All links and images can be found on CISO Series.

This week's episode is hosted by David Spark, producer of CISO Series and Andy Ellis (@csoandy), principal of Duha. Joining them is our sponsored guest, Nathan Hunstad, director, security, Vanta.

In this episode:

• Metrics that matter
• Testing for real
• AI as an assistant
• Intelligence without context

Huge thanks to our sponsor, Vanta

Vanta automates key areas of your GRC program—including compliance, risk, and customer trust—and streamlines the way you manage information. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. Get back time to focus on strengthening security and scaling your business at vanta.com/ciso

All links and images can be found on CISO Series.

This week's episode is hosted by David Spark, producer of CISO Series and Jeff Steadman, deputy CISO, Corning Incorporated. Joining them is Quincey Collins, CSO, Sheppard Mullin. This episode was recorded live at the ISSA LA Summit in Santa Monica, California.

In this episode: 

• The foundational debate
• Strength over breadth
• Beyond traditional backgrounds
• Keeping perspective on risk

Huge thanks to our sponsors, Adaptive Security and Dropzone AI

AI-powered social engineering threats like deepfake voice calls, GenAI phishing, and vishing attacks are evolving fast. Adaptive helps security leaders get ahead with an AI-native platform that simulates realistic genAI attacks, and delivers expert-vetted security awareness training — all in one unified solution. Learn more at adaptivesecurity.com.

Dropzone AI autonomously investigates every security alert—no playbooks needed. This AI SOC analyst queries your CrowdStrike, Splunk, threat intel feeds, and 60+ other tools to build complete investigations in 5 minutes. Unlike black-box automation, it shows every query, finding, and decision. See it work yourself—explore the self-guided demo at dropzone.ai.

All links and images can be found on CISO Series.

This week's episode is hosted by David Spark, producer of CISO Series and Andy Ellis, principal of Duha. Joining us is Jason Loomis, CISO, Freshworks.

In this episode:

• Making organizations take their security medicine
• Building CISO support systems
• Holding the door for humans
• Underappreciated risks: beyond the headlines

Huge thanks to our sponsor, Safe Security

SAFE is the category leader in Cyber Risk Quantification (CRQ) and the first vendor to deliver fully autonomous Third-Party Risk Management.We help CISOs, GRC, and TPRM leaders continuously and efficiently quantify, prioritize, and mitigate cyber risks across their entire attack surface — enabling digital growth and resilience. Learn more at tprmdemo.safe.security.

All links and images for this episode can be found on CISO Series.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest, Kurt Sauer, CISO, Docusign.

We recorded in front of a live audience at Microsoft's offices in Mountain View, CA as part of the ISSA-Silicon Valley chapter meeting. Check out all the photos from the event.

In this episode:

• Is a high profile cyberattack the best time for salespeople to come out of the woodwork asking if the affected CISO would like to see their product, which would have helped prevent the attack?
• Is there any way for a vendor to positively reach out to victims after a cyberattack?
• Also, what could be some effective ways to invest IP with generative AI to create value for the organization?

Thanks to our podcast sponsors, Veza, Sysdig, and SlashNext

75% of breaches happen because of bad permissions. The problem is that you don't know exactly WHO has access to WHAT data in your environment. For example, roles labeled as "read-only" can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission—in every app—across your environment.

For businesses innovating in the cloud, every second counts. Sysdig strengthens cyber resilience by reducing the attack surface, detecting threats in real time, and accelerating incident response. Our platform correlates signals across cloud workloads, identities, and services to enable businesses to prioritize risks and act decisively. Sysdig. Secure every second.

SlashNext Complete delivers zero-hour protection for how people work today across email, mobile, and browser apps.  With SlashNext's generative AI to defend against advanced business email compromise, smishing, spear phishing, executive impersonation, and financial fraud, your people are always protected anywhere they work.  Request a demo today.

All links and images for this episode can be found on CISO Series.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Arvin Bansal, former CISO for Nissan Americas.

In this episode:

• Why are so many companies unprepared for phone-based social engineering?
• Why do many orgs not give this attack surface the attention it deserves?
• Are we doing enough to support whistleblowers in cybersecurity?

Thanks to our podcast sponsor, Palo Alto Networks

As cloud attacks increase, how should AppSec respond? Hear from Daniel Krivelevich, CTO of AppSec at Palo Alto Networks, as he dives into modern application security strategies that can help teams defend their engineering ecosystems from modern attacks. Watch now to level up your AppSec program.

All links and images for this episode can be found on CISO Series.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Adam Zoller, svp, CISO at Providence. Joining me is our guest Sam Jacques, vp of clinical engineering, McLaren Health Care.

In this episode:

• When should cybersecurity be brought into the discussion when a merger is underway?
• Why is security always going to be an issue in a merger or acquisition?
• If we know it's so important, why does it always feel like we're reinventing the wheel each time?

Thanks to our podcast sponsor, Claroty

Claroty enables varied sectors to protect their cyber-physical systems, known as the Extended IoT. The platform integrates seamlessly, offering comprehensive controls for visibility, risk management, network protection, and more. Trusted by global leaders, Claroty operates in hundreds of organizations worldwide. Headquartered in NYC, it spans Europe, Asia-Pacific, and Latin America.

All links and images for this episode can be found on CISO Series.

