All links and images can be found on CISO Series.

This week's episode is co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Cliff Crosland, co-founder and CEO, Scanner.dev.

In this episode:

• Earning autonomy gradually
• The blast radius question
• The reality check
• Today's value, tomorrow's evolution

Huge thanks to our sponsor, Scanner

All your security logs end up in cloud storage like AWS S3. Scanner makes them searchable in seconds and runs real-time detections directly on that data. No pipelines, no re-ingestion. 100x faster than traditional data lakes, 10x cheaper than SIEMs. Loved by analysts. Built for AI agents. Learn more at scanner.dev.

All links and images can be found on CISO Series.

Check out this post by Dr. Chase Cunningham, CSO at Demo-Force, for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap. Joining us is Brett Conlon, CISO, American Century Investments.

In this episode:

• The experience paradox
• Who benefits from the narrative
• Kitchen sink job postings
• The aggregation problem

Huge thanks to our sponsor, Scanner

All your security logs end up in cloud storage like AWS S3. Scanner makes them searchable in seconds and runs real-time detections directly on that data. No pipelines, no re-ingestion. 100x faster than traditional data lakes, 10x cheaper than SIEMs. Loved by analysts. Built for AI agents. Learn more at scanner.dev

All links and images can be found on CISO Series.

Check out this post by Ross Haleliuk of Venture in Security for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark, the producer of CISO Series, and Edward Contreras, senior evp and CISO, Frost Bank. Joining us is Davi Ottenheimer, vp, trust and digital ethics, Inrupt.

In this episode:

• Network security isn't dying—it's evolving
• The observability layer that can't be replaced
• What's old is new again
• The innovation gap

Huge thanks to our sponsor, HackerOne

All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Alexandra Landegger, Executive Director and CISO, Collins Aerospace.

In this episode:

• Why do mergers and acquisitions always present challenges to an organization?

• When it comes to cybersecurity, how involved should a CISO be before AND after an acquisition?

• Can cybersecurity considerations make or break a deal?

• What skills did you find yourself flexing with your first M&A experience?

Thanks to our podcast sponsor, Aphinia!

Join Aphinia, a professional tribe of superheroes fighting cybercriminals. If you are a CISO, VP or a Director of cybersecurity, get instant free access to thousands of your peers, career advice, networking opportunities, consulting gigs and more. Join the good guys' team because the only way to succeed is together: https://aphinia.com/#signup_form

All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Richard Ford, CTO, Praetorian.

In this episode:

• When did we all agree that red teaming was about validating security?

• Does it seem like increasingly red teaming is a catch all term for a whole lot of testing that isn't clearly defined?

• Is this making it hard to see its value?

• Can moving red teaming upstream be more valuable to your organization?

Thanks to our podcast sponsor, Praetorian

Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.

All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our guest, Adam Glick, CISO, PSG.

In this episode:

• Vendors need to reach out to CISOs, but what does a successful approach look like?

• Do vendors often spray and pray with outreach, rather than doing a bare minimum of research?

• What else can vendors do to try to create meaningful outreach to CISOs?

• How do you like security sales professionals to build a relationship with you?

Thanks to our podcast sponsor, Praetorian

Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.

All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Erik Decker, CISO, Intermountain Health.

In this episode:

• Why are we all struggling trying to manage third-party risk?
• Why do the hated questionnaires seem like compliance checkbox efforts?
• Does anyone believe it reduces risk?
• What's the right approach and how do you strike the right balance?

Thanks to our podcast sponsor, Praetorian

Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.

All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining me is our sponsored guest, Trevor Hilligoss, senior director of security research, SpyCloud.

In this episode:

• What are the things that raise red flags that you're about to experience an attack?
• What signals set off your Spidey sense that things could go sideways?
• What are the early warning signs an attack is underway?
• Did you learn anything new?

Thanks to our podcast sponsor, SpyCloud

Get ahead of ransomware attacks by acting on a common precursor: infostealer malware. SpyCloud recaptures what's stolen from infostealer-infected systems, and alerts your team to take action before compromised authentication data can be used by criminals to target your business. Get our latest research and check your malware exposure at spycloud.com/ciso.

All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, David Christensen, VP, CISO, PlanSource.

In this episode:

• How do you actually focus your patching efforts on the vulnerabilities that are seen as universally holding the most risk?
• With limited resources, is it possible to "patch all the things"?
• How do we focus patching efforts to fix the most vital issues quickly?
• What are the risks we're dealing with?

