CISO Series Podcast
David Spark, Mike Johnson, and Andy Ellis
Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.
Episodes

Oct 31, 2023 • 39min
I Taught DeNiro Security Theater, I Can Teach You.
Davi Ottenheimer, VP of Trust and Digital Ethics at Inrupt, dives into the complexities of security theater in organizations. He explains how security practices often persist due to optics and compliance, even when ineffective. The discussion includes tips for identifying security theater and communicating its risks to non-technical leadership. Davi also highlights the importance of maintaining trust during these transitions and shares insights on ethical AI, the risks of LLMs, and community shifts in the InfoSec landscape.

Oct 24, 2023 • 44min
A CEO's Guide To Ignoring Your Security Program (LIVE in Santa Monica)
All links and images for this episode can be found on CISO Series.

Usually the buck stops with the CEO. But for a CISO, what do you do when a CEO wants to exempt themselves from your security program? Whether it's granting privileged network access or just ignoring protocols, it can put a CISO in a tough spot. So how do you deal with a leader who thinks they're above the controls you have in place? Is it enough to document your disagreement, or is there anything else you can do in that position?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and John C. Underwood, VP, information security, Big 5 Sporting Goods. Joining me is our guest, Joshua Scott, Head of Security and IT, Postman.

Thanks to our podcast sponsor, Veza. 75% of breaches happen because of bad permissions. The problem is that you don't know exactly WHO has access to WHAT data in your environment. For example, roles labeled as "read-only" can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission—in every app—across your environment.

In this episode: For a CISO, what do you do when a CEO wants to exempt themselves from your security program? How do you deal with a leader who thinks they're above the controls you have in place? Is it enough to document your disagreement, or is there anything else you can do in that position?

Oct 17, 2023 • 38min
Security Awareness Lifecycle: Turn On, Tune In, Drop Out
The podcast discusses the effectiveness of security measures in preventing cyberattacks and the need to better understand misconfigurations in cloud security. It also highlights the importance of involving and empowering developers in app security, the debate between default security and no security settings, and the shift from securing to protecting the software supply chain through risk management.

Oct 10, 2023 • 37min
Threats In SaaS Are Closer Than They Appear
Explore how organizations are grappling with the rise of generative AI and managing new technology risks. Learn about the shift towards business units taking ownership of SaaS security and the challenges for security teams. Discover the importance of setting policies, compliance regulations, and budget allocation in companies. Understand the role of security in reducing risk for businesses and quantifying cyber risks to justify security spending.

Oct 3, 2023 • 38min
We Can Name 50 CISOs. Let's Give Them an Award!
All links and images for this episode can be found on CISO Series.

If you search online, you'll find no dearth of lists claiming to rank the top security leaders. The question is, how do these actually get created? Most of the time, these lists include CISOs from the biggest companies, or the ones with the best name recognition. But is that any kind of objective criterion? These lists generally serve the interest of boosting the credibility of the publisher, rather than being based on any kind of rigor. Is there any way to make these lists anything but fluff?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Janet Heins, CISO, iHeartMedia.

Thanks to our podcast sponsor, LimaCharlie. Whether you're looking for endpoint security, an observability pipeline, detection and response rules, or other underlying security capabilities, LimaCharlie's SecOps Cloud Platform helps you build a flexible and scalable security program that can evolve as fast as threat actors. Move your SecOps into the modern era. Learn more at limacharlie.io.

In this episode: If you search online, you'll find no dearth of lists claiming to rank the top security leaders. The question is, how do these actually get created? Is there any kind of objective criterion? Is there any way to make these lists anything but fluff?

Sep 26, 2023 • 43min
C is for C-Suite, Except If You're a CISO
Mary Rose Martinez, CISO at Marathon Petroleum, joins the hosts to discuss why CISOs are not included in top company echelons. They explore the effectiveness of security actions in different organizations, communication techniques for reporting bad news to the board, the importance of transparency, assessing business continuity during cyber attacks, the consequences of ransomware, and the challenges faced by CISOs. The episode concludes with an announcement of a CISO Executive Summit and a thank you to the podcast sponsor.

Sep 19, 2023 • 42min
Part Man. Part Machine. All CISO. (Live in D.C.)
This podcast explores the potential benefits of AI for cybersecurity and the idea of an AI CISO. It discusses the importance of neurodiversity in cybersecurity hiring and creating an inclusive workplace. The hosts examine the use of language in security and advocate for a more collaborative reporting environment. They also delve into the concept of the attacker's advantage and play a game of risk management. The speakers engage in a lively discussion about extreme scenarios, including the role of AI in cybersecurity. The podcast concludes with a discussion on flexible time off and hiring, along with acknowledgements to the sponsor.

Sep 12, 2023 • 39min
Is This Just Bad Or "Call The Feds" Bad?
This podcast explores the regulatory requirements of a cyberattack and the role of the FBI in responding to such incidents. The hosts discuss the importance of personal development in cybersecurity careers and analyze cyber threat trends. They also compare the consequences of a loss of satellite networks and a global financial meltdown. The speaker shares their experience working with the FBI on an espionage case and recommends building relationships with them as a CISO.

Sep 5, 2023 • 38min
Giving Slack Slack Will Lead Your Teams to Discord
This podcast discusses the ongoing security mistakes organizations make with online collaboration apps, the risks and advancements of AI, the benefits of collaboration apps in eliminating shadow IT, and the challenges of information overload.

Aug 29, 2023 • 40min
Please Take Some Pens and Our Company Data On Your Way Out
Guest Lorna Koppel, CISO at Tufts University, discusses the challenges of off-boarding employees. They also explore the dilemma of sharing hacking details, hiring practices, and the risks of sharing work computers. The importance of cross-training, mental health, and self-care is emphasized.