Join us tomorrow for "Hacking Analyst Happiness"

Join us Friday, February 6th, 2026, for “Hacking Analyst Happiness: An hour of critical thinking about why a happy SOC is an effective SOC.”

It all begins at 1 PM ET/10 AM PT TOMORROW with guests Jon Hencinski, head of security operations, Prophet Security, and Justin Lachesky, director, cyber resilience, Redis. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Prophet Security

Defense in Depth
Simple Security Solutions That Deliver a Big Impact

We all know what gets our attention in cybersecurity. But those big-ticket flashy items are often not what pay the biggest dividends. What are the simple, sometimes unsexy security controls that have a big impact?

Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by David Spark, the producer of CISO Series, and Edward Contreras, senior EVP and CISO, Frost Bank. Joining them is their sponsored guest, Rob Allen, chief product officer, ThreatLocker.

Listen to the full episode here.

Getting permissions right

Identity and access management (IAM) sits firmly in the category of unsexy security fundamentals that organizations consistently undervalue, at least until something goes wrong. "Identity and access management has to be on this list," said Jonathan Waldrop, CISO at Acoustic. "It is the least sexy security problem. When done well, no one notices. When it's done poorly, EVERYONE notices." The solution involves disciplined structure rather than technical wizardry. Howard Holton of GigaOm outlined the approach: apply permissions to well-defined roles, apply those roles to groups, then add users to groups rather than granting permissions directly to individuals. "Much easier to remove the permissions—remove them from the role/group. Much easier to see what permissions you are allowing—name the group something specific. Much easier to troubleshoot why user 1 can/can't do what user 2 can do," he explained.
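Holton's roles-to-groups-to-users structure, worked through as an added example (this is not code from the episode or from any vendor; the role, group, permission and user names are constructed). Every permission is resolved through a group/role path, so the model can explain why one user can do what another cannot, flag permissions attached directly to a user, and show that revoking a role from a group removes it for every member at once while a direct grant quietly survives.

```python
import copy


class AccessModel:
    """Permissions attach to roles, roles to groups, users to groups.

    Hypothetical model with constructed data. Direct user grants are kept
    in the data on purpose so the audit can flag them as the anti-pattern
    described above.
    """

    def __init__(self, roles, groups, users):
        self.roles = copy.deepcopy(roles)
        self.groups = copy.deepcopy(groups)
        self.users = copy.deepcopy(users)

    def effective(self, user):
        """Map each permission the user holds to the path(s) granting it."""
        paths = {}
        for group in self.users[user]["groups"]:
            for role in self.groups[group]:
                for perm in self.roles[role]:
                    paths.setdefault(perm, set()).add(f"{group}/{role}")
        for perm in self.users[user]["direct"]:
            paths.setdefault(perm, set()).add("direct")
        return paths

    def explain_diff(self, user_a, user_b):
        """Permissions only user_a has and only user_b has, with the granting path,
        which answers 'why can user 1 do what user 2 cannot'."""
        a, b = self.effective(user_a), self.effective(user_b)
        return ({p: a[p] for p in a.keys() - b.keys()},
                {p: b[p] for p in b.keys() - a.keys()})

    def direct_grants(self):
        """Users holding permissions outside the role/group structure."""
        return {u: sorted(d["direct"]) for u, d in self.users.items() if d["direct"]}

    def revoke_role_from_group(self, group, role):
        """Remove a role from a group and report who lost which permissions."""
        before = {u: set(self.effective(u)) for u in self.users}
        self.groups[group].discard(role)
        lost = {}
        for u in self.users:
            gone = before[u] - set(self.effective(u))
            if gone:
                lost[u] = sorted(gone)
        return lost


# Constructed example data (not a real environment).
ROLES = {
    "billing-reader": {"invoices:read", "customers:read"},
    "billing-admin": {"invoices:read", "invoices:write", "customers:read"},
    "deployer": {"prod:deploy"},
}
GROUPS = {
    "grp-finance-readonly": {"billing-reader"},
    "grp-finance-ops": {"billing-admin"},
    "grp-release-eng": {"deployer"},
}
USERS = {
    "alice": {"groups": {"grp-finance-readonly"}, "direct": set()},
    "bob": {"groups": {"grp-finance-ops"}, "direct": set()},
    # carol was given prod:deploy directly, bypassing the group structure.
    "carol": {"groups": {"grp-finance-readonly"}, "direct": {"prod:deploy"}},
    "dave": {"groups": {"grp-release-eng"}, "direct": set()},
}


def demo():
    m = AccessModel(ROLES, GROUPS, USERS)
    only_bob, only_alice = m.explain_diff("bob", "alice")
    print("bob but not alice:", only_bob)        # invoices:write via grp-finance-ops/billing-admin
    print("direct grants:", m.direct_grants())   # carol holds prod:deploy outside any group
    print("lost on revoke:", m.revoke_role_from_group("grp-release-eng", "deployer"))  # dave
    print("still direct:", m.direct_grants())    # carol's direct grant is untouched
    return m


if __name__ == "__main__":
    demo()
```

In a real directory the "direct" bucket is whatever the platform calls permissions attached to a user rather than to a group, for example an inline policy on an AWS IAM user; listing those is the first pass of the cleanup Holton describes.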

The fundamentals that still fail

Many security failures stem from organizations not executing the basics. James Sparenberg of Insight Global pointed to patching as a prime example: "Regular, rhythmic, predictable, and timely patching. Think about the number of times that you've seen XYZ corporation compromised because an exploit that the software maker patched back in March was exploited, and that's how the bad guys got in. Drop all the excuses, put out the effort, and patch/upgrade." Roy Ludmir of CalCom emphasized configuration management, particularly for critical infrastructure. "Secured configuration and hardening, especially of critical assets such as servers and particularly DCs (domain controllers) and internet-facing servers," he noted.
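A patch-cadence check in the spirit of Sparenberg's "patched back in March" point, as an added example (not code from the episode or any vendor). The vendor release histories, the inventory and the severity-based SLA are all constructed and hypothetical; the report measures, per host, how many days a fix that already shipped has been left uninstalled and whether that exceeds the policy window.

```python
from datetime import date

# Hypothetical policy: maximum days between a vendor fix shipping and it
# being installed, keyed by the severity of what the fix addresses.
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}

# Constructed vendor release histories (version, release date, severity of
# the issue fixed; None for a release with no security content). Not real
# products or advisories.
RELEASES = {
    "webapp-runtime": [
        ("4.1.0", date(2025, 11, 3), None),
        ("4.1.1", date(2026, 1, 7), "critical"),
        ("4.1.2", date(2026, 1, 28), "medium"),
    ],
    "vpn-gateway": [
        ("7.2", date(2025, 9, 15), None),
        ("7.3", date(2025, 12, 1), "high"),
    ],
}

# Constructed inventory of what is actually installed where.
INVENTORY = [
    {"host": "web-01", "package": "webapp-runtime", "version": "4.1.0"},
    {"host": "web-02", "package": "webapp-runtime", "version": "4.1.2"},
    {"host": "web-03", "package": "webapp-runtime", "version": "4.1.1"},
    {"host": "vpn-edge", "package": "vpn-gateway", "version": "7.2"},
]

# Fixed report date so the example is reproducible.
REPORT_DATE = date(2026, 2, 6)


def parse_version(version):
    """Dotted numeric versions only; real inventories need a richer parser."""
    return tuple(int(part) for part in version.split("."))


def missing_fixes(package, installed, releases=RELEASES):
    """Security-relevant releases newer than the installed version."""
    current = parse_version(installed)
    return [(ver, shipped, sev) for ver, shipped, sev in releases[package]
            if parse_version(ver) > current and sev is not None]


def exposure_report(inventory, today, sla=PATCH_SLA_DAYS):
    """One finding per host/package that is behind a security fix.

    Exposure is counted from the oldest unapplied fix (the window an
    attacker has had), and the SLA is taken from the most severe one.
    """
    findings = []
    for item in inventory:
        fixes = missing_fixes(item["package"], item["version"])
        if not fixes:
            continue
        oldest_fix = min(shipped for _, shipped, _ in fixes)
        worst = min((sev for _, _, sev in fixes), key=sla.__getitem__)
        days = (today - oldest_fix).days
        findings.append({
            "host": item["host"],
            "package": item["package"],
            "installed": item["version"],
            "missing": [ver for ver, _, _ in fixes],
            "severity": worst,
            "days_exposed": days,
            "sla_breached": days > sla[worst],
        })
    return findings


if __name__ == "__main__":
    for f in exposure_report(INVENTORY, REPORT_DATE):
        flag = "BREACH" if f["sla_breached"] else "ok"
        print(f"{f['host']:8} {f['package']:15} {f['installed']:6} -> "
              f"{f['missing'][-1]:6} {f['severity']:8} {f['days_exposed']:3}d {flag}")
```

Counting from the oldest missing fix rather than the newest is deliberate: a host two releases behind has been exposed since the first one shipped, which is exactly the "patched back in March" situation.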

Know what you have

If you build security controls without an accurate asset inventory, you're guessing. "Least sexy is tracking your assets (hardware, software/services, vendors, identities, stacks, etc.) and the associated security architecture," said Ben Habing of Kroll. "Everything else hinges on those two key tenets. If I don't know what I have, less so how it's built, I don't have a chance of stopping any attack." Amy Chaney of Citi argued that basic hygiene controls, had they been in place years ago, would have limited or prevented almost all of the past decade's successful attacks. She outlined the critical questions we should all be asking: "Is the configuration management database accurate and fully described? Are all data flows known, de-risked, controlled, and observed? Is access granted only for understood business purposes, least privileged, and available only when required? Do we only put sensitive data into secured environments, from the sandbox to production?" Without this foundational visibility, security teams are throwing defenses at a wall while attackers walk through open doors.
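One way to put Chaney's first question, whether the CMDB is accurate, to a test, as an added example with constructed CMDB and discovery records (not the page's or any product's code; hostnames, owners and field names are hypothetical). Reconciling the inventory of record against what is actually observed surfaces assets live on the network but absent from the CMDB, CMDB entries no longer seen, attribute drift, and records with no accountable owner.

```python
from datetime import date, timedelta

# Constructed CMDB export: what the organisation believes it owns.
CMDB = [
    {"hostname": "WEB-01.corp.example", "owner": "platform-team", "os": "Ubuntu 22.04"},
    {"hostname": "db-01.corp.example", "owner": "", "os": "RHEL 9"},
    {"hostname": "legacy-ftp.corp.example", "owner": "infra", "os": "Windows Server 2012"},
]

# Constructed discovery results (the shape a scanner, DHCP export or cloud
# API listing might give), with the last day each asset was observed.
DISCOVERED = [
    {"hostname": "web-01.corp.example", "os": "Ubuntu 22.04", "last_seen": date(2026, 2, 5)},
    {"hostname": "db-01.corp.example", "os": "RHEL 8", "last_seen": date(2026, 2, 5)},
    {"hostname": "jump-box-tmp.corp.example", "os": "Ubuntu 24.04", "last_seen": date(2026, 2, 4)},
    {"hostname": "legacy-ftp.corp.example", "os": "Windows Server 2012", "last_seen": date(2025, 10, 1)},
]

# Fixed date so the example is reproducible.
TODAY = date(2026, 2, 6)


def normalize(hostname):
    """Case-insensitive short name: CMDBs and scanners rarely agree on form."""
    return hostname.strip().lower().split(".")[0]


def reconcile(cmdb, discovered, today, stale_after_days=30):
    """Compare the inventory of record with what is actually observed."""
    known = {normalize(r["hostname"]): r for r in cmdb}
    seen = {normalize(r["hostname"]): r for r in discovered}
    stale_before = today - timedelta(days=stale_after_days)
    both = known.keys() & seen.keys()

    return {
        # Live on the network but absent from the CMDB: nobody is defending it.
        "unknown": sorted(seen.keys() - known.keys()),
        # In the CMDB but never observed, or not observed within the window.
        "ghost": sorted(
            list(known.keys() - seen.keys())
            + [n for n in both if seen[n]["last_seen"] < stale_before]
        ),
        # Recorded attributes disagree with reality (record, observed).
        "drift": sorted(
            (n, known[n]["os"], seen[n]["os"])
            for n in both if known[n]["os"] != seen[n]["os"]
        ),
        # No owner means no one to ask when it breaks or is breached.
        "unowned": sorted(n for n, r in known.items() if not r["owner"]),
    }


if __name__ == "__main__":
    for category, items in reconcile(CMDB, DISCOVERED, TODAY).items():
        print(f"{category:8}: {items}")
```

Each bucket maps to a different owner conversation: "unknown" goes to whoever stood the box up, "ghost" to decommissioning, "drift" to whoever patched or rebuilt the host without updating the record, and "unowned" to the CMDB's own data quality.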

Simple controls, outsized impact

Some of the most effective controls are remarkably low-tech. Robin Oldham of Cydea pointed to a completely non-technical measure: "finance callbacks (to known good numbers) to verify new/changed payees." Emma Kelly of SafePaaS highlighted segregation of duties as another unglamorous essential. "Making sure no single person can both initiate and approve sensitive actions (like account creation, code deployment, or financial transactions)," she explained. "This dramatically reduces insider risk and can limit the blast radius of compromised accounts." These controls aren't as flashy as the latest AI-powered tools. But they address fundamental attack vectors that continue to succeed precisely because organizations overlook them in favor of more exciting technology.
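Kelly's segregation-of-duties control expressed as detection logic over an audit trail, as an added example (not code from the episode or any vendor; the log lines, actors, event names and field names are constructed). The detective check flags any object where one actor both initiated and approved, or where an approval has no recorded initiation behind it; the preventive gate refuses an approval from anyone who initiated the action.

```python
from collections import defaultdict

# Constructed audit trail. Field and event names are hypothetical; a real
# system's log would need mapping onto "initiate" and "approve" semantics.
AUDIT_LOG = [
    {"ts": "2026-02-03T09:12:00Z", "actor": "maria", "event": "payment.initiated", "object": "PAY-1041"},
    {"ts": "2026-02-03T09:40:00Z", "actor": "tom", "event": "payment.approved", "object": "PAY-1041"},
    {"ts": "2026-02-03T10:02:00Z", "actor": "maria", "event": "payment.initiated", "object": "PAY-1042"},
    {"ts": "2026-02-03T10:03:00Z", "actor": "maria", "event": "payment.approved", "object": "PAY-1042"},
    {"ts": "2026-02-04T14:20:00Z", "actor": "svc-deploy", "event": "deploy.initiated", "object": "REL-77"},
    {"ts": "2026-02-04T14:21:00Z", "actor": "svc-deploy", "event": "deploy.approved", "object": "REL-77"},
    {"ts": "2026-02-04T16:00:00Z", "actor": "admin-lee", "event": "account.created", "object": "user:contractor9"},
    {"ts": "2026-02-04T16:05:00Z", "actor": "admin-lee", "event": "account.approved", "object": "user:contractor9"},
    {"ts": "2026-02-05T08:00:00Z", "actor": "tom", "event": "payment.approved", "object": "PAY-1050"},
]

# Which events count as the two halves of a sensitive action.
INITIATE_EVENTS = {"payment.initiated", "deploy.initiated", "account.created"}
APPROVE_EVENTS = {"payment.approved", "deploy.approved", "account.approved"}


def sod_violations(log):
    """Detective control: objects where one actor did both halves, or where
    an approval exists with no recorded initiation to approve."""
    sides = defaultdict(lambda: {"initiators": set(), "approvers": set()})
    for e in log:
        if e["event"] in INITIATE_EVENTS:
            sides[e["object"]]["initiators"].add(e["actor"])
        elif e["event"] in APPROVE_EVENTS:
            sides[e["object"]]["approvers"].add(e["actor"])

    findings = []
    for obj, s in sorted(sides.items()):
        both = s["initiators"] & s["approvers"]
        if both:
            findings.append({"object": obj,
                             "issue": "same actor initiated and approved",
                             "actors": sorted(both)})
        elif s["approvers"] and not s["initiators"]:
            findings.append({"object": obj,
                             "issue": "approved with no recorded initiation",
                             "actors": sorted(s["approvers"])})
    return findings


def can_approve(actor, obj, log):
    """Preventive control: an approval is valid only if something was
    initiated and the approver is not among its initiators."""
    initiators = {e["actor"] for e in log
                  if e["object"] == obj and e["event"] in INITIATE_EVENTS}
    return bool(initiators) and actor not in initiators


if __name__ == "__main__":
    for f in sod_violations(AUDIT_LOG):
        print(f"{f['object']:18} {f['issue']:40} {','.join(f['actors'])}")
```

The service-account case (REL-77) is the one that usually slips through: a pipeline identity that both requests and approves its own deployment satisfies a two-step workflow on paper while giving whoever controls that token the full blast radius Kelly describes.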

Please listen to the full episode on your favorite podcast app, or over on our blog, where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, ThreatLocker

Join CISO Series Podcast live at ThreatLocker's Zero Trust World 2026, March 4-6, 2026 in Orlando, FL. Use coupon code ZTWCISOSERIES26 to get $200 off your ticket.

Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

Experience the CISO Series Podcast LIVE in Orlando, FL (3-6-26)

Get away from the snow and head to Orlando for a CISO Series Podcast live recording!

We’re recording a podcast episode at Zero Trust World 2026. Joining David Spark on stage for the recording will be CISO Series co-host Michelle Wilson, CISO, Movement Mortgage, and our sponsored guest Rob Allen, chief product officer, ThreatLocker.

The event runs from March 4 through 6, and the live recording will be on the 6th.

Get all of the info you need here, and register for the event here.

Big thanks to our sponsor, ThreatLocker

Cybersecurity Headlines - Department of Know

Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.

Monday’s episode featured Steve Zalewski, co-host, Defense in Depth, and Nick Espinosa, host, The Deep Dive Radio Show. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.

Join us again next week, and every Monday.

Thanks to our Cybersecurity Headlines sponsor, Strike 48

Cybersecurity Headlines - Daily News Shorts

Subscribe to the CISO Series YouTube channel, for daily shorts videos from CISO Series reporter, Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.

Cyber chatter from around the web...
Jump in on these conversations

“When did ‘security engineering’ become mostly about managing noise?” (More here)

“Do security teams realistically have time to monitor honeypots?” (More here)

“what gives better practical experience, tryhackme or hackthebox?” (More here)

Coming up in the weeks ahead on Super Cyber Friday:

  • [02-06-26] “Hacking Analyst Happiness”

  • [02-20-26] “Hacking the Future of Log Data”

Save your spot and register for them all now!

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.