Thanks to our podcast sponsor, SpyCloud

Get ahead of ransomware attacks by acting on a common precursor: infostealer malware. SpyCloud recaptures what's stolen from infostealer-infected systems, and alerts your team to take action before compromised authentication data can be used by criminals to target your business. Get our latest research and check your malware exposure at spycloud.com/ciso.

All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our guest, Jerich Beason, CISO, WM.

In this episode:

• Does generative AI come with a new set of risks?
• How can we address these risks to take advantage of its benefits?
• How do we approach a much desired technology we're not so sure how we should secure?
• How can we take what we've learned from past technological advances and apply it to mitigate risks with generative AI?

Thanks to our podcast sponsor, SpyCloud

Get ahead of ransomware attacks by acting on a common precursor: infostealer malware. SpyCloud recaptures what's stolen from infostealer-infected systems, and alerts your team to take action before compromised authentication data can be used by criminals to target your business. Get our latest research and check your malware exposure at spycloud.com/ciso.

All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our sponsored guest, Himaja Motheram, Censys.

In this episode:

• How can one create a security program around unknown problems?
• Don't we know a lot of the things we lack visibility into that can cause security issues?
• But what about the things you don't even know about in the first place?
• Will that thing we don't even know to look at, ever cause a security issue?

Thanks to our podcast sponsor, Censys

Censys is the leading Internet Intelligence Platform for Threat Hunting and Exposure Management. We provide the most comprehensive, accurate, and up-to-date map of the internet, which scans 45x more services than the nearest competitor across the world's largest certificate database (>10B). Learn more at www.censys.com.

All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Russell Spitler, CEO and co-founder, Nudge Security.

In this episode:

• Are businesses walking a tightrope with generative AI?
• How can organizations implement generative AI responsibly?
• What can we learn from previous transitions that can help us responsibly bring generative AI into the workplace milieu?
• What else are we missing?

Thanks to our podcast sponsor, Nudge Security

Nudge Security provides complete visibility of every SaaS and cloud account ever created by anyone in your org, in minutes. No agents, browser plug-ins or network proxies required. With this visibility, you can discover shadow IT, manage your SaaS attack surface, secure SaaS access, and respond effectively to SaaS breaches.

All links and images for this episode can be found on CISO Series.

In increasingly complex technical defenses, threat actors frequently target the human element. This makes them a top attack vectors, but are they actually the weak leak in your defenses?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our guest, Christina Shannon, CIO, KIK Consumer Products.

Thanks to our podcast sponsor, SPHERE

SPHERE is the Identity Hygiene pioneer. It closes the loop on ownership, certification, and remediation challenges through an automated remediation process.

By working with the IAM and PAM solutions organizations have in place, SPHEREboard automates discovery and remediation on an ongoing basis. Learn more at sphereco.com!

In this episode:

• Threat actors frequently target the human element, but are they actually the weak leak in your defenses?
• Have we been treating humans wrong in our environment?
• Is the blame on security professionals for failing to design security systems to set humans up for success?
• Is it disingenuous to presume that cybersecurity would be perfect if not for users?

All links and images can be found on CISO Series.

Check out this post by Kevin Paige, CISO at ConductorOne, for the discussion that is the basis of our conversation on this week's episode co-hosted by David Spark, the producer of CISO Series, and Geoff Belknap. Joining us is our sponsored guest, Rob Allen, chief product officer, ThreatLocker.

In this episode:

• When configuration drift becomes operational reality
• The garden that never stops growing
• From detection to cultural shift
• The maturity gap

Huge thanks to our sponsor, ThreatLocker

ThreatLocker® Defense Against Configurations continuously scans endpoints to uncover misconfigurations, weak firewall rules, and risky settings that weaken defenses. With compliance mapping, daily updates, and actionable remediation in one dashboard, it streamlines hardening, reduces attack surfaces, and strengthens security. Learn more at https://www.threatlocker.com/

All links and images for this episode can be found on CISO Series.

We often talk about the contradiction of seemingly entry-level security jobs requiring years of experience. But maybe that's because entry-level jobs don't actually exist.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us this week is our guest Jay Wilson, CISO, Insurity.

Thanks to our podcast sponsor, SlashNext

SlashNext Complete delivers zero-hour protection for how people work today across email, mobile, and browser apps.  With SlashNext's generative AI to defend against advanced business email compromise, smishing, spear phishing, executive impersonation, and financial fraud, your people are always protected anywhere they work.  Request a demo today.

In this episode:

• What's "entry level" in cybersecurity and does it even exist?
• What causes the contradiction of seemingly entry-level security jobs requiring years of experience?
• Why does it seem like there are still no entry level jobs?
• How do job candidates get creative with their experience to get a foot in the door?

