CISO Series Podcast – Details, episodes & analysis

All links and images can be found on CISO Series.

This week's episode is hosted by David Spark, producer of CISO Series and Andy Ellis (@csoandy), principal of Duha. Joining them is our sponsored guest, Nathan Hunstad, director, security, Vanta.

In this episode:

• Metrics that matter
• Testing for real
• AI as an assistant
• Intelligence without context

Huge thanks to our sponsor, Vanta

Vanta automates key areas of your GRC program—including compliance, risk, and customer trust—and streamlines the way you manage information. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. Get back time to focus on strengthening security and scaling your business at vanta.com/ciso

All links and images can be found on CISO Series.

This week's episode is hosted by David Spark, producer of CISO Series and Jeff Steadman, deputy CISO, Corning Incorporated. Joining them is Quincey Collins, CSO, Sheppard Mullin. This episode was recorded live at the ISSA LA Summit in Santa Monica, California.

In this episode: 

• The foundational debate
• Strength over breadth
• Beyond traditional backgrounds
• Keeping perspective on risk

Huge thanks to our sponsors, Adaptive Security and Dropzone AI

AI-powered social engineering threats like deepfake voice calls, GenAI phishing, and vishing attacks are evolving fast. Adaptive helps security leaders get ahead with an AI-native platform that simulates realistic genAI attacks, and delivers expert-vetted security awareness training — all in one unified solution. Learn more at adaptivesecurity.com.

Dropzone AI autonomously investigates every security alert—no playbooks needed. This AI SOC analyst queries your CrowdStrike, Splunk, threat intel feeds, and 60+ other tools to build complete investigations in 5 minutes. Unlike black-box automation, it shows every query, finding, and decision. See it work yourself—explore the self-guided demo at dropzone.ai.

All links and images can be found on CISO Series.

This week's episode is hosted by David Spark, producer of CISO Series and Andy Ellis, principal of Duha. Joining us is Jason Loomis, CISO, Freshworks.

In this episode:

• Making organizations take their security medicine
• Building CISO support systems
• Holding the door for humans
• Underappreciated risks: beyond the headlines

Huge thanks to our sponsor, Safe Security

SAFE is the category leader in Cyber Risk Quantification (CRQ) and the first vendor to deliver fully autonomous Third-Party Risk Management.We help CISOs, GRC, and TPRM leaders continuously and efficiently quantify, prioritize, and mitigate cyber risks across their entire attack surface — enabling digital growth and resilience. Learn more at tprmdemo.safe.security.

All links and images for this episode can be found on CISO Series.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest, Kurt Sauer, CISO, Docusign.

We recorded in front of a live audience at Microsoft's offices in Mountain View, CA as part of the ISSA-Silicon Valley chapter meeting. Check out all the photos from the event.

In this episode:

• Is a high profile cyberattack the best time for salespeople to come out of the woodwork asking if the affected CISO would like to see their product, which would have helped prevent the attack?
• Is there any way for a vendor to positively reach out to victims after a cyberattack?
• Also, what could be some effective ways to invest IP with generative AI to create value for the organization?

Thanks to our podcast sponsors, Veza, Sysdig, and SlashNext

75% of breaches happen because of bad permissions. The problem is that you don't know exactly WHO has access to WHAT data in your environment. For example, roles labeled as "read-only" can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission—in every app—across your environment.

For businesses innovating in the cloud, every second counts. Sysdig strengthens cyber resilience by reducing the attack surface, detecting threats in real time, and accelerating incident response. Our platform correlates signals across cloud workloads, identities, and services to enable businesses to prioritize risks and act decisively. Sysdig. Secure every second.

SlashNext Complete delivers zero-hour protection for how people work today across email, mobile, and browser apps.  With SlashNext's generative AI to defend against advanced business email compromise, smishing, spear phishing, executive impersonation, and financial fraud, your people are always protected anywhere they work.  Request a demo today.

All links and images for this episode can be found on CISO Series.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Arvin Bansal, former CISO for Nissan Americas.

In this episode:

• Why are so many companies unprepared for phone-based social engineering?
• Why do many orgs not give this attack surface the attention it deserves?
• Are we doing enough to support whistleblowers in cybersecurity?

Thanks to our podcast sponsor, Palo Alto Networks

As cloud attacks increase, how should AppSec respond? Hear from Daniel Krivelevich, CTO of AppSec at Palo Alto Networks, as he dives into modern application security strategies that can help teams defend their engineering ecosystems from modern attacks. Watch now to level up your AppSec program.

