
Explore all episodes of the Defense in Depth podcast

Dive into the complete list of Defense in Depth episodes. Each episode is catalogued with a detailed description, making it easy to search for and explore specific topics. Follow every episode of your favorite podcast and never miss relevant content.

Showing episodes 1–50 of 360

Title | Date | Duration
What's Working With Third-Party Risk Management? | 29 Aug 2024 | 00:31:02

All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Nick Muy, CISO, Scrut Automation.

In this episode:

  • Segment and test
  • Focus on you

  • Embrace the risk lifecycle

  • Not all vendors are the same

Thanks to our podcast sponsor, Scrut Automation

Scrut Automation allows compliance and risk teams of any size to establish enterprise-grade security programs. Our best-in-class features like process automation, AI, and 75+ native integrations reverse compliance debt and help manage risk proactively as your business grows. Visit www.scrut.io to learn more or schedule a demo.

What Triggers a CISO? | 22 Aug 2024 | 00:33:27

All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining me is our guest, Sherron Burgess, CISO, BCD Travel.

In this episode:

  • Disingenuous claims rub everyone the wrong way. 
  • Don’t put the CISO behind the 8-ball

  • The sales hustle

  • They didn’t understand the assignment

Thanks to our podcast sponsor, Scrut Automation

Scrut Automation allows compliance and risk teams of any size to establish enterprise-grade security programs. Our best-in-class features like process automation, AI, and 75+ native integrations reverse compliance debt and help manage risk proactively as your business grows. Visit www.scrut.io to learn more or schedule a demo.

What Makes a Successful CISO? | 13 Jun 2024 | 00:33:40

All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Christina Shannon, CIO, KIK Consumer Products. Joining us is our guest, Tomer Gershoni, CSO, Zoominfo.

In this episode:

  • Moving beyond technology

  • The art of a CISO

  • CISOs always operate in context

  • Elevating the CISO conversation

Thanks to our podcast sponsor, SeeMetrics

SeeMetrics automates cybersecurity metrics programs, continuously measuring and helping prioritize risks based on context. SeeMetrics unifies siloed data from your security stack and offers hundreds of ready-to-use metrics. Once connected with SeeMetrics, security teams reduce risk, minimize exposure and optimize performance while eliminating tedious repetitive manual work.

Ready to automate your security programs? start connecting your environment at seemetrics.co

We're All Still Learning Cyber | 11 Aug 2022 | 00:28:21

All links and images for this episode can be found on CISO Series

Learning cyber is not a question for those who are just starting out. It's for everybody. Where and how do we learn at every stage of our professional careers?

Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Jerich Beason, CISO, Commercial, Capital One.

Thanks to our podcast sponsor, SlashNext

SlashNext protects the modern workforce from phishing and human hacking across all digital channels. SlashNext Complete™ utilizes our patented AI SEER™ technology to detect zero-hour phishing threats by performing dynamic run-time analysis on billions of URLs a day through virtual browsers and machine learning. Take advantage of SlashNext's phishing defense services for email, browser, mobile, and API.

In this episode:

  • Where do we go to learn at every stage of our professional careers?
  • We discuss how the learning process never really stops, but is on-going with cyber professionals continuing to learn throughout their careers.
  • Why is the “know-it-all” leader a red flag to avoid?

Practical Cybersecurity for IT Professionals | 04 Aug 2022 | 00:28:26

All links and images for this episode can be found on CISO Series

You’re a CISO, vCISO, or MSSP rolling into a company that has yet to launch a cybersecurity department. How do you communicate about cyber with the IT department? They’re not completely new to cyber. What’s the approach to engagement that helps, but doesn’t insult? How do you offer practical cybersecurity advice?

Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is Scott McCrady (@scottsman3), CEO, SolCyber.

Thanks to our podcast sponsor, SolCyber

At SolCyber we're hell-bent on delivering Fortune 500 level cyber security for small and medium-sized enterprises. When you're being targeted by the same bad guys, nothing else will do. We bring to the table a curated stack of leading technologies and around-the-clock SOC support, all simply priced per user. Let us do the heavy lifting.

In this episode:

  • How do you communicate about cyber with the IT department?
  • What’s the approach to engagement that helps, but doesn’t insult?
  • How do you offer practical cybersecurity advice?

Data Protection for Whatever Comes Next | 28 Jul 2022 | 00:25:46

All links and images for this episode can be found on CISO Series

Cybersecurity boils down to securing your data or data protection. But that simple concept has turned into a monumental task that is only exacerbated every time we move our data to a new platform. How do we secure data today, to be ready for whatever comes next in computing?

Check out this post and this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and guest co-host Gary Hayslip (@ghayslip), global CISO, SoftBank Investment Advisers. Our sponsored guest is Elliot Lewis (@ElliotDLewis), CEO, Keyavi.

Thanks to our podcast sponsor, Keyavi

Myth: Data can’t protect itself. Fact: Now it does! You control where your data goes in the world, who can access it and when. On any device. Anytime. Anywhere. FOREVER. Learn more at Keyavi.com.

In this episode:

  • How do we secure data today, to be ready for whatever comes next in computing?
  • How do we go about building a data transformation program that's platform agnostic?
  • Why has this simple concept turned into a monumental task?

What Is Attack Surface Profiling? | 21 Jul 2022 | 00:31:36

All links and images for this episode can be found on CISO Series

Is attack surface profiling the same as a pen test? If it isn't what unique insight can attack surface profiling deliver?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Nick Shevelyov, former CSO, Silicon Valley Bank.

Thanks to our podcast sponsor, Keyavi

Myth: Data can’t protect itself. Fact: Now it does! You control where your data goes in the world, who can access it and when. On any device. Anytime. Anywhere. FOREVER. Learn more at Keyavi.com.

In this episode:

  • Is attack surface profiling the same as a pen test?
  • What unique insight can attack surface profiling deliver?
  • Is “Attack Surface Profiling” more like a natural evolution from traditional vulnerability management?

How Can You Tell If Your Security Program Is Improving? | 14 Jul 2022 | 00:31:17

All links and images for this episode can be found on CISO Series

What’s your best indicator that your security program is actually improving? And besides you and your team, is anyone impressed?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Simon Goldsmith (@cybergoldsmith), director of information security, OVO Energy.

Thanks to our podcast sponsor, Votiro

Can you trust that your content and data is free of malware and ransomware? With Votiro you can. Votiro removes evasive and unknown malware from content in milliseconds, without impacting file fidelity or usability. It even works on password-protected and zipped files. Plus, it’s an API, so it integrates with everything – including Microsoft 365. Learn more at Votiro.com.

In this episode:

  • What's the best indicator that your security program is actually improving?
  • Does anyone care that you're actually improving your security posture?
  • What should we be measuring to prove a security program is working and getting better?

How Can We Improve Recruiting of CISOs and Security Leaders? | 07 Jul 2022 | 00:29:50

All links and images for this episode can be found on CISO Series

Interviewing for leadership positions in cybersecurity is difficult for everyone involved. There are far too many egos and many gatekeepers. What can be done to improve recruiting of CISOs?

Check out this post and this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn with our guest Ty Sbano (@tysbano), CISO, Vercel.

Thanks to our podcast sponsor, Thinkst

Most Companies find out way too late that they’ve been breached. Thinkst Canary changes this.
Deploy Canaries in minutes and then forget about them. Attackers tip their hand by touching ’em giving you the one alert, when it matters. With 0 admin overhead and almost no false-positives, Canaries are deployed (and loved) on all 7 continents.

In this episode:

  • What can be done to improve CISO recruiting?
  • Is there a disconnect between HR and what the company actually needs regarding a position?
  • How long should the interview process take?

How Is Our Data Being Weaponized Against Us? | 30 Jun 2022 | 00:28:06

All links and images for this episode can be found on CISO Series

How are nefarious actors using our own data (and metadata) against us? And given that, in what way have we lost our way protecting data that needs to be course corrected?

Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is John Ayers (@cyberjohn1747), vp of advanced detection and response office of the CTO, Optiv.

Thanks to our podcast sponsor, Optiv

The modern enterprise needs a solution as unique as its business.
 
Optiv’s Advanced Detection and Response (ADR) works with your organization to comb through the D&R clutter and find the ideal security solutions for your business. ADR delivers tailored detection and response backed by technology, real-time intel and deep expertise applied at touch. Bottom line: ADR finds and neutralizes threats fast, so you can focus on what matters.

In this episode:

  • How are nefarious actors using our own data (and metadata) against us?
  • In what ways have we lost our way in protecting data, and what needs to be course corrected?
  • We examine how our interconnectedness is both a blessing and a curse.
  • Is there already far too much sensitive data in essentially open source intelligence?

Can Security Be a Profit Center? | 23 Jun 2022 | 00:29:35

All links and images for this episode can be found on CISO Series

Is it possible to position your security team as a profit center instead of the traditional cost center reporting to the CIO?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Michael Weiss, CISO, Human Interest.

Thanks to our podcast sponsor, Optiv

The modern enterprise needs a solution as unique as its business.
 
Optiv’s Advanced Detection and Response (ADR) works with your organization to comb through the D&R clutter and find the ideal security solutions for your business. ADR delivers tailored detection and response backed by technology, real-time intel and deep expertise applied at touch. Bottom line: ADR finds and neutralizes threats fast, so you can focus on what matters.

In this episode:

  • Is it possible to position your security team as a profit center instead of the traditional cost center reporting to the CIO?
  • Is security still primarily an efficiency conversation or has effectiveness now changed the dialogue on how success is measured?
  • How to go about measuring the value cybersecurity provides the enterprise.
  • We examine the problems that can arise when security is treated as a profit center.

Getting Ahead of the Ongoing Malware Fight | 16 Jun 2022 | 00:27:08

All links and images for this episode can be found on CISO Series

For years we've been referring to malware protection as a cat and mouse game. The crooks come up with a new malware attack, and then the good guys figure out a way to stop it. And that keeps cycling over and over again. So where are we today with malware protection and is there any way to get ahead of the cycle?

Check out this post and this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Aviv Grafi (@avivgrafi), CTO and founder, Votiro.

Thanks to our podcast sponsor, Votiro

Can you trust that your content and data is free of malware and ransomware? With Votiro you can. Votiro removes evasive and unknown malware from content in milliseconds, without impacting file fidelity or usability. It even works on password-protected and zipped files. Plus, it’s an API, so it integrates with everything – including Microsoft 365. Learn more at Votiro.com.

In this episode:

  • How can we take proactive approaches that are capable of stopping attacks, not just detecting them?
  • What do you think we’re doing really well in terms of malware, and where could we do a lot better?
  • We examine the need for organizations to upgrade their defenses.
  • Has ransomware made a massive target out of every organization?

Building a Security Awareness Training Program | 09 Jun 2022 | 00:28:14

All links and images for this episode can be found on CISO Series

We all know and have experienced bad security awareness training. People can learn, and should learn about being cyber aware. How do you build a security awareness training program that sticks?

Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn with our guest Lisa Kubicki (@lmk2), trust and security, training and awareness director, DocuSign.

Thanks to our podcast sponsor, Drata

Save 200+ hours with Drata's automated continuous compliance solution for SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR, & CCPA. Drata connects to your techstack with 75+ integrations, including AWS, GitHub, GCP, & more to automate the compliance process. Kickstart your compliance journey by requesting a demo and get 10% off

In this episode:

  • We ask, “How do you build a security awareness training program that sticks?”
  • How do you develop a program that resonates with staff and actually improves security outcomes?
  • We get tips from the community on how they built a security awareness training program.
  • We examine what a successful engagement would look like.

We Want a Solution to Remediate, Not Just Detect Problems | 06 Jun 2024 | 00:25:12

All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Yaron Levi, CISO, Dolby. Joining us is our guest, Neil Watkins, svp technology and cybersecurity services, i3 Verticals.

In this episode:

  • Visibility doesn’t matter without context

  • Not all visibility is created equal

  • Don’t forget to bring people into the loop

  • Remediation doesn’t scale with more visibility

Thanks to our podcast sponsor, GitGuardian

GitGuardian is a Code Security Platform that caters to the needs of the DevOps generation. It provides a wide range of code security solutions, including Secrets Detection, Infra as Code Security, and Honeytoken, all in one place. A leader in the market of secrets detection and remediation, its solutions are already used by hundreds of thousands of developers in all industries. Try now gitguardian.com

Onboarding Cyber Professionals with No Experience | 02 Jun 2022 | 00:28:44

All links and images for this episode can be found on CISO Series

You want to bring on entry-level personnel. But green employees, who are not well versed in security, IT, or your data, introduce risk once they have access to it. What are ways to bring these people on while also managing risk?

Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Rich Lindberg, CISO, JAMS.

Thanks to our podcast sponsor, SolCyber

At SolCyber we're hell-bent on delivering Fortune 500 level cyber security for small and medium-sized enterprises. When you're being targeted by the same bad guys, nothing else will do. We bring to the table a curated stack of leading technologies and around-the-clock SOC support, all simply priced per user. Let us do the heavy lifting.

In this episode:

  • We ask, “What are ways to bring entry-level people onboard the company while also managing risk?”
  • How does education stack up against on-the-job experience?
  • Are there advantages to hiring an inexperienced greenhorn versus only experienced new hires?

Where's the Trust in Zero Trust? | 26 May 2022 | 00:28:15

All links and images for this episode can be found on CISO Series

Zero trust is a hollow buzzword. In any form of security, there exist critical points where we have to trust. What we need is a move away from implicit trust to explicit trust, or identity that can be verified.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Yaron Levi (@0xL3v1), CISO, Dolby.

Thanks to our podcast sponsor, Optiv

Need a guide on your Zero Trust journey? Jerry Chapman, Engineering Fellow at Optiv and author of "Zero Trust Security: An Enterprise Guide" shares the following takeaways:
- The key elements of Zero Trust
- How to visualize your Zero Trust journey and place it in the proper context
- Integrated technologies to drive adaptive processes and a mature security model
Learn more at www.optiv.com/zerotrust.

In this episode:

  • We ask cyber professionals, where is the ‘trust’ in zero-trust?
  • What and who should we be trusting?
  • How should we refer to zero trust since you can't run any kind of operation where you trust no one and nothing?

Who Investigates Cyber Solutions? | 19 May 2022 | 00:27:53

All links and images for this episode can be found on CISO Series

Cyber professionals, who is responsible on your team for investigating new solutions?

Check out this post and this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Nick Ryan, director of enterprise technology security and risk, Baker Tilly.

Thanks to our podcast sponsor, Votiro

Can you trust that your content and data is free of malware and ransomware? With Votiro you can. Votiro removes evasive and unknown malware from content in milliseconds, without impacting file fidelity or usability. It even works on password-protected and zipped files. Plus, it’s an API, so it integrates with everything – including Microsoft 365. Learn more at Votiro.com.

In this episode:

  • We ask cyber professionals, who is responsible on their team for investigating new solutions? If it's a collaborative effort, how is that handled?
  • What are CISOs looking for in a solution?
  • And we discuss using existing solutions before purchasing and implementing more solutions.

Does the Cybersecurity Industry Suck? | 12 May 2022 | 00:33:30

All links and images for this episode can be found on CISO Series

In the cyber industry we pat each other on the back and give each other awards, all while the statistics for breaches appear to be worsening. Are we celebrating growing failure? Does the cyber industry suck?

Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Fredrick Lee (AKA "Flee") (@fredrickl), CSO, Gusto.

Thanks to our podcast sponsor, Cymulate

The Ultimate Guide to Security Posture Validation: Learn how to effectively measure and reduce risk through continuous validation of your enterprise’s security posture. Download the playbook here.

In this episode:

  • We ask whether our very own industry, ourselves, is to blame for our constant woes.
  • Where do we stand in accepting fault and responsibility for the industry's continued problems?
  • Are the companies to blame for not taking IT seriously within their organizations?
  • Are industry awards just fluff for patting each other on the back?

Are We Taking Zero Trust Too Far? | 05 May 2022 | 00:29:43

All links and images for this episode can be found on CISO Series

For some, the definition of zero trust has expanded from how we grant access to networks, applications, and data to how we trust individuals in the real world. Are we taking zero trust too far?

Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Thomas Doughty, CISO, Prudential Financial.

Thanks to our podcast sponsor, Netfoundry

NetFoundry, built on OpenZiti, is the only solution purpose-built to connect massively distributed apps, edges, clouds and devices in minutes, ensuring zero trust of the internet, local and OS host network and delivered as SaaS. Isolating the app to make network security irrelevant and remove the pain of public DNS, VPNs, bastions, as well as complex firewall rules.

In this episode:

  • We ask if we’re taking the concept of zero-trust too far.
  • We try to distinguish where we have to trust from where we have to implement zero trust principles.
  • Differentiating between humans and machines when it comes to trust.
  • And is zero trust supposed to be a silver bullet or a cure-all?

Is Shift Left Working? | 28 Apr 2022 | 00:32:51

All links and images for this episode can be found on CISO Series

Developers and security professionals have been heavily sold on the concept of "shift left": deal with security issues early in development rather than bolting them on at the end. It all made logical sense, but now that we've been doing it for a few years, has shift-left actually reduced application security concerns?

Check out this post, this post, and this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Mike Gorman (@gormamic), head of security and compliance, NetFoundry.

Thanks to our podcast sponsor, Netfoundry

NetFoundry, built on OpenZiti, is the only solution purpose-built to connect massively distributed apps, edges, clouds and devices in minutes, ensuring zero trust of the internet, local and OS host network and delivered as SaaS. Isolating the app to make network security irrelevant and remove the pain of public DNS, VPNs, bastions, as well as complex firewall rules.

In this episode:

  • We look at dealing with security issues early in development rather than bolting it on at the end.
  • We ask whether application developers and security professionals are actually reducing security issues with the "shift left" framework.
  • And do they actually reduce or even eliminate the need for other security controls?

Technical vs. Compliance Professionals | 21 Apr 2022 | 00:28:43

All links and images for this episode can be found on CISO Series

Do we have a Montague/Capulet rivalry between technical and compliance professionals? Why is this happening, and what can be done to improve it? Does it need to be improved?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Linda White, director of InfoSec, Axiom Medical.

Thanks to our podcast sponsor, Netfoundry

NetFoundry, built on OpenZiti, is the only solution purpose-built to connect massively distributed apps, edges, clouds and devices in minutes, ensuring zero trust of the internet, local and OS host network and delivered as SaaS. Isolating the app to make network security irrelevant and remove the pain of public DNS, VPNs, bastions, as well as complex firewall rules.

In this episode:

  • We look at the Montague/Capulet rivalry between technical and compliance professionals.
  • Is there a solution to this never-ending feud?
  • And what can be done to improve relations?

Why Do So Many Cybersecurity Products Suck? | 14 Apr 2022 | 00:31:33

All links and images for this episode can be found on CISO Series

Why do we end up with so many bad security products? Who is to blame and how can we fight back an ecosystem that may be fostering subpar products?

Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is Haroon Meer (@HaroonMeer), founder and researcher, Thinkst Canary.

Thanks to our podcast sponsor, Thinkst Canary

Most Companies find out way too late that they’ve been breached. Thinkst Canary changes this.
Deploy Canaries in minutes and then forget about them. Attackers tip their hand by touching ’em giving you the one alert, when it matters. With 0 admin overhead and almost no false-positives, Canaries are deployed (and loved) on all 7 continents.

In this episode:

  • Is the cybersecurity ecosystem giving a rise to subpar products?
  • Why are so many security products implemented poorly?
  • How important is vendor feedback?

Training for a Cyber Disaster | 07 Apr 2022 | 00:27:47

All links and images for this episode can be found on CISO Series

What are you doing to prepare for the next cyber disaster? You must train for it, because when it happens, and it will happen, everyone should know what they need to do.

Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Roland Cloutier (@CSORoland), CISO, TikTok.

Thanks to our podcast sponsor, Keyavi

Data that protects itself? Now it does! We made data so smart it can think for itself. Secure itself. Stay continually aware of its surroundings. Control where, when and who is allowed access. And automatically report back to its owner. This changes the entire cybersecurity paradigm. Learn how.

In this episode:

  • What is the importance of cyber crisis management and training?
  • What are the best ways to prepare for a cyber disaster?
  • How to build exercises and training into a successful cybersecurity culture?

Virtual Patching | 31 Mar 2022 | 00:29:30

All links and images for this episode can be found on CISO Series

What if you didn't spend all your time patching vulnerabilities, but instead created a security policy that prevented known vulnerabilities from being exploited? How doable is this solution of virtual patching?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Ody Lupescu, CISO, Ethos Life.

Thanks to our podcast sponsor, Araali Networks

Managing vulnerabilities at the speed and scale of the cloud is challenging, especially when the implications of a single mistake give attackers an asymmetric advantage over defenders. Araali allows your security teams to resiliently patch and monitor the most valuable apps and services so they cannot be exploited even if they are vulnerable. To learn more, visit araali.

In this episode:

  • What is virtual patching really? Is it a misnomer?
  • What gets missed when it comes to virtual patching?
  • Looking at a comprehensive approach to virtual patching.
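The idea discussed in this episode, as an added illustration that is not part of the episode, of CISO Series, or of the sponsor's product: a virtual patch implemented as a request filter in Python. The vulnerable handler is left untouched; a rule scoped to the affected endpoint and method rejects requests that match the known exploitation pattern until the real fix ships. The endpoint /files/download, the name parameter, the rule id vp-example-001, the review date and the sample requests are all assumptions made up for this example.

```python
"""Virtual patch as a request filter (added example, hypothetical endpoint).

The vulnerable code is NOT fixed here. A narrowly scoped rule in front of it
refuses requests matching the known exploitation pattern, buying time for the
real patch. The review_by date exists because a virtual patch is a stopgap.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit


@dataclass
class Request:
    """Minimal HTTP request model, constructed for this example."""
    method: str
    target: str  # request-target as received, e.g. "/files/download?name=a.txt"
    headers: dict = field(default_factory=dict)
    body: str = ""

    @property
    def path(self) -> str:
        return urlsplit(self.target).path

    @property
    def query(self) -> dict:
        return dict(parse_qsl(urlsplit(self.target).query, keep_blank_values=True))


def normalize(value: str) -> str:
    """Percent-decode until the value stops changing (bounded to 3 rounds), so a
    double-encoded payload such as %252e%252e does not slip past the rule."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


@dataclass
class VirtualPatch:
    patch_id: str       # tracking id (hypothetical value below)
    path_prefix: str    # only the endpoint where the known bug lives
    methods: frozenset  # only the methods that can reach the bug
    check: Callable[[Request], Optional[str]]  # returns a block reason, or None
    review_by: str      # date the real code fix is due; the rule is revisited then

    def applies(self, req: Request) -> bool:
        return req.method in self.methods and req.path.startswith(self.path_prefix)


# Matches "..", "../", "/..", "..\" and similar segments after normalization.
_TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def traversal_in_name(req: Request) -> Optional[str]:
    """Detection for a hypothetical path-traversal bug in the 'name' parameter."""
    name = normalize(req.query.get("name", ""))
    if _TRAVERSAL.search(name) or name.startswith(("/", "\\")) or "\x00" in name:
        return "path traversal in 'name'"
    return None


# Hypothetical rule set; in practice each entry maps to a ticket for the real fix.
PATCHES: List[VirtualPatch] = [
    VirtualPatch("vp-example-001", "/files/download", frozenset({"GET", "HEAD"}),
                 traversal_in_name, "2022-04-30"),
]


def evaluate(patches: List[VirtualPatch], req: Request) -> Tuple[str, Optional[str]]:
    """Return ("block", patch_id) if an applicable rule rejects the request,
    otherwise ("allow", None). Unaffected endpoints are never inspected, which is
    what keeps the false-positive rate of a virtual patch low."""
    for patch in patches:
        if patch.applies(req):
            reason = patch.check(req)
            if reason:
                return ("block", patch.patch_id)
    return ("allow", None)


if __name__ == "__main__":
    samples = [  # constructed requests
        Request("GET", "/files/download?name=report.pdf"),
        Request("GET", "/files/download?name=../../etc/passwd"),
        Request("GET", "/files/download?name=%252e%252e%252fetc%252fpasswd"),
        Request("GET", "/search?name=../../etc/passwd"),  # same payload, unaffected endpoint
    ]
    for sample in samples:
        print(evaluate(PATCHES, sample), sample.target)
```

Two caveats a practitioner should keep in view: the rule only covers the request path the attacker is known to use, so any other route to the same bug (an internal caller, an encoding the normalizer does not handle) stays exploitable, and the rule itself becomes technical debt the moment the real fix lands, which is why each entry carries a review date.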

Recruiting from the Help Desk | 30 May 2024 | 00:29:32

All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Sasha Pereira, vp of infrastructure and CISO, WASH.

In this episode:

  • Is working the help desk a great place to get entry level cyber security skills?

  • So why is it so often overlooked or even looked down upon? 

  • What kind of experience do you need?

  • What is the ideal path to break into the cybersecurity industry?

Thanks to our podcast sponsor, Push Security!

Prevent, detect and respond to identity attacks using Push Security’s browser agent. Enable Push’s out-of-the-box controls or integrate Push with your SIEM, XDR and SOAR.

Block phishing attacks, detect session hijacking and stop SSO passwords being exposed. Find out what else the Push browser agent can do at pushsecurity.com.

Start a Cybersecurity Department from Scratch | 24 Mar 2022 | 00:28:33

All links and images for this episode can be found on CISO Series

A 500+ person company doesn't have a security department. They need one and they need to convince the CEO they need one. How do you build a cybersecurity team and program from scratch?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Rishi Tripathi (@ris12hi), CISO, Mount Sinai Health System.

Thanks to our podcast sponsor, Tines

Tines was founded by experienced security practitioners who cared about their teams. When they couldn’t find an automation platform that delivered, they founded a company and built their own. A few years later, customers like Coinbase, McKesson, and GitLab run their most important security workflows on Tines – everything from phishing response to employee onboarding. To learn more, visit tines.com.

In this episode:

  • How do you go about measuring risk?
  • Leveraging compliance to get the point across.
  • What needs to be considered to make a program uniquely geared to your company's needs?

How to Think Like a Cybercrook (17 Mar 2022, 00:31:20)

All links and images for this episode can be found on CISO Series

"If you want to catch a cybercrook, you need to think like one." But how do you actually go about thinking like a cybercriminal? What's the actual process?

Check out this post and this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn.

Our guest is Brian Brushwood (@shwood), creator of Scam School and World's Greatest Con. Plus he's launched multiple channels with millions of subscribers and multiple number one comedy albums. Plus, he's a touring magician. He's our first non-cyber professional guest, but he is so perfect for this episode.

Thanks to our sponsor, Varonis

On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to “Zero Trust.” Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries.

In this episode:

  • How much does actively thinking like a crook help build your cyber defenses?
  • How do you actually go about thinking like a cybercriminal?
  • How do you break down their process?

Building a Data-First Security Program (10 Mar 2022, 00:32:50)

All links and images for this episode can be found on CISO Series

Could you build a data-first security program? What would you do if you focused your security program on just the asset?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Brian Vecci (@brianthevecci), field CTO, Varonis.

Thanks to our sponsor, Varonis

On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to “Zero Trust.” Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries.

In this episode:

  • Do I know where my sensitive data lives? How can I tell?
  • Why do all the tools that try to classify data fail miserably?
  • How much should we teach the data owners about risks in collecting and storing the information?


Offensive Security (03 Mar 2022, 00:31:43)

All links and images for this episode can be found on CISO Series

Offensive security or "hacking back" has always been seen as either unethical or illegal. But now, we're seeing a resurgence in offensive security solutions. Are we redefining the term, or are companies now "hacking back?"

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Eric Hussey, CISO, Aptiv.

Thanks to our podcast sponsor, Varonis

On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to “Zero Trust.” Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries.

In this episode:

  • Has the definition of offensive security changed?
  • Can we truly fight back without legal repercussions?
  • How does it apply when hackers hide behind proxies?
  • Is hacking back even worth it?

When Vendors Pounce on New CISOs (24 Feb 2022, 00:29:55)

All links and images for this episode can be found on CISO Series

A security professional announces a new position as CISO. As a vendor, you see this as good timing to try a cold outreach to sell your product. Why do so many vendors think this is a good tactic, when in reality it’s exactly what you should not do?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Yaron Levi (@0xL3v1), CISO, Dolby.

In this episode:

  • Is the pouncing on new CISOs actually a successful sales technique?
  • Should vendors refine their relationship, and focus on "pull" rather than "push"?
  • What about focusing on content marketing and thought leadership?
  • Should vendors shift from "marketplace" to "metricplace?"


Building a Cybersecurity Culture (17 Feb 2022, 00:27:29)

All links and images for this episode can be found on CISO Series

How do you begin building a cyber security culture for the whole company? And more importantly, how do you maintain that?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Mike Hanley (@_mph4), CSO, GitHub.

Thanks to our podcast sponsor, Anjuna

Anjuna Confidential Cloud software effortlessly enables enterprises to safely run even their most sensitive workloads in the public cloud. Unlike complex perimeter security solutions easily breached by insiders and malicious code, Anjuna leverages the strongest secure computing technologies available to make the public cloud the most secure computing resource anywhere.

In this episode:

  • When building a cybersecurity culture, where is the most important place to start?
  • How can we avoid it just becoming "lip service"?
  • How can we blend cybersecurity culture into the main corporate culture?

How to Pitch to a Security Analyst (10 Feb 2022, 00:31:00)

All links and images for this episode can be found on CISO Series

You're a security vendor and you've got a short briefing with a security analyst from a research firm. What do you want to get across to them, and what do you want to hear back from them?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Ed Amoroso (@hashtag_cyber), founder and CEO, Tag Cyber.

Huge thanks to our sponsor, Cymulate

The Ultimate Guide to Security Posture Validation: Learn how to effectively measure and reduce risk through continuous validation of your enterprise’s security posture. Download the playbook here.

In this episode:

  • What are the right questions to ask?
  • How can we better understand each other?
  • What to NOT do in an analyst conversation


Is Your Data Safer in the Cloud? (03 Feb 2022, 00:27:46)

All links and images for this episode can be found on CISO Series

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is Michael Johnson, CISO, Novi (the financial arm of Meta, formerly Facebook).

Thanks to our podcast sponsor, Anjuna

Anjuna Confidential Cloud software effortlessly enables enterprises to safely run even their most sensitive workloads in the public cloud. Unlike complex perimeter security solutions easily breached by insiders and malicious code, Anjuna leverages the strongest secure computing technologies available to make the public cloud the most secure computing resource anywhere.

In this episode:

  • Which is safer for sensitive data: public cloud or on-prem?
  • Is it the technology, the people or the process that makes the difference?
  • Who is most affected by the public/on-prem decision?
  • Where does technical debt fit into this?

What Should We Stop Doing in Cybersecurity? (27 Jan 2022, 00:24:57)

All links and images for this episode can be found on CISO Series

Security professionals are drowning in activities. Not all of them can be valuable. What should security professionals stop doing to get back some time?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Jim Rutt, CISO, Dana Foundation.

Thanks to our podcast sponsor, Thinkst

Most companies discover they’ve been breached way too late. Thinkst Canary fixes this: just 3 minutes of setup; no ongoing overhead; nearly 0 false positives, and you can detect attackers long before they dig in. Check out why our Hardware, VM and Cloud-based Canaries are deployed and loved on all 7 continents.

In this episode:

  • What tool or process should we stop doing to stop wasting time?
  • Are "third-party risk reviews" useful at all?
  • Can we smooth out the sales cycle?
  • Are users to blame, or are they the victims?

DDoS Solutions (20 Jan 2022, 00:28:46)

How seamless are Distributed Denial of Service or DDoS solutions today? If you get a denial of service attack, how quickly can these solutions snap into action with no manual response by the user?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Alastair Cooke (@demitasenz), analyst, GigaOm.

Huge thanks to our podcast sponsor, MazeBolt

In this episode:

  • Where should a DDoS solution reside?
  • What vital elements should go into a DDoS solution?
  • Do we need more automation and intelligence in these solutions?
  • How involved should the customer be with their DDoS solution?

How Do We Build a Security Program to Thwart Deepfakes? (23 May 2024, 00:29:25)

All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our guest, Russ Ayers, svp of cyber & deputy CISO, Equifax.

In this episode:

  • Are we seeing AI and LLMs rapidly push what was science fiction into production?

  • What happens as our ability to generate realistic sound, video, and images opens the obvious door to fakes that are indistinguishable from the real thing?

  • How do we keep up as security professionals?

  • What are the security implications for this tech hitting the consumer market?

Thanks to our podcast sponsor, Sonrai Security

A one-click solution that removes excessive permissions and unused services, quarantines unused identities, and restricts specific regions within the cloud. Later, maintain this level of security by automatically enforcing policies as new accounts, roles, permissions, and services are added to your environment.

Start a free trial today! sonrai.co/ciso

Making Cybersecurity Faster and More Responsive (13 Jan 2022, 00:30:53)

All links and images for this episode can be found on CISO Series

Knowing is only one-third the battle. Another third is responding. And the last third is responding quickly. It’s not enough to just have the first two thirds. We need to be faster, but how?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Jason Elrod (@jasonelrod), CISO, MultiCare Health System.

Thanks to our podcast sponsor, Eclypsium

Eclypsium is the enterprise firmware security company. Our comprehensive, cloud-based platform identifies, verifies, and fortifies firmware and hardware in laptops, servers, network gear and devices. The Eclypsium platform secures against persistent and stealthy firmware attacks, provides continuous device integrity, delivers firmware patching at scale, and prevents ransomware and malicious implants.

In this episode:

  • What can we do as a pragmatic first step to make our cybersecurity teams quicker and more responsive?
  • Would continuous authorization and real time emergency messaging help?
  • Should we improve test automation?
  • What about people: better teaching and working conditions?


Promises of Automation (06 Jan 2022, 00:26:59)

All links and images for this episode can be found on CISO Series

Automation was supposed to make cybersecurity professionals’ lives simpler. And it was supposed to solve the talent shortage. Has any of that actually happened?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Brian Lozada (@brianl1775), CISO, HBOMax.

Thanks to our podcast sponsor, deepwatch

Increasing ransomware attacks and their evolving sophistication have been putting more pressure on security teams than ever before. Luckily, managed detection and response (or MDR) has emerged as a critical component for improving security operations, reducing ransomware risk, and minimizing the overall impact an attack can have. Visit deepwatch.com to see how we help to prevent breaches for our customers, by working together.

In this episode:

  • Should we be disappointed with what automation has actually delivered?
  • Is it a tools vs people thing?
  • Should we be better at assessing the impact of automation?
  • Should we change the way we hire to help with automation?

When Social Engineering Bypasses Our Cyber Tools (16 Dec 2021, 00:28:51)

All links and images for this episode can be found on CISO Series

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is Josh Yavor (@schwascore), CISO, Tessian.

Thanks to our podcast sponsor, Tessian

95% of breaches are caused by human error. But you can prevent them. Learn how Tessian can stop “OH SH*T!” moments before they happen, why Tessian has been recognized by analysts like Gartner and Forrester, and which world-renowned companies trust the platform to protect their data.

In this episode:

  • What do you do for the attacks your rule sets can't catch?
  • Would it help if we eliminated email systems as the standard B2B toolset for communications?
  • Are there any better ways to handle spearphishing?
  • Are you ready to add BCC (business communications compromise) to your threat list?

How Can We Simplify Security? (09 Dec 2021, 00:28:17)

All links and images for this episode can be found on CISO Series

Why is cybersecurity becoming so complex? What is one thing we can do, even if it's small, to head us off in the right direction of simplicity?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Leda Muller, CISO at Stanford, Residential and Dining Enterprises.

Thanks to our podcast sponsor, Eclypsium

Eclypsium is the enterprise firmware security company. Our comprehensive, cloud-based platform identifies, verifies, and fortifies firmware and hardware in laptops, servers, network gear and devices. The Eclypsium platform secures against persistent and stealthy firmware attacks, provides continuous device integrity, delivers firmware patching at scale, and prevents ransomware and malicious implants.

In this episode:

  • Is cybersecurity becoming too complex?
  • Should we change the way we talk about security to management?
  • Maybe it's time to reframe the argument?


Convergence of Physical and Digital Security (02 Dec 2021, 00:30:39)

All links and images for this episode can be found on CISO Series

Security convergence is the melding of all security functions from physical to digital and personal to business. The concept has been around for 17 years yet organizations are still very slow to adopt. A company's overall digital convergence appears to be happening at a faster rate than security convergence.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest is Anne Marie Zettlemoyer (@solvingcyber), business security officer, vp, security engineering, MasterCard.

Thanks to our podcast sponsor, Tessian

95% of breaches are caused by human error. But you can prevent them. Learn how Tessian can stop “OH SH*T!” moments before they happen, why Tessian has been recognized by analysts like Gartner and Forrester, and which world-renowned companies trust the platform to protect their data.

In this episode:

  • Why are we still holding back on security convergence?
  • Is it a matter of "if" or "when"?
  • What happens when physical and info security are run by different departments?
  • How can we measure the risks?

How Do You Measure Cybersecurity Success? (18 Nov 2021, 00:29:00)

All links and images for this episode can be found on CISO Series

In most jobs there’s often a clear indicator if you’re doing a good job. In security, specifically security leadership, it’s not so easy to tell. “Nothing happening” is not an effective measurement. So how should security performance be graded?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest is Deneen DeFiore (@deneendefiore), CISO, United Airlines.

Thanks to our podcast sponsor, Tessian

In this episode:

  • How should security performance be graded?
  • Is "keeping it simple" the best option?
  • What's the best measurement option?

How Do We Turn Tables Against Adversaries? (11 Nov 2021, 00:26:47)

All links and images for this episode can be found on CISO Series

If we’re going to turn the tables against our adversaries, everything from our attitude to our actions needs to change to a format where attacks and breaches are not normalized, and we know what to do and how to respond to them quickly.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our sponsored guest Scott Scheferman (@transhackerism), principal strategist, Eclypsium.

Thanks to our podcast sponsor, Eclypsium

Eclypsium is the enterprise firmware security company. Our comprehensive, cloud-based platform identifies, verifies, and fortifies firmware and hardware in laptops, servers, network gear and devices. The Eclypsium platform secures against persistent and stealthy firmware attacks, provides continuous device integrity, delivers firmware patching at scale, and prevents ransomware and malicious implants.

In this episode:

  • Moving from a reactive to a proactive attitude
  • Accelerating teams' ability to respond before damage happens
  • Stopping marketing from informing your strategy
  • Patching "fast enough to matter"

Ageism in Cybersecurity (04 Nov 2021, 00:31:46)

All links and images for this episode can be found on CISO Series

Is it too much experience? Is it that they're difficult to work with? Do they want too much money? Will they not be motivated? Are cyber professionals over the age of 40 being discriminated against in hiring practices?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Ben Sapiro, head of technology risk and CISO at Canada Life.

Thanks to our podcast sponsor, Qualys

Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

In this episode:

  • Are cyber professionals over the age of 40 being discriminated against in hiring practices?
  • Is "older experience" a threat to younger managers?
  • Do older professionals have too much attitude?
  • What other work options exist for the 40+ expert?


Proactive Vulnerability Management (28 Oct 2021, 00:32:36)

All links and images for this episode can be found on CISO Series

How do we turn the tide from reactive to proactive patch management? Does anyone feel good about where they are with their own patch management program? What would it take to get there?

Check out this post and this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Sumedh Thakar (@sumedhthakar), CEO, Qualys.

Thanks to our podcast sponsor, Qualys

Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

In this episode:

  • How do we turn the tide from reactive to proactive patch management?
  • Do cultural differences make a difference?
  • Do we need a new framework or template?


Why Is Security Recruiting So Broken? (21 Oct 2021, 00:32:55)

All links and images for this episode can be found on CISO Series

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Tony Sager (@sagercyber), svp, and chief evangelist, Center for Internet Security.

Thanks to our podcast sponsor, Qualys

In this episode:

  • What role should HR play in the hiring process of cybersecurity candidates?
  • What happens when HR's algorithms don't see the right keywords?
  • What are some better ways to get noticed by a human decision maker?


Where Are Secure Web Gateways Falling Short? (16 May 2024, 00:28:14)

All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Vivek Ramachandran, founder, SquareX.

In this episode:

  • Are secure web gateways still an effective tool in the enterprise?

  • As the browser has changed a lot in the last decade, are Secure Web Gateways (SWGs) still keeping up?

  • Why is this a problem?

  • Does anyone have a better solution?

Thanks to our podcast sponsor, SquareX

SquareX helps organizations detect, mitigate and threat-hunt web attacks happening against their users in real-time, including but not limited to malicious sites, files, scripts, and networks.

Find out more at sqrx.com.

How to Be a Vendor that CISOs Love (14 Oct 2021, 00:30:02)

All links and images for this episode can be found on CISO Series

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Andy Ellis (@csoandy), operating partner, YL Ventures.

Thanks to our podcast sponsor, Varonis

What is your ransomware blast radius? The average user can access 17 million files. Varonis reduces your blast radius in days, not years. Combined with advanced detection that monitors every file touch, ransomware doesn’t stand a chance. Get a free risk assessment.

In this episode:

  • What are some "positive vendor engagement" characteristics?
  • What tips can we share with vendors who want to build a lasting good impression?
  • How can a vendor go about building trust?


The "Are We Secure?" Question (07 Oct 2021, 00:28:33)

All links and images for this episode can be found on CISO Series

When a senior person at your company asks you, "Are we secure?" how should you respond?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our guest Paul Truitt, principal US cyber practice leader, Mazars.

Thanks to our podcast sponsor, Varonis

Still in the news is REvil’s ransomware attack on Kaseya VSA servers. Varonis is here to help mitigate the blast radius of such attacks. Want a step-by-step guide on what you should be looking for? Learn more about how to prevent ransomware.

In this episode:

  • When a senior, non-technical person asks, "Are we secure?" how do you respond?
  • What does this question say about an executive's engagement level?
  • Why are they asking this now?
  • How relevant/accurate is this question anyway?


Ransomware Kill Chain (30 Sep 2021, 00:31:05)

What are the telltale signs you've got ransomware before you receive the actual ransomware threat?

Check out this post and this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our sponsored guest Brian Vecci (@BrianTheVecci), field CTO, Varonis.

Thanks to our podcast sponsor, Varonis

What is your ransomware blast radius? The average user can access 17 million files. Varonis reduces your blast radius in days, not years. Combined with advanced detection that monitors every file touch, ransomware doesn’t stand a chance. Get a free risk assessment.

In this episode:

  • How to catch the ransomware threat earlier
  • The individual capabilities needed in a full anti-ransomware stack
  • Honeypots and anomalous behavior
  • Back to basics: look at how ransomware works