All links and images for this episode can be found on CISO Series.

The Securities and Exchange Commission issued new cyber rules. What do these new rules mean for CISOs and will they ultimately improve our cybersecurity posture?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our guest, Jamil Farshchi, CISO, Equifax.

Thanks to our podcast sponsor, Nudge Security

Nudge Security provides complete visibility of every SaaS and cloud account ever created by anyone in your org, in minutes. No agents, browser plug-ins or network proxies required. With this visibility, you can discover shadow IT, manage your SaaS attack surface, secure SaaS access, and respond effectively to SaaS breaches.

In this episode:

• The Securities and Exchange Commission issued new cyber rules.
• What do these new rules mean for CISOs and will they ultimately improve our cybersecurity posture?
• Are these rules something to celebrate, or are they just going to make a CISOs compliance efforts even more difficult?
• For those companies who actually follow the guidance, will this step up their cyber game considerably?

All links and images for this episode can be found on CISO Series.

Are trade shows like RSA getting so big that there's not enough economic value for a CISO to attend? Or do these events have enough industry gravity to justify the spend?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest Lee Parrish, CISO, Newell Brands.

Thanks to our podcast sponsor, Censys

In this episode:

• Everyone sees value in security professionals coming together, but what specific value does a huge expo like RSA deliver?
• Are trade shows like RSA getting so big that there's not enough economic value for a CISO to attend?
• Or do these events have enough industry gravity to justify the spend?
• Will FOMO continue to force vendors to sponsor big shows like RSA?

All links and images for this episode can be found on CISO Series.

Work from home flourished during the pandemic. Many workers love it and don't want to go back. Some organizations are pushing for a return to the office. Is in-office work necessary to improve productivity and cybersecurity posture?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us for the episode is our guest, Shawn Bowen, CISO, World Kinect Corporation.

Thanks to our podcast sponsor, Nudge Security

Nudge Security provides complete visibility of every SaaS and cloud account ever created by anyone in your org, in minutes. No agents, browser plug-ins or network proxies required. With this visibility, you can discover shadow IT, manage your SaaS attack surface, secure SaaS access, and respond effectively to SaaS breaches.

In this episode:

• Is in-office work necessary to improve productivity and cybersecurity posture?
• Is this push for return to office just an effort for managers to return to the "good 'ole days" with no other rationale?
• So technology can be great from anywhere, but people cannot?
• Does successful work from home require a mature approach to leadership?

All links and images for this episode can be found on CISO Series.

Large language models and generative AI are today's disruptive technology. This is not the first time companies just want to ban a new technology that everyone loves. Yet, we're doing it all over again. Whether its ChatGPT or BYOD, people are going to use desirable new tech. So if our job isn't to stop it, how do we secure it?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest, Carla Sweeney, SVP, InfoSec, Red Ventures.

Thanks to our podcast sponsor, Censys

Censys is the leading Internet Intelligence Platform for Threat Hunting and Exposure Management. We provide the most comprehensive, accurate, and up-to-date map of the internet, which scans 45x more services than the nearest competitor across the world's largest certificate database (>10B). Learn more at www.censys.com.

In this episode:

• Whether its ChatGPT or BYOD, people are going to use desirable new tech. So if our job isn't to stop it, how do we secure it?
• Are tools like ChatGPT so different from what we've seen before that we can't apply lessons already learned?
• What risks are we solving for with it and where do we go from there?
• Is this just a security issue?

All links and images for this episode can be found on CISO Series.

What do the people least in the know about cyber, want to know? What are they asking?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest, Caitlin Sarian, AKA cybersecuritygirl on TikTok.

Thanks to our podcast sponsor, DataBee from Comcast Technology Solutions

DataBee™, from Comcast Technology Solutions, is a cloud-native security, risk and compliance data fabric platform that transforms your security data chaos into connected outcomes.

Built by security professionals for security professionals, DataBee enables users to examine the past, react to the present, and protect the future of the business.

In this episode:

• What do the people least in the know about cyber, want to know? What are they asking?
• How important is it to understand what concerns the average person?
• Are these reasonable concerns or do you think they're directed by media pressure?
• How do regular, everyday people know what is safe and best practices without a clear path or studying cybersecurity in depth?

All links and images for this episode can be found on CISO Series.

A security data lake, a data repository of everything you need to analyze and get analyzed sounds wonderful. But priming that lake, and stocking it with the data you want to get the insights you need is a more difficult task than it seems.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our sponsored guest, Matt Tharp, Head of Field Engineering, Comcast DataBee.

