
CISO Series Podcast
Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.
Latest episodes

Jul 20, 2021 • 34min
How Would You Like Your Cloud Misconfigured?
All links and images for this episode can be found on CISO Series.

Great, you just purchased the cloud. Are you a little confused as to what you're going to do with it? Not a problem. Let's get you set up right with a world class misconfiguration. That should leave you open to all kinds of breaches.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Johnathan Keith, CISO, Viacom/CBS Streaming.

Thanks to our podcast sponsor, AppOmni
AppOmni is building the future of SaaS security. We empower our users to enforce security standards across their SaaS applications, and enable them to remediate in confidence knowing they’re fixing the most important SaaS security issues first. Contact us at www.appomni.com to find out who - and what - has access to your SaaS data.

In this episode:
Why do we hear so many stories about poor & misconfigured cloud services?
The benefits of Infrastructure as Code (IaC)
What makes a vendor meeting worth your time?
What's the best way to learn about a company's culture in a job interview?

Jul 13, 2021 • 32min
It’s Only a Matter of Time Before We Lose Your Data
All links and images for this episode can be found on CISO Series.

We're trying really hard to keep our customers' data safe, but we all know given the number of attacks happening, our number will eventually come up, and we'll lose your data just like every other organization you trusted.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Sandy Dunn (@sub0girl), CISO, Blue Cross of Idaho.

Thanks to our podcast sponsor, Expel
Expel offers companies of all shapes and sizes the capabilities of a modern Security Operations Center without the cost and headache of managing one.

In this episode:
Dissecting Allen Gwynn's "one strike" opinion piece
Transitioning cybersec into a mindset for all employees
Shifting the risk: buying cyberinsurance instead of tools
What's the proper way to behave during a breach?

Jul 6, 2021 • 36min
His Credentials Say “Yes” But His Behavior Says “No Way”
All links and images for this episode can be found on CISO Series.

As good as our virtual bouncers are, they often let in people with what seems to be a valid ID, and then once they're in our nightclub they cause a disruption and we have to kick them out.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Sandy Wenzel (@malwaremama), cybersecurity transformation engineer, VMware. Sandy also recommends participating in Pro's vs. Joe's CTF.

Thanks to our podcast sponsor, VMware

In this episode:
How we have become more agile (and how we define agile)
Five skills every SOC analyst needs (and how to build them)
Lateral movement by threat actors (what have we heard enough of)
What are some good assignments to give a cybersecurity intern (and are there better ones?)

Jun 29, 2021 • 33min
We’re Experts at Finding Everything You’re Doing Wrong
All links and images for this episode can be found on CISO Series.

We're a brand new consultancy and we promise if you just let us poke around your network, we'll find something wrong. Because everyone has something wrong in their network.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Phil Huggins (@oracuk), CISO, NHS Test & Trace, Department of Health and Social Care.

Thanks to our podcast sponsor, VMware

In this episode:
Prioritizing the security challenges around risk and compliance
What to consider before starting your own security consulting business
The most valuable things you should learn from peers in your network or community

Jun 22, 2021 • 34min
Hey Old Man, Go Rotate Your Own Passwords
All links and images for this episode can be found on CISO Series.

If you're happy with your best practice of rotating passwords, that's great for you. Just don't lay your old-timey "rules for better security" on me, boomer.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Robb Reck (@robbreck), CISO on sabbatical and co-founder of Colorado=Security, a podcast and Slack community.

Thanks to our podcast sponsor, VMware

In this episode:
Who is supposed to put “security” into the shifted-left SDLC?
What's the scarcest resource to a CISO? Is it headcount or money?
What's the hardest part about being a CISO?
How to choose the “best” best practices.

Jun 15, 2021 • 39min
How CISOs Make It Worse for Other CISOs
All links and images for this episode can be found on CISO Series: https://cisoseries.com/how-cisos-make-it-worse-for-other-cisos/

Are CISOs inappropriately putting pressure on themselves and is that hurting the rep of all CISOs as a result?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Andy Ellis (@csoandy), operating partner, YL Ventures.

