Our Security Team’s Love Language is Buying New Tools

CISO Series Podcast

It's easy to focus on the latest advancements in security tooling. But security incidents often don't happen because you lacked the latest and greatest technology. They happen because your work culture is actively working against your security efforts.

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, principal of Duha. Joining us is our sponsored guest, Tim Leehealey, vp of corporate strategy and operations, Strike48.

Listen to the full episode here.

Defensible, not perfect

Digital forensics teams are told every case is urgent and every finding must be 100% correct. But perfection is the wrong target, argues Eric L. Waldrep of the Waldrep Company. What matters in litigation isn't having complete knowledge of what happened; it's making no claim you can't defend. Opposing counsel rarely attacks your technical analysis. They attack your procedures, your documentation, and your credibility. Get those wrong, and your conclusions don't matter, no matter how technically sound they are. Meanwhile, the ground keeps shifting: OS updates and AI-generated evidence change what artifacts mean in forensics. The real pressure isn't the forensics. It's the paperwork that proves you did the forensics right.

Tools aren't going to save you

Your firewall isn't the problem. Your SIEM isn't the problem. That shiny new EDR tool? Not the problem either. Culture is. Your culture isn't in a set of frameworks or documents; it's defined by every exception you approve, argued Gavriel Schneider in a CSO Online piece. But the fix isn't locking everything down. Security must enable the business, not hinder it. If your controls create friction that the organization can't absorb, people will route around them every time. Start with the culture you have and design security that fits, with exceptions.

Logs are wasted on the SOC

Every AI-powered SIEM startup says the same thing: we'll automate your SOC analysts. But that's just putting a copilot on yesterday's architecture. The more interesting question is what else your logs can do. Organizations are already discovering that the same data powering alert triage can drive fraud detection, network operations, and compliance workflows. The SIEM doesn't have to be a siloed security tool. Treat it as a hub for log-based intelligence, and it becomes much harder to ignore in budget conversations.

The myth of the lone wolf

New research from Black Hat analyzing over a thousand insider threat cases found that nearly a third involved collusion. But these aren't long-running conspiracies that would be at home in a heist movie. They're temporary alliances: two or three employees with complementary access who team up just long enough to bypass controls, then go their separate ways. That makes detection hard because traditional monitoring looks for individual anomalies, not short-lived partnerships. One pattern worth noting: financial fraud tends to stay solo because the perpetrators know exactly what they're doing wrong. IP theft is different. People who think they're outsmarting the system almost always want to bring a friend.

Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Joseph Carson of Segura for providing our "What's Worse" scenario.

Thanks to our podcast sponsor, Strike48

Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Best advice for a CISO…

“Well, I don't know about best advice, but I like the best definition for you. The best definition I ever heard of a CISO is someone who can tell you why the protection architecture he had in place yesterday didn't work. It's just [Laughter] it's the nature of the beast, right? The attack profile is always built around whatever protection architecture's out there today, but the reality is half of your job is explaining why what you had in place didn't work. [Laughter] It's a tough life to lead in some ways.” - Tim Leehealey, vp of corporate strategy and operations, Strike48

Listen to the full episode of “Our Security Team’s Love Language is Buying New Tools”

Should You Phish Your Employees or Not?

"Phishing clicks are not created equal... it's that third level when you start to enter your credentials. That's like the holy sin of phishing simulations, and that's the ones that you really want to make sure you stop people from doing." - Mark Eggleston, CISO, CSC

Listen to the full episode of “Should You Phish Your Employees or Not?”


CISO Series Podcast LIVE in Clearwater, FL 3-3-26

CISO Series Podcast records LIVE TODAY at Convene in Clearwater, Florida! Last chance to join David Spark and Pam Lindemoen, CSO and VP of Strategy, Retail & Hospitality ISAC, and Jason Mayor, Deputy CISO, Raymond James Financial.

Grab your tickets with code CISOPodcast for 15% off. You can find all of the info here.

Thanks to our sponsors, Adaptive Security, KnowBe4 and Zepo Intelligence

How ThreatLocker's Default Deny Stops Mal Advertising Attacks

David Spark speaks with Rob Allen, chief product officer at ThreatLocker, about how threat actors used paid Google ads to distribute malware-laced versions of trusted software—and why traditional antivirus didn't stand a chance.

The conversation covers why detection alone fails when attackers establish persistence within hours, and how prevention-first controls stop threats before they execute. Join us March 4–6 in Orlando, plus a live CISO Series episode on March 6. Get $200 off with ZTWCISO26 at ztw.com.

Thanks to our Premium Video sponsor, ThreatLocker

Cybersecurity Headlines - Department of Know

Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.

Monday’s episode featured Mark Eggleston, CISO, CSC, and Dan Holden, CISO, Commerce. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.

Join us again next week, and every Monday.

Thanks to our Cybersecurity Headlines sponsor, Adaptive Security

Super Cyber Friday
Join us Friday for “Hacking Citizen Developers”

Join us on Friday, March 6, 2026, for Super Cyber Friday: “Hacking Citizen Developers: An hour of critical thinking about how to embrace democratizing development without creating security chaos.”

It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Amichai Shulman, CTO and co-founder, Nokod Security, and Bil Harmer, information security advisor, Craft Ventures, for an hour of insightful conversation and engaging games. And stick around for our always-popular meetup, hosted right inside the event platform.

Register for the Super Cyber Friday event series on Airmeet. Join us for just this episode, or choose to register for all of our upcoming episodes in this ongoing event series.

Thanks to our Super Cyber Friday sponsor, Nokod Security

Cybersecurity Headlines - Daily News Shorts

Subscribe to the CISO Series YouTube channel for daily shorts videos from CISO Series reporter Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.