Thanks to our podcast sponsor, Comcast Technology Solutions

In this episode:

• What exactly is a data lake?
• How are people thinking about and handling the risks?
• If you want security data lakes to be successful, what customer problem are you trying to solve?
• How can you make it both dead simple to use AND highly effective?

All links and images for this episode can be found on CISO Series.

A threat intelligence program sounds like a sound effort in any security program. But, can you pull it off? There are so many phases to execute properly. Blow it with any one of them and your threat intelligence effort is moot.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us today is our special guest Jon Oltsik, distinguished analyst and fellow, Enterprise Strategy Group.

Thanks to our podcast sponsor, Comcast

DataBee™, from Comcast Technology Solutions, is a cloud-native security, risk and compliance data fabric platform that transforms your security data chaos into connected outcomes. 

Built by security professionals for security professionals, DataBee enables users to examine the past, react to the present, and protect the future of the business. 

In this episode:

• A threat intelligence program sounds like a sound effort in any security program. But, can you pull it off?
• Which phase of a threat intelligence program gives you the most trouble, and why?
• What has been your personal experience, and does it change organization to organization?
• How do you measure the success of the program to prove the value of the work being done?

All links and images for this episode can be found on CISO Series.

When you have an incident and you're engulfed by the stress that lasts more than a day, how do you manage and deal with it? And not only how do you manage your stress, but how do you manage everyone else's?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest, Tim Brown, CISO, Solarwinds.

Thanks to our podcast sponsor, Push Security

Do you have visibility of all the SaaS apps your employees are storing corporate data on? Are employees protecting all their accounts against identity-based attacks?

Discover all the SaaS your employees use - including shadow apps and identities - and secure your data. Find out more at pushsecurity.com.

In this episode:

• When you have an incident and you're engulfed by the stress that lasts more than a day, how do you manage and deal with it?
• And not only how do you manage your stress, but how do you manage everyone else's?
• During a major incident, which stress is more difficult to manage? Your own, or those around you?
• How is this everyone's concern?

All links and images for this episode can be found on CISO Series.

We all know that our employees need to be more security aware, but what are the methods to get them there? How can we make our employees more security conscious?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest Jack Chapman, vp, threat intelligence, Egress.

Thanks to our podcast sponsor, Egress

Egress helps organization stop email security risks is by addressing both inbound and outbound threats together,. We recognize that people get hacked, make mistakes, and break the rules. Egress's Intelligent Cloud Email Security suite uses patented self-learning technology to detect sophisticated inbound and outbound threats, and protect against data loss. Learn more at egress.com.

In this episode:

• We all know that our employees need to be more security aware, but what are the methods to get them there?
• How can we make our employees more security conscious?
• What does it take to get security to "stick" with your coworkers?
• Why does security remain so darn difficult?

All links and images can be found on CISO Series.

Check out this post by Kevin Paige, CISO at ConductorOne, for the discussion that is the basis of our conversation on this week's episode co-hosted by David Spark, the producer of CISO Series, and Edward Contreras, senior evp and CISO, Frost Bank. Joining them is Julie Tsai, CISO-in-Residence, Ballistic Ventures.

In this episode:

• Is least privilege dead?
• Modern tactics, timeless principle
• Implementation over ideology
• Pragmatism over purity

Huge thanks to our sponsor, Cyera

All links and images for this episode can be found on CISO Series.

Users have tried to upload sensitive company information and PII, personally identifiable information, into ChatGPT. Those who are successful getting the data in, have now made that data free to all. Will people's misuse of these generative AI programs be our greatest downfall to security and privacy?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest Suha Can, CISO, Grammarly.

Thanks to our podcast sponsor, Opal

Opal is building the next generation of intelligent identity. Identity is one of the last great enterprise frontiers. It's fragmented with legacy architecture. Opal's mission is to empower teams to understand and calibrate access end to end, and to build identity security for scale. Learn more by at www.opal.dev.

In this episode:

• Will people's misuse of these generative AI programs be our greatest downfall to security and privacy?
• Is AI the problem? Or is poor human judgement the problem?
• Is it better to get started with any guardrails until setting up a full policy?
• What are we going to do now?

All links and images for this episode can be found on CISO Series.

The demand for cybertalent is sky high. It's very competitive to get those people with skills. What if you were to train your staff and give them the skills you want? Essentially, what if you were to grow your own unicorn?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest, Jesse Whaley, CISO, Amtrak.

Thanks to our podcast sponsor, Opal

Opal is building the next generation of intelligent identity. Identity is one of the last great enterprise frontiers. It's fragmented with legacy architecture. Opal's mission is to empower teams to understand and calibrate access end to end, and to build identity security for scale. Learn more by at www.opal.dev.

