
CISO Series Podcast
Discussions, tips, and debates from security practitioners and vendors on how to work better together to improve security for themselves and everyone else.
Latest episodes

Nov 21, 2023 • 45min
Dear Abby: Should I Sell to a CISO During a Cyberattack? (LIVE in Mountain View)
Kurt Sauer, CISO at Docusign, discusses the appropriateness of vendors reaching out to CISOs after a cyberattack. The podcast also explores investing IP with generative AI and enhancing security. Other topics include dealing with known vs unknown vulnerabilities, the risks of sharing passwords, building a culture of reporting, and presenting data to board members.

Nov 14, 2023 • 44min
We’re Not Home. Please Leave Your Company’s Data After the Beep
All links and images for this episode can be found on CISO Series. This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Arvin Bansal, former CISO for Nissan Americas.
In this episode: Why are so many companies unprepared for phone-based social engineering? Why do many orgs not give this attack surface the attention it deserves? Are we doing enough to support whistleblowers in cybersecurity?
Thanks to our podcast sponsor, Palo Alto Networks. As cloud attacks increase, how should AppSec respond? Hear from Daniel Krivelevich, CTO of AppSec at Palo Alto Networks, as he dives into modern application security strategies that can help teams defend their engineering ecosystems from modern attacks. Watch now to level up your AppSec program.

Nov 7, 2023 • 44min
Hey, Let’s Merge Our Technical Debt With Your Understaffed Security Team! (LIVE in Miami)
Sam Jacques, VP of clinical engineering at McLaren Health Care, joins the hosts to discuss cybersecurity considerations in mergers and acquisitions. They also delve into securing medical devices and debate the risks of generative AI. The episode explores the challenges of asking for budget in cybersecurity and emphasizes the importance of vendor accountability in healthcare entities.

Oct 31, 2023 • 39min
I Taught DeNiro Security Theater, I Can Teach You.
All links and images for this episode can be found on CISO Series. In principle, we can generally all agree that security theater is a waste of time for security teams. But the reality is that these are things that look good, so it can be hard to justify to non-technical leadership why you’re eliminating something they see as secure. So how can we positively identify actual security theater practices, and how do we communicate that to the rest of the organization?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Davi Ottenheimer, VP of trust and digital ethics, Inrupt.
Thanks to our podcast sponsor, Sysdig. For businesses innovating in the cloud, every second counts. Sysdig strengthens cyber resilience by reducing the attack surface, detecting threats in real time, and accelerating incident response. Our platform correlates signals across cloud workloads, identities, and services to enable businesses to prioritize risks and act decisively. Sysdig. Secure every second.
In this episode: Is security theater a waste of time for security teams? Why can it be hard to justify to non-technical leadership why you’re eliminating something they see as secure? How can we positively identify actual security theater practices, and how do we communicate that to the rest of the organization?

Oct 24, 2023 • 44min
A CEO’s Guide To Ignoring Your Security Program (LIVE in Santa Monica)
All links and images for this episode can be found on CISO Series. Usually the buck stops with the CEO. But for a CISO, what do you do when a CEO wants to exempt themselves from your security program? Whether it's granting privileged network access or just ignoring protocols, it can put a CISO in a tough spot. So how do you deal with a leader that thinks they're above the controls you have in place? Is it enough to document your disagreement, or is there anything else you can do in that position?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and John C. Underwood, VP, information security, Big 5 Sporting Goods. Joining me is our guest, Joshua Scott, Head of Security and IT, Postman.
Thanks to our podcast sponsor, Veza. 75% of breaches happen because of bad permissions. The problem is that you don’t know exactly WHO has access to WHAT data in your environment. For example, roles labeled as “read-only” can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission, in every app, across your environment.
In this episode: For a CISO, what do you do when a CEO wants to exempt themselves from your security program? How do you deal with a leader that thinks they're above the controls you have in place? Is it enough to document your disagreement, or is there anything else you can do in that position?

Oct 17, 2023 • 38min
Security Awareness Lifecycle: Turn On, Tune In, Drop Out
The podcast discusses the effectiveness of security measures in preventing cyberattacks and the need to better understand misconfigurations in cloud security. It also highlights the importance of involving and empowering developers in app security, the debate between default security and no security settings, and the shift from securing to protecting the software supply chain through risk management.

Oct 10, 2023 • 37min
Threats In SaaS Are Closer Than They Appear
Explore how organizations are grappling with the rise of generative AI and managing new technology risks. Learn about the shift towards business units taking ownership of SaaS security and the challenges for security teams. Discover the importance of setting policies, compliance regulations, and budget allocation in companies. Understand the role of security in reducing risk for businesses and quantifying cyber risks to justify security spending.

Oct 3, 2023 • 38min
We Can Name 50 CISOs. Let’s Give Them an Award!
All links and images for this episode can be found on CISO Series. If you search online, you'll find no dearth of lists claiming to rank the top security leaders. The question is, how do these actually get created? Most of the time, these lists include CISOs from the biggest companies, or the ones with the best name recognition. But is that any kind of objective criteria? These lists generally serve the interest of boosting the credibility of the publisher, rather than being based on any kind of rigor. Is there any way to make these lists anything but fluff?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Janet Heins, CISO, iHeartMedia.
Thanks to our podcast sponsor, LimaCharlie. Whether you’re looking for endpoint security, an observability pipeline, detection and response rules, or other underlying security capabilities, LimaCharlie’s SecOps Cloud Platform helps you build a flexible and scalable security program that can evolve as fast as threat actors. Move your SecOps into the modern era. Learn more at limacharlie.io.
In this episode: If you search online, you'll find no dearth of lists claiming to rank the top security leaders. The question is, how do these actually get created? Is there any kind of objective criteria? Is there any way to make these lists anything but fluff?

Sep 26, 2023 • 43min
C is for C-Suite, Except If You’re a CISO
Mary Rose Martinez, CISO at Marathon Petroleum, joins the hosts to discuss why CISOs are not included in top company echelons. They explore the effectiveness of security actions in different organizations, communication techniques for reporting bad news to the board, the importance of transparency, assessing business continuity during cyber attacks, the consequences of ransomware, and the challenges faced by CISOs. The episode concludes with an announcement of a CISO Executive Summit and a thank you to the podcast sponsor.

Sep 19, 2023 • 42min
Part Man. Part Machine. All CISO. (Live in D.C.)
This podcast explores the potential benefits of AI for cybersecurity and the idea of an AI CISO. It discusses the importance of neurodiversity in cybersecurity hiring and creating an inclusive workplace. The hosts examine the use of language in security and advocate for a more collaborative reporting environment. They also delve into the concept of the attacker's advantage and play a game of risk management. The speakers engage in a lively discussion about extreme scenarios, including the role of AI in cybersecurity. The podcast concludes with a discussion on flexible time off and hiring, along with acknowledgements to the sponsor.