In principle, we can generally all agree that security theater is a waste of time for security teams. But the reality is that these are things that look good, so it can be hard to justify to non-technical leadership why you're eliminating something they see as secure. So how can we positively identify actual security theater practices and how do we communicate that to the rest of the organization?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Davi Ottenheimer, vp of trust and digital ethics, Inrupt.

Thanks to our podcast sponsor, Sysdig

For businesses innovating in the cloud, every second counts. Sysdig strengthens cyber resilience by reducing the attack surface, detecting threats in real time, and accelerating incident response. Our platform correlates signals across cloud workloads, identities, and services to enable businesses to prioritize risks and act decisively. Sysdig. Secure every second.

In this episode:

• Is security theater a waste of time for security teams?
• Why can it be hard to justify to non-technical leadership why you're eliminating something they see as secure?
• How can we positively identify actual security theater practices and how do we communicate that to the rest of the organization?

All links and images for this episode can be found on CISO Series.

Usually the buck stops with the CEO. But for a CISO, what do you do when a CEO wants to exempt themselves from your security program? Whether it's granting privileged network access or just ignoring protocols, it can put a CISO in a tough spot. So how do you deal with a leader that thinks they're above the controls you have in place? Is it enough to document your disagreement or is there anything else you can do in that position? 

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and John C. Underwood, VP, information security, Big 5 Sporting Goods. Joining me is our guest, Joshua Scott, Head of Security and IT, Postman.

Thanks to our podcast sponsor, Veza

75% of breaches happen because of bad permissions. The problem is that you don't know exactly WHO has access to WHAT data in your environment. For example, roles labeled as "read-only" can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission—in every app—across your environment.

In this episode:

• For a CISO, what do you do when a CEO wants to exempt themselves from your security program?
• How do you deal with a leader that thinks they're above the controls you have in place?
• Is it enough to document your disagreement or is there anything else you can do in that position?

All links and images for this episode can be found on CISO Series.

When it comes to security awareness, the advice generally doesn't change. There are a set of best practices that have proven to be effective. So we know what we want to tell people. Communicate it consistently. So how do we relay that information without sounding like a broken record?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Steve Zalewski. Joining us is our sponsored guest, Daniel Krivelevich, CTO for Appsec, Palo Alto Networks.

Thanks to our podcast sponsor, Palo Alto Networks

As cloud attacks increase, how should AppSec respond? Hear from Daniel Krivelevich, CTO of AppSec at Palo Alto Networks, as he dives into modern application security strategies that can help teams defend their engineering ecosystems from modern attacks. Watch now to level up your AppSec program.

In this episode:

• What security measures have been the most successful in preventing cyberattacks?
• What do we need to better understand about misconfigurations to better secure the cloud?
• How do we relay this information without sounding like a broken record?

All links and images for this episode can be found on CISO Series.

Organizations know that securing SaaS is vital. But polls consistently show they also know their current security isn't cutting it. With security teams acting more as SaaS supervisors than app owners, how can we reduce the glaring gaps in our SaaS defenses?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our sponsored guest, Rohan Sathe, co-founder and CTO, Nightfall AI.

Thanks to our podcast sponsor, Nightfall

Nightfall is the leader in cloud data leak prevention. Integrate in minutes with cloud apps such as Slack and Jira to instantly protect data (PII, PHI, Secrets and Keys, PCI) and prevent breaches. Stay compliant with frameworks such as ISO 27001 and more — all powered by Nightfall's industry-leading ML detection.

In this episode:

• With security teams acting more as SaaS supervisors than app owners, how can we reduce the glaring gaps in our SaaS defenses?
• How can we secure new technology without creating new risks?
• If security no longer owns SaaS security, then how can they go about closing these gaps?

All links and images for this episode can be found on CISO Series.

If you search online, you'll find no dearth of lists claiming to rank the top security leaders. The question is, how do these actually get created? Most of the time, these lists include CISOs from the biggest companies, or the ones with the best name recognition. But is that any kind of objective criteria? These lists generally serve the interest of boosting the credibility of the publisher, rather than being based on any kind of rigor. Is there any way to make these lists anything but fluff?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Janet Heins, CISO, iHeartMedia.

Thanks to our podcast sponsor, LimaCharlie

Whether you're looking for endpoint security, an observability pipeline, detection and response rules, or other underlying security capabilities, LimaCharlie's SecOps Cloud Platform helps you build a flexible and scalable security program that can evolve as fast as threat actors. Move your SecOps into the modern era. Learn more at limacharlie.io.

In this episode:

• If you search online, you'll find no dearth of lists claiming to rank the top security leaders. The question is, how do these actually get created?
• Is there any kind of objective criteria?
• Is there any way to make these lists anything but fluff?

All links and images for this episode can be found on CISO Series.

CISOs are common among the Fortune 500. But it remains rare to see them listed in executive leadership. Given that every company says security is of prime importance, why aren't CISOs named within the top company echelons?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Allan Cockriel, CISO of Shell. Joining us is our special guest, Mary Rose Martinez, CISO, Marathon Petroleum.

Thanks to our podcast sponsor, Censys

Censys is the leading Internet Intelligence Platform for Threat Hunting and Exposure Management. We provide the most comprehensive, accurate, and up-to-date map of the internet, which scans 45x more services than the nearest competitor across the world's largest certificate database (>10B). Learn more at www.censys.com. 

In this episode:

• Given that every company says security is of prime importance, why aren't CISOs named within the top company echelons?
• Can you think of a security action that did work at one organization that simply wouldn't work in another because of the culture?
• When it comes to communicating bad news to the board and c-suite, what techniques have worked the best?

