I Can’t Choose. I Love All My Assets Equally.

CISO Series Podcast

Most organizations have a basic understanding of their crown jewels. Dig a level deeper, and it becomes a different story. Where are they? What's their value? Where are they traveling? Who has access to them? Who shouldn't have access to them? How will the cybersecurity team partner with the business to protect those assets?

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, partner, YL Ventures. Joining us is Tim Jacobs, vp, CISO, Commonwealth Care Alliance.

Listen to the full episode here.

Starting from zero

When a health organization starts from a cybersecurity baseline of almost zero, such as shared logins and no meaningful controls, it’s tempting to lead with fear or threats of HIPAA fines. Fear, uncertainty, and doubt (FUD) often backfires. A more effective approach is to avoid sounding alarmist and instead engage peers and allies within the organization to understand how change gets made. Crowdsource advice from respected business leaders internally, frame the risk in operational terms (e.g., what happens if ransomware locks you out), and seek outside help, such as a Microsoft-focused managed service provider, to assess the environment and propose baseline improvements. The goal is to present security enhancements as business enablers, not compliance checkboxes or apocalyptic predictions.

Prepare for decisive decisions

Effective crisis management in cybersecurity starts long before an incident occurs, but preparedness alone isn't enough—decisive leadership is essential in the moment. The key to timely decision-making lies in having a structured plan, maintaining open communication channels, and continuously distinguishing between what is known and unknown, noted Andrew Aken of DocDrew. Leaders must ensure the right people are working on the correct problems and have practiced their roles beforehand. Decisiveness also requires understanding the potential cost of each action, with leaders weighing whether a solution introduces more risk than it resolves, like trading a high-severity issue for several lower ones. Communicating these principles clearly to executives ahead of time through breach response planning and regular tabletop exercises builds trust and enables rapid action. Leadership must be prepared to make hard decisions, like severing internet connectivity, and ensure the business understands and supports the tradeoffs.

Working back from unacceptable

Effective threat modeling depends on understanding asset value, but actual asset value isn’t something you assign upfront; it’s something you uncover through risk modeling. While organizations often try to start by identifying their “crown jewels,” this process is rarely straightforward and is better approached by defining unacceptable business losses and working backward, argued Derek Fisher at Temple University. An asset gains value when its compromise or unavailability directly leads to those losses, whether it's patient harm in healthcare or halted operations in manufacturing. This approach reveals what matters most and what dependencies might be overlooked. Attempting to assign value based on replacement cost or revenue potential misses the broader impact and context.

Discovering inefficiencies

Security initiatives often reveal broader operational improvements beyond reducing cyber risk. By scrutinizing systems, communications, and infrastructure, security teams frequently uncover inefficiencies—unused assets, duplicative tools, outdated processes, or missing business controls, according to Rob Black of Fractional CISO. Efforts like internal audits, threat detection, and email security monitoring have exposed everything from inactive cloud services that can be deprovisioned to accounts payable vulnerabilities that would’ve gone unnoticed without security’s involvement. Framing these efforts around business value, such as cost reduction, process improvement, or faster delivery cycles, often gains more traction than leading solely with security benefits. In practice, security can catalyze modernization, agility, and improved governance, especially when its goals align with broader business priorities like operational efficiency or product quality.

Listen to the full episode on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Neil Saltman of AHEAD for contributing this week’s “What’s Worse?!” scenario.

Huge thanks to our sponsor, ThreatLocker

Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Best Advice for a CISO...

“Find out what matters to the business. Make that your priority. Deliver that to support the business, and your program will flourish.” - Tim Jacobs, vp, CISO, Commonwealth Care Alliance

Listen to the full episode of “I Can’t Choose. I Love All My Assets Equally.”

What Should Be in a CISO Job Description?

"That ability to communicate and lead separates a lot of great security engineers from being CISO leaders." - Dennis Pickett, vp, CISO, Westat

Listen to the full episode of “What Should Be in a CISO Job Description?”

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

Zero Trust is a Philosophy and Journey that Never Ends

At Zero Trust World in Orlando, David Spark sat down with Howard Holton, CTO of GigaOm, to unpack the philosophy behind zero trust and how it’s evolving in real-world environments.

Holton explained that while the core principle, “trust nothing,” hasn’t changed, the way organizations implement it has matured. Instead of enabling everything by default, smart security teams now pause, observe, and selectively allow only what the business truly needs.

It’s not about blocking—it’s about learning, adapting, and staying in control.

Huge thanks to our sponsor, ThreatLocker

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Steve Knight, former CISO, Hyundai Capital America.

Thanks to our Cyber Security Headlines sponsor, ThreatLocker

Super Cyber Fridays!
Coming Up: “Hacking Provable Security” on Super Cyber Friday

Super Cyber Friday is back this Friday, May 30, 2025, with a live discussion challenging the limits of conventional security assessments. What truly defines provable security? Where do traditional ratings and questionnaires fall short—and how can CISOs shift from compliance checklists to measurable effectiveness?

David Spark of the CISO Series will be joined by Sravish Sridhar, Founder and CEO of TrustCloud, and Tony Spinelli, former CISO of Capital One. The event kicks off at 1 PM ET / 10 AM PT, with an interactive meetup to follow at 2 PM ET / 11 AM PT.

Thanks to our Super Cyber Friday sponsor, TrustCloud

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.