Join us tomorrow for "Hacking Social Engineering"
Super Cyber Fridays!
Join us TOMORROW, Friday [04-11-25], for "Hacking Social Engineering"
Join us Friday, April 11, 2025, for “Hacking Social Engineering”: An hour of critical thinking about how a lack of controls sets us up for financial loss.
It all begins at 1 PM ET/10 AM PT on April 11, 2025 with guests Michael Scott, CMO, Trustmi, and Phil Beyer, Head of Security, Flex. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, TrustMi
Defense in Depth
Are New Gartner-Created Categories/Acronyms Helping or Hurting the Cybersecurity Industry?
It seems like cybersecurity is content to suffer death by a thousand Gartner quadrants. Why do we insist on complicating an industry that's begging for simplification?
Check out this post from Caleb Sima of WhiteRabbit for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap. Joining us is Alex Hutton, CISO, Atlantic Union Bank.
The race to differentiate
The growing wave of new cybersecurity categories and acronyms is doing more to confuse than clarify. Ron Reiter of Sentra noted, “Start-ups are trying to differentiate themselves between existing security vendors, and between the other incumbents. If you don't have an edge in your storytelling above your direct competitors, CISOs will not even give you a chance because you're yet another start-up.” He added that new terms also aim to “simplify budgeting for security tools,” making it easier to justify additional spending—“it’s easier to pitch a DSPM rather than a ‘tool that automatically detects all of the sensitive data in the cloud, understands if it is currently at risk and what to do to mitigate that risk,’ which is not what a CSPM does, or is supposed to do.” But not everyone sees value in the acronym arms race. “As a vendor, I don't even think it helps us,” said Martin Bakal of MITRE. “Too much confusion means we have to research and explain more, all for the same thing.”
Don’t blame Gartner
Some new cybersecurity categories come from natural evolution rather than a shallow marketing ploy. “The fact that there are prior market constructs suggests that there will always be new constructs,” said Neal Hartsell of Gradient Cyber. “To say otherwise means that one somehow adheres strictly to the prior set, which is a function of what we knew about data ingest, analysis, and output representation at the time. It’s merely evolution.” Landon Winkelvoss of Nisos acknowledged the reality of the current system: “Right, wrong, or indifferent, the Gartner Quadrants are often viewed as the pinnacle of reaching that differentiation, as often informed from the buyers—cybersecurity practitioners and defenders—and vendors. If only there were a better way.”
Simplifying is complicated
There's an ongoing push to simplify communication and align around common frameworks in response to this categorical complexity. “Simplifying rather complex challenges isn't as easy as it sounds, especially with the rate at which technology changes,” said Joshua Saleh of ITM.CX. “The tech industry as a whole is constantly evolving, so keeping current is a never-ending mission.” David Lamb of Charles Schwab echoed the need for shared understanding across the industry, asking, “What if there was some kind of framework that listed out controls that translated into domains of security capabilities. That could be used for these security products to communicate what they do for the technology security posture for business enablement.”
Seeking connection
The explosion of acronyms in cybersecurity isn’t just confusing—it’s often inconsistent and disconnected from real solutions. “It would be great if the acronyms were at least used consistently,” said Ajish George of State Street. “Some of these are applied to various tools and projects more as wishful thinking and the need to populate a sparse quadrant or wave board rather than as any sort of meaningful taxonomy of the vendor ecosystem. CAASM, CCM, CSPM, XDR, LMAO, are all as labile as shifting sands and used to bolt together non-existent categories with a marketing flyer.”
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Huge thanks to our sponsor, ThreatLocker
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Join us for the Cyber Strikes & Security Insights RSA Happy Hour!
If you're looking for a night of networking, bowling, and games, then you need to join David Spark for our meetup in San Francisco to kick off RSA week. The event is free but you need to register!
EVENT: Cyber Strikes & Security Insights
WHERE: Lucky Strike San Francisco, 200 King St, San Francisco, CA 94107-1702 (MAP)
WHEN: Monday, April 28, 2025, starting at 7pm
Thanks to our sponsor, Vanta!
Security You Should Know
Managing Compliance and Risk with Hyperproof
The tendency to focus on merely checking boxes to achieve compliance can lead to superficial solutions that may not effectively reduce operational risk. A strategic pivot towards ensuring compliance through holistic security measures is key; long-term, it demands less effort and provides more substantial protection.
In this episode, Craig Unger, founder and CEO of Hyperproof, discusses the company's efforts to help companies achieve compliance and manage third-party risks. Craig is joined by our panelists, Trina Ford, CISO of iHeartMedia, and former CISO TC Niedzialkowski.
Listen to the full episode here.
Thanks to our sponsor, Hyperproof
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Carla Sweeney, SVP, InfoSec, Red Ventures.
Thanks to our Cyber Security Headlines sponsor, Nudge Security.
Cyber chatter from around the web...
Jump in on these conversations
"What will you learn in cyber security if you have 4hrs everyday with unrestricted internet access?" (More here)
"A simple solution to decrease high turnover rates for CyberSecurity Professionals and attract talent." (More here)
"Should our MSSP SOC be sending us every single alert the SIEM generates?" (More here)
Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:
[04-11-25] Hacking Social Engineering
[04-18-25] Hacking the Evolving DDoS
[04-25-25] Hacking Your Risk
Save your spot and register for them all now!
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship, contact me, David Spark.