Data Minimization Means We Don’t Tell You What We’re Collecting
CISO Series Podcast
Surveys show that most consumers support data minimization laws. However, most security professionals don’t think they can convince their boards to see data minimization as a competitive advantage. Why doesn’t consumer desire for data privacy translate to the business?
This week’s episode is hosted by David Spark, Producer of CISO Series, and Andy Ellis, Partner, YL Ventures. Joining us is Mandy Huth, SVP, CISO, Ultra Clean Technology.
Start with good defaults
Security awareness training is increasingly considered ineffective, with recent research showing only marginal improvements in phishing susceptibility, regardless of training type. This isn't just a waste of time; it can actively harm security, argued JM Porup, CISO, Ava Labs. Employees prioritize job tasks over security policies, especially when security is treated as a bolted-on responsibility. Technical controls enforced by default, like mandatory multi-factor authentication, tend to be far more effective than optional behavior-based measures. Rather than rely on training that may satisfy compliance but not improve security posture, organizations should invest in controls that make the secure action the default, removing reliance on user discretion.
Building talent bridges
Building the next generation of cybersecurity professionals requires shifting from passive recruitment to intentional talent development. Apprenticeships and structured pipelines—from internships to full-time roles—can help bridge the gap for candidates entering from nontraditional backgrounds, argued Caroline Wong of Teradata in a recent Forbes piece. However, success depends on offering entry points and committing to active training and mentorship. Organizations must prioritize developing internal talent, equipping current staff with the ability to teach and guide others. This includes training in technical and so-called “soft” skills, such as communication and leadership. Remote work complicates this dynamic by limiting informal learning, highlighting the need for companies to formalize training methods and capture learning opportunities that once came through in-person interaction.
Don’t forget the humans
While many security issues can be traced to software bugs and misconfigurations, the root cause often lies in the gap between expectations and implementation. Vendors frequently deprioritize secure development due to misaligned incentives, and users misconfigure systems because defaults aren't secure or usable enough, pointed out Ross Haleliuk of Venture in Security. Efforts like CISA's Secure by Default initiative aim to reverse this trend by promoting hardened configurations out of the box. However, this framing overlooks the human element: mistakes like data misdelivery or falling for social engineering attacks can't be fully addressed by code or configuration alone. If you focus only on configurations and software vulnerabilities, you leave a big gap around operational behavior.
Differentiating with privacy
Despite growing public concern over privacy, especially among younger demographics, most organizations treat it primarily as a compliance obligation rather than a competitive advantage. Surveys show strong consumer support for data minimization, yet the ISACA State of Privacy report found that few boards recognize privacy programs as market differentiators. The disconnect lies in how companies collect and use personal data, prioritizing business needs and convenience over user protections. While some brands like Apple have successfully used privacy as a branding tool, most companies fail to demonstrate meaningful commitments or communicate their efforts clearly. Compounding the issue is a lack of consumer understanding about how their data is shared or exploited, which makes it difficult for them to act in their own best interests.
Listen to the full episode on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven't subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Dustin Sachs at the CyberRisk Collaborative for contributing this week’s “What’s Worse?!” scenario.
Huge thanks to our sponsor, Vanta
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Security You Should Know
Build Customer Trust with Conveyor
Customer security reviews often miss their mark, leaving organizations scrambling to compensate with extensive questionnaires that divert attention away from genuine risk management. The inconsistency of these processes and the lack of clear authority or visibility contribute to prolonged timelines and increased frustration. So, how can companies maintain trust without drowning in the complex processes that come with these reviews?
In this episode, Chris Gomes, head of product at Conveyor, discusses how they automate the response to security questionnaires and focus on relieving the burden on customer trust offices overwhelmed by extensive review processes. Chris is joined by our panelists, Steve Gentry, advisor at Cognate Cyber, and Eduardo Ortiz-Romeu, VP, global head of cybersecurity at Techtronic Industries.
Listen to the full episode here.
Thanks to our sponsor, Conveyor.
What I love about cybersecurity. What I hate about cybersecurity.
"What I absolutely love about cybersecurity is I have a really high altruistic need to help people, and so I get to help protect people from the bad guys and I get paid for it. And then what I hate about cybersecurity is that there are bad guys out there and that I have to deal with them." - Mandy Huth, SVP, CISO, Ultra Clean Technology
Listen to the full episode of “Data Minimization Means We Don’t Tell You What We’re Collecting”
What Can Someone with No Experience Do in Cybersecurity?
"I went out of college and went and took a cyber security role. And I had no idea what cyber security was. People taught me all the things that they didn’t want to do. And so they said, ‘Rinki, here’s how you do war dialing.’ And, ‘Here’s how you go and configure a vuln management scanner.’" - Rinki Sethi, VP and CISO, BILL
Listen to the full episode of “What Can Someone with No Experience Do in Cybersecurity?”
Reddit AMA on r/cybersecurity
Our monthly AMA on r/cybersecurity on Reddit is underway.
Our topic is "I'm a former CISO who left to start my own security company. Ask Me Anything."
Join the conversation here. The discussion is going on all week.
Our participants are:
Iftach Ian Amit, CEO and co-founder, Gomboc AI
Sara Lazarus, founder and CISO, Faded Jeans Technology
Olivia Rose🌹, CISO and founder, Rose CISO Group
Rolin Peets, CIPM, CISSP, chief protection architect, Harbor IT
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Join the CISO Series San Francisco Walking Tour on the Last Day of RSA
Have you attended RSA Conference for years, but never taken the time to get to know San Francisco a little better? Then join David Spark on May 1st, 2025 at 7:30 AM for a walking tour of San Francisco's North Beach. The tour starts at 8:00 AM sharp and will last 75-90 minutes. We'll finish up at the W Hotel (255 Columbus Ave., San Francisco, CA) for breakfast, courtesy of our sponsor, Semperis.
Years before launching the CISO Series, our own David Spark was a San Francisco resident and lover of San Francisco history. He last ran tours 15 years ago, so join David on a walk through the city and down memory lane.
Big Thanks to our sponsor, Semperis
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Bethany De Lude, CISO emeritus, The Carlyle Group.
Thanks to our Cyber Security Headlines sponsor, Dropzone AI
Super Cyber Fridays!
Understanding the Complexities of Risk Management
How do you calculate YOUR risk in cybersecurity? Not risk in general, your specific risk?
I spoke with Frederico Hakamine, technology evangelist at Axonius, to explore the essential variables that determine individual and company risk, including technical, business, asset, and personal risks. This calculation involves vulnerabilities, impacts, and business contexts. Technological sprawl and inherited systems also need to be accounted for, making managing these risks a constant challenge.
Join us on April 25, 2025, for "Hacking Your Risk: An hour of critical thinking of all the things you look at to find what is specifically important to you," at 1pm ET/10am PT on Super Cyber Friday. Joining David and Frederico is Edward Contreras, senior EVP and CISO, Frost Bank.
Huge thanks to our sponsor, Axonius
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.