
This Security Control Is So Good We Don’t Even Have to Turn It On (LIVE in Clearwater, FL)

CISO Series Podcast


Not all security controls are created equal. Some result from a thoughtful security program, others come from compliance requirements. But what do you do with controls from leadership that are more about optics than security outcomes?

This week’s episode is hosted by David Spark, producer of CISO Series and Christina Shannon, CIO, KIK Consumer Products. Joining them is Jim Bowie, CISO, Tampa General Hospital.

This episode was recorded in front of a live audience at the Convene conference in Clearwater, Florida, hosted by the National Cybersecurity Alliance (NCA), the organization behind the website StaySafeOnline.org.

A journey, not a destination

Security awareness training should be treated as an ongoing process, not a one-time compliance requirement. A long-term strategy works best when it includes planned themes and exercises throughout the year to build knowledge progressively, argued Santosh Kamane of RIVIDEX. Training should focus on high-risk areas of the organization and be tailored to the teams most exposed to those risks, with regular testing to reinforce behavior. To increase effectiveness, training must also be engaging and personally relevant—connecting lessons to everyday situations, such as home security, helps improve retention and adoption. Finally, training should scale by skill level: simpler, relatable content for non-technical staff and more hands-on, technical exercises for advanced users. Interactive methods, like letting employees experience simulated attacks or take on the role of the attacker, are especially effective at reinforcing key lessons.

The difference between pressure and stress

Cybersecurity is a high-pressure field, but it doesn’t have to lead to burnout if organizations foster a sense of purpose and support. We know other high-pressure fields do a better job of dealing with burnout, said William MacMillan on Dark Reading. Empowering staff to lead projects, make decisions, and pursue training enhances engagement and fosters a sense of ownership over their work. Teaching teams how their efforts directly reduce business risk adds meaning and clarity to their roles. However, passion for the job can blur boundaries, with some employees struggling to disconnect. Efforts like scheduled emails, encouraging time off, or even involving partners (with consent) can help enforce work-life balance. We want to create sustainable, mission-driven work, not exhaustion.

Fighting commodity deepfakes

As deepfake technology rapidly advances, organizations are exploring layered defenses to verify identity and prevent social engineering attacks. We need these defenses now because research from Google DeepMind, Stanford, and Northwestern found that it takes remarkably little raw material to train convincing doppelgangers. Verbal passwords remain a strong and straightforward line of defense, especially when used in real-time interactions to confirm identity during suspicious calls. Some companies are implementing stricter verification processes, like requiring video calls for high-level password resets or removing help desk access to reset credentials entirely. More commonly, automated systems that use facial recognition and government ID validation are being deployed to confirm identity before granting access. These steps, combined with robust multi-factor authentication strategies and ongoing awareness training, help staff recognize warning signs and resist manipulation, especially in scenarios that feel urgent or seem too good to be true.

Getting leadership on the same page

Absurd security controls often arise from well-meaning but misinformed leadership responding to incidents or perceived threats, resulting in ineffective or even harmful outcomes. Examples from a recent cybersecurity subreddit post include extreme proposals like blocking access to every website or backing up all user data indefinitely. These types of controls typically reflect a misunderstanding of risk and resource tradeoffs, resulting in security theater rather than meaningful protection. Effective responses must involve educating leadership on the real consequences—such as increased liability, storage costs, or user disruption—and guiding them toward more strategic solutions, such as targeted risk mitigation, data classification, and smarter backup retention policies.

Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Adam Ferdman from Common Sense Security Solution for contributing this week’s “What’s Worse?!” scenario. And thanks to Brian Roberts of Campbells Companies, Roger Penteria of Discover Financial Services, Erin Gallagher of Fastly, and Laura Streeter of Liberty Mutual for their questions during our audience question speed round.

Thanks to our podcast sponsors, Proofpoint, Cofense, & KnowBe4


Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Security You Should Know

Prioritizing Your Security Gaps with Pentera


The velocity of innovation necessitates an agile approach to infrastructure management, which often leads to complexity and, consequently, vulnerabilities. Organizations are in a relentless race to identify and prioritize security gaps, but how can we effectively manage and mitigate these risks?

In this episode, Jay Mar-Tang, field CISO at Pentera, discusses how Pentera blends the efficiency of automation with insightful human judgment to address the gaps in traditional security processes while improving effectiveness and response times. Jay is joined by our panelists, Keith McCartney, VP, security and IT, DNAnexus, and Nick Espinosa, host of the nationally syndicated Deep Dive Radio Show.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Security You Should Know podcast, please go ahead and subscribe now.

Thanks to our sponsor, Pentera.


Biggest mistake I ever made in security…

"Letting my parents convince me to help them recover files off their hard drive." - Jim Bowie, CISO, Tampa General Hospital

Listen to the full episode of "This Security Control Is So Good We Don’t Even Have to Turn It On"

Cybersecurity Is NOT an Entry-Level Position

"The fight for relevance of if cyber security should exist is over. We won. Cyber security needs to fight to solve problems. Part of that solution is getting more minds in the discipline. What got us here won’t get us there." - Montez Fitzpatrick, CISO, Navvis

Listen to the full episode of "Cybersecurity Is NOT an Entry-Level Position"

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

LIVE! Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Howard Holton, COO and industry analyst, GigaOm.

Thanks to our Cyber Security Headlines sponsor, Qualys


Super Cyber Fridays!
Join us NEXT Friday [04-11-25], for "Hacking Social Engineering"

Please join us on Friday, April 11, 2025, for “Hacking Social Engineering: An hour of critical thinking about how a lack of controls is setting us up for financial loss.”

It all begins at 1 PM ET/10 AM PT on Friday, April 11, 2025, with guests Michael Scott, CMO, Trustmi, and Phil Beyer, Head of Security, Flex. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our sponsor, Trustmi


Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.