All links and images for this episode can be found on CISO Series.

We've heard a lot of talk about the security risks with emerging AI technologies. A lot of these center around employees using large language models. But what about the potential benefits of this technology for cybersecurity? Could we eventually see a de facto AI CISO on the job?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Rob Duhart, deputy CISO, Walmart. Joining us is our special guest, Aaron Hughes, CISO, Albertsons.

Thanks to our podcast sponsor, KnowBe4

In this episode:

• What are the potential benefits of A.I. for cybersecurity? Could we eventually see a de facto AI CISO on the job?
• How does neurodiversity improve awareness in your security program?
• Where have you taken advantage of AI for your security program? And specifically so you can do your job better as a CISO, where does AI deliver opportunities?

All links and images can be found on CISO Series.

This week's episode is hosted by David Spark, producer of CISO Series and Mike Johnson, CISO, Rivian. Joining them is Jennifer Swann, CISO, Bloomberg Industry Group.

In this episode:

• Vulnerability management vs. configuration control
• Open source security and supply chain trust
• Building security leadership presence
• AI governance and enterprise risk

Huge thanks to our sponsor, Vanta

Vanta's Trust Management Platform automates key areas of your GRC program—including compliance, internal and third-party risk, and customer trust—and streamlines the way you gather and manage information. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. Get started today at Vanta.com/CISO.

All links and images for this episode can be found on CISO Series.

In everyday life, it's often clear when to call in the authorities. Someone egging your house might not rise to the occasion, but a break-in gets a call to the cops. It's less clear when it comes to a cyberattack. What constitutes a significant attack and what are the regulatory requirements? Once you make the call, how do they help in your response?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our special guest, David Ring, section chief at FBI, Cyber Division.

Thanks to our podcast sponsor, Hunters

Hunters SOC Platform is a SIEM alternative, delivering data ingestion, built-in and always up-to-date threat detection, and automating correlation and investigation processes to reduce risk, complexity, and cost for security teams. Learn more at hunters.security.

In this episode:

• What constitutes a significant attack and what are the regulatory requirements?
• Once you make the call, how do they help in your response?
• How do you approach "skills-and competency-based" hiring? And are there certain positions for which a 4-year degree is necessary?

All links and images for this episode can be found on CISO Series.

Even before the pandemic, we've been increasingly living in online collaboration apps. So why are organizations still making basic security mistakes with them? Is this a case of shadow IT or do these apps present unique challenges?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest, Rich Dandliker, chief strategist, Veza.

Thanks to our podcast sponsor, Veza

75% of breaches happen because of bad permissions. The problem is that you don't know exactly WHO has access to WHAT data in your environment. For example, roles labeled as "read-only" can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission—in every app—across your environment. Learn more at Veza.com.

In this episode:

• We've been increasingly living in online collaboration apps. So why are organizations still making basic security mistakes with them?
• Is this a case of shadow IT or do these apps present unique challenges?
• Startups are by nature a risky business, most fail. Why do they?

All links and images for this episode can be found on CISO Series.

Every company deals with off-boarding employees. Yet it feels like many organizations make basic security mistakes in this process. Is it just a case of HR and IT being out of sync, or is this an inevitably leaky process?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our special guest Lorna Koppel, CISO, Tufts University.

Thanks to our podcast sponsor, LimaCharlie

Whether you're looking for endpoint security, an observability pipeline, detection and response rules, or other underlying security capabilities, LimaCharlie's SecOps Cloud Platform helps you build a flexible and scalable security program that can evolve as fast as threat actors. Move your SecOps into the modern era. Learn more at limacharlie.io.

In this episode:

• What can a vendor do that will actually make a CISO want to respond to a message?
• What are we doing right and wrong when it comes to hardening our environments?
• Do you think organizations are still struggling with hardening their environments and if so, why?

All links and images for this episode can be found on CISO Series.

Security vendors want to engage with CISOs. Yet many choose tactics that seem blatantly insulting. It might seem obvious that asking a CISO if they care about security does nothing to ingratiate yourself, but we still have inboxes full of these types of messages. So what can a vendor do that will actually make a CISO want to respond to a message?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our special guest, Jeff Hudesman, CISO, Pinwheel.

Thanks to our podcast sponsor, Balbix

Balbix is a cyber risk quantification platform that discovers and manages all your cyber assets, identifies and prioritizes vulnerabilities, and delivers a monetary assessment of cyber risk. This enables CISOs to articulate the value of risk to the board and obtain support and budgets for security programs.

In this episode:

• What can a vendor do that will actually make a CISO want to respond to a message?
• What are we doing right and wrong when it comes to hardening our environments?
• Do you think organizations are still struggling with hardening their environments and if so, why?

All links and images for this episode can be found on CISO Series.

We're seeing increasing recognition that cybersecurity jobs should focus on competency rather than years of experience. But how do you create job posts to encourage that? And how do applicants even show that on a resume?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us for the episode is our special guest TC Niedzialkowski‌, CISO, Nextdoor.

Thanks to our podcast sponsor, Reqfast

Stop treating your various intelligence and security functions as if they are separate, unrelated activities and, instead, bring them together with Reqfast. Identify what's needed, identify areas for improvement, and make data-driven decisions with confidence.

