CISO Series Podcast

All links and images for this episode can be found on CISO Series. CISOs and other security leaders have a lot of stress. But so do other C-level employees. Why does a CISO's stress seem that much more powerful? Is it that their job is still in constant development, or is the "C" in their name just in title, but not authority? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Aman Sirohi (@amangolf), CISO, People.ai. Thanks to our podcast sponsor, AuditBoard CrossComply is AuditBoard’s award-winning security compliance solution that allows organizations to build trust and scale their security compliance program with a connected risk platform that unifies SOC 2, ISO 2700x, NIST, CMMC, PCI DSS, and more across your organization. In this episode: Why does a CISO's stress seem that much more powerful? Is it that their job is still in constant development, or is the "C" in their name just in title, but not authority? What part of the supply chain security effort is truly building trust in your supplier and having ongoing reassurances that that trust is being maintained?

All links and images for this episode can be found on CISO Series. "The biggest threat to national security is that many of the most vital systems on the planet CURRENTLY run on outdated and insecure software," said Robert Slaughter of Defense Unicorns on LinkedIn. That's at the core of the third-party security issue. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Richard Marcus, vp, InfoSec, AuditBoard. Thanks to our podcast sponsor, AuditBoard CrossComply is AuditBoard’s award-winning security compliance solution that allows organizations to build trust and scale their security compliance program with a connected risk platform that unifies SOC 2, ISO 2700x, NIST, CMMC, PCI DSS, and more across your organization. In this episode: How big of a problem is outdated software in our industry? Is insecurity just the result of a lack of efficient process? How much does a company’s transparency before, during, and after a breach tell us about their corporate character? What's the behavior after a breach you want to see that reaffirms your commitment to doing business with a vendor?

All links and images for this episode can be found on CISO Series Security leaders will often ask challenging or potentially gotcha questions as barometers to see if you can handle a specific job. They're looking not necessarily for a specific answer, but rather a kind of answer and they're also looking to make sure you don't answer the question a specific way. Don't get caught in the trap. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Quincy Castro, CISO, Redis. Thanks to our podcast sponsor, Okta Auth0 is the leading provider of customer identity solutions. Watch Jameeka Aaaron, CISO for Auth0, explain how to balance security with friction to create a safe authentication experience without compromising on privacy. In this episode: What parts of cybersecurity can you comfortably outsource? What parts of cybersecurity do you want to outsource, but can't? One of the major arguments for outsourcing is "Finding cyber talent is really tough." Do you agree with that rationale to outsource? When building a security program for a startup, how do you establish scope and requirements?

All links and images for this episode can be found on CISO Series If you know a difficult concept very well and you're incapable of explaining it simply to others who don't understand it, it's known as the "curse of knowledge." It is for this reason far too many talented cybersecurity professionals struggle to educate others. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Okey Obudulu (@okeyobudulu), CISO, Skillsoft. Thanks to our podcast sponsor, Trend Micro Trend Micro Cloud One, a security services platform for cloud builders, delivers the broadest and deepest cloud security offering in one solution, enabling you to secure your cloud infrastructure with clarity and simplicity. Discover your dynamic attack surface, assess your risk, and respond with the right security at the right time. Discover more! In this episode: How important is knowing the crown jewels in your security program? Wouldn't a "crown jewel"-focused security program be myopic? Have you been guilty of "curse of knowledge" when you tried to explain something and what did you do to improve? How often does a security leader come into a program and have the sense they're starting out at square one?

All links and images for this episode can be found on CISO Series CISOs say stress and burnout are their top personal risks. Breaches, increased regulations, and the tech talent shortage are all contributors to the stress. Sure would be nice for the CISO and the rest of the team to look at a chart that showed the CISO's stress level in real time. This week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and special guest co-host Shawn Bowen (@SMbowen), CISO, World Fuel Services. Our guest is Meredith Harper (@mrhciso), svp, CISO, Synchrony. This episode was recorded in front of a live audience in Chicago at The City Hall nightclub for the opening night of Evanta's Global CISO Executive Summit. Thanks to our podcast sponsor, Cisco Cisco Secure delivers a streamlined, customer-centric approach to security that ensures it’s easy to deploy, manage, and use. We help 100 percent of the Fortune 100 companies secure work – wherever it happens – with the broadest, most integrated platform. Learn more at cisco.com/go/secure. In this episode: What do you think companies can do to alleviate this pressure and help a CISO better succeed? Why is there such a significant disconnect between companies’ increased commitment to diversity and inclusion and the day-to-day experiences of women of color? How can enterprise security maintain visibility into, and control over who and what is accessing their data?

