If We Can't Do Better, at Least Do It Faster
CISO Series Podcast
We see third-party breaches in the news all the time. Odds are, most of those companies produced clean audit reports and filled in questionnaires. If none of that reduced risk, why are we still consumed with this compliance-theater busywork?
This week’s episode is hosted by David Spark, producer of CISO Series and Andy Ellis, principal of Duha. Joining them is Vikas Mahajan, vp and CISO, American Red Cross.
Listen to the full episode here.
Questionnaires aren't risk management
Third-party risk management has become a box-checking exercise. We know this because any breached company could have produced a clean SOC 2 report the day before the incident, as noted by Ross Young of CISO Tradecraft. Outcome-driven vendor contracts have been proposed as a solution, paying a base rate and bonuses to vendors who meet your patching SLAs. Interesting idea, but it falls apart in practice. Proving compliance with custom SLAs costs vendors more than the bonus is worth, and they'll just pass that cost back to you. The better move is to stop pretending you can audit your way into knowing what's inside a vendor's environment. Focus on resiliency instead. Ask your critical suppliers how they plan to survive an attack or outage. Better yet, invite them into your tabletop exercises, so you have a plan together before something goes wrong.
The good old days were worse
Every few months, someone declares that cybersecurity hasn't improved, that we're still fighting the same five failures from the 1990s. Missing patches, credential reuse, and misconfigurations were all cited as perennial problems by Joshua Copeland of Crescendo. It's a compelling narrative, but it ignores how far the baseline has moved. Thirty years ago, there was almost no security consideration anywhere in software design. Telnet was standard. Updating a phone meant plugging it into a computer with a proprietary cable and manually running the install. Now your car patches itself overnight. The fundamentals still matter, and we need to do them well. But the claim that we're just pretending to be secure doesn't hold up against the extent of invisible security now running behind the scenes.
Buying or building your SOC
The instinct when building a SOC from scratch is to start with the tools: which SIEM, which platform, which vendor. The cybersecurity subreddit blew up with debate over it. Wrong starting point. Start with what you're protecting, what you can see today, and what you can realistically respond to. And for most organizations, the honest answer is don't build one at all. Around-the-clock coverage requires at least five to six people and more than a million dollars in salary before you buy a single tool. An MSSP gets you broader detection coverage from day one. But outsourcing only works if someone within your organization manages the relationship. MSSP engagements go bad when nobody in the company knows what the MSSP is doing.
Start the conversation, not the checklist
Shift left has become an eye-roll in cybersecurity, but the backlash has more to do with how vendors co-opted the phrase than with the underlying idea. At its core, it's just asking security teams to engage earlier, argues Derek Fisher of Temple University. One lightweight approach is four questions before any project kicks off: What are we building? What can go wrong? What are we going to do about it? Did we do a good job? It's not a formal threat model; it's an icebreaker that respects what the development team already knows. The alternative is walking in with a list of requirements you wrote without context, getting one thing embarrassingly wrong, and losing credibility on everything else. Embed security into the tools developers already use, show up as an advisor rather than an auditor, and the conversation shifts from compliance to collaboration.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Steve Wingate, CyberGuard Advisors for providing our "What's Worse" scenario.
Thanks to our podcast sponsor, Adaptive Security
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Security You Should Know
Solving GRC Complexity with Anecdotes
In this episode, Yair Kuznitsov, CEO at Anecdotes, explains how his platform uses data-driven AI agents to automate GRC activities while maintaining the traceability and trust that auditors require. Joining him are Andrea Bergamini, CIO at Orbia, and Brett Conlon, CISO at American Century Investments.
Want to know:
Why is integrating AI tools into GRC still such a persistent challenge?
What GRC activity wastes the most human hours, and how can agents eliminate it?
Where do humans step in when AI agents handle GRC tasks?
How do you manage the complexity of multiple agents operating across your environment?
What enterprise data do agents need access to, and how is least privilege maintained?
What part of today's GRC team disappears in three years, and what roles become more important?
How do you ensure resilience when data sources break, APIs change, or accounts go out of scope?
Check out the episode for the answers you need.
Thanks to our podcast sponsor, Anecdotes
Subscribe to Security You Should Know
Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.
Best advice for a CISO…
“My best advice for a CISO is make friends, not enemies. You must learn to get along with your peers. They are critical for you to be able to get the security things you want done. And it's also important for you to make friends of your key executives. They are the ones who manage risk and they're the ones who need to understand cyber risk.” - Vikas Mahajan, vp and CISO, American Red Cross
Listen to the full episode of “If We Can't Do Better, at Least Do It Faster”
How Much Autonomy Should You Give AI Agents in Your SOC?
"Treat it the same way you would an intern. Instead of, 'Go be a genius and go hunt down every threat in my system,' say, 'Here's the runbook we give to our level one analysts. Can you do this investigation?' And then they take that over." - Cliff Crosland, co-founder and CEO, Scanner.dev
Listen to the full episode of “How Much Autonomy Should You Give AI Agents in Your SOC?”
CISO Series Newsletter - Twice every week
Cybersecurity Headlines Newsletter - Every weekday
Security You Should Know Newsletter - Weekly
Reddit ‘Ask Me Anything’ – February 2026
Our monthly AMA on r/cybersecurity on Reddit has begun! Our topic is "I've been a CISO more than once. Ask me anything about how the job differs between organizations."
For this edition, we're focusing on the unique experiences of CISOs who have held the role at multiple organizations. Our panel will share insights on how the job differs between companies, what aspects change with each organization, and what remains consistent regardless of where you work. They'll discuss navigating different company cultures, adapting security strategies to varied business contexts, and the lessons learned from leading security at more than one place.
Please ask questions for our participants here.
This month's participants are:
Andrew Wilder, (u/CyberInTheBoardroom), CISO, Vetcor
Krista Arndt, (u/thedrivermod), associate CISO, St. Luke's University Health Network
David Cross, (u/MrPKI), CISO, Atlassian
Peter Clay, (u/cpthuah36), CISO, Aireon
Thanks to all of our participants for contributing!
CISO Series Podcast LIVE in Orlando, FL 3-6-26
CISO Series Podcast is heading to Orlando for a live recording at Zero Trust World 2026! Join us on March 6 as David Spark welcomes Michelle Wilson, CISO, Movement Mortgage, and Rob Allen, chief product officer, ThreatLocker to the stage.
Register and use code ZTWCISO26 to save.
Find the full event details here.
BIG thanks to our sponsor, ThreatLocker
Cybersecurity Headlines - Department of Know
Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.
Monday’s episode featured Montez Fitzpatrick, CISO, Navvis, and Peter Gregory, best-selling cybersecurity author. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.
Join us again next week, and every Monday.
Thanks to our Cybersecurity Headlines sponsor, Adaptive Security
Super Cyber Friday
Join us next week for “Hacking Citizen Developers”
Join us on Friday, March 6, 2026, for Super Cyber Friday: “Hacking Citizen Developers: An hour of critical thinking about how to embrace democratizing development without creating security chaos.”
It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Amichai Shulman, CTO and co-founder, Nokod Security, and Bil Harmer, information security advisor, Craft Ventures, for an hour of insightful conversation and engaging games. And stick around for our always-popular meetup, hosted right inside the event platform.
Register for the Super Cyber Friday event series on Airmeet. Join us for just this episode, or choose to register for all of our upcoming episodes in this ongoing event series.
Thanks to our Super Cyber Friday sponsor, NOKOD
Cybersecurity Headlines - Daily News Shorts
Subscribe to the CISO Series YouTube channel, for daily shorts videos from CISO Series reporter, Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.