Do You Think These Compliance Boxes Check Themselves?
CISO Series Podcast
Compliance regimes and security awareness training are there to help our staff make savvier decisions about personal, digital, and data security. For all the money we've invested in them, have they improved anything?
This week's episode is hosted by David Spark, producer of CISO Series and Pam Lindemoen, CSO, vp of strategy, Retail and Hospitality-ISAC. Joining them is Jason Mayor, deputy CISO, Raymond James Financial.
Listen to the full episode here.
This episode was recorded in front of a live audience at the National Cybersecurity Alliance's Convene conference in Clearwater, Florida.
Coaching security
The $6 billion security awareness training industry hasn't solved the human-error problem, and rebranding the entire category as "human risk management" may not change that. As Jon Oltsik of SiliconANGLE pointed out, what works is treating training less like a compliance calendar item and more like a coaching relationship. Tie any training to real threat behavior, and update it as threats evolve. Phishing simulations only hold value when they're followed by a genuine conversation about what almost happened and why. The real measure of a successful training program isn't how many courses employees complete. It's whether actual click rates on malicious emails are going down over time.
Planned security theater
Security professionals know security theater when they see it: phishing tests announced in advance, data classification systems that users game to avoid friction, DLP tools left in report-only mode until a breach forces the issue. The instinct when confronted with these practices is to call them out, but that tends to go over poorly. The more effective move is to reframe the conversation around making the existing control more valuable rather than eliminating it. Doing something beats doing nothing. The goal is to keep raising the bar on what "something" means.
Making "nothing bad happened" a compelling story
Demonstrating cybersecurity ROI is fundamentally an exercise in translation, not mathematics. Financial models and quantitative frameworks exist and have their place. But before any numbers come out, the framing has to fit how leadership already thinks, argued Defense in Depth co-host Steve Zalewski. Organizations built on relationships need the trust-first conversation. Once you have that, provide data to supplement that trusted understanding. The strongest ROI arguments show how security investments reduce friction and enable the business. Success in security often looks like nothing happened, which means the narrative has to be built before it's needed.
Getting security teams to think like the business
Security practitioners who can't articulate why a control matters to the business will keep losing ground in the conversation. Building a business-minded security team starts with a seat at the table, argued Rinki Sethi, CISO at Upwind Security: sitting in on business meetings, understanding what different teams are trying to accomplish, and experiencing firsthand how little most people know about security. The "five whys" approach is a useful forcing function: keep asking why until you hit the answer that matters to the organization. The hard work is connecting security work to business outcomes, and that only develops through deliberate contact with the business itself.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven't subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Jonathan Waldrop, CISO at Acoustic, for providing our "What's Worse" scenario.
Huge thanks to our sponsors, Adaptive Security, KnowBe4, and Zepo.
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Biggest mistake I ever made in security…
“Biggest mistake I ever made was stopping my pursuit of understanding the business. Obviously, we talk a lot about knowing your business very well. I think I got to a point in my career where I thought I knew the business well enough. Long story short, it came to a head in a very senior risk management discussion where I had sort of lost sight and lost some of my business understanding, which resulted in me telling a very different story about a particular risk category when the business was viewing that risk category very, very differently than me at the time.” - Jason Mayor, deputy CISO, Raymond James Financial
Listen to the full episode of "Do You Think These Compliance Boxes Check Themselves?"
How to Engage With a CISO When They Express Interest
"If you can make me smarter in 2 minutes, I will give you 20 more later." - Adam Palmer, CISO, First Hawaiian Bank
Listen to the full episode of "How to Engage With a CISO When They Express Interest"
The Cool and Not-So-Cool of RSA 2026
David Spark just got back from RSA, and he has some thoughts. From the rapid evolution of agentic AI, to the rise of homegrown AI-built security tools, this year’s conference made one thing clear: the industry is moving fast, and the gap between those embracing AI and those dabbling is widening. Plus: guerrilla marketing wins, color-coded vendor charts lose, and a first-timer gets some hard-won advice.
Read David’s full RSA wrap-up here.
You can't trust your eyes anymore. Here's what you CAN do.
Live deepfakes are no longer a future threat - they're happening now, and the old detection tricks don't work anymore.
Chris Pierson, CEO of BlackCloak, breaks down how executives and their families can protect themselves through verified, closed-loop identity confirmation before high-stakes conversations ever take place.
Watch the full video here.
Thanks to our sponsor, BlackCloak
Cybersecurity Headlines - Department of Know
Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.
Monday’s episode featured Dennis Pickett, vp, CISO, Westat, and Jacob Combs, CISO, Tandem Diabetes Care. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.
Join us again next week, and every Monday.
Thanks to our Cybersecurity Headlines sponsor, ThreatLocker
Super Cyber Friday
Join us Friday for “Hacking Trust in Leadership”
Join us on Friday, April 3, 2026, for Super Cyber Friday: “Hacking Trust in Leadership: An hour of critical thinking about how to build productive relationships within your security team.”
It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Jack Leidecker, CISO, Gong, and Doug Mayer, vp, CISO, WCG, for an hour of insightful conversation and engaging games. And stick around for our always-popular meetup, hosted right inside the event platform.
Register for the Super Cyber Friday event series. Join us for just this episode, or choose to register for all of our upcoming episodes in this ongoing event series.
Cybersecurity Headlines - Daily News Shorts
Subscribe to the CISO Series YouTube channel, for daily shorts videos from CISO Series reporter, Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.