In this episode:

• Are we finally seeing increasing recognition that cybersecurity jobs should focus on competency rather than years of experience?
• How do you create job posts to encourage that?
• How do applicants even show that on a resume?

All links and images for this episode can be found on CISO Series.

For some security problems, it can be tough to know when to try to fix the problem yourself or turn to a vendor. Deciding this shouldn't start with talking to someone that wants to sell you something. But how do you determine when it's time to call in a vendor?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us for this episode is our special guest, Katie Ledoux, CISO, Attentive.

Thanks to our podcast sponsor, Palo Alto Networks

As cloud attacks increase, how should AppSec respond? Hear from Daniel Krivelevich, CTO of AppSec at Palo Alto Networks, as he dives into modern application security strategies that can help teams defend their engineering ecosystems from modern attacks. Watch now to level up your AppSec program.

In this episode:

• Why do many organizations have a problem relating quantification to something meaningful to the business?
• Is there a way to understand risks on a continuum that will make relating these to business a little more manageable?
• What are the questions security professionals should be asking themselves?

All links and images for this episode can be found on CISO Series.

Shifting Left is so five years ago. Advice and best practices are great, but context is king. Is there a mixture of best practices AND doing what's right for your business that's actually practical?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Steve Zalewski. Joining us for the episode is our sponsored guest Gaurav Banga, CEO, Balbix.

Thanks to our podcast sponsor, Balbix

Balbix is a cyber risk quantification platform that discovers and manages all your cyber assets, identifies and prioritizes vulnerabilities, and delivers a monetary assessment of cyber risk. This enables CISOs to articulate the value of risk to the board and obtain support and budgets for security programs.

In this episode:

• What are your most successful tactics when talking to the boardroom?
• Is there a mixture of best practices AND doing what's right for your business that's actually practical?
• What have you heard enough with automation and what would you like to hear a lot more?

All links and images for this episode can be found on CISO Series.

There are so many third party vendors we want to work with, but uggh, their security and privacy is so troublesome. Is it only the security department's job to vet these partners or should everyone have a responsibility of keeping tabs on third party security?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Our guest is Phil Beyer, former head of security, Etsy.

Thanks to our podcast sponsor, Balbix

Balbix is a cyber risk quantification platform that discovers and manages all your cyber assets, identifies and prioritizes vulnerabilities, and delivers a monetary assessment of cyber risk. This enables CISOs to articulate the value of risk to the board and obtain support and budgets for security programs.

In this episode:

• There are many third party vendors that CISOs & practitioners want to work with, but why is their security and privacy so troublesome?
• Is it only the security department's job to vet these partners or should everyone have a responsibility of keeping tabs on third party security?
• What can frontline employees do to manage third-party risk?

All links and images for this episode can be found on CISO Series.

Do you know what security categories were created this year? I have no idea. Do you know which ones were deleted? I don't think any. Is category growth designed to make more money for the industry? Does it help customers build a better security strategy? It seems like a necessary evil that just confuses customers. The number of categories never decreases or replaces old categories.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Our sponsored guest is Maxime Lamothe-Brassard (@_maximelb), CEO and co-founder at LimaCharlie.

Thanks to our podcast sponsor, LimaCharlie

LimaCharlie is inviting you for the unveiling of the SecOps Cloud Platform during a two-hour LinkedIn Live event on Wednesday, July 19th, starting at 10:00am PST. 

For every registrant, LimaCharlie will be donating $5 to the Internet Archive. Register for the event at limacharlie.io or on the LimaCharlie LinkedIn page.

In this episode: 

• Do you know what security categories were created this year? Do you know which ones were deleted?
• Is category growth designed to make more money for the industry?
• Does it help customers build a better security strategy?

All links and images for this episode can be found on CISO Series.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Jesse Whaley, CISO, Amtrak. Our guest was Paul Branley, CISO, TSB Bank.

We recorded this episode in front of a live audience in Tel Aviv as part of Team8's CISO Summit 2023. CISO Series is honored to have been invited to record our show at the event.

Thanks to our podcast sponsor, Team8

Team8 is a global venture group that builds and invests in early stage companies focused on digital transformation: cybersecurity, data, fintech and digital health. Its strong expertise in cyber is the backbone of Team8's CISO Village - a community of hundreds of CISOs who enjoy access to thought leadership, networking events, and partner with Team8 to support its company building process.

In this episode:

• Why should you NEVER boast about how good your security is?
• When upskilling your staff, how do you identify the knowledge that must be learned? Who will learn it? Who will provide it?
• What does this do to your current security if people are spending time teaching and learning?

All links and images can be found on CISO Series.

This week's episode is hosted by me, David Spark, producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is David Cross, CISO, Atlassian.

In this episode:

• Breaking the Sales Cycle
• Leadership Under Fire
• Predicting the Unpredictable
• Security Startups' Security Paradox

A huge thanks to our sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com.

All links and images for this episode can be found on CISO Series.

Troy Hunt's new site, "Dumb Password Rules," demonstrates yet another slice of security theater. Rules designed to make the creator believe they're making the business more secure, but appear to do nothing more than create unnecessary roadblocks and confusion.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Our guest is Dave Hannigan (@davidhannigan), CISO, Nubank.

Thanks to our podcast sponsor, Reqfast

Stop treating your various intelligence and security functions as if they are separate, unrelated activities and, instead, bring them together with Reqfast. Identify what's needed, identify areas for improvement, and make data-driven decisions with confidence.