All links and images for this episode can be found on CISO Series For some reason, the ABCs of sales ("Always Be Closing") in the world of cybersecurity sales has translated into "Always Be Creepy." Eagerness to make just a connection, forget closing, has turned into extremely forward approaches that would make anyone feel uncomfortable. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and my guests will be Steve Tran, CSO, Democratic National Committee and Matt Crouse, CISO, Taco Bell. It was recorded in front of a live audience in Santa Monica as part of the ISSA-LA Information Security Summit XII. Thanks to our podcast sponsor, Ostrich Cyber-Risk Ostrich Cyber-Risk “Birdseye” is a unified qualitative and quantitative cyber risk management application that allows you to quickly assess, prioritize and quantify your organization’s financial and operational risks in real-time, in one place. Benchmarked against industry-standards (NIST, CIS, ISO), Birdseye simulates risk scenarios, continuously tracks roadmap progress, and creates shareable reports. In this episode: What do security leaders do when they can't push through security initiatives they know should be done? Is this a real concern for CISOs, and if so, how does a CISO handle their staff when best efforts get thwarted? What's your advice for new CISOs when dealing with unsolicited sales emails from security vendors? Do they just ignore it all? Should they filter it out?

All links and images for this episode can be found on CISO Series After every breach, you hear the same mantra from the attacked company: "We take security and privacy seriously." It's lost all its meaning. But what if you truly ARE serious about how you handle security and privacy? Should you say "seriously" twice? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Geoff Belknap (@geoffbelknap), CISO, LinkedIn and co-host of Defense in Depth. It was recorded in front of a live audience at Microsoft's Silicon Valley Campus in Mountain View, California as part of a regular ISSA-SV and ISSA-SF meeting. Check out all the fantastic photos from the event here. Thanks to our podcast sponsor, SafeBreach and Noname Security SafeBreach provides continuous security control validation powered by our breach and attack simulation (BAS) platform. We enable security leaders to proactively prioritize remediation efforts and drive ROI quickly by consolidating technology costs around what truly enhances your security posture. Real-world attacks. Real-time results. Prevent API attacks in real-time with automated AI and ML-based detection from Noname Security. Monitor API traffic for data leakage, data tampering, data policy violations, suspicious behavior, and API security attacks. Integrate with your existing IT workflow management system like Jira, ServiceNow, or Slack for seamless remediation. Learn more at nonamesecurity.com/runtime-protection In this episode: If you truly ARE serious about how you handle security and privacy, should you say "seriously" twice? Given the immense complexity not just on integration but also training, are we going to see more consolidation of point solutions into suites? When would it make sense for a company to completely dump their security team and completely outsource it? And if you were to outsource it, what the heck would that look like?

All links and images for this episode can be found on CISO Series There are vendors that CISOs can't look away from. Who are they and what did they do to get so much attention from CISOs? This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Saša Zdjelar, svp, security assurance, Salesforce. Thanks to our podcast sponsor, Sysdig Sysdig is driving the standard for cloud and container security. With Sysdig, teams find and prioritize software vulnerabilities, detect and respond to threats, and manage cloud configurations, permissions and compliance. Customers get a single view of risk from source to run, with no blind spots, no guesswork, no black boxes. In this episode: What’s a great approach from a security vendor? What techniques do CISOs deploy to cut through the marketing noise? Can you think of vendors that were so good that you couldn't ignore them. What made them achieve that status?

All links and images for this episode can be found on CISO Series If you want to build a successful cybersecurity team, you need to be diverse, mostly in thought. But that diversity in thought usually is the result of people with diverse backgrounds who have had different experiences and have solved problems differently. It's actually really hard to hire a diverse team because what you want to do is simply hire people who look, talk, and sound like you. People who come from the same background as you. While that may work for building friends, it's not necessarily the best solution when building a team to secure your company. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is George Finney (@wellawaresecure), CISO, Southern Methodist University and author of “Well Aware: The Nine Cybersecurity Habits to Protect Your Future” and "Project Zero Trust." Thanks to our podcast sponsor, Feroot Feroot secures client-side web applications so that businesses can deliver a flawless and safe digital user experience to their customers. Our automated, client-side, data protection capabilities increase web application visibility, facilitate threat analysis, and detect and protect from client-side attacks, such as Magecart, XSS, e-skimming, and other threats focused on front-end web applications. In this episode: What are the personality types you need on your staff? Can you be a vCISO if you're not a CISO first. And if you're a vCISO without ever being a CISO, are you just a cybersecurity consultant? Also, what are some creative uses of honeypots most users don't consider?

All links and images for this episode can be found on CISO Series What are signs your team is getting burnt out? It's not an imbalance of work and family, it's feeling you're having no impact. That you're working your tail off and nothing is getting accomplished. This happens often in cybersecurity. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Sara-Michele Lazarus, vp/head of trust and security, Stavvy. Thanks to our podcast sponsor, Sysdig Sysdig is driving the standard for cloud and container security. With Sysdig, teams find and prioritize software vulnerabilities, detect and respond to threats, and manage cloud configurations, permissions and compliance. Customers get a single view of risk from source to run, with no blind spots, no guesswork, no black boxes. In this episode: What are signs your team is getting burnt out? What's the most valuable skill in a cybersecurity analyst? Why are we seeing so many zero day exploits right now?