Join us tomorrow for "Hacking Toxic Culture"
Super Cyber Fridays!
Join us TOMORROW, Friday [08-08-25], for "Hacking Toxic Culture"
Join us Friday, August 8, 2025, for “Hacking Toxic Culture: An hour of critical thinking about how and why we poison the well in cybersecurity.”
It all begins at 1 PM ET/10 AM PT on Friday, August 8 with guests Mike Lockhart, CISO, EagleView, and Ross Young, CISO-in-residence, Team8. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Defense in Depth
Cybersecurity Has a Prioritization Problem
If all it took was effort to keep an organization secure, we'd see fewer breaches. Our industry doesn't suffer from a lack of work ethic, but are we spending those energies chasing the wrong thing?
Check out this post by Rinki Sethi, CSO at Upwind Security, for the discussion that is the basis of our conversation on this week’s episode, co-hosted by David Spark, the producer of CISO Series, and Steve Zalewski. Joining them is Terry O'Daniel, former CISO at Amplitude.
Listen to the full episode here.
Beyond prioritization: aligning risk with reality
Security teams often talk about prioritization, but that’s only part of the equation. As Ayoub Fandi of GitLab points out, a well-managed risk register should tie technical risks to engineering workflows, including understanding who within the organization moves the needle. “Even with good prioritisation, if we don't survey the stakeholder landscape… we can have the right number 1 risk and still have no meaningful mitigation,” Fandi said.
Mike McGilvray of Prudent Technologies echoes the need for relevance over routine. “If you’re not conversing with your vendors about what’s important to you, then you’re just doing the same old thing that isn’t working.”
From signals to strategy
Security tools are plentiful, but turning data into actionable insights remains a challenge. “There are clearly enough tools that do the identification part right,” said Ashish Popli. But understanding “what will break us” at scale requires modeling the attack surface and using algorithmic analysis to simulate threats and possible outcomes.
Anthony Martin of Walmart highlights another missing link: communication. “Security teams often have enough ‘tools’ but are limited in their effectiveness by ineffective communication of their really difficult subject matter in the appropriate business context,” he said. It's hard to point to the value of security when your insights aren’t framed in terms the business understands.
The Case for Maturity Models
Security leaders remain divided on the value of maturity models, but many still see them as essential. They're often used in aviation and in firefighting. “Checkboxes are never a bad idea, especially before a release,” said Jean-Philippe Martin of Start with WCPGW. “Measuring efficiency/performance and measuring maturity are not mutually exclusive.”
Ran Nahmias of Tamnoon agrees, noting that regulatory expectations haven’t gone away. “Maturity models still have a valuable place,” he said, especially when it comes to proving value to stakeholders outside the security team.
Security Starts With Culture
When security feels like just another checkbox, something else, probably more profound, is broken. “It’s a culture problem,” said Nick Karaskiewicz of Baxter International. “Security is a cultural choice which, when evangelized appropriately… becomes a proactive approach.”
However, culture doesn’t grow in a vacuum. It depends on who is doing the work and how they’re supported. Thomas McCourt of Blue Team Tom Consulting called out the lack of experience and investment in many security teams. “A lot of companies aren’t upskilling their workers,” he said. “Most cybersecurity companies employ tools with a ‘set it and forget it’ mentality.” McCourt called for better processes, more accountability, and more transparency. Maturity in the field starts with maturity in how we develop people.
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Huge thanks to our sponsor, SecurityPal AI
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Montez Fitzpatrick, CISO, Navvis.
Thanks to our Cyber Security Headlines sponsor, ThreatLocker
Cyber chatter from around the web...
Jump in on these conversations
“How are people securing payment portals without a big IT team?” (More here)
“Do you guys see a future for domain level expertise in healthcare cybersecurity?” (More here)
“What’s one skill you wish analysts had on your team?” (More here)
Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:
[08-08-25] Hacking Toxic Culture
[08-15-25] Hacking Burnout
[08-22-25] Hacking Tabletop Exercises
Save your spot and register for them all now!
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.