In this episode:

• What if you were to train your staff and give them the skills you want?
• What if you were to grow your own unicorn?
• What's the best way to grow your staff?
• How do you figure out the right mix of talent and prioritize the hiring, training, on the job, and other experiences?

All links and images for this episode can be found on CISO Series.

What are we doing to improve access management? Make it too loose and it's the number one way organizations get breached. Put on too many controls and now you've got irritated users just trying to do their job. How does each organization find their sweet spot?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest Paul Guthrie (@pguthrie), information security officer, Blend.

Thanks to our podcast sponsor, Opal

Opal is building the next generation of intelligent identity. Identity is one of the last great enterprise frontiers. It's fragmented with legacy architecture. Opal's mission is to empower teams to understand and calibrate access end to end, and to build identity security for scale. Learn more by at www.opal.dev

In this episode:

• What is the one most significant action you've taken to improve access management?
• What are we doing to improve access management?
• What is the correct balance between too many controls and not enough?
• How does each organization find their sweet spot?

All links and images for this episode can be found on CISO Series.

With the growth of business-led IT, does SaaS security need to be a specific focus in a CISO's architectural strategy?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Steve Zalewski who also hosts Defense in Depth.

Thanks to our podcast sponsor, AppOmni

Do you know which 3rd party apps are connected to your SaaS platforms? After all, one compromised 3rd party app could put your entire SaaS ecosystem at risk.

Get visibility to all 3rd party apps — and their level of data access — with AppOmni. Visit AppOmni.com to request a free risk assessment.

In this episode:

• With the growth of business-led IT, does SaaS security need to be a specific focus in a CISO's architectural strategy?
• Is the problem the architecture of the applications themselves or the fact that a non-security group is bringing these applications online? Is it both?
• Is this problem solvable?
• What technical controls can you put in place to mitigate risk from apps you deem risky?

All links and images for this episode can be found on CISO Series.

When it comes to data, compliance, and reducing risk, where are we gaining control? Where are we losing control? And what are we doing about that?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. We welcome our sponsored guest Amer Deeba, CEO and Co-founder, Normalyze.

Thanks to our podcast sponsor, Normalyze

Normalyze is a cloud data security platform that continuously discovers sensitive data and their access paths across your cloud environments. Normalyze provides the ability to analyze, prioritize and respond to data threats to prevent damaging data breaches.

Discover, visualize, and secure your cloud data in minutes with Normalyze Freemium.

In this episode:

• When it comes to data, compliance, and reducing risk, where are we gaining control?
• Where are we losing control? And what are we doing about that?
• Is "losing control" inevitable?
• Is SaaS really extremely difficult to work with at scale?

All links and images for this episode can be found on CISO Series.

If you're struggling to get your first job in security or you're trying to get back into the industry after being laid off, you need to lean on your security community. But like networking, you should find it before you need it.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski.

Thanks to our podcast sponsor, Egress

Egress helps organization stop email security risks is by addressing both inbound and outbound threats together,. We recognize that people get hacked, make mistakes, and break the rules. Egress's Intelligent Cloud Email Security suite uses patented self-learning technology to detect sophisticated inbound and outbound threats, and protect against data loss. Learn more at egress.com.

In this episode:

• Are you struggling to get your first job in security or trying to get back into the industry after being laid off?
• What is the importance of building your security community network ?
• What should you look for in a community?
• What should you expect to put into it, and what should you expect to get back?

All links and images for this episode can be found on CISO Series.

What should a cyber job description require, and what shouldn't it? What's reasonable and not reasonable?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Rob Duhart (@robduhart), deputy CISO, Walmart.

Thanks to our podcast sponsor, Normalyze

Normalyze is a cloud data security platform that continuously discovers sensitive data and their access paths across your cloud environments. Normalyze provides the ability to analyze, prioritize and respond to data threats to prevent damaging data breaches.

Discover, visualize, and secure your cloud data in minutes with Normalyze Freemium.

In this episode:

• What should a cyber job description require, and what shouldn't it? What's reasonable and not reasonable?
• Do these completely unrealistic job descriptions hurt the entire industry?
• What is it we need to put in a cyber job description, and what do we need to leave out?
• Who's losing out here?

All links and images for this episode can be found on CISO Series.

Since so much technology today is not launched by the IT department, but by business units themselves. How do security professionals engage with business and application owners and have a conversation about security policy and procedures?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest Harold Byun (@haroldnhoward), chief product officer, AppOmni.

