Our CISO Certainly Puts the Tool in Multi-Tool
CISO Series Podcast
CISOs rarely enter the role as experts in everything. But when they get the job, there's the temptation to try to become a cyber Swiss Army knife. Why do we try to marginally improve our weaknesses when we could just double down on our strengths?
This week’s episode is hosted by David Spark, producer of CISO Series, and Jeff Steadman, deputy CISO, Corning Incorporated. Joining them is Quincey Collins, CSO, Sheppard Mullin. This episode was recorded live at the ISSA LA Summit in Santa Monica, California.
Listen to the full episode here.
The foundational debate
With AI tools increasing automation of what were once entry-level cybersecurity tasks, it might become harder to reveal those fundamental skills. AI tools can't replace the basic understanding needed to validate their outputs, argued Helen Patton of Cisco in a LinkedIn post. Cybersecurity starts with information technology. You still need to grasp how computers, networking, and cloud systems actually work before you can secure them. The triad of confidentiality, integrity, and availability remains essential, and there's no shortcut around it. Without that foundation, professionals won't know when AI is feeding them incorrect information or missing critical context about their environment.
Strength over breadth
Security leaders don't need to master every technical domain. But they must know how to ask the right questions and know when to reach out for help. Understanding encryption, your business operations, and your technology stack matters, but expertise in everything is unrealistic, argued Jerich Beason, CISO, WM. The key is hiring for your gaps and surrounding yourself with people who bring different perspectives. As leaders move up, technical skills naturally fade. That's because their focus needs to move up to strategy. Hiring for your gaps is less about filling in specific certifications and more about finding someone who understands how you think. Culture fit matters more than credentials.
Beyond traditional backgrounds
Attitude, aptitude, and appetite trump specific backgrounds when building a security team. Annalise Lewis and Laura Melissa Williams of Manifesto recently argued for bringing "strategic artists" into cybersecurity leadership. While different perspectives challenge assumptions and modernize processes, practical needs still drive hiring decisions. The whole person matters more than their resume. How someone approaches problems reveals more than where they went to school. Business knowledge does bring immediate value, especially when someone internal wants to move into security. While creative thinking has its place, proven ability to contribute remains the priority.
Keeping perspective on risk
Cybersecurity rarely causes companies to shut down completely. The real business killers are market failures and bad strategy, argued Ross Haleliuk of Venture in Security. That doesn't mean security isn't important, but it does mean keeping perspective. Every business unit matters. Security's job is to mitigate risk, not claim the company can't survive without perfect protection. Risk appetite varies, and sometimes the business will accept risks that security teams would rather avoid. Decision-makers need security to understand what they're signing off on. Security needs a business lens, not just a threat-focused view.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Erkan Sertoğlu of sahibinden.com for providing our "What's Worse" scenario.
Thanks to this episode’s security tip sponsor, Anvilogic
Huge thanks to our sponsors, Adaptive Security and Dropzone AI
Subscribe
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Security You Should Know
Securing Application Delivery with Island
In this episode, Braden Rogers, chief customer officer at Island, explains how their enterprise browser platform rethinks application delivery by building security services natively into the browsing experience. Joining him are Nick Ryan, former CISO, and Janet Heins, CISSP, CISO at ChenMed.
Want to know:
How can you explain browser-based security to your CEO without getting lost in technical details?
What’s the actual architecture when delivering applications through an enterprise browser versus traditional VDI?
How do you roll out a new browser to 20,000 users without creating change management chaos?
What happens to your existing security stack, like proxies, DLP, CASBs, and RBI tools?
Can you give users the freedom to use personal applications while protecting corporate data?
What does the offline experience look like when cloud services go down?
How does browser-based security handle the explosion of AI models in the enterprise?
What’s the difference between browser enforcement and deploying a full enterprise browser?
How do you balance different security controls for different applications without overwhelming users?
What does vendor support look like from proof of concept through deployment?
Read more and listen to the podcast for the answers you need.
Thanks to our podcast sponsor, Island
Subscribe
Subscribe to Security You Should Know
Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.
Biggest mistake I ever made in security…
“Not firing a managed security services provider fast enough.” - Quincey Collins, CSO, Sheppard Mullin
Listen to the full episode of “Our CISO Certainly Puts the Tool in Multi-Tool”
Is Least Privilege Dead?
"Just-in-time provisioning, zero standing access, those are actually pretty good flavors of least privilege. It's just, I think that for the sake of people's understanding or getting twisted in some other form, I don't think it should be taken as, ‘Oh, least privilege is dead. Just go ahead and give everyone the root keys.’" - Julie Tsai, CISO-in-Residence, Ballistic Ventures
Listen to the full episode of “Is Least Privilege Dead?”
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Security You Should Know Newsletter - Weekly
CISO Series meetup in Boston
Live in Boston? Work in cybersecurity? Maybe you're just studying and you want to work in cyber? If any of those are true, then you MUST join us on Monday, November 24th, 2025 for our Boston-based CISO Series meetup!
Join us from 5-7 at City Tap House Boston, 10 Boston Wharf Road, Boston, MA
RSVP Here
Huge thanks to our Boston-based sponsors Entro Security and RoonCyber for hosting this event.
LIVE!
Cyber Security Headlines - Department of Know
Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.
Monday’s episode featured Jacob Combs, CISO, Tandem Diabetes Care, and Ross Young, co-host, CISO Tradecraft. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.
Join us again next week, and every Monday.
Thanks to our Cyber Security Headlines sponsor, Vanta
Super Cyber Fridays!
Join us Friday for “Hacking Cybersecurity Marketing”
Join us on Friday, November 14, 2025, for Super Cyber Friday: “Hacking Cybersecurity Marketing: An hour of critical thinking about how to better speak to the community.”
It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Gianna Whitver, co-founder and CEO, Cybersecurity Marketing Society, and Steve Zalewski, co-host, Defense in Depth, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup, hosted right inside the event platform.
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.