In this episode:

• Are dumb password rules the result of security theater or limitations of old technology?
• What really causes lack of sleep and burnout among IT and Security leaders?
• Why are we still struggling with cybersecurity hiring?

This week's episode was recorded in front of a live audience at the Colorado Convention Center in Denver as we kicked off the Rocky Mountain Information Security Conference (RMISC). See the blog post for this episode here.

Joining me, David Spark (@dspark), producer of CISO Series, on stage was my guest co-host, Jay Wilson, CISO for Insurity. Our guest is Michelle Wilson, CISO, Movement Mortgage.

HUGE thanks to our sponsor, Trend Micro

The stakes are high for cybersecurity decision makers as the threat landscape and attack surface continue to evolve. Explore Trend Micro's CISO Resource Center for research-driven strategic insights and best practices to help leaders better understand, communicate, and minimize cyber risk across the enterprise. Learn more.

All links and images for this episode can be found on CISO Series.

Why does it seem that the only time we hear about a company's concern about security and privacy is after they're compromised. It is only at that moment they feel compelled to let us know that they're taking this situation very seriously because as we've ll heard before "security and privacy are very important to us."

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Andrea Bergamini, CISO, Orbia.

Thanks to our podcast sponsor, Varonis

Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren't needed – reducing your risk on a continual basis. Discover more at www.varonis.com/cisoseries.

In this episode: 

• Why does it seem that the only time we hear about a company's concern about security and privacy is after they're compromised?
• Is it only because at that moment they feel compelled to let us know that they're taking this situation very seriously?
• How do you get things going before you have a massive breach?

All links and images for this episode can be found on CISO Series.

There is a long history of security professionals complaining about the insecurity of new technologies. When new technologies take off, they rarely have lots of great security built in. The populace never comes around and says, "Security is right. We should stop using this thing we love." The popular technology ALWAYS wins.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Rinki Sethi (@rinkisethi), vp and CISO, BILL.

Thanks to our podcast sponsor, OffSec

With a Learn Enterprise plan, your employees get unlimited access to over 1,500 videos, 2,000 practical exercises, and more than 800 hands-on labs. The library is updated regularly with training content and modules defensive and offensive job role-specific content, from foundational to advanced. Google, Vmware, Microsoft all trust OffSec.

In this episode:

• Is it a coincidence that there is a long history of security professionals complaining about the insecurity of new technologies?
• When new technologies take off, why do they rarely have lots of great security built in?
• How does a cyber aware c-suite/board make better decisions that help a CISO and the business?

All links and images for this episode can be found on CISO Series.

When cybersecurity needs to cut budget, first move is to look where you have redundancy. That way you're not actually reducing the security effort. But after that, the CFO needs to know what are the most important areas of the business to protect. Where will they be willing to take on more risk? Because, with less security, the chances of failure increase.

This show was recorded in front of a live audience in New Orleans as part of the BSidesNOLA 2023 reboot conference. The episode features me, David Spark (@dspark), host and producer of CISO Series. My guest co-host is my former co-host, Allan Alford (@allanalfordintx), CISO for Precedent and host of The Cyber Ranch Podcast. Our guest is Mike Woods, corporate CISO for GE.

Thanks to our podcast sponsors: Conveyor, Nightfall AI, Rapid7

Love security questionnaires? Then you're going to hate Conveyor: the end-to-end trust platform built to eliminate questionnaires.
Infosec teams reduce the volume of questionnaires with a customer-facing trust portal and for any remaining questionnaires, our GPT-Questionnaire Eliminator response tool or white-glove questionnaire completion service will knock them off your to-do list. www.conveyor.com

Nightfall is the leader in cloud data leak prevention. Integrate in minutes with cloud apps such as Slack and Jira to instantly protect data (PII, PHI, Secrets and Keys, PCI) and prevent breaches. Stay compliant with frameworks such as ISO 27001 and more — all powered by Nightfall's industry-leading ML detection.

Rapid7 is the only connected, cloud to on-prem cybersecurity partner with unlimited incident response, unlimited automated workflows, unlimited vulnerability management, unlimited app security, you get the idea. Add it up – with Rapid7's decades of practitioner-first problem solving – and there's unlimited opportunity for you. See for yourself at Rapid7.com/ciso-series.

In this episode: 

• We always say, "trust but verify," but how do you actually verify?
• When it comes to cut budget, make sure you're already in the mind of the CFO.
• What's the difference between a good cybersecurity professional and a great one?

All links and images for this episode can be found on CISO Series.

As children, we don't dream of becoming a CISO, but yet we still have them. What is it a security professional can learn or even show, to demonstrate that they're getting ready for the position of a CISO?

This week's episode is hosted by me, David Spark, producer of CISO Series and Andy Ellis, operating partner, YL Ventures. Our guest is Paul Connelly, former CISO, HCA Healthcare.

Thanks to our podcast sponsor, Nightfall

Nightfall is the leader in cloud data leak prevention. Integrate in minutes with cloud apps such as Slack and Jira to instantly protect data (PII, PHI, Secrets and Keys, PCI) and prevent breaches. Stay compliant with frameworks such as ISO 27001 and more — all powered by Nightfall's industry-leading ML detection.

In this episode:

• What is it a security professional can learn or even show, to demonstrate that they're getting ready for the position of a CISO?
• How to tell that you are NOT CISO material?
• What don't CISOs know about physical security that they should know before they get into big trouble?