Thanks to our podcast sponsor, AppOmni

Do you know which 3rd party apps are connected to your SaaS platforms? After all, one compromised 3rd party app could put your entire SaaS ecosystem at risk.
Get visibility to all 3rd party apps — and their level of data access — with AppOmni. Visit AppOmni.com to request a free risk assessment.

In this episode:

• What's your experience talking about security policy and procedures with business and application owners?
• How do security professionals engage with business and application owners?
• How do they have a conversation about security policy and procedures?
• Is there anything you learned that you didn't realize before?

All links and images for this episode can be found on CISO Series.

There are millions of cybersecurity jobs open. Over time, that number has just been growing. What we're doing now does not seem to be working. So what's it going to take to fill all these jobs quickly?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Rich Gautier, former CISO for the U.S. Department of Justice, Criminal Division.

Thanks to our podcast sponsor, Brinqa

Understand your cyber assets, prioritize vulnerabilities, automate remediation, and continuously monitor cyber hygiene across the entire attack surface — infrastructure, applications and cloud — with Brinqa. See how at brinqa.com.

In this episode:

• There are millions of cybersecurity jobs open. What's it going to take to fill all these jobs quickly?
• Are job description requirements partially to blame for holding back the industry from tapping into greater diversity of expertise?
• Is it better off if you hire, train, culturally integrate, and reward that person?
• Does burn out and a steep learning curve keep adding to the problem?

All links and images for this episode can be found on CISO Series.

How do you create a positive security culture? It's rarely the first concept anyone wants to embrace, yet it's important everyone understands their responsibility. So what do you do, and how do you overcome inevitable roadblocks?

Check out this post and this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest, Jadee Hanson, CISO/CIO for Code42.

Thanks to our podcast sponsor, Code42

Code42 is focused on delivering solutions built with the modern-day collaborative culture in mind. Code42 Incydr tracks activity across computers, USB, email, file link sharing, Airdrop, the cloud and more, our SaaS-based solution surfaces and prioritizes file exposure and data exfiltration events. Learn more at Code42.com.

In this episode:

• How do you create a positive security culture?
• Where do we run into struggles when trying to create a positive security culture?
• Given its importance, why is it rarely the first concept anyone wants to embrace?
• What do you do, and how do you overcome inevitable roadblocks?

All links and images can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by David Spark, the producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining them is their sponsored guest Bobby Ford, chief strategy and experience officer, Doppel.

In this episode:

• Beyond the click
• High-risk users demand different metrics
• Building engagement over punishment
• Creating a security culture through community

Huge thanks to our sponsor, Doppel

Doppel is protecting the world's digital integrity. Impersonators adapt fast — but so does Doppel. By pairing AI with expert analysis, we don't just detect deception; we dismantle it. Our platform learns from every attack, expands its reach across digital channels, and disrupts threats before they cause harm. The result? Impersonators lose. Businesses become too costly to attack. And trust stays intact. Learn more at https://www.doppel.com/

All links and images for this episode can be found on CISO Series.

All experienced security professionals were at one time very green. Entry level status means risk to your organization. That's if you give them too much access. What can you trust an entry level security professional to do that won't impose unnecessary risk? And how can those green professionals build trust to allow them to do more?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Kemas Ohale, vp, global information security, Lippert.

Thanks to our podcast sponsor, Normalyze

Normalyze is a cloud data security platform that continuously discovers sensitive data and their access paths across your cloud environments. Normalyze provides the ability to analyze, prioritize and respond to data threats to prevent damaging data breaches.
Discover, visualize, and secure your cloud data in minutes with Normalyze Freemium.

In this episode:

• What can you trust an entry level security professional to do that won't impose unnecessary risk?
• How can those green professionals build trust to allow them to do more?
• What can they do with zero experience?
• How can they graduate upwards?

All links and images for this episode can be found on CISO Series.

What do we need to do to fix our processes to truly reduce risk and vulnerabilities?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Amad Fida (@brinqa), CEO, Brinqa.

Thanks to our podcast sponsor, Brinqa

Understand your cyber assets, prioritize vulnerabilities, automate remediation, and continuously monitor cyber hygiene across the entire attack surface — infrastructure, applications and cloud — with Brinqa. See how at brinqa.com.

In this episode:

• What do we need to do to fix our processes to truly reduce risk and vulnerabilities?
• How to work with all departments to improve process, communication, and motivation?
• Why does security need to be treated as a function of the enterprise risk program?
• What are the elements that make a great solution?

All links and images for this episode can be found on CISO Series.

Security professionals talk a lot about the reputational damage from breaches. And it seems logical, but major companies still do get breached and their reputation seems spared. What's the reality of what breaches can do to a company's reputation?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Cecil Pineda, CISO, R1.

