We Checked the “Yes” Box for Cybersecurity. What Else Do We Have to Do?
CISO Series Podcast
Compliance doesn't equal security, but does that mean it can't be part of the equation? Instead of dismissing compliance as mere security theater, how can we use what we have to augment our security efforts?
This week’s episode is hosted by David Spark, producer of CISO Series, and Andy Ellis, partner, YL Ventures. Joining them is Alex Hall, CISO, Gensler.
Listen to the full episode here.
Evaluating secure messaging beyond the app
A high-profile Signal mishap sparked discussion about how quality security tools can be misused. The tool itself wasn’t the issue; the human error of misidentifying contacts led to a sensitive breach. This raised the importance of matching tools to their intended use case, especially when it comes to identity and access management. Organizations should prepare for tool failures in advance by establishing identity verification and fallback communication plans before an incident occurs. Ultimately, the episode emphasized that secure communication isn’t just about choosing the right app, but about managing how people interact with it under pressure.
Reframing compliance as a business enabler
It's time to put the familiar phrase “compliance doesn’t equal security” under the microscope. Rather than dismissing compliance outright, Shaun Kelley of IBM argued that it should be treated as a product feature that helps organizations meet market demands and unlock new business opportunities. Compliance provides a baseline of security that can streamline product development and enable faster sales cycles. However, it’s not a substitute for a customized risk analysis. Security leaders should leverage compliance to gain support for broader security initiatives while still going beyond checklists to address real business risks.
Incremental security investment vs. crisis response
Security budgets often arrive in two ways: after a crisis or through sustained, strategic growth. The better path, of course, is slow and steady investment aligned with business priorities. That means embedding security in the planning process, understanding who holds the budget, and framing requests in terms of business value, not fear, as pointed out by Rosalyn Page in a recent CSO Online piece. CISOs must build alliances across departments, including general counsel, product managers, and the CFO's office, using business strategy fluency and a working knowledge of financial models. Security is a business function, and winning budget means speaking the language of outcomes, not just threats.
Why culture, not punishment, drives secure behavior
Linking employee compensation to phishing test performance sounds like accountability, but it’s more likely to backfire. The idea is that employees will adopt secure behaviors if they receive a direct benefit from it, argued Wylie Hartwell of SIM Jacksonville. But rather than fostering a healthy security culture, it can create fear and resistance. Security leaders should focus on recognition, feedback, and improving technical controls that prevent phishing messages from reaching employees in the first place. A culture where people feel safe reporting mistakes leads to better threat detection and faster response.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Dustin Sachs of CyberRisk Collaborative for contributing this week’s “What’s Worse?!” scenario.
Huge thanks to our sponsor, Vanta
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
10-second security tip
“Stop the email threat. That’s the primary vector for the hackers. So, if you focus your time and effort on the email threat, it buys you time to fix those many other problems that many of us find that we have in our organizations to solve. So, you need time and distance from the adversary to set up your information security program. So, if you’re ever wondering what to do, stop the email threat.” - Alex Hall, CISO, Gensler
Listen to the full episode of “We Checked the “Yes” Box for Cybersecurity. What Else Do We Have to Do?”
Has the Shared Security Model for SaaS Shifted?
"To be able to have it on by default, as I’m standing up a brand new account or I’m training a brand new junior admin, he’s going to make mistakes. I would rather him have to figure out how to turn the security off than how to turn it on." - Jesse Webb, CISO and SVP Information Systems, Avalon Healthcare Solutions
Listen to the full episode of “Has the Shared Security Model for SaaS Shifted?”
7 Best Responses to “I’m a CISO and a Woman, Ask Me Anything”
Every month, we host an AMA (Ask Me Anything) on Reddit.
In May, six women CISOs shared unfiltered insights, from navigating bias and burnout, to building technical and business credibility. Whether you’re breaking into the field or stepping into leadership, their stories are worth reading.
We’ve summarized the key takeaways in this article. Want to join the conversation? Our next AMA kicks off this Sunday, June 22. Stay tuned for the details!
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET / 12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Howard Holton, COO and industry analyst, GigaOm.
Thanks to our Cyber Security Headlines sponsor, Adaptive Security
Super Cyber Fridays!
Join us Friday for “Hacking What It Takes to Become a CISO”
Join us on Friday, June 20, 2025, for Super Cyber Friday: “Hacking What It Takes to Become a CISO.”
It all kicks off at 1 PM ET / 10 AM PT, when Rich Stroffolino will be joined by Montez Fitzpatrick, CISO, NavVis, and David B. Cross, CISO, Atlassian for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup. This time, it will be hosted right inside the event platform.
We’re trying something new this week: We’re hosting the show on Airmeet! The experience will feel familiar, but you’ll register through LinkedIn.
Remember to add it to your calendar via LinkedIn or via the Airmeet link in the invite.
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.