All links and images for this episode can be found on CISO Series.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Adam Zoller, svp, CISO at Providence. Joining me is our guest Sam Jacques, vp of clinical engineering, McLaren Health Care.

In this episode:

• When should cybersecurity be brought into the discussion when a merger is underway?
• Why is security always going to be an issue in a merger or acquisition?
• If we know it's so important, why does it always feel like we're reinventing the wheel each time?

Thanks to our podcast sponsor, Claroty

Claroty enables varied sectors to protect their cyber-physical systems, known as the Extended IoT. The platform integrates seamlessly, offering comprehensive controls for visibility, risk management, network protection, and more. Trusted by global leaders, Claroty operates in hundreds of organizations worldwide. Headquartered in NYC, it spans Europe, Asia-Pacific, and Latin America.

All links and images for this episode can be found on CISO Series.

In principle, we can generally all agree that security theater is a waste of time for security teams. But the reality is that these are things that look good, so it can be hard to justify to non-technical leadership why you're eliminating something they see as secure. So how can we positively identify actual security theater practices and how do we communicate that to the rest of the organization?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Davi Ottenheimer, vp of trust and digital ethics, Inrupt.

Thanks to our podcast sponsor, Sysdig

For businesses innovating in the cloud, every second counts. Sysdig strengthens cyber resilience by reducing the attack surface, detecting threats in real time, and accelerating incident response. Our platform correlates signals across cloud workloads, identities, and services to enable businesses to prioritize risks and act decisively. Sysdig. Secure every second.

In this episode:

• Is security theater a waste of time for security teams?
• Why can it be hard to justify to non-technical leadership why you're eliminating something they see as secure?
• How can we positively identify actual security theater practices and how do we communicate that to the rest of the organization?

All links and images for this episode can be found on CISO Series.

Usually the buck stops with the CEO. But for a CISO, what do you do when a CEO wants to exempt themselves from your security program? Whether it's granting privileged network access or just ignoring protocols, it can put a CISO in a tough spot. So how do you deal with a leader that thinks they're above the controls you have in place? Is it enough to document your disagreement or is there anything else you can do in that position? 

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and John C. Underwood, VP, information security, Big 5 Sporting Goods. Joining me is our guest, Joshua Scott, Head of Security and IT, Postman.

Thanks to our podcast sponsor, Veza

75% of breaches happen because of bad permissions. The problem is that you don't know exactly WHO has access to WHAT data in your environment. For example, roles labeled as "read-only" can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission—in every app—across your environment.

In this episode:

• For a CISO, what do you do when a CEO wants to exempt themselves from your security program?
• How do you deal with a leader that thinks they're above the controls you have in place?
• Is it enough to document your disagreement or is there anything else you can do in that position?

All links and images for this episode can be found on CISO Series.

When it comes to security awareness, the advice generally doesn't change. There are a set of best practices that have proven to be effective. So we know what we want to tell people. Communicate it consistently. So how do we relay that information without sounding like a broken record?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Steve Zalewski. Joining us is our sponsored guest, Daniel Krivelevich, CTO for Appsec, Palo Alto Networks.

Thanks to our podcast sponsor, Palo Alto Networks

As cloud attacks increase, how should AppSec respond? Hear from Daniel Krivelevich, CTO of AppSec at Palo Alto Networks, as he dives into modern application security strategies that can help teams defend their engineering ecosystems from modern attacks. Watch now to level up your AppSec program.

In this episode:

• What security measures have been the most successful in preventing cyberattacks?
• What do we need to better understand about misconfigurations to better secure the cloud?
• How do we relay this information without sounding like a broken record?

All links and images for this episode can be found on CISO Series.

Organizations know that securing SaaS is vital. But polls consistently show they also know their current security isn't cutting it. With security teams acting more as SaaS supervisors than app owners, how can we reduce the glaring gaps in our SaaS defenses?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our sponsored guest, Rohan Sathe, co-founder and CTO, Nightfall AI.

Thanks to our podcast sponsor, Nightfall

Nightfall is the leader in cloud data leak prevention. Integrate in minutes with cloud apps such as Slack and Jira to instantly protect data (PII, PHI, Secrets and Keys, PCI) and prevent breaches. Stay compliant with frameworks such as ISO 27001 and more — all powered by Nightfall's industry-leading ML detection.

In this episode:

• With security teams acting more as SaaS supervisors than app owners, how can we reduce the glaring gaps in our SaaS defenses?
• How can we secure new technology without creating new risks?
• If security no longer owns SaaS security, then how can they go about closing these gaps?