I Just Can’t Communicate With the Business. I’ve Tried Condescension AND Derision.
CISO Series Podcast
While making informed technical decisions is key for a CISO, the biggest problems they face often aren't technical. Instead they stem from a failure to translate conversations about risk to the rest of the business. What difference does it make for a CISO when they consider getting buy-in to be their primary role in an organization?
This week’s episode is hosted by David Spark, producer of CISO Series, and Andy Ellis, principal of Duha. Joining them is Gary Chan, CISO, SSM Health. Be sure to check out Gary's security mentalism website.
Listen to the full episode here.
Decision-making with incomplete information
Cybersecurity professionals struggle with making decisions with imperfect and uncertain information. This causes some to wait for false certainties or cling to the perception of complete data before acting, warned Chris Grundemann of Khadga Consulting. The military principle that "a 70 percent plan violently executed will always defeat the 100 percent plan" applies directly to security leadership. At some point you must commit and execute based on what you know, without second-guessing once new information emerges.
The key is building confidence through frameworks. Use things like probability trees that help visualize potential outcomes, while preparing contingency plans for when decisions don't pan out as expected. Successful security leaders understand that making consistently good decisions with incomplete information builds their credibility and influence. Doing something goes a long way with your organization.
Translation beats technical expertise
New CISOs struggle with transitioning from technical audiences to business communications. It can be daunting to deal with translation problems when you're used to technical ones, as Bonoy Koonammavu of Secusy AI noted. The greatest challenge is that first-time CISOs try to justify new investments while forgetting to demonstrate the continuing value of existing security programs.
Business leaders don't care about "reducing risk" as a principle. That's why successful CISOs tell compelling stories that show concrete value. Frame security as a way to let them take on business risk. Ultimately, it's about how the security team helps the business succeed that matters.
Influence trumps authority for CISOs
CISOs hold accountability for security without control of infrastructure or vendor relationships. That's a tough spot to be in. As Troy Wilkinson, former CISO at Interpublic Group, pointed out, influence is a CISO's most powerful tool for prioritizing risks. The biggest lie told to aspiring CISOs is that their goal should be to say no and make it stick. Effective security leadership happens through influence, not directive authority.
Success comes from creating positive experiences, being an exceptional storyteller who can articulate value, and being seen as someone who helps others succeed rather than just pointing out problems. Don't be the CISO that cried "that's too risky!" Focus on making people more effective. Build trust and demonstrate consistent value rather than relying on positional power.
Technical prowess creates adversaries
When you suffer from imposter syndrome, it's tempting to compensate by showcasing technical expertise. But this "tech flex" approach creates adversaries instead of allies when you reach leadership positions, as Jerich Beason, CISO at WM, learned from hard experience. The hard truth is that it's not enough to be "right." With every interaction, you need to bring people along with you and focus on what you're trying to achieve.
Emotional intelligence, communication skills, and political acumen aren't "soft skills" but instead determine whether you can drive organizational change. Technical work means nothing if people don't feel they can come to you. Building trusted partnerships with executive leadership requires focusing on impact and relationships rather than just demonstrating how smart you are.
Listen to the full episode on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Jay Dance from StubHub for providing our "What's Worse" scenario.
Huge thanks to our sponsor, Vanta
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Security You Should Know
Proving Trust with Drata
Proving trust is one of the primary challenges facing cybersecurity today. Just look at the rash of data leaks coming from third parties in the news every week. There’s a significant gap between policy intent and execution, especially as companies navigate multi-tenant cloud infrastructures, distributed teams, and complex compliance requirements. Traditional GRC approaches using spreadsheets and siloed tools create massive overhead. This all becomes harder at scale, forcing organizations into painful trade-offs between thorough compliance and operational efficiency.
In this episode, Matt Hillary, CISO at Drata, explains how their AI-native trust management platform addresses these challenges by automating evidence collection from integrated systems and reducing manual effort by over 90%. Joining him are Mike Lockhart, CISO at EagleView, and Johna Till Johnson, CEO at Nemertes. The conversation explores how Drata’s platform bridges the policy-execution gap through hundreds of out-of-the-box integrations, AI-assisted questionnaire responses that handle 90% of vendor due diligence automatically, and real-time control monitoring that enables GRC teams to operate more like security operations centers, responding quickly to control failures rather than simply passing audits.
Huge thanks to our sponsor, Drata
Subscribe to Security You Should Know
Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.
Best advice for a CISO…
“Create experiences. People forget what you tell them, but they don’t forget how you make them feel.” - Gary Chan, CISO, SSM Health
Listen to the full episode of “I Just Can’t Communicate With the Business. I’ve Tried Condescension AND Derision.”
Where are We Struggling with Zero Trust
"Zero trust is just a change in mindset. It’s a change from default permit to default deny. That is a fundamental shift in the way that people have thought about IT for 30, 40 years." - Rob Allen, chief product officer, ThreatLocker.
Listen to the full episode of “Where are We Struggling with Zero Trust”
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Security You Should Know Newsletter - Weekly
PREVIEW: CISO Series Podcast LIVE in Boca Raton, FL 9-12-25
Join David Spark for another CISO Series Podcast recording. We'll be in beautiful Boca Raton, Florida, at the historic Boca Raton Innovation Campus, helping ISSA South Florida celebrate their 25th anniversary!
Joining David on stage will be Brett Conlon, CISO, American Century Investments, and Ryan Barras, CISO, Mount Sinai Medical Center.
You need to get tickets here.
WHEN: September 12, 2025. Doors open at 8:00 am and we'll be recording in the afternoon.
Huge thanks to our sponsor, Dropzone AI
LIVE!
Cyber Security Headlines - Week in Review
Join us on YouTube for a special five-year anniversary edition of Cyber Security Headlines: Week in Review.
For this milestone episode, we’re bringing together three of our CISO Series reporters — Rich Stroffolino, Steve Prentice, and Hadas Cassorla — for an on-air roundtable. Plus, we’ll hear special video messages from our other two reporters, Lauren Verno and Sarah Lane.
We’ll still cover the week’s biggest cybersecurity headlines, but we’ll also look back at five years of reporting the stories that shape our industry.
Thanks to our Cyber Security Headlines sponsor, Conveyor
Super Cyber Fridays!
Join us Friday for “Hacking Tabletop Exercises”
Join us on Friday, August 22, 2025, for Super Cyber Friday: “Hacking Tabletop Exercises.”
It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Raj Singh, CISO – North America, Sagility, and Brett Conlon, CISO, American Century Investments, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup, hosted right inside the event platform.
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.