New Study Finds No Email Has Ever “Found You Well”

CISO Series Podcast
New Study Finds No Email Has Ever “Found You Well”


Look at the inbox of any CISO, and you'll either find an endless stream of vendor outreach emails or some very robust filtering rules. Every CISO is quick to point out that the current vendor playbook is vexing and inefficient. So how can the industry create meaningful contact between vendors and CISOs, rather than just defaulting to volume?

This week’s episode is hosted by David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining them is David Cross, CISO, Atlassian.

Listen to the full episode here

Breaking the sales cycle

The cybersecurity sales model remains fundamentally broken. Ask the nearest CISO and you'll hear how they are drowning in hundreds of unpersonalized vendor messages, as recently pointed out by Val Tsanev of Execweb on LinkedIn. The path forward isn't more volume. It's better access through warm introductions and genuine relationship building. Effective vendor engagement requires deep personalization. Vendors need to understand their customers' specific environment, technology stack, and decision-making structure. Skip the generic pitches already! Create an environment where customers can explore solutions without fear of aggressive follow-up campaigns. The most effective sales strategy remains making existing customers extraordinarily happy. It's not that hard.

Leadership under fire

When we talk about leadership skills, we don't bring up staying cool during incidents enough. Levity and emotional command can transform crisis response, as Jerich Beason, CISO, WM, pointed out in a recent LinkedIn post. This composure can transform intensity into productive momentum. You can actively develop this skill. Realistic tabletop exercises can simulate genuine pressure rather than checkbox compliance activities. Military veterans often excel in these situations due to their training in operating under fire and maintaining discipline during very real chaos. This all starts with identifying who will be making what decisions before an incident hits. As the saying goes, plans are useless, planning is essential.

Predicting the unpredictable

When you're asked about the cost of cybersecurity, it's time to embrace intelligent uncertainty rather than pursuing false precision. It's like weather forecasting: the more exact you try to be, the more glaring it is when you're wrong, argued Rob Labbé, CISO-in-residence, Mining and Metals ISAC. A practical framework breaks costs into four components: security spend, incident costs, security friction, and opportunity costs. Base all of this around likelihood versus impact assessments. Start with the heavy hitters, like ransomware that could damage business operations, then work systematically through lower-impact incidents to build cost models.

Security startups' security paradox

Security startups face a credibility challenge. They want to sell security solutions to enterprises, but haven't secured their own nest first. A thread on the cybersecurity subreddit pointed out that this creates significant problems during mergers and acquisitions when security standards are applied, potentially reducing acquisition valuations. Early-stage companies must balance survival needs with security investments. But should security vendors face higher expectations? Customers assume their providers practice what they preach. The solution? Adopt a staged approach to security maturity: crawl, walk, run. This approach should scale as you target larger customers.

Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Dustin Sachs of Cyberrisk Collective for providing our "What's Worse" scenario.

Thanks to our podcast sponsor, ThreatLocker


Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Security You Should Know
Enhancing Humans in Your SOC with RedCarbon

SOCs are drowning in alerts. Human analysts find themselves overwhelmed by the sheer volume of security data generated from multiple tools and platforms. And that’s before we consider the rapid growth in threat actor activity. The traditional approach of manual alert triage, threat hunting, and incident response simply can’t meet the realities of today’s threat landscape.

In this episode, Simone Rapizzi, CSO at RedCarbon, explains how their AI-powered platform uses specialized models to automate threat detection and response while learning from each customer’s unique environment. Joining him are Jonathan Waldrop, former CISO, and John Scrimsher, CISO at Kontoor Brands.

Listen to the episode and find the transcript here.

Huge thanks to our sponsor, RedCarbon


Subscribe to Security You Should Know

Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.

Who should be listening to the CISO Series Podcast?

“Everyone should be listening to this podcast, and this series, because that is how you grow in your network.” - David Cross, CISO, Atlassian

Listen to the full episode of “New Study Finds No Email Has Ever ‘Found You Well’”

Do You Have a Functional Policy or Did You Just Write One?

"My belief is that first and foremost, it’s much more important to implement technical and process controls that create guardrails, so I don’t care if most people comprehend every detail of policy. The average employee is hired to achieve business outcomes, not to memorize security policies. The real focus should be on the subset of policies where human decision-making matters, and that’s where training and reinforcement actually add value." - Justin Berman, formerly vp of platform engineering and CISO at Thirty Madison Health

Listen to the full episode of “Do You Have a Functional Policy or Did You Just Write One?”

Subscribe to our newsletters on LinkedIn!

CISO Series Newsletter - Twice every week

Reddit ‘Ask Me Anything’ – August 2025


Our monthly AMA on r/cybersecurity is live! The topic this month: “I’m a CISO who made the business care about cybersecurity. Ask me anything.”

We’ve brought together a group of security leaders who have successfully bridged the gap between security teams and business stakeholders. They’re here to share how they’ve earned buy-in, influenced priorities, and made security part of the business conversation.

Please post your questions for our panel here.

Our participants are:

Thanks to all of our participants for contributing!

LIVE!
Cyber Security Headlines - Week in Review


Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Johna Till Johnson, CEO and founder, Nemertes.

Thanks to our Cyber Security Headlines sponsor, Prophet Security


Super Cyber Fridays!
Join us in two weeks for “Hacking AI in Meetings”

Join us on Friday, September 5th, 2025, for Super Cyber Friday: “Hacking AI in Meetings: An hour of critical thinking about how to avoid liability while getting value from your recordings.”

It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Joe Essenfeld, CEO, FORA, and Doug Mayer, vp, CISO, WCG, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup, hosted right inside the event platform.

Thanks to our Super Cyber Friday sponsor, FORA


Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.