Thanks to our podcast sponsor, Orca Security
Orca Security provides instant-on security and compliance for AWS, Azure, and GCP - without the gaps in coverage, alert fatigue, and operational costs of agents or sidecars. Orca detects and prioritizes risk in minutes - not months - and is trusted by global innovators, including Databricks, Lemonade, Gannett, and Robinhood.

In this episode:
Is the hiring process for CISOs broken?
Why CISOs aren’t willing to share samples of their risk assessments
Working with a vCISO through an MSSP
What are the biggest misconceptions cybersecurity people have about CISOs?

Jun 8, 2021 • 32min
Excuse Me, What Bribes Do You Accept?
All links and images for this episode can be found on CISO Series: https://cisoseries.com/excuse-me-what-bribes-do-you-accept/

The security vendor/practitioner sales cycle would go a lot faster and smoother if CISOs would just take an "incentive" for a meeting. Just tell me what "incentive" you would like. I'm sure it'll cost me a lot less than what I'm spending on marketing and sales.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Allison Miller (@selenakyle), CISO, reddit. Allison is available on reddit at /u/UndrgrndCartographer.

Thanks to our podcast sponsor, Living Security
Why We're Breaking Security Awareness (And You Should Too). Attend this free, virtual conference from your home, office, or even your couch. Living Security is breaking the mold of security awareness to wage war on the human risk factor with evolved strategies for the way we live, work, and play today. Join cybersecurity industry thought leaders for fresh, modern perspectives designed to help you change behaviors and reduce your organization's risk in a world where life happens online. This year’s sessions will cover:
Human Risk Management
Social Engineering
DEI In Cybersecurity
Enterprise Security Awareness
Remote Working Security
Ransomware

In this episode:
Relying on the end-user to make an app secure is, in essence, shipping insecure software
It's official: mandatory password changes are no longer in vogue
What incentives would you accept to take a meeting with a vendor?

Jun 1, 2021 • 33min
Holy Crap! We’ve Been Doing This for Three Years!
All links and images for this episode can be found on CISO Series: https://cisoseries.com/holy-crap-weve-been-doing-this-for-three-years/

On this day three years ago, Mike Johnson and I released the first episode of CISO Series’ CISO/Security Vendor Relationship Podcast. Our primary goal was to talk about the strained yet much needed relationship between security practitioners and vendors. With the help of our guest Dan Walsh, CISO, VillageMD and plenty of contributors we look back and ask ourselves, “What’s changed and has anything improved?”

If you're interested in hearing the full story of how CISO Series started, listen to this episode of Defense in Depth with Mike Johnson and Allan Alford where we walk through the origins of what has become a rather sizable media network.

Thanks to our podcast sponsor, Sonatype
With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company’s Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code.

In this episode:
What listeners get out of the show & what has changed in the industry
How communication has changed among CISOs in three years
Is there more compassion for vendors now?
How is the vendor landscape changing?

May 25, 2021 • 36min
Something Stinks In Here. I Think It’s Your Code.
All links and images for this episode can be found on CISO Series: https://cisoseries.com/something-stinks-in-here-i-think-it's-your-code/

The problem isn't our users, it's you and your past due code. Something happened. It's either been tainted or expired, but whatever it is, it smells and you need to clean it up.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Brian Fox (@brian_fox), co-founder and CTO, Sonatype.

Thanks to our podcast sponsor, Sonatype
With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company’s Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code.

In this episode:
How do you know if your DevSecOps effort is going to fail?
How does an analyst justify their existence?
Managing malicious intruders in code libraries
Managing cybersecurity hygiene in the software chain

May 18, 2021 • 32min
Our Top Ten List of Vendors That Aren’t You
All links and images for this episode can be found on CISO Series: https://cisoseries.com/our-top-ten-list-of-vendors-that-arent-you/

You look at a top ten list to see if you made the list. Don't bother. You're not on it.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Nancy Hunter, VP, CISO, Federal Reserve Bank of Philadelphia.

Thanks to our podcast sponsor, Code42
Redefine data security standards for the hybrid workforce. Check out Code42.

In this episode:
Threat tracking: what’s better? Your SOC’s data or reading industry trends?
Finding good security people: what’s better? Existing skills/experience, or a hunger to learn?
Listing the things we like about security vendors
Diversity hiring still has some challenges