Thanks to our podcast sponsor, Brinqa

Understand your cyber assets, prioritize vulnerabilities, automate remediation, and continuously monitor cyber hygiene across the entire attack surface — infrastructure, applications and cloud — with Brinqa. See how at brinqa.com.

In this episode:

• Security professionals talk a lot about the reputational damage from breaches, so why do companies still get breached?
• What's the reality of what breaches can do to a company's reputation?
• Does a breach really result in lasting reputation damage?
• Are we more accepting of breaches now?

All links and images for this episode can be found on CISO Series.

Do RFPs or request for proposals work as intended? It seems they're loaded with flaws yet for some organizations who must follow processes, they become necessary evils for both buyers and sellers. What can we do to improve the process?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Keith McCartney (@kmflgator), vp, security and IT, DNAnexus.

Thanks to our podcast sponsor, TrustCloud

TrustCloud is the all-in-one platform to accelerate sales and security reviews, automate compliance efforts, and map contractual liability across your business. Connect with us to learn how you can transform security from a cost center into a profit driver with TrustCloud's programmatic risk and compliance verification tools.

In this episode: 

• Do RFPs or request for proposals work as intended?
• Does it seem they're loaded with flaws?
• Have they become necessary evils for both buyers and sellers?
• What can we do to improve the process?

All links and images for this episode can be found on CISO Series.

What are the moves we should be making in cloud to improve our security? What constitutes a good cloud security posture?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Andy Ellis, operating partner, YL Ventures. We welcome our sponsored guest Yoav Alon, CTO, Orca Security.

Thanks to our podcast sponsor, Orca Security

Orca Security is the pioneer of agentless cloud security that is trusted by hundreds of enterprises globally. With continuous first-to-market innovations and expertise, the Orca Platform ensures security teams quickly identify and remediate risks to keep their businesses secure. Connect your first account in minutes by visiting www.orca.security.

In this episode:

• What does successful cloud security look like?
• What are the moves we should be making in the cloud to improve our security?
• What constitutes a good cloud security posture?
• What should we be measuring when it comes to cloud security?

All links and images for this episode can be found on CISO Series.

One CISO has had enough of the security vendor marketing emails and cold sales calls. He's blocking them all. But it's not a call to avoid all salespeople. He just doesn't have the time to be a target anymore. So how should vendors engage with such a CISO? And does CISO represent most CISOs today?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest Joy Forsythe, VP, Security, Thrive Global.

Thanks to our podcast sponsor, Code42

Code42 is focused on delivering solutions built with the modern-day collaborative culture in mind. Code42 Incydr tracks activity across computers, USB, email, file link sharing, Airdrop, the cloud and more, our SaaS-based solution surfaces and prioritizes file exposure and data exfiltration events. Learn more at Code42.com.

In this episode:

• How should vendors engage with CISOs who are tired of being targeted?
• How can vendors reach CISOs who have had enough of the security vendor marketing emails and cold sales calls?
• Does CISO represent most CISOs today?
• Is the sales "system" essentially broken?

All links and images for this episode can be found on CISO Series.

Do we really need more categories of security products? Every new Gartner magic quadrant complicates the marketplace but at the same time helps us understand the other vectors we need to protect. Do new categories of security products help or hurt the industry?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Corey Elinburg (@celinburg), CISO, CommonSpirit Health.

Thanks to our podcast sponsor, Egress

In this episode:

• Do we really need more categories of security products?
• Does it seem like every new Gartner magic quadrant complicates the marketplace but at the same time helps us understand the other vectors we need to protect?
• Do new categories of security products help or hurt the industry?
• Does this make it hard to keep up to date on all new products?

All links and images for this episode can be found on CISO Series.

How can security leaders and how do they go about matching business case to every security action you want to take? Is this the right way to sell security to the board?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Sravish Sridhar (@sravish), founder and CEO, TrustCloud.

Thanks to our podcast sponsor, TrustCloud

TrustCloud is the all-in-one platform to accelerate sales and security reviews, automate compliance efforts, and map contractual liability across your business. Connect with us to learn how you can transform security from a cost center into a profit driver with TrustCloud's programmatic risk and compliance verification tools.

In this episode:

• How can security leaders best make a case for security?
• How do you go about matching business cases to every security action you want to take?
• Is this the right way to sell security to the board?
• How do you show that security can be aligned to business objectives?

All links and images for this episode can be found on CISO Series.

