Get ALL the Challenges of Cybersecurity AND Fewer Resources

CISO Series Podcast
Get ALL the Challenges of Cybersecurity AND Fewer Resources


"Less money, less resources, and a giant target on your back" isn't exactly a great pitch for recruiting cyber talent, but that's essentially the pitch municipalities have to make to bring in new cyber staff. How can we set up municipal cybersecurity programs to succeed in what seems to be a thankless task?

This week’s episode is hosted by David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is Charles Blauner, operation partner and CISO in residence, Team8.

Expanding collective defense

Volunteerism and collective defense are gaining traction as viable strategies to protect critical infrastructure and underserved sectors in cybersecurity. Philanthropic initiatives like the Franklin Project aim to match skilled professionals with local governments and public systems that lack adequate funding or security expertise, as reported in CyberScoop. Rather than direct access to sensitive systems, these efforts often include education, vulnerability assessments, and awareness-building. The concept of collective defense—where organizations collaborate against shared threats—has long existed, with historical examples including large banks defending smaller peers during coordinated DDoS attacks. Beyond technical collaboration, collective defense also manifests in mentorship and peer support among cybersecurity leaders. Community isn’t just for networking; it holds a unique role in strengthening overall resilience.

Getting talent to the municipal level

Recruiting cybersecurity talent into municipal roles remains a significant challenge due to lower pay, rigid hiring processes, and limited visibility compared to private-sector roles. While public service appeals to some, governments often struggle to attract candidates beyond that mission-driven pool, noted Deb Radcliff on CSO Online. Traditional hiring practices—focused on degrees and certifications—screen out qualified individuals, especially veterans or self-taught professionals. Municipalities must modernize these systems and embrace alternative pathways, such as apprenticeship programs and rotational roles with private companies. Creative approaches, including leveraging tax policy to incentivize public-private workforce exchanges, would also help build pipelines and reduce friction in hiring. We can also reframe government service, positioning these roles as high-impact, short-term opportunities rather than long-term careers. The goal is to attract candidates eager to make a difference while gaining experience.

A mature reporting structure

Survey data shows that CISO reporting structures vary widely based on company size and ownership, with nearly a third of CISOs at public companies still reporting to the CIO. Smaller or privately held companies are more likely to place the CISO under the CEO, as a survey from Hitch Partners noted. This trend appears to reflect organizational maturity rather than intentional design. In many startups, for instance, CIO roles may not even exist, making reporting lines more flexible. Fixation on reporting structures misses the larger issue: organizational culture and governance are far more critical to a CISO’s success than who they report to. Without executive support, clear priorities, and accountability, even ideal reporting lines won't ensure effective cybersecurity leadership.

A pill for that cyberailment

Cybersecurity continues to struggle with standardizing how we measure the effectiveness of security controls, leading many to rely on subjective expert opinions rather than data-driven frameworks. Ross Haleliuk of Venture in Security proposed modeling cybersecurity after medicine, where standardized coding enables shared understanding and systemic research. While frameworks like MITRE ATT&CK and D3FEND begin to structure tactics and countermeasures, a major obstacle remains: the lack of incentives for organizations to share meaningful data. Even well-structured tooling misses the point, as actual progress lies in measuring processes and outcomes, not just technical configurations. And let’s not discount that medicine has been around a lot longer than cybersecurity, which deals with rapidly adapting threat actors. That makes it challenging to build a universal system of measurement.

Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Jonathan Waldrop, CISO at The Weather Company, for contributing this week’s “What’s Worse?!” scenario.

Listen to the full episode here.

Huge thanks to our sponsor, Material Security


Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Security You Should Know
Solving Alert Fatigue with Dropzone AI

Security operations centers (SOCs) are drowning in alerts, forcing analysts to waste time chasing down false positives while real threats slip through. The problem isn’t just efficiency—it’s burnout, missed signals, and limits on what security teams can reasonably triage.

In this episode, Edward Wu, CEO and founder of Dropzone AI, explains how their AI-powered SOC analyst automates triage and investigation for security alerts. The result is more efficient operations, faster detection of real threats, and a significant reduction in alert fatigue. He’s joined by our panelists, TC Niedzialkowski, head of IT and security at Opendoor, and Steve Zalewski, co-host of Defense in Depth.

Listen to the full episode here.

Thanks to our podcast sponsor, Dropzone AI


Subscribe to Security You Should Know Podcast

Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.

What I hate about cyber security…

“I hate all the backseat drivers. It’s actually become institutionalized in a lot of organizations to have whole teams designed just to double check and question every decision a CISO makes.” - Charles Blauner, operation partner and CISO in residence, Team8

Listen to the full episode of “Get ALL the Challenges of Cybersecurity AND Fewer Resources”

Why Are We Still Struggling to Fix Application Security?

"There hasn’t been much innovation for the past 30 years in code analysis tools. They all evolved from the virus scanners of the late ’80s and early ’90s that just look at code line by line… it’s the tools that have straitjacketed everyone and that have added to the frustration." - Eric Gold, chief evangelist, BackSlash

Listen to the full episode of “Why Are We Still Struggling to Fix Application Security?”

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

LIVE!
Cyber Security Headlines - Week in Review


Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be DJ Schleen, Head of Security, Boats Group.

Thanks to our Cyber Security Headlines sponsor, ThreatLocker


Super Cyber Fridays!
Join us NEXT Friday, May 9, 2025, for “Hacking the Validity of GenAI: An hour of critical thinking about embracing these new tools while still meeting your compliance requirements”

Joining David Spark, producer of CISO Series, for this discussion will be:

  • Chris Strand, global security and compliance officer, Thoropass

  • Rob Gormisky, former InfoSec lead and founding engineer, Forage

It all begins at 1 PM ET/10 AM PT on Friday, May 9, 2025. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Thoropass

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.