Dear Abby: Why Should I Trust a Vendor Selling Me Zero Trust?

CISO Series Podcast
Dear Abby: Why Should I Trust a Vendor Selling Me Zero Trust?

In the same breath as a vendor will try to sell you a zero trust solution, they will also overpromise what their product can do. Security professionals know that no vendor can solve all their security issues, but so many want you to believe it. Too many promises erode believability and trust.

This week’s episode is hosted by David Spark, producer of CISO Series, and Dan Walsh, CISO, Datavant. Joining them is our sponsored guest, Rob Allen, chief product officer, ThreatLocker.

Listen to the full episode here.

When EDR gets knocked out

Ransomware gangs are disabling endpoint detection before deploying payloads. Frustration at this boiled over on a recent cybersecurity subreddit post. Defense in depth can't just be a catchphrase or a podcast title anymore. Network telemetry is key, but it isn't enough. You need to layer in identity management, MFA monitoring, anomaly detection, and immutable backups. Harden your EDR by blocking vulnerable drivers and adding application allow-listing. Different types of layers will provide more security than stacking similar controls.

Red flags in vendor theater

When vendor pitches feel too perfect, you've found your red flag. A vendor who can't explain their solution's limitations probably doesn't understand them either, according to a LinkedIn post by Raghav Dinesh of IBM. Admitting limitations builds trust far more than claiming to do it all. No one expects a tool to be perfect; they just want it to help solve problems. Strong vendors understand where their product excels and where it needs complementary solutions. Honest assessments beat perfect sales narratives every time.

Configuration chaos

In the last year, 61 percent of security leaders experienced breaches due to failed or misconfigured controls. The "you didn't configure it right" response needs to end. Stop blaming your customers! Organizations need actual guidance for their specific environment. Configuration breakdowns extend beyond individual tools to exploitable environment settings. Simple checks matter: Is RDP encrypted? Can vulnerable utilities run? Organizations often think they've checked compliance boxes when configurations tell a different story.

The sticker problem

Cars are complex systems that need to perform at a high level. Sounds a lot like software. So Adam Isles wondered on Lawfare why we couldn't use the same window sticker model for software as we do for cars. Software "window stickers" that combine threat modeling, pen testing, and security inventories face the same execution problems as SBOMs and security questionnaires. Car stickers show features but don't predict resilience. Software can last for decades while facing constant new threats. So any attempt at point-in-time assessments will only result in compliance theater without delivering real security insight. Static assessments can't capture the realities of a dynamic security environment.

Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now. 

Thanks to Ozren Bogovac of Generac for providing our "What's Worse" scenario.

Huge thanks to our sponsor, ThreatLocker

Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Security You Should Know
Turning Trust into a Growth Engine with SafeBase by Drata

In this episode, Al Yang, CEO and Co-founder at SafeBase by Drata, explains how their trust center platform addresses these challenges by creating transparent, always up-to-date security portals that streamline NDAs, access requests, and security questionnaires through AI automation. Joining him are Dan Holden, CISO at Commerce, and Terry O'Daniel, former CISO at Amplitude.

Read the full article and listen to the podcast here.

Thanks to our sponsor, SafeBase by Drata

Subscribe to Security You Should Know

Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.

Best advice for a CISO…

“Listen to the CISO Series Podcast. Tell other CISOs, spread the word.” - Rob Allen, chief product officer, ThreatLocker

Listen to the full episode of “Dear Abby: Why Should I Trust a Vendor Selling Me Zero Trust?”

What Soft Skills Do You Need in Cyber?

"I think just being curious and staying curious is just part of being a human. Having that conflict resolution is part of being a human. I think it starts when, if I'm just meeting someone for the first time, instead of kind of diving right in, asking a bunch of questions about how can we sell you this and how can we sell you that, let's get to know each other a little bit first." - Ryan Dunn, Leader of Product and Supply Chain Technology, Specialized Bicycle Components

Listen to the full episode of “What Soft Skills Do You Need in Cyber?”

Subscribe to our newsletters on LinkedIn!

CISO Series Newsletter - Twice every week

NEW SHOW ANNOUNCEMENT: Department of Know

Many of our listeners have told us that they often use the news in the daily Cyber Security Headlines show in team meetings. Because of this, we thought that to serve our audience best, we should mimic that experience with a Monday "kick off your week" cyber show.

That's why we've decided to move our Friday "Week in Review" show to Monday and call it "Department of Know."

Join us LIVE every Monday at 4 PM ET/1 PM PT on the CISO Series YouTube channel to kick off your week with Department of Know: a live, roundtable-style cybersecurity news show built to launch your week in action.

Our first episode will happen on October 27th, 2025.

We’ll break down the stories that matter most to your business, your defenses, and your decisions for the week ahead. Join your peers, ask questions live, and walk away ready to brief your team with confidence.

CISO Series Meetup in New York City!

Join us for a CISO Series meetup TONIGHT in New York City! On Tuesday, October 21, network with NYC security pros at Gibney’s NYC. Drinks, laughs, and cyber friends welcome!

RSVP here!

Thanks to our event sponsors, Anvilogic and ThreatLocker.

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be David Cross, CISO, Atlassian.

Thanks to our Cyber Security Headlines sponsor, ThreatLocker

Super Cyber Fridays!
Join us Friday for “Hacking the Death of EDR”

Join us on Friday, October 24, 2025, for Super Cyber Friday: “Hacking the Death of EDR.”

It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Davi Ottenheimer, vp, digital trust and ethics, Inrupt, and Rob Teel, CTO, Oklahoma Department of Commerce, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup, hosted right inside the event platform.

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.