Security tools are supposed to do a job. Either they need to alert you, protect you, or remediate an issue. But they don't always work and that's why we have breaches. Who's at fault, the tool or the administrators who configured the tool?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Kenneth Foster (@Kennethrfoster1), vp of IT governance, risk and compliance at FLEETCOR.

Thanks to our podcast sponsor, AppOmni

Do you know which 3rd party apps are connected to your SaaS platforms? After all, one compromised 3rd party app could put your entire SaaS ecosystem at risk.
Get visibility to all 3rd party apps — and their level of data access — with AppOmni. Visit AppOmni.com to request a free risk assessment.

In this episode:

• Why do security tools fail?
• Who's at fault, the tool or the administrators who configured the tool?
• Is it usually because the control is ineffective or was the control misconfigured / ignored?
• Do InfoSec produts have an efficacy issue or an implementation issue?

All links and images for this episode can be found on CISO Series.

We talk a lot on this show about what makes cybersecurity such a hard job, yet there are so many people who are in it and love it. What draws people to this profession and why do they love it so much?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest David Cross (@MrDBCross), CISO, Oracle SaaS Cloud.

Thanks to our podcast sponsor, Orca Security

Orca Security is the pioneer of agentless cloud security that is trusted by hundreds of enterprises globally. With continuous first-to-market innovations and expertise, the Orca Platform ensures security teams quickly identify and remediate risks to keep their businesses secure. Connect your first account in minutes by visiting www.orca.security.

In this episode: 

• We talk a lot on this show about what makes cybersecurity such a hard job, yet there are so many people who are in it and love it.
• What draws people to this profession and why do they love it so much?
• Do you love the ability to influence the organization and leadership?
• Do you love making an impact by helping people and businesses with safer behaviors and activities?

All links and images can be found on CISO Series.

Check out this post by Mike Gallardo for the discussion that is the basis of our conversation on this week's episode co-hosted by David Spark, the producer of CISO Series, and Geoff Belknap. Joining them is Alex Guilday, BISO, Royal Caribbean Group.

In this episode:

• Timing the approach
• When persistence becomes harassment
• Playing the long game
• The necessity argument

Huge thanks to our sponsor, Cyera

AI is moving fast - can your security keep up? Join the leaders shaping the future of data and AI security at DataSecAI Conference 2025, hosted by Cyera, Nov 12–13 in Dallas. Register now at https://datasecai2025.com/did. 

All links and images for this episode can be found on CISO Series.

We expect our users to be perfect security responders even when the adversaries are doing everything in their power to trick them. These scams are designed to make humans respond to them. Why aren't we building our security programs to account for this exact behavior that is simply not going to go away?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Ken Athanasiou, CISO, VF Corporation.

Thanks to our podcast sponsor, Code42

In this episode: 

• Why do we expect our users to be perfect security responders even when the adversaries are doing everything in their power to trick them?
• Aren't these scams designed to make humans respond to them?
• Why aren't we building our security programs to account for this exact behavior that is simply not going to go away?
• Why do so many security practitioners treat our users as children to be managed instead of adults to be educated and assigned a level of accountability?

All links and images for this episode can be found on CISO Series.

How do you make the argument that your company needs a CISO, and that YOU should be that leader? What do you need to demonstrate to prove you can be that person?

Check out this post and this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest Radley Meyers (@radleymeyers), Partner, SPMB Executive Search.

Thanks to our podcast sponsor, SPMB

SPMB connects top executive talent to the world's best and fastest growing innovators across the country. A key area we bring extensive knowledge and expertise to is our dedicated Security Practice, leading both functional searches (CISO and VP's defining security strategy) and building out executive teams at top security software companies.

In this episode: 

• How do you make the argument that your company needs a CISO, and that YOU should be that leader?
• What do you need to demonstrate to prove you can be that person?
• Do you have a sound understanding of the WHY behind the organization's existence and how value is added or taken away?
• How do you lay out a plan to win in whatever industry you are in because of security NOT despite it?

All links and images for this episode can be found on CISO Series.

How do you become a CISO? It doesn't follow a linear pattern as many other professions. There are many different paths and there are many different entry points.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Yabing Wang, CISO, Justworks.

Thanks to our podcast sponsor, SPMB

SPMB connects top executive talent to the world's best and fastest growing innovators across the country. A key area we bring extensive knowledge and expertise to is our dedicated Security Practice, leading both functional searches (CISO and VP's defining security strategy) and building out executive teams at top security software companies.

In this episode:

• How do you become a CISO?
• Why doesn't it follow a linear pattern as many other professions?
• Why are there so many different paths and entry points?
• Why is it valuable to know how others did it and how you can glean that knowledge and apply it to your situation?