Time to Choose a Security Vendor: Dart Board or Spin the Wheel?

CISO Series Podcast

It seems like we've never had more cybersecurity vendors than we do today. But everyone is using the same playbook, with the same slick demos, the same certifications, and the same claims of being "the best." CISOs want vendor solutions to solve problems. Why is it so hard to get that information from the people selling solutions?

This week’s episode is hosted by David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining them is Pavi Ramamurthy, global CISO and CIO, Blackhawk Network.

Listen to the full episode here.

We can't promise safe, but we can promise ready

The dreaded "Are we safe?" question from the board isn't really asking for a number. It's asking for confidence in your strategic approach. Security leaders need to shift from trying to be quants to strategic interpreters, argued Eckhart Mehler, CISO at GIZ. Embrace the insight of mathematician John Allen Paulos: "Uncertainty is the only certainty there is, and knowing how to live with insecurity is the only security." Heat maps and scoring models have their place, but ultimately they're conversation starters. The real skill is speaking confidently about ambiguity without sounding indecisive. A CISO should never promise absolute safety, but they can confidently say they'll be ready.

Are we accidentally building security nightmares?

Developers love shiny toys, but they're spinning up AI integrations faster than security teams can say "can we get a review done?" This introduces a "lethal trifecta," according to Simon Willison. That dreaded trifecta combines AI tools that access private data, communicate with the outside world, and are exposed to untrusted content. Once that genie is out of the bottle, good luck finding a vendor that can put it back. If CISOs think they're not already exposed, they're wrong. That quick test script an engineer spun up last weekend? It's probably in production now, and it might have accidentally built a chatbot that can read payroll data and tweet as your intern. There's no magic AI firewall yet. Security leaders need to start working with developers on how to use their new toys securely.

Being held accountable for things you had no say in

The underlying reason CISOs walk away isn't technical complexity. They're being set up to fail. Rinki Sethi, CSO at Upwind Security, argued this comes down to "being held accountable for things you had no say in." When there's no budget, no trust, and no alignment, there is no real chance of success. You need at least a couple of years to make a judgment call about whether you can succeed in a role, but the warning signs appear much earlier. During the interview process, ask, "Why did the last CISO leave? What kind of budget will I get? How many hats am I wearing? Do I have the freedom to make changes?" Then read between the lines of those responses. Walking away earlier is often better for both the CISO and the company.

The safe space problem in vendor evaluation

With over 3,200 security vendors competing in roughly 75 product categories, most of which look eerily similar, the traditional evaluation process has become a commodity experience. There are just "too many solutions, too many complexities" for the usual vendor's sales process to be effective, argued Mike Privette of Return on Security in a TechTarget piece. The vendors that stand out are the ones who've done their homework, understand your specific problem, and come prepared to solve it. Vendors aren't just competing against each other, but against doing nothing and building it yourself.

Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Jay Dance, StubHub for providing our "What's Worse" scenario.

Huge thanks to our sponsor, Adaptive Security

Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Security You Should Know
Navigating Your Meeting Shadow Data with FORA

In this episode, Joe Essenfeld, CEO and co-founder at FORA, explains how their platform addresses the challenge of shadow data from recorded meetings by automatically processing those recordings to generate personalized, contextual summaries while maintaining strict data privacy controls. Joining him are Howard Holton, CEO at GigaOm, and Derek Fisher, director of cyber defense at Temple University.

The conversation explores how FORA’s AI-powered personalization engine creates individualized meeting cards based on organizational context and project involvement. The platform implements sophisticated filtering to remove personal banter and protects sensitive information through automated labeling systems that can detect IP discussions, HR-sensitive content, and accidental recordings.

Read the full article and listen here.

Thanks to our podcast sponsor, FORA

Subscribe to Security You Should Know

Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.

What I love about cybersecurity…

“Well, I love playing chess, but when you play chess in cybersecurity, it's like the pieces are on fire, the board is upside down, and business is yelling, ‘Move faster!’” - Pavi Ramamurthy, global CISO and CIO, Blackhawk Network

Listen to the full episode of “Time to Choose a Security Vendor: Dart Board or Spin the Wheel?”

How Can Security Vendors Better Stand Out?

"Integration is the biggest challenge. When I’m evaluating what’s ‘best,’ I usually start with my existing vendors: can they solve this issue? I don’t want the added complexity of another product—more screens, more overhead, higher total cost of ownership to manage." - Jason Taule, CISO, Luminis Health

Listen to the full episode of “How Can Security Vendors Better Stand Out?”

Subscribe to our newsletters on LinkedIn!

CISO Series Newsletter - Twice every week

CISO Series Podcast LIVE in NYC (10-23-25)

The CISO Series Podcast will be heading to the Big Apple for another fun podcast recording.

We’re recording a podcast episode at Mimecast Elevate25. Joining me on stage for the recording will be Matthew Southworth, CSO, Priceline, and Leslie Nielsen, CISO, Mimecast. Here’s everything you need to know:

WHERE: Convene 30 Hudson Yards, New York City 

WHEN: October 23, 2025. The event runs from October 22-24, 2025

The event is FREE! Register to attend HERE.

Huge thanks to our sponsor, Mimecast

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Steve Zalewski, co-host, Defense in Depth.

Thanks to our Cyber Security Headlines sponsor, Nudge Security

Super Cyber Fridays!
We’ll be back Friday [10-17-25] for "Hacking Next Gen Data Threats"

Join us again on Friday, October 17, 2025, for “Hacking Next Gen Data Threats: An hour of critical thinking about what you need to set up your AI guardrails.”

Joining us will be Abhi Sharma, CEO and co-founder, Relyance AI. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Relyance AI

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.