All links and images for this episode can be found on CISO Series.

It seems anything that's added to a business, like a new app or a third party vendor, just adds more risk. Risk definitely piles up faster than CISOs can reduce it.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Kurt Sauer (@kurtsauer), CISO, DocuSign (when we recorded the show, Kurt was the vp of security for Workday).

Thanks to our podcast sponsor, Stairwell

The standard cybersecurity blueprint is a roadmap for attackers to test and engineer attacks. With Inception, organizations can operate out of sight, out of band, and out of time. Collect, search, and analyze every file in your environment – from malware and supply chain vulnerabilities to unique, low-prevalence files and beyond.
Learn about Inception.

In this episode: 

• Does it seem like anything that's added to a business, like a new app or a third party vendor, just adds more risk?
• Does risk pile up faster than CISOs can reduce it?
• How do you avoid creating new risks when you add new applications, or even just update applications?

All links and images for this episode can be found on CISO Series.

This show was recorded in front of a live audience in New York City!

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series, and a special guest host, Aaron Zollman, CISO & vp, platform engineering, Cedar. Our guest is Colin Ahern, chief cyber officer for the State of New York.

Thanks to our podcast sponsor, OpenVPN, SlashNext & Votiro

Take the cost and complexity out of secure networking with OpenVPN. Whether you choose our cloud-delivered or self-hosted solution, subscriptions are based on concurrent connections, so you pay for what you actually use. Start today with free connections, no credit card required, and scale to paid when you're ready.

SlashNext, a leader in SaaS-based Integrated Cloud Messaging Security across email, web, and mobile has the industry's first artificial intelligence solution, HumanAI, that uses generative AI to defend against advanced business email compromise (BEC), supply chain attacks, executive impersonation, and financial fraud. Request a demo today.

No matter what technology or training you provide, humans are still the greatest risk to your security. Votiro's API-centric product sanitizes every file before it hits the endpoint, so the files that your employees open are safe. This happens in milliseconds, so the business stays safe and never slows down.

In this episode:

• If you hired someone today, how would you know in 3 months time that they were the right fit?
• Do you have any other questions you've heard from candidates that you think are better?
• What doesn't the government currently know about cloud providers that they should know?

All links and images for this episode can be found on CISO Series.

Turns out cybersecurity professionals lie on their resumes. They add degrees and certifications they don't have. They omit degrees for fear of looking overqualified. And sometimes, they flat out invent jobs. But given the responses as to why people do it, it's because they're trying to get by the unnecessary barriers of cybersecurity hiring. Does that make the lying justified?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is David Nolan, vp, enterprise risk & CISO, Aaron's.

Thanks to our podcast sponsor, Varonis

Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren't needed – reducing your risk on a continual basis. Discover more at www.varonis.com/cisoseries.

In this episode: 

• Do some cybersecurity professionals really lie on their resumes?
• Is this because they're trying to get by the unnecessary barriers of cybersecurity hiring?
• Does that make the lying justified?

All links and images for this episode can be found on CISO Series.

Companies want to hire security professionals who know everything. Eager professionals who want all those skills are screaming please hire me and train me. But unlike the military which can turn a teenager into a soldier in 16 weeks, corporations in dire of cybersecurity help have little to no means to train. They're just hoping they'll show up perfect and ready to fight in a digital war.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Joe Lowis, CISO, CDC.

Thanks to our podcast sponsor, Cyolo

Too many critical assets and systems remain exposed because traditional secure access solutions are not able to protect the high-risk access scenarios and legacy applications that keep business operations running. With its trustless zero-trust access solution, Cyolo gives organizations the visibility and access control they need to secure every connection.

In this episode:

• Is it realistic for companies to hire security professionals who know everything?
• Do companies realize that there are professionals who want all those skills and are eager to learn?
• Why isn't there more emphasis on providing training like how the military trains all new recruits?

All links and images can be found on CISO Series.

This week's episode is hosted by me, David Spark, producer of CISO Series and Andy Ellis (@csoandy), principal of Duha. Joining us is Gary Chan, CISO, SSM Health. Be sure to check out Gary's security mentalism website: https://www.gschan2000.com.

In this episode:

• Decision-making with incomplete information
• Translation beats technical expertise
• Influence trumps authority for CISOs
• Technical prowess creates adversaries

Huge thanks to our sponsor, Vanta

All links and images for this episode can be found on CISO Series.

Given the ease of sharing data, our sensitive information is going more places that we want it. We have means to secure data, but you really can't do that if you don't know where your data actually is.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Brian Vecci (@BrianTheVecci), field CTO, Varonis.

Thanks to our podcast sponsor, Varonis

Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren't needed – reducing your risk on a continual basis. 

Discover more at www.varonis.com/cisoseries.

In this episode:

• What exactly is "dark data"? Are we creating more problems for ourselves by holding onto dark data?
• What is this generated yet unused data? Is this the same as ROT data or redundant, obsolete, trivial data?
• How can it be discovered and classified?

All links and images for this episode can be found on CISO Series.

No department is immune to budget cuts. When the budget cuts come in, where can security look first to save money? Mike Johnson said, "An expensive tool that doesn't mitigate risk should be at the top of the chopping block."

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Almog Apirion (@almogap), CEO and cofounder, Cyolo.

