Join us tomorrow for "Hacking Vendor Trust"


Join us Friday, April 10, 2026, for “Hacking Vendor Trust: An hour of critical thinking about how to build a partnership that spans people and products.”

It all begins at 1 PM ET/10 AM PT tomorrow, with guests Nick Espinosa, host, The Deep Dive Radio Show, and Michael Bickford, CISO, New York State Gaming Commission. We'll have fun conversation and games, plus at the end of the hour we'll do our meetup in breakout rooms.

Register for the Super Cyber Friday event series. Join us for just this episode, or choose to register for all of our upcoming episodes in this ongoing event series.

Defense in Depth
How Should We Measure the Performance of a CISO?

How does the business determine what counts as success for a CISO? What warrants a raise in salary?

Check out this post from the cybersecurity subreddit for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark, the producer of CISO Series, and Edward Contreras, senior EVP and CISO, Frost Bank. Joining us is Jason Richards, VP, information security, CHG Healthcare.

Listen to the full episode here.

Likability as a career strategy

Technical skill opens doors, but personality keeps them open. Making a personable effort with staff matters more than most people admit. "If you are friendly and approachable, you go the furthest. Sitting back and complaining about others being idiots or feeling overlooked rarely changes outcomes and realistically applies damage to your reputation." The upside of being approachable and positive, the same commenter noted, is that others are more likely to advocate for you and pull you into important projects. Public speaking can serve as a key tactical shortcut: "The quickest way to a CISO is to join the public speaking circuit."

The storytelling gap

Measuring security effectiveness is hard. Measuring a CISO's contribution to it is harder. One commenter identified the core problem: the industry lacks widely agreed-upon metrics for security effectiveness, which means success is "hugely dependent on CISO storytelling ability." Another framed metrics not as objective scorecards but as narrative tools. The better questions, they argued, are about what story is being told, what value security is bringing to the organization, and how the program will grow. "Finding a way to quantify this will give you a bargaining chip when it comes time to talk dollars."

How the math actually gets done

Some organizations tie security performance to concrete targets. One practitioner described a system with ten to fifteen measurable metrics baked into target agreements, covering maturity assessment scores, audit findings, and incident thresholds, with goals traceable all the way back to high-level business objectives. Bonus structures, though, tend to work differently. One commenter described a system where bonuses are negotiated at hiring and tied primarily to company performance, with individuals fighting it out with their managers to justify where they land on the rating scale. Another was more direct: technical metrics like MTTR (mean time to recover) or failed audits may inform the picture, but they rarely drive the number on their own. "A lot of the bonus is relationship and vibe driven," they wrote, "within your comp plan and subject to approval by the board."

The unofficial scorecard

What gets written in a performance review and what actually earns goodwill at the executive level are not always the same thing. One commenter laid it out: officially, CISOs are skilled at crafting goals and giving their bosses credit for them. Unofficially, one high-visibility save can outweigh a year of metrics. If a C-level executive gets phished and receives prompt, discreet attention, the commenter noted, the CISO has earned a loyal backer. If the security team is visibly working around the clock after a serious zero-day drops, that effort gets noticed too.

Please listen to the full episode on your favorite podcast app, or over on our blog, where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now (also look at the links below).

Huge thanks to our sponsor, ThreatLocker

Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

What does genuine partnership with a vendor actually look like?


We asked our community, and they didn't hold back. The consensus: real partnerships are built on trust, accountability, and shared investment in outcomes — not just contract cycles.

Featuring:

  • Sam Jacques, VP of clinical engineering, McLaren Health Care

  • Montez Fitzpatrick, CISO, Navvis

  • Mark Eggleston, CISO, CSC

  • Chris Ray, field CTO, GigaOm

  • Krista Arndt, associate CISO, St. Luke's University Health Network

Want to keep the conversation going? Join us tomorrow for Super Cyber Friday, "Hacking Vendor Trust." Register here.

Join the CISO Series Podcast LIVE in Boston (4-30-26)

CISO Series Podcast is recording live at the offices of Aqueduct Technologies in Canton, Massachusetts. David Spark will be joined on stage by Andy Ellis, former CSO at Akamai and Principal at Duha, and Dmitriy Sokolovskiy, Senior VP of Cyber Resilience at Semrush.

All are welcome — whether you're just getting into cybersecurity or you're a seasoned veteran. Space is limited.

It's all happening on Thursday, April 30, 2026 at 5:00 PM. Register here.

Huge thanks to our sponsors, Dropzone AI and Strike48.

Cybersecurity Headlines - Department of Know

Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you'll be having at work all week long.

Monday's episode featured Jack Kufahl, CISO, Michigan Medicine, and Adam Palmer, CISO, First Hawaiian Bank. Missed it? Watch the replay on YouTube and catch up on what's shaping the week in security.

Join us again next week, and every Monday.

Thanks to our Cybersecurity Headlines sponsor, Vanta

Cyber chatter from around the web...
Jump in on these conversations

  • "Am I missing something or are Flock cameras a massive national security threat?" (More here)

  • "Tested our disaster recovery plan for the first time in 2 years - here's what we found and it wasn't pretty" (More here)

  • "Husband may have made a mistake causing a security incident at work" (More here)

Coming up on Super Cyber Friday:

  • [04-10-26] “Hacking Vendor Trust”

  • [04-17-26] “Hacking AI Trust”

  • [04-24-26] “Hacking Trust in Security”

Register for the Super Cyber Friday event series. You can register for all upcoming episodes in this ongoing event series. After you register, you can add events to your calendar right on our event series Airmeet page.

Cybersecurity Headlines - Daily News Shorts

Subscribe to the CISO Series YouTube channel for daily Shorts videos from CISO Series reporter Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.