaaS applications, and enable them to remediate in confidence knowing they're fixing the most important SaaS security issues first. Contact us at www.appomni.com to find out who - and what - has access to your SaaS data. In this episode: Discussing the $15/hour entry level position Why are qualified people applying for low paying entry level jobs? The classic: This entry level position needs prior experience Assessing the value that interns can bring

All links and images for this episode can be found on CISO Series. https://cisoseries.com/fear-of-automation/ Why are security professionals so darn afraid of automation? We continue to hold on to the idea that people have to be integral in the real-time decision process to protect ourselves from the technology we deploy to protect us. Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, and Steve Zalewski, CISO, Levi Strauss, with our guest Edward Frye (@edwardfrye), CISO, Aryaka Networks and president of Silicon Valley chapter of ISSA. AppOmni is building the future of SaaS security. We empower our users to enforce security standards across their SaaS applications, and enable them to remediate in confidence knowing they're fixing the most important SaaS security issues first. Contact us at www.appomni.com to find out who - and what - has access to your SaaS data. In this episode: Is it a fear of heavy lifting or not knowing what to lift? Is it a fear of change or a fear of cost? Is it a fear of automating human judgment?

All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-hiring-talent-with-no-security-experience/ Should you look for the ideal candidate that has all the security talent you want, or should you find the right person and train them with the security talent you want. And if the latter, what is the right person to work in security who doesn't have security experience? Check out this post and this Twitter discussion for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host, Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Dev Akhawe (@frgx), CISO, Figma. Thanks to our podcast sponsor, Sonatype With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company's Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code. Is there a cyber talent shortage? If so, does the shortage come from the hiring side? The dangers of leaving positions open too long The dangers of focusing on checklists vs. candidate potential

All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-security-hygiene-for-software-development/ How do we improve the quality of our software? In the rush to be competitive, security has often taken a back seat to be first to market. What's the formula for fast and secure applications? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host, Geoff Belknap (@geoffbelknap), CISO LinkedIn, and sponsored guest Wayne Jackson, CEO, Sonatype. Thanks to our podcast sponsor, Sonatype In this episode: Are we working too fast and under too much pressure to be secure? What types of scanning should we do, and how often? What about open source/third party software in the pipeline? What are the dangers inherent in purchasing "secure software"?

All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-how-much-do-you-know-about-your-data/ Do cybersecurity professionals even know what they're protecting? How aware are they of the data, its content and its sensitivity? What happens to your security posture when you do understand the data you're protecting? What can you do that you weren't able to do before? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, and Steve Zalewski, CISO, Levi Strauss, with our sponsored guest, Aidan Simister (@aidansimister), CEO, Lepide. Thanks to our podcast sponsor, Lepide Ninety eight percent of all threats start with Active Directory and nearly always involve the compromise of data stored on enterprise data stores. Lepide's unique combination of detailed auditing, anomaly detection, real time alerting, and real time data discovery and classification allows you to identify, prioritize and investigate threats – fast. In this episode: How much do you know about the data you are being asked to protect? Equating the value of the data to be protected with the cost of protection How to find out how data is being used Moving beyond the bare minimum of protection

All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-do-startups-need-a-ciso/ Startups are all about proving the value of their product and growth. At the beginning, all of their money is funneled into product and market development. When do they need a CISO, if at all? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, and guest co-host Jimmy Sanders (@jfireluv), head of cybersecurity for Netflix DVD and our guest is Bryan Zimmer (@bryanzimmer), head of security for Humu. Thanks to our podcast sponsor, Lepide Ninety eight percent of all threats start with Active Directory and nearly always involve the compromise of data stored on enterprise data stores. Lepide's unique combination of detailed auditing, anomaly detection, real time alerting, and real time data discovery and classification allows you to identify, prioritize and investigate threats – fast. In this episode: Should a company get a CISO right away, or wait until the security program matures? If they get a CISO should they go for "on-prem" or on-demand? Or.... should they just go and seek CISO-level advice from the security community?

All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-insider-risk/ By just doing their jobs, your employees are introducing risk to the business. They don't mean to be causing issues, but their simple actions and sometimes mistakes can cause great harm. Is it their fault, or is it security's fault for not creating the right systems? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host, Steve Zalewski, CISO, Levis, and our sponsored guest Mark Wojtasiak (@markwojtasiak), vp, portfolio strategy & product marketing, Code42 and author of Inside Jobs: Why Insider Risk is the Biggest Cyber Threat You Can't Ignore. Thanks to our podcast sponsor, Code42 Redefine data security standards for the hybrid workforce. Check out Code42. In this episode: Distractions and fatigue causing split-second mistakes The need for tailored education and training Making it easier for people to make the right choice Identify ways damage could happen, in order to mitigate

All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-whats-the-obsession-with-zero-trust/ Why is everyone obsessed with Zero Trust? Is it just a marketing ploy that vendors are using to sell their products? Or, is it truly a methodology that provides better security, especially in today's environment. Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host, Geoff Belknap (@geoffbelknap), CISO LinkedIn, Melody Hildebrandt (@mhil1), evp, product & engineering and CISO, Fox. Thanks to our podcast sponsor, Code42 Redefine data security standards for the hybrid workforce. Check out Code42. In this episode Does Zero Trust obscure the core principles it's supposed to serve? How does Zero Trust affect the assumptions around cybersecurity's control and ownership of a network What are the real Zero Trust best practices?

All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-mentoring/ Companies want security people with experience and they want to grow cybersecurity leaders. It's often hard to find that experience, and while there are certification courses aplenty, courses in cybersecurity leadership are hard to find. One possible solution is mentoring, but that has its own hurdles. Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host, Geoff Belknap (@geoffbelknap), CISO LinkedIn, and our guest Sean Catlett, CSO, Slack. In this episode The mutual value of being a mentor What obligations does a mentee have? Mentorship: large-scale concepts or day-to-day or both?

All links and images for this episode can be found on CISO Series https://cisoseries.com/defense-in-depth-securing-the-super-bowl-and-other-huge-events/ How do cybersecurity professionals secure a huge event like the Olympics, the Superbowl, or a city's New Year's Eve party? What are the unique considerations that come into play? Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Tomás Maldonado (@tomas_mald), CISO, NFL Thanks to our podcast sponsor, Lepide Ninety eight percent of all threats start with Active Directory and nearly always involve the compromise of data stored on enterprise data stores. Lepide's unique combination of detailed auditing, anomaly detection, real time alerting, and real time data discovery and classification allows you to identify, prioritize and investigate threats - fast. In this episode Protecting large events starts long before, like years before How threat actors targeting events differ from than those targeting companies It's not just the target - there's also public safety When it goes live, it GOES LIVE