Cosmo Quiz! 23 Ways to Make Your Vendors Obsessed With Your Security Standards

CISO Series Podcast
Cosmo Quiz! 23 Ways to Make Your Vendors Obsessed With Your Security Standards

We don't go a week without hearing a story about a data breach caused by a third party. We're increasingly realizing the risk posed by the parties we have the least control over. Some extremely large organizations can exert pressure to raise standards for third-party security, but what can the rest of us do to contain these risks better?

This week’s episode is hosted by David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining them is their sponsored guest, Rob Allen, chief product officer, ThreatLocker.

Listen to the full episode here.

Large enterprise security demands drive vendor improvements

Major enterprise customers can effectively pressure vendors to implement stronger security practices, creating industry-wide improvements that benefit smaller organizations. JP Morgan's open letter to third-party providers demanding improved security is shaking up the industry. Companies of that scale carry a big stick. However, this approach has limits and doesn't apply to niche vendors. The most successful implementations are utilitarian: get realistic improvements from the majority of vendors, don't pursue perfection, and recognize that small percentage gains still yield significant risk reduction.

Technical expertise becomes a leadership liability without delegation

Engineering leaders can struggle as leaders when technical mastery becomes a bottleneck rather than an asset. In a blog post, Taha Hussain distills that "your expertise is borrowed authority" while "real leadership is helping others build their own." Leaders don't just solve problems; they develop their team. And there isn't a one-size-fits-all approach to leadership. Organizations benefit from having both "doer" leaders who are hands-on and "enabler" leaders who focus on team development. But the key is you can't do it on an island. Leadership doesn't exist in a vacuum. You need to adapt to the organizational context.

EDR evolution needs prevention focus 

Endpoint detection and response (EDR) has become a commoditized, table-stakes tool. It's something organizations implement as a matter of course rather than to build resilience. EDR always faces the fundamental limitation that reactive security requires perfect decision-making: mess up once, and the game is over. More effective approaches emphasize prevention through controls like application allowlisting and network segmentation that stop threats before anything bad happens. EDR works best as one layer within a comprehensive security stack rather than as your primary control. After all, you don't protect your home with just surveillance and rapid response; you still need good locks.

Career breaks require personal ownership and strategic timing

Taking a career break in cybersecurity isn't something to take lightly. You might start by weighing your personal circumstances, but market conditions and your stress tolerance belong on that scale too. When job satisfaction comes down to just working for a paycheck, professionals should first look at what they can control. Taking a vacation can give perspective, or look at an internal role change. You need to own your personal development rather than expecting organizational change to do it for you. Toxic cultures rarely improve through individual effort, so don't expect to turn the battleship yourself.

Listen to the full episode on our blog, where you can also read the entire transcript, or on your favorite podcast app. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Rajitha Marur for contributing this week’s “What’s Worse?!” scenario. 

Huge thanks to our sponsor, ThreatLocker

Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Security You Should Know
Securing the Human Element with Trustmi

Wire fraud and payment security remain persistent challenges for organizations, with the FBI reporting a 33% increase in BEC losses between 2023 and 2024. The complexity of B2B payment processes creates multiple attack vectors that traditional email security solutions can’t fully address.

In this episode, Shai Gabay, co-founder and CEO of Trustmi, explains how their platform connects the dots across the entire payment ecosystem to prevent fraud before money leaves the organization. By integrating with existing payment workflows and leveraging AI to build behavioral baselines, Trustmi aims to eliminate the manual controls and siloed systems that make B2B payments vulnerable to attack. Joining him are Bethany De Lude, CISO Emeritus, and Adam Glick, CISO at PSG Equity.

Listen to the episode and find the transcript here.

Thanks to our podcast sponsor, TrustMi

Subscribe to Security You Should Know

Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.

What I love about security vendors…

“What I love about security vendors is their flagrant use of AI in everything. I feel sometimes if you don’t have AI somewhere festooned on your booth or your product or your web page, you’re basically left out, so I love that.” - Rob Allen, chief product officer, ThreatLocker

Listen to the full episode of “Cosmo Quiz! 23 Ways to Make Your Vendors Obsessed With Your Security Standards”

Why Salespeople's Knowledge of Cybersecurity Is Critical for the Ecosystem

"When I'm dealing with salespeople, I want them to understand what I'm trying to do. Not to scare me, not to push a feature, but to help solve a problem. That requires understanding security, not just selling." - Jason Thomas, senior director, technology security, governance, and risk, Cystic Fibrosis Foundation

Listen to the full episode of “Why Salespeople's Knowledge of Cybersecurity Is Critical for the Ecosystem”

Subscribe to our newsletters on LinkedIn!

CISO Series Newsletter - Twice every week

Reddit ‘Ask Me Anything’ – July 2025

Our monthly AMA on r/cybersecurity on Reddit has begun. The topic is “I’m a security professional who has worked in and out of Government roles. I can tell you the pros and cons. Ask me anything.”

We’ve assembled a panel of security professionals who have worked in both the government and private sector. They’re here to answer your questions about the challenges, trade-offs, and lessons learned from moving between public and private cybersecurity roles.

Please ask questions for our participants here.

Our participants are:

  • Matt Conner, (u/SomeCyberGuy), CISO, Second Front Systems

  • Brett Conlon, (u/BeachByteExec), CISO, American Century Investments

  • Jeff Steadman, (u/Alarming-8426), deputy CISO, Corning Incorporated

  • Adam Arellano, (u/AdamTalksTheCybers), field CTO, Traceable AI

Thanks to all of our participants for contributing!

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Derek Fisher, Director of the Cyber Defense and Information Assurance Program, Temple University.

Thanks to our Cyber Security Headlines sponsor, Dropzone AI

Super Cyber Fridays!
Join us Friday for “Hacking the Talent Myth”

Join us on Friday, August 1, 2025, for Super Cyber Friday: “Hacking the Talent Myth: An hour of critical thinking about why the ‘skills shortage’ might be a hiring problem.”

It all kicks off at 1 PM ET / 10 AM PT, when Rich Stroffolino will be joined by Mike Lockhart, CISO, EagleView, and Mathew Biby, director of cybersecurity, TixTrack, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup, hosted right inside the event platform.

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.