Thanks to our podcast sponsor, Cyolo

Too many critical assets and systems remain exposed because traditional secure access solutions are not able to protect the high-risk access scenarios and legacy applications that keep business operations running. With its trustless zero-trust access solution, Cyolo gives organizations the visibility and access control they need to secure every connection.

In this episode:

• When the budget cuts come in, where can security look first to save money? 
• Where has change management gotten easier and more difficult for you over the years?
• And how do you engage with your team and affected users about making a change that works best for the business?

All links and images for this episode can be found on CISO Series.

Is chaos engineering the secret sauce to creating a resilient organization? Purposefully disrupt your architecture to allow for early discovery of weak points. Can we take it even further to company environment, beyond even a tabletop exercise? How far can we test our limits while still allowing the business to operate?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Mike Wiacek, CEO, Stairwell.

Thanks to our podcast sponsor, Stairwell

The standard cybersecurity blueprint is a roadmap for attackers to test and engineer attacks. With Inception, organizations can operate out of sight, out of band, and out of time. Collect, search, and analyze every file in your environment – from malware and supply chain vulnerabilities to unique, low-prevalence files and beyond.
Learn about Inception.

In this episode:

• Is chaos engineering the secret sauce to creating a resilient organization? 
• Purposefully disrupt your architecture to allow for early discovery of weak points. Can we take it even further to company environment, beyond even a tabletop exercise?
• How far can we test our limits while still allowing the business to operate?

All links and images for this episode can be found on CISO Series.

In order to get any work done we try to shut out all possible distractions. That includes messaging apps. But those people who want to connect become annoyed that they can't reach you.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Howard Holton, CTO, GigaOm.

Thanks to our podcast sponsor, Cyolo

Too many critical assets and systems remain exposed because traditional secure access solutions are not able to protect the high-risk access scenarios and legacy applications that keep business operations running. With its trustless zero-trust access solution, Cyolo gives organizations the visibility and access control they need to secure every connection.

In this episode:

• In order to get any work done, why do we try to shut out all possible distractions, including messaging apps? 
• What happens when those people who want to connect become annoyed that they can't reach you?
• Who are the true innovators in cybersecurity? Is it the attackers or the defenders?

All links and images for this episode can be found on CISO Series.

What happens to your team after the layoffs? Your overextended team now realizes they're going to have to pick up the slack for those who left. How do you shift responsibilities in such a situation? Does anything fall away? Because you can't still operate at the same level. How do you adjust while maintaining morale and not burning out those who are there?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Dan Walsh, CISO, VillageMD. Our guest is Nick Vigier, CISO, Talend.

Thanks to our podcast sponsor, Sentra

Sentra's Data Security Posture Management Solution not only discovers and classifies cloud data, but ensures it always has the proper security posture. No matter where the data is moved or copied, Sentra can identify the type of data, who has access to it, and how it's meant to be secured.

In this episode: 

• What happens to your team after the layoffs?
• Your overextended team now realizes they're going to have to pick up the slack for those who left. How do you shift responsibilities in such a situation?
• How do you adjust while maintaining morale and not burning out those who are there?

All links and images for this episode can be found on CISO Series.

Future cybersecurity talent is frustrated. The industry demand for cybersecurity professionals is huge, but the openings for green cyber people eager to get into the field are few. They want professional training, and they want the hiring companies to provide the training. Problem is not enough companies have training programs in place and as a result they can only hire experienced cyber talent, shutting out those who want to get in.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Matt Radolec, sr. director incident response and cloud operations, Varonis.

Thanks to our podcast sponsor, Varonis

Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren't needed – reducing your risk on a continual basis. Discover more at www.varonis.com/cisoseries.

In this episode: 

• The industry demand for cybersecurity professionals is huge, so why are the openings for green cyber people eager to get into the field so few?
• Should more hiring companies provide the training?
• Is the problem that not enough companies have training programs in place?

All links and images for this episode can be found on CISO Series.

I don't need another vendor to find my problems. Finding my problems has not been the issue. That's the easy part. Fixing them with the staff I have is definitely "the problem." Vulnerability management must include ways to remediate, quickly.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is John C. Underwood, vp, information security, Big 5 Sporting Goods.

Thanks to our podcast sponsor, Pentera

Pentera is the category leader for Automated Security Validation, allowing every organization to test with ease the integrity of all cybersecurity layers including their ransomware readiness, unfolding true, current security exposures at any moment, at any scale.

In this episode: 

• Do you need another vendor to find your problems when finding your problems has not been the issue?
• Or is actually fixing them with your staff "the problem"?
• Do you think vendors are finally moving away from offering "just" visibility and giving proactive advice and some cases automation to fix it?

All links and images for this episode can be found on CISO Series.

It's pretty darn easy to just utter the words "we're 100% secure." Pulling that off seems universally impossible, but some organizations are adamant about certain types of safety so they aim for 100%.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Yoav Regev (@yoav_regev), CEO, Sentra.

Thanks to our podcast sponsor, Sentra

Sentra's Data Security Posture Management Solution not only discovers and classifies cloud data, but ensures it always has the proper security posture. No matter where the data is moved or copied, Sentra can identify the type of data, who has access to it, and how it's meant to be secured.

In this episode: 

What does it take to have a successful security program?
What are the things to focus on when speaking with executives?
How do you stay innovative as a security professional and have new fresh perspectives?

All links and images for this episode can be found on CISO Series.

