How Much Risk Would a CISO Risk if a CISO Could Risk Risk?
CISO Series Podcast
CISOs first appeared in the C-Suite over thirty years ago. But their responsibilities and functions within an organization still vary wildly. If an organization wants their CISO to be more effective, take a moment to understand their purpose and how they function.
This week’s episode is hosted by David Spark, producer of CISO Series, and Brett Conlon, CISO, American Century Investments. Joining them is Ryan Barras, CISO, Mount Sinai Medical Center.
Listen to the full episode here.
Nobody understands what we do
The CISO role remains misunderstood three decades after its creation. CISOs sit in the C-suite by title but often lack real organizational power, and their responsibilities vary wildly between organizations. The biggest part of the job is relationship building, not technical execution. CISOs need to understand their organizations better than anyone else: the culture, the business model, the risks, the vendors. Few disciplines are as broad. The C-suite must understand that cyber's job is to protect them from a critical business risk they may not fully grasp themselves; it is the CISO's job to understand that risk and explain it. As a CISO, learn the basics of how the business operates: where do customers come from, and what drives revenue? Conversations about the volume of vulnerabilities are meaningless to business operations. Talk instead about what happens when point-of-sale systems go down for two days and the mobile app stops working. That's business impact.
Someone else should fix this
The distinction between industry problems and business problems is critical. If you hear "there needs to be," you're dealing with an industry problem: something holding everyone back, with no financial incentive for any one organization to fix it. Introducing regulation won't necessarily solve it. Healthcare is heavily regulated and still suffers massive breach rates. The real issue is that vendors don't listen to industry needs. They build products and hunt for buyers rather than understanding what different industries require. What manufacturing needs differs from healthcare, which differs from finance. Vendors chase the most profitable industries rather than tailoring solutions by sector. The most beneficial change would be reversing the conference model, with vendors listening to industry problems instead of pitching solutions. Forums like ISSA provide spaces for open dialogue on industry-wide challenges. But many problems labeled as industry-wide are really just excuses for not addressing basic security fundamentals.
Make the audience care
We've all suffered through bad panel sessions. The worst offense is when moderators, who are the hosts, don't introduce their guests and instead ask panelists to introduce themselves. No professional talk show host does this, because it signals you barely know your guests. Who would believe they're your guests? Moderators who answer their own questions destroy conversational flow. Good panels happen when participants reveal personal information you couldn't find by Googling them. Read the room: panelists speaking at the wrong technical level lose it. The best panels get the audience involved throughout the discussion rather than saving questions for the end. That is true audience-to-panel engagement, and it creates a successful discussion that will hopefully drive attendees to rush the stage.
Speaking CEO
The ideal CEO-CISO relationship centers on risk advisory, not technical updates. When CEOs ask "tell me what I don't know," they want to understand the security landscape for their industry, get a solid soundbite about business impact, and know what you're doing about it. This isn't your moment to air grievances. Keep it focused on industry context, company-specific risks, and your response. Making the CEO look good means making your team look good. Take a holistic approach that addresses issues within larger organizational processes, not just technology silos. When asked "Are we secure?", educate your audience that they won't be getting a "yes" or "no" answer. Security, just like business, is a journey. Describe the development of the security program and the improvement you expect from it.
Listen to the full episode on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Ozren Bogovac of GE Aerospace for providing our "What's Worse" scenario.
Thanks to our podcast sponsor, Dropzone AI
Subscribe
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Biggest mistake I ever made in security…
“Okay, that might have started with taking the job. Besides that, I think, maybe assuming that people actually understood the distinction between cybersecurity, the role, and IT in general. And in addition to that, probably making assumptions that when you accept the job, that there was a clear understanding of what budget you had allowed for hiring and for specific spending amounts.” - Ryan Barras, CISO, Mount Sinai Medical Center
Listen to the full episode of “How Much Risk Would a CISO Risk if a CISO Could Risk Risk?”
How Much Cyber Risk Should a CISO Own?
"I definitely agree that every CISO owns the risk for cybersecurity. Whether or not they can effectively feel like they're able to manage that risk, if they're buried in an organization three levels below, four levels below a CEO, and rarely talk to the board, can't even get FaceTime with the rest of the C-suite, that's a problem." - Erika Dean, former CSO, Robinhood
Listen to the full episode of “How Much Cyber Risk Should a CISO Own?”
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Security You Should Know Newsletter - Weekly
Reddit ‘Ask Me Anything’ – December 2025
Our monthly AMA on r/cybersecurity on Reddit has begun! Our topic is "I'm a security professional who transitioned our security program from compliance-driven to risk-based. Ask Me Anything."
For this edition, we’ve assembled a panel of CISOs and security professionals to talk about a transformation many organizations struggle with: moving from a compliance-driven security program to a risk-based one. They’ll be here all week to share how they made that shift, what worked, what failed, and how to align security with real business risk — not just checklists and audits.
Please ask questions for our participants here.
This month’s participants are:
David Cross, (u/MrPKI), CISO, Atlassian
Kendra Cooley, (u/infoseccouple_Kendra), senior director of information security and IT, Doppel
Simon Goldsmith, (u/keepabluehead), CISO, OVO
Tony Martin-Vegue, (u/xargsplease), executive fellow, Cyentia Institute
Thanks to all of our participants for contributing!
LIVE!
Cyber Security Headlines - Department of Know
Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.
Monday’s episode featured Andy Ellis, principal, Duha, and Johna Till Johnson, CEO and founder, Nemertes. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.
Join us again next week, and every Monday.
Thanks to our Cyber Security Headlines sponsor, Adaptive Security
Super Cyber Fridays!
Join us in 2026 for Super Cyber Friday!
That’s it for Super Cyber Friday in 2025! You can find all previous video episodes here.
Join us again in 2026 for our weekly live streams and post-show networking groups! Visit this link to register for future sessions. And be sure to import the CISO Series calendar into your planner to be reminded about all of our live streaming events.
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.