Join us tomorrow for "Hacking Security Theater"
Super Cyber Fridays!
Join us TOMORROW, Friday [09-26-25], for "Hacking Security Theater"

Join us Friday, September 26, 2025, for “Hacking Security Theater: An hour of critical thinking about compliance checkboxes that don't actually improve security.”
It all begins at 1 PM ET/10 AM PT on Friday, September 26 with guests Steve Zalewski, co-host, Defense in Depth, and Jonathan Waldrop, former CISO, The Weather Company. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Defense in Depth
How Can Security Vendors Better Stand Out?
We like to think the best product will stand out in the market. In cybersecurity, is it enough to just be great? When there are so many vendors selling to so few customers, how do security vendors get noticed?
Check out this post by David Mundy of Tuskira for the discussion that is the basis of our conversation on this week’s episode co-hosted by David Spark, the producer of CISO Series, and Edward Contreras, senior EVP and CISO, Frost Bank. Joining them is Jason Taule, CISO, Luminis Health.
Listen to the full episode here.
ROI challenges
It's no secret that cybersecurity suffers from a business justification problem. "Cyber indeed has some unique aspects such as a real inability to articulate ROI in many cases, trying to drive investment for a product that may or may not stop something from occurring, which probabilistically may not happen," said Chris Hughes of Aquia. This uncertainty makes it nearly impossible for buyers to evaluate competing solutions using standard business metrics. The evaluation process itself lacks transparency and objectivity. Jorge Monteiro of ETHIACK questions whether the industry can move beyond analyst-driven assessments, saying, "If the best product wins, how can we make product evaluations more transparent? Can we create public benchmarks that really let vendors compete on technical stuff or are we just relying on Gartner and analysts?" Purchasing decisions depend more on vendor relationships and market positioning than actual product capabilities.
Venture capital saturation
The influx of venture capital into cybersecurity has created an oversupplied market where too many vendors chase too few buyers. Joseph Hoban from RedSeal laid out this reality: "Boatloads of venture money flowing into such a tight space, exploding the number of sellers chasing basically the same number of buyers. Buyers taking cover from this onslaught and coalescing into VC-sponsored advisory groups and/or receding behind their favored procurement partners... It's not as easy as it used to be." This oversaturation has forced a complete rethinking of go-to-market strategies. The old approaches no longer work. "Everyone's out here trying to 'optimize their GTM' like it's 2015. It's not. The game changed. The math changed. Most people just haven't emotionally accepted it yet," said Erik Lawrence from INFUSE. Success now requires vendors to anticipate buyer needs before buyers recognize them.
Risk aversion and organizational politics
When career safety and political considerations weigh heavily on cybersecurity purchasing decisions, it's hard for the best product to shine through. Kim Tran from Gimmal explained the buyer's perspective, "It's less about being the best product, and more about buyers, many inexperienced or reluctant, being afraid to make the wrong selections/decisions; it's less about the cost of doing nothing, and more about the cost of doing something—how much social capital/credit am I willing to spend convincing and fighting with my executives and CFO that we need this?" This risk-averse environment means buyers worry more about implementation failure than about missing a superior solution. "Everything in my job is politics. The best product is the one that can articulately explain the pain, the resolution, and the price without causing cognitive burden," said Virginia Case of STRATAC.
A GTM transformation
If traditional sales and marketing are obsolete, the cybersecurity industry requires completely new strategies for vendor success. "This isn't just another marketing challenge. It's a full-on market compression crisis. 4,000 vendors. 10,000 buyers. A few slots a year. No playbook written five years ago can solve today's math," said Praneeta Deshpande-Paradkar from Quilr. However, this compression creates opportunities for vendors willing to abandon conventional wisdom. "It's the companies that dare to rethink GTM—who build trust faster, create ecosystems not just customer lists, and who treat relationships as assets—that are breaking through." Success requires understanding that "chaos rewards the bold" while focusing on what security leaders actually need rather than what vendors want to sell.
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Huge thanks to our sponsor, Doppel
Subscribe
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
PREVIEW: CISO Series Podcast LIVE in Houston, TX 9-30-25
The CISO Series Podcast is heading to HOU.SEC.CON. to record in front of a live audience with Jerich Beason, CISO, WM, and Jack Leidecker, CISO, Gong (not Mary Rose as is mentioned in the video).
The conference takes place September 30–October 1, 2025, at the George R. Brown Convention Center in Houston, Texas.
Register for the conference here.
We'll also be playing a new game, Cyber Feud! Help us prepare for this game by filling out our quick, 5-question survey.
Huge thanks to our sponsor, Vorlon Security
Reddit ‘Ask Me Anything’ – September 2025
Our monthly AMA on r/cybersecurity on Reddit has begun! Our topic is "I’m a security professional who had to clean up a mess. Ask Me Anything."
We’ve assembled a panel of security leaders to discuss a topic many professionals know firsthand: cleaning up after a cybersecurity mess. They’re here all week to share how they handled tough situations, what they learned, and how those lessons can help others facing similar challenges.
Please ask questions for our participants here.
This month’s participants are:
Dan Holden, (u/desmondholden), CISO, BigCommerce
Montez Fitzpatrick (u/Beneficial-Expert635), CISO, NavVis
Steve Zalewski (u/cybersecsteve), co-host, Defense in Depth
Nick Espinosa (u/NickAEsp), host, The Deep Dive Radio Show
Bil Harmer, CISSP, CISM, CIPP (u/wilharm3), information security advisor, Craft Ventures
Thanks to all of our participants for contributing!
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Brett Conlon, CISO, American Century Investments.
Thanks to our Cyber Security Headlines sponsor, Conveyor
Cyber chatter from around the web...
Jump in on these conversations
“Security operation from hell.” (More here)
“Great Firewall leak just dropped half a terabyte of code and docs how do you even defend against that.” (More here)
“The US is now the largest investor in commercial spyware.” (More here)
Coming up in the weeks ahead on Super Cyber Friday we have:
[09-26-25] Hacking Security Theater
[10-17-25] Hacking Next Gen Data Threats
Save your spot and register for them all now!
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.