A CISO calls on security vendors to stop the spamming and cold calling. Are these annoyances the direct result the way salespeople are measured? Is that what drives the desperation and bad behavior?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Dmitriy Sokolovskiy, CISO, Avid.

Thanks to our podcast sponsor, Varonis

Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren't needed – reducing your risk on a continual basis. Discover more at www.varonis.com/cisoseries.

In this episode:

• What NEW ways could salespeople be measured that would encourage good behavior with CISOs?
• There's still this desire to draw a linear path to sales, but how often does it cleanly play out that way?
• Are integrators, MSSPs, and resellers leveling the playing field for cybersecurity vendors?

All links and images for this episode can be found on CISO Series.

We are all very easily distracted, and adversaries know that. So they'll try any little trick to make us not pay attention, look away, or do what we're not supposed to do all in an effort to break our human defenses.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Shaun Marion, CISO, McDonald's.

Thanks to our podcast sponsor, Sentra

Sentra's Data Security Posture Management Solution not only discovers and classifies cloud data, but ensures it always has the proper security posture. No matter where the data is moved or copied, Sentra can identify the type of data, who has access to it, and how it's meant to be secured.

In this episode:

• Do you have a "security hive" and what does it do for you?
• What are the active behaviors you're deploying to reduce the stress in your life as a CISO and how are you doing it for your team, and all staff as well? ?
• Could volunteering help with burnout and recruitment?

All links and images can be found on CISO Series.

This week's episode is hosted by me, David Spark, producer of CISO Series and Andy Ellis (@csoandy), principal of Duha. Joining us is our sponsored guest, Kevin Tian, co-founder and CEO, Doppel.

In this episode: 

• AI fraud gets on the juice
• Agentic AI demands a new security mindset
• The new frontier for social engineering
• We still need human verification

Huge thanks to our sponsor, Doppel

Doppel is the first social engineering defense platform built to dismantle deception at the source. It uses AI and infrastructure correlation to detect, link, and disrupt impersonation campaigns before they spread - protecting brands, executives, and employees while turning every threat into action that strengthens defenses across a shared intelligence network.

All links and images for this episode can be found on CISO Series.

For those security practitioners who leave a job to go work for a security vendor, please stop calling it "going to the dark side."

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Jason Mar-Tang, director of sales engineering, Pentera.

Thanks to our podcast sponsor, Pentera

Pentera is the category leader for Automated Security Validation, allowing every organization to test with ease the integrity of all cybersecurity layers including their ransomware readiness, unfolding true, current security exposures at any moment, at any scale.

In this episode:

• Why do we call security practitioners who leave a job to go work for a security vendor, "going to the dark side?"
• Do security professionals say this because once they go work for a vendor their motivation shifts from protecting to sales?
• Over the years what other small steps have we seen that have made improvements in the vendor/practitioner divide?

All links and images for this episode can be found on CISO Series.

Tabletop exercises are critical procedures to learn how everyone will react during an actual attack. Panic is usually the first response, so why don't we do that when we're playing our pretend game of getting our business compromised by a nefarious hacker?

This week's episode of CISO Series Podcast was recorded in front of a live audience in Clearwater, Florida for the Convene conference produced by the National Cybersecurity Alliance (AKA StaySafeOnline.org). Joining me on stage for the recording was my guest co-host, Hadas Cassorla, CISO, M1 and our guest, Kathleen Mullin (@kate944032), CISO, Cancer Treatment Centers of America.

Thanks to our podcast sponsors, Cofense, KnowBe4 & Terranova

Cofense is the only company to combine a global network of 32 million people reporting phish with advanced AI-based automation to stop phishing attacks. Our global phishing defense centers work 24/7 to support more than 2,000 enterprise customers, providing the technology and insights needed to identify & block threats.

KnowBe4 is the world's largest integrated Security Awareness Training and Simulated Phishing platform. KnowBe4 helps organizations manage the ongoing problem of social engineering through a comprehensive new-school awareness training approach. Tens of thousands of organizations worldwide use KnowBe4's platform to mobilize their end users as a last line of defense.

Get free phishing benchmarking data to drive effective behavior change and grow your organization's security-aware culture with the latest edition of the Phishing Benchmark Global Report! Taken from this year's Gone Phishing Tournament, this report gives security and risk management leaders the insight they need to strengthen data protection. More at terranovasecurity.com.

In this episode:

• Where do you see tabletops coming apart and being ineffective and what are the core elements that truly make them succeed?
  
• Have you ever seen a real incident play out where you can point to the tabletop as the reason you were able to handle the incident?
  
• Are people the safety net for your security controls OR should security controls the safety net for your people?

All links and images for this episode can be found on CISO Series.

Everyone's favorite meeting is a short meeting. But does anyone want a fun or entertaining meeting? Or is that a bad idea?

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Jeremy Embalabala, CISO, HUB International.

Thanks to our podcast sponsor, SlashNext

With today's transition to hybrid working, phishing attacks are becoming more prevalent than ever. Mobile phishing and credential harvesting are exploding and affecting business reputations, finances and most importantly, data loss. With new methods of phishing attacks appearing year over year, enterprises need more robust phishing protection to better protect this expanding attack surface and companies' most valuable assets. Check out the report.

In this episode:

• Everyone's favorite meeting is a short meeting. But does anyone want a fun or entertaining meeting? Or is that a bad idea?
• How do we make our security teams more productive?
• The cost of getting and paying for cybersecurity insurance is so darn high. Would it be worth it to just self-insure?