Join us tomorrow for "Hacking AI Workflows"

Super Cyber Fridays!
Join us TOMORROW, Friday [12-12-25], for "Hacking AI Workflows"


Join us Friday, December 12, 2025, for “Hacking AI Workflows: An hour of critical thinking about securing sensitive data beyond traditional cybersecurity perimeters.”

It all begins at 1 PM ET/10 AM PT TOMORROW with guests James Rice, vp of product strategy and GTM, Protegrity, and Doug Mayer, vp, CISO, WCG. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Protegrity


Defense in Depth
How Much Cyber Risk Should a CISO Own?


CISOs don't own cyber risk. Until they do. Haven't we moved beyond the CISO being the scapegoat in waiting?

Check out this post by Nick Nolen of Redpoint Cyber for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap. Joining us is Erika Dean, former CSO, Robinhood.

Listen to the full episode here.

Delegation requires accountability

The debate over CISO risk ownership often overlooks a fundamental management principle: delegation comes with responsibility. Brian Wrozek of University of Texas at Dallas argued that "CISOs need to own something and be responsible for making final decisions and their area of expertise is cybersecurity risk plus all that contributes to it like threats, vulnerabilities, controls, etc." He noted that just as CEOs delegate finance to CFOs, "it is reasonable to delegate cyber risk to the CISO. The CISO needs to have 'skin in the game' so to speak." Simon Goldsmith, CISO at OVO, challenged the notion of CISOs as mere advisors, pointing out that "most CISOs aren't responsible for the resources, the systems, the data, the strategy, or the risk appetite of a company." He emphasized that security work "should be a first class citizen in a company's technology architecture and roadmapping, not an advisory function."

The reality of daily decision-making

CISOs make consequential risk decisions every day, whether their job descriptions acknowledge it or not. Mark Weatherford of Nvidia pushed back on the purely advisory framing, noting that "making risk decisions is exactly why companies choose to invest in a CISO. Dozens of risk decisions are made by the CISO every day that the exec team never even knows about and they 'own' those risk decisions." This doesn't happen in a vacuum, as Niel Harper, CSO at JetBrains, explained: "No single person or department owns cyber risk; it's a shared responsibility that begins with the board of directors and senior executives and extends to asset owners, department heads, the CISO, and individual employees."

The gap between theory and practice

There's often a disconnect between how CISO accountability should work in theory versus how it actually plays out. Spencer Mott of KASP Solutions acknowledged the tension, saying, "while I agree that technically, and in the ideal setting, the CISO shouldn't 'own' the risk. But the reality is, the CISO is hired specifically for that reason and that's why being a 'fall-guy/girl' should demand the big bucks!" Mohammad S. of Federal Court System emphasized that risk decisions extend beyond any single function, noting that "the CISO's job is to surface the risk clearly, quantify the exposure, and recommend actions. But the final call on what level of risk the company can live with? That sits with the CEO and the board, not one executive."

Beyond the advisory role

The most effective CISOs don't just advise. They actively partner with the business to reduce risk. Jonathan Waldrop, CISO at Acoustic, emphasized the importance of action, explaining that "the CISO does advise, but they also must ACT. Nobody wants to work with the person who only tells them things they should do." He stressed that security "partners with business functions... IT, product engineering, legal, HR, everywhere really, and they ultimately help protect the business."

Thanks to our other unwitting contributor, Muhammad Khan of Satellite Ground Station - Pakistan.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, ThreatLocker


Join CISO Series Podcast live at ThreatLocker's Zero Trust World 2026, March 4-6, 2026, in Orlando, FL. Use coupon code ZTWCISOSERIES26 to get $200 off your ticket.

Subscribe
Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

What CISOs Want You To Know About Insider Threats


We assembled a panel of CISOs to talk about a crucial and often sensitive topic: dealing with insider threats. They shared their firsthand experiences managing, detecting, and preventing insider incidents. They fielded all kinds of questions about the human side of security risk. They all had some really unusual stories about dealing with insider threats that you don’t want to miss.

You can read all of the Q&As straight from the source, but we've distilled some key takeaways for you from the AMA. Read the full article here.

Thanks to our participants!

  • Andy Ellis, (u/CSOandy), principal, Duha

  • David Cross, (u/MrPKI), CISO, Atlassian

  • Jack Leidecker, (u/JD-Sec), CISO, GONG

  • Leslie Nielsen, (u/cyberguy1729), CISO, Mimecast

Next up: “I'm a security professional who transitioned our security program from compliance-driven to risk-based. Ask Me Anything.” Starting Sunday, December 14 on r/cybersecurity.

LIVE!
Cyber Security Headlines - Department of Know


Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.

Monday’s episode featured Jason Shockey, CISO, Cenlar FSB, and Mike Lockhart, CISO, EagleView. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.

Join us again next week, and every Monday.

Thanks to our Cyber Security Headlines sponsor, Adaptive Security


Cyber chatter from around the web...
Jump in on these conversations

“During an interview how should you answer ‘what is your biggest weakness?’”(More here)

“Fell for a phishing email and work account was hacked. Will I be fired?” (More here)

“Enterprise browser completely locked out our entire org” (More here)

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.