Are You Implying This Line Graph Isn’t a Compelling Cybersecurity Narrative?
CISO Series Podcast
Just because metrics are derived from cold hard facts doesn't mean we should present them as such. If CISOs don't frame their metrics to tell a story about their security program, how can they expect the business to care?
This week’s episode is hosted by David Spark, producer of CISO Series, and Andy Ellis, principal of Duha. Joining them is our sponsored guest, Nathan Hunstad, director, security, Vanta.
Listen to the full episode here.
Metrics that matter
Security metrics must demonstrate business impact, not just track activity. Common measurements such as mean time to detect and respond (MTTD and MTTR) actually create perverse incentives, argued Nick Ryan of RSM. When you block threats preemptively, those metrics get worse because you're no longer counting them. Better metrics tie security work directly to revenue generation, tracking customer questionnaires that close deals and cost savings through automation. You'll get buy-in if you map revenue-generating processes to cyber risk controls. Start from an understanding of how the company makes money. Then work backwards to identify the threats that could disrupt it.
Testing for real
Penetration tests should exploit vulnerabilities to demonstrate genuine business risk, not just identify technical gaps. Nathaniel Shere of Skillable characterized anything less as a glorified vulnerability scan. You don't need to break things to prove the test worked. The value emerges through collaboration between testers and defenders, where interactive exercises reveal gaps and help both sides learn. Pure black box testing delivers less value than most organizations realize. Define scope and expectations up front because vendors will provide whatever result you're willing to pay for. Collaborative approaches show defenders where to focus attention.
AI as an assistant
Large language models won't replace security operations staff; automation already does. Operational reliability requires repeatability, something GenAI doesn't exactly excel at. Ask the same question twice and get completely different answers. AI should handle time-consuming, low-value tasks, such as generating scripts or searching security systems. But forcing AI as the only interface fails when precise queries require deterministic results. AI today is an efficiency multiplier. It's helpful to have natural language searches for knowledge bases or chatbots that surface findings from compliance reports. Every vendor now claims AI capabilities. Just be wary that slapping that functionality onto tools won't automatically add value.
Intelligence without context
Threat intelligence becomes valuable when used to build a strategy. The challenge is sharing that intelligence often strips it of the context that makes it valuable, as pointed out by Mary K Pratt in a recent CSO Online piece. Knowing that an adversary compromised a specific system matters internally. But when the lawyers make you remove that vital information, the intelligence loses relevance for others. Organizations need to know what adversaries are doing broadly, where they're pivoting, and what they're saying about your organization. Monitoring the dark web for specific threats is a good start. But a greater value lies in understanding adversarial trends to inform your overall security strategy.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Jay Dance of StubHub for providing our "What's Worse" scenario.
Thanks to this episode’s security tip sponsor, Anvilogic.
Thanks to our podcast sponsor, Vanta.
Subscribe
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Security You Should Know
Securing Application Delivery with Island
In this episode, Braden Rogers, chief customer officer at Island, explains how their enterprise browser platform rethinks application delivery by building security services natively into the browsing experience. Joining him are Nick Ryan, former BISO, RSM and Janet Heins, CISO at ChenMed.
Want to know:
How can you explain browser-based security to your CEO without getting lost in technical details?
What’s the actual architecture when delivering applications through an enterprise browser versus traditional VDI?
How do you roll out a new browser to 20,000 users without creating change management chaos?
What happens to your existing security stack, like proxies, DLP, CASBs, and RBI tools?
Can you give users the freedom to use personal applications while protecting corporate data?
What does the offline experience look like when cloud services go down?
How does browser-based security handle the explosion of AI models in the enterprise?
What’s the difference between browser enforcement and deploying a full enterprise browser?
How do you balance different security controls for different applications without overwhelming users?
What does vendor support look like from proof of concept through deployment?
Check out the full episode for the answers you need.
Thanks to our podcast sponsor, Island.
Subscribe
Subscribe to Security You Should Know
Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.
Biggest mistake I ever made in security…
“Early in my career, thinking that the security team was the de facto security expert in any situation, and when there was disagreement between developers and the security team, clearly the security team was right, and that was obviously not always the case. And I learned very quickly that security teams have different incentives and motivations and maybe being the best at security is not one of them.” - Nathan Hunstad, director, security, Vanta
Listen to the full episode of “Are You Implying This Line Graph Isn’t a Compelling Cybersecurity Narrative?”
How to Manage Configuration Drift
"We came to jokingly refer to the MDR team as the configuration police because probably 90% of the calls that they were making to customers were as a result of misconfigurations." - Rob Allen, chief product officer, ThreatLocker
Listen to the full episode of “How to Manage Configuration Drift”
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Security You Should Know Newsletter - Weekly
Reddit ‘Ask Me Anything’ – November 2025
Our monthly AMA on r/cybersecurity on Reddit has begun! Our topic is "I'm a CISO who has experience dealing with an ‘insider threat.’ Ask Me Anything."
For this edition, we’ve assembled a panel of CISOs to talk about a crucial and often sensitive topic: dealing with insider threats. They’re here all week to share their firsthand experiences managing, detecting, and preventing insider incidents. And to answer your questions about the human side of security risk. All of them have really unusual stories about dealing with insider threats.
Please ask questions for our participants here.
This month’s participants are:
Andy Ellis, (u/CSOandy), principal, Duha
David Cross, (u/MrPKI), CISO, Atlassian
Jack Leidecker, (u/JD-Sec), CISO, GONG
Leslie Nielsen, (u/cyberguy1729), CISO, Mimecast
Thanks to all of our participants for contributing!
CISO Series meetup in Boston
Live in Boston? Work in cybersecurity? Maybe you're just studying and you want to work in cyber? If any of those are true, then you MUST join us on Monday, November 24th, 2025 for our Boston-based CISO Series meetup!
Join us from 5-7 at City Tap House Boston, 10 Boston Wharf Road, Boston, MA.
RSVP Here
Huge thanks to our Boston-based sponsors Entro Security and RoonCyber for hosting this event.
What’s the Cybersecurity Equivalent of Leaving Your Front Door Wide Open?
At HOU.SEC.CON 2025, David Spark asked a simple question. “What’s the cybersecurity equivalent of leaving your front door wide open?”
The answers came quickly. Easy-to-crack passwords, leaving laptops unlocked and unattended, server room doors propped open, lack of MFA, and some others that you maybe haven't considered.
Watch the video and tell us in the comments: What’s the “front door wide open” scenario that you still see in 2025?
Big thanks to the sponsor of this video, Jericho Security.
LIVE!
Cyber Security Headlines - Department of Know
Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.
Monday’s episode featured Robb Dunewood, host, Daily Tech News Show, and Howard Holton, CEO, GigaOm. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.
Join us again next week, and every Monday.
Thanks to our Cyber Security Headlines sponsor, KnowBe4.
Super Cyber Fridays!
Join us Friday for “Hacking the Budget Battle”
Join us on Friday, November 21, 2025, for Super Cyber Friday: “Hacking the Budget Battle: An hour of critical thinking about how to communicate the value of your cybersecurity program.”
It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Ross Young, co-host, CISO Tradecraft, and Sam Jacques, VP, clinical engineering, McLaren Health Care, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup, hosted right inside the event platform.
Thank you!
Thank you for supporting CISO Series and all our programming.
We love all kinds of support: listening, watching, contributions, "What's Worse?!" scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.