Join us tomorrow for "Hacking Tabletop Exercises"

Super Cyber Fridays!
Join us TOMORROW, Friday, August 22, 2025, for "Hacking Tabletop Exercises"

Join us Friday, August 22, 2025, for “Hacking Tabletop Exercises: An hour of critical thinking about how to get better value out of running disaster scenarios.”

It all begins at 1 PM ET/10 AM PT with guests Raj Singh, CISO – North America, Sagility, and Brett Conlon, CISO, American Century Investments. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Defense in Depth
Do You Have a Functional Policy or Did You Just Write One?

Policies provide a great start, but they can't do anything by themselves. What kind of support does cybersecurity need from the organization to make policies meaningful?

Check out this post by Alan Wilemon of KirkpatrickPrice for the discussion that is the basis of our conversation on this week’s episode, co-hosted by David Spark, the producer of CISO Series, and Edward Contreras, senior EVP and CISO, Frost Bank. Joining them is Justin Berman, VP of engineering and CISO, StockApp.

Listen to the full episode here.

Maps without transportation

Cybersecurity policies without implementation controls are exercises in futility. Alban Fernandes cut to the heart of the issue when he said, "Having a policy but no control over its implementation can be compared to having a map but no means of transportation." The analogy is perfect; guidelines without enforcement mechanisms are just expensive paperwork.

Aysun Güneren of Novartis adds that successful policies need comprehensive lifecycle management, from initial training through regular updates and eventual retirement, warning that "a smooth and simple process is key to avoid unnecessary bureaucracy."

The untouchable employee problem

Every CISO knows this scenario: You craft bulletproof policies, get C-suite approval, then watch enforcement crumble for that one "special" employee. "There is always that one special character that is exempt from enforcement because it would make their life a bit more difficult," observes Nino Renzi. "Every organization has at least one of these employees where the password does not expire, or can't have MFA."

Bilal Iqbal of McKesson argues the solution requires organizational commitment beyond documentation. Policies need "enabling support in the form of awareness communication, training on mechanisms to comply, metrics to track compliance, and reinforcement steps."

Attestation theater

Policy attestation has become security theater. How often do employees click "I agree" without reading a word? Tiana Tew of Cadence Bank poses the uncomfortable question: "How many folks are actually reading before marking it as read?" She advocates for interactive training over checkbox compliance.

It doesn't take long to get stuck in an audit-driven policy trap. Merrill Albert warned about this, saying, "Policies without comprehension are just paperwork. The thing that bothers me is when companies create policies because an audit told them to, but they really don't care other than checking a box."

The lightbulb moment

Real policy understanding happens through practical, hands-on training that creates genuine "aha" moments. Sara Tumpek of Decathlon Austria describes the transformation: "Yesterday I held three different training sessions for our teams. It was amazing to see my colleagues experiencing real 'wow' moments." Her approach focuses on real-life examples that connect security principles to daily work. This kind of effective training builds bridges between security teams and the business rather than settling for checking compliance boxes.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Huge thanks to our sponsor, SecurityPal


Subscribe
Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

Using Configuration Management to Build Resilience

At Black Hat 2025, David Spark spoke with sponsored guest Danny Jenkins, CEO at ThreatLocker, to discuss a sobering reality: 90% of successful ransomware attacks happen because security tools weren’t properly configured.

To address this, ThreatLocker built DAC (Defense Against Configuration)—a system that runs 170 daily checks on every endpoint to catch the most common configuration mistakes, identified from tens of thousands of support tickets.

As Danny put it: “If you think something in cybersecurity is set and forget, you’re going to get bit in the backside.”

The challenge isn’t just deploying tools—it’s ensuring they keep working months later.

Read the full article and watch the video here.

Huge thanks to our sponsor, ThreatLocker

Navigating Security Careers In and Out of Government

Last month’s r/cybersecurity AMA tackled the pros and cons of working in both government and private sector security roles. We were joined by:

Our participants shared candid insights on job stability, security clearances, career pivots, and how to frame your experience when making the leap between sectors. Their stories showed there’s no single “right” career path—just a series of choices that align with your risk tolerance, mission, and growth goals.

Up next, starting Sunday, August 24: "I’m a CISO who made the business care about cybersecurity. Ask me anything." Join on r/cybersecurity, and bring questions!

LIVE!
Cyber Security Headlines - Week in Review

Join us on YouTube for a special five-year anniversary edition of Cyber Security Headlines: Week in Review.

For this milestone episode, we’re bringing together three of our CISO Series reporters — Rich Stroffolino, Steve Prentice, and Hadas Cassorla — for an on-air roundtable. Plus, we’ll hear special video messages from our other two reporters, Lauren Verno and Sarah Lane.

We’ll still cover the week’s biggest cybersecurity headlines, but we’ll also look back at five years of reporting the stories that shape our industry.

Thanks to our Cyber Security Headlines sponsor, Conveyor


Cyber chatter from around the web...
Jump in on these conversations

“Facial search tools - New security threat vector?” (More here)

“When should you look at switching companies?” (More here)

“What are your favorite open-source or free security tools?” (More here)

Coming up on Super Cyber Friday:

  • 08-22-2025: Hacking Tabletop Exercises

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.