Take Two-Factor Authentication and Call Me in the Morning

CISO Series Podcast
Take Two-Factor Authentication and Call Me in the Morning

Cybersecurity controls almost inevitably create friction in the business. In some industries, that friction can be inconvenient. But in a healthcare setting, that friction can cost lives. How do we keep these organizations secure when there is so much at stake?

This week’s episode is hosted by David Spark, producer of CISO Series, and Andy Ellis, principal of Duha. Joining them is Janet Heins, CISO, ChenMed.

Listen to the full episode here.

Inbound gets ignored

Security vendors bang relentlessly on CISO doors, yet their own websites sit unattended. When Andrew Becherer, CISO at Sublime Security, used a vendor contact form, he found those submissions vanished into marketing queues managed by nobody. Vendors chase prospects who don't want to talk while ignoring the ones ready to buy. The reality is that marketing and sales operate as separate kingdoms. Websites are treated as branding exercises rather than sales channels. The warmest lead possible, someone actively seeking you out, gets lost. Meanwhile, sales teams pound away at cold outreach. Most experienced CISOs skip the forms entirely, going straight to LinkedIn peer networks to find someone who can make an actual introduction.

Independence under constraint

When your CISO reports to the executive creating the risk, that's not governance. Joshua Copeland of Crescendo argued it's closer to a hostage negotiation. Smart security leaders insist on peer-level reporting to avoid getting silenced. For CISOs stuck in compromised reporting structures, survival requires finding advocates outside the chain of command, such as enterprise risk, legal, or the CFO. Those advocates need seats at the table for performance review and budget. But at some level, you will always report to someone who creates risk. That reality doesn't call for despair. Focus on what you can do rather than what you can't change.

Methodology means nothing

If you want to start a flame war on LinkedIn, start a debate about risk quantification frameworks. It can get so heated that some CISOs will try to roll their own framework, as Rebecca Brock of Safe Security found out. But the business doesn't care about your methodology; they care about decisions. Walking into the boardroom claiming a precisely calculated dollar amount for cyber risk will get you laughed out. Addressing organizational risks requires storytelling, not spreadsheets. Use whichever risk methodology helps decision-makers make better choices. For most companies, that's not quantification at all; it's qualification. Executives don't want a standalone number; they care about whether you're better or worse than industry peers.

Lives over logins

It's easy to paint a dire picture of cybersecurity in healthcare. A locked-out doctor, a dying patient, unavailable two-factor authentication! Sounds dramatic, but it's mostly fiction. Multiple providers have patient information, creating built-in redundancy that prevents these Hollywood moments. But patient lives trump everything else in healthcare, said Nadine Michaelides of Anima People. The real problem isn't the hypothetical emergency override. It's designing security controls without understanding clinical workflows. Take a practice like disabling the printing of patient records. If terminals aren't in patient rooms, nurses will take a screenshot instead, exposing more data than if they could just print the records. Humans work around broken systems. Design for their reality.

Listen to the full episode on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Dr. Dustin Sachs, PsyberCog Labs, for providing our "What's Worse" scenario.

Thanks to our podcast sponsor, Guardsquare

Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Security You Should Know
Getting Visibility Into AI Usage with Harmonic Security


In this episode, Alastair Paterson, CEO and co-founder at Harmonic Security, explains how Harmonic Protect secures workforce AI adoption through browser-based visibility, endpoint agents, and MCP gateways. Joining him are Ross Young, co-host at CISO Tradecraft, and Johna Till Johnson, CEO and founder at Nemertes.

Want to know:

  • Why are enterprises still struggling with AI governance despite years of motivation to solve it?

  • How does Harmonic keep pace with 50,000+ AI products when the landscape changes monthly?

  • What's the difference between visibility, coaching, and blocking in AI governance?

  • How do you implement AI controls without creating thousands of new alerts for security teams?

  • Where does Harmonic fit in the multi-step process of setting policy, monitoring compliance, and enforcement?

  • How can CISOs measure the ROI of AI governance tools and benchmark against industry peers?

  • What's Harmonic's strategy with secure AI browsers?

  • Why should AI browsers be blocked by default in the enterprise?

  • What should CISOs prioritize for AI security in 2026?

Read the full article and listen to the full episode here.

Thanks to our podcast sponsor, Harmonic Security


Subscribe to Security You Should Know

Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.

What I love about cybersecurity…

“I love learning about the business and going into all the little nooks and crannies of the business and finding out what makes it tick and what's important and how I can help.” - Janet Heins, CISO, ChenMed

Listen to the full episode of “Take Two-Factor Authentication and Call Me in the Morning”

When Cybersecurity Marketing Fails to Reach the Buyer

"AI and agentification are levers, they're multipliers, they're not objectives in and of themselves." - Tom Doughty, CISO, Generate:Biomedicines

Listen to the full episode of “When Cybersecurity Marketing Fails to Reach the Buyer”

Subscribe to our newsletters on LinkedIn!

CISO Series Newsletter - Twice every week

LIVE!
Cybersecurity Headlines - Department of Know

Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.

Monday’s episode featured Steve Zalewski, co-host, Defense in Depth, and Nick Espinosa, host, The Deep Dive Radio Show. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.

Join us again next week, and every Monday.

Thanks to our Cybersecurity Headlines sponsor, Strike 48

Super Cyber Fridays!
Join us Friday for “Hacking Analyst Happiness”

Join us on Friday, February 6th, 2026, for Super Cyber Friday: “Hacking Analyst Happiness.”

It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Jon Hencinski, head of security operations, Prophet Security, and Justin Lachesky, director, cyber resilience, Redis, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup, hosted right inside the event platform.

Thanks to our Super Cyber Friday sponsor, Prophet Security


Cybersecurity Headlines - Daily News Shorts

Subscribe to the CISO Series YouTube channel, for daily shorts videos from CISO Series reporter, Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.