CISO Series Podcast
We Require 3-5 Years of Experience to Qualify for the Cyber Skills Shortage

Are cybersecurity influencers exploiting the cyber skills shortage as a means to sell a range of "get a cyber career quick"-type courses? While some areas in cybersecurity struggle to fill roles, the reality is that this demand isn't for entry-level positions. How do we start filling those badly needed skills without selling cybersecurity career snake oil?

This week's episode is co-hosted David Spark, the producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining them is Anne Marie Zettlemoyer, former vp of security, Activision Blizzard.

Listen to the full episode here.

SOC automation: Moving beyond alert fatigue

Security operations centers are struggling with a fundamental design flaw that creates unsustainable workloads for analysts. Modern SOC environments continue to overwhelm security teams with alerts that require extensive manual investigation and context gathering from multiple systems, noted Anton Chuvakin of the Google Cloud Security Podcast. The most effective approach involves implementing automation that delivers enriched, contextualized information directly to analysts rather than forcing them to piece together fragments from disparate tools. Success requires establishing feedback mechanisms that capture decision-making patterns and outcomes to improve automated processes continually. Organizations should prioritize solutions that provide comprehensive investigation results directly to analysts within their primary workspace, eliminating the need for manual data correlation across multiple platforms.

The entry-level security talent reality

The cybersecurity job market presents a complex picture where genuine skill shortages exist in specialized areas such as operational technology forensics and malware reverse engineering. At the same time, entry-level positions face different challenges entirely. Junior roles increasingly require a combination of technical experience, formal education, certifications, and demonstrated community involvement, rather than standalone qualifications, as illustrated by Leslie Carhart of Dragos on LinkedIn. The most effective pathway for newcomers involves starting with managed security service providers, which offer structured training environments and documented processes that build essential decision-making skills. Success in SOC roles depends more on developing persistence, analytical judgment, and soft skills than purely technical capabilities, requiring organizations to create proper mentorship and feedback systems for new analysts.

Learning from security incidents without blame

The cybersecurity industry's approach to incident response can focus on assigning individual blame rather than addressing systemic issues and learning opportunities. Security professionals frequently experience personal guilt following breaches, despite incidents typically resulting from multiple factors rather than single points of failure, as highlighted in a recent cybersecurity subreddit discussion. Effective incident management requires implementing structured shift rotations during extended responses to prevent team burnout and maintain decision-making quality throughout the crisis. Leadership must coach team members on managing the adrenaline and intensity of incident response while establishing clear protocols for when to bring in additional resources versus allowing individuals to contribute meaningfully to resolution efforts.

Evaluating security vendor viability and partnerships

Assessing vendor viability requires examining leadership backgrounds, market understanding, and demonstrated ability to deliver on commitments rather than relying solely on product demonstrations or funding announcements. Vendor viability should be on your radar, argued Christoper O'Malley, CEO at Exabeam. Successful vendor relationships involve starting with limited engagements to test responsiveness, technical capability, and willingness to collaborate on solution development. Organizations should evaluate how vendors handle direct questions about their security practices, business continuity plans, and worst-case scenarios, watching for evasive responses or deflection tactics. Risk management principles apply equally to vendor selection, requiring contingency planning for potential vendor failures, acquisitions, or product discontinuations, regardless of company size or market position.

Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Dustin Sachs of CyberRisk Collaborative for contributing this week’s “What’s Worse?!” scenario.  

Huge thanks to our sponsor, ThreatLocker

Subscribe
Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Security You Should Know
Quantifying, Prioritizing, and Remediating Risk with Qualys

Managing risk is the name of the game for a CISO. Quantification is a major part of that job, but it doesn’t end there. Without a means of communicating that quantification to the rest of the business, quantification just adds to the noise.

In this episode, Utpal "U.J." Desai, Senior Director of Product Management, Partner Programs at Qualys explains how they provide a comprehensive solution for the Risk Operations Center, with comprehensive ways to ingest data from your applications, make sense of the data, and give your organization the tools to make the right priorities with it. Joining him are our panelists, Montez Fitzpatrick, CISO at NavVis, and Derek Fisher, Director of the Cyber Defense and Information Assurance Program Temple University.

Thanks to our podcast sponsor, Qualys

Subscribe
Subscribe to Security You Should Know

Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.

Best Advice For a CISO

“Besides rethinking your life decisions, I want CISOs to really welcome the role of being an executive, and that means that you have to learn how the business makes money, how it loses money, how it protects money. So, you’ve got to learn how to speak in terms of dollars and downtime, brand impact, competitive advantage. Boards don’t buy EDR. They don’t buy the tech. They invest in resilience. So, while you are expected to be technical, it’s your strategic ability that’s going to set you apart from other CISOs.“ - Anne Marie Zettlemoyer, former vp of security, Activision Blizzard

Listen to the full episode of “We Require 3-5 Years of Experience to Qualify for the Cyber Skills Shortage”

Don’t Ask “Can” We Secure It, But “How” Can We Secure It

“We absolutely didn’t start with a yes. We started with a hard no, started with blocking everything that we could. We started making life as hard as we can because we didn’t know anything else, and we were IT guys trying to do their best job.” - Hanan Szwarcbord, vp, CSO and head of infrastructure, Micron Technology

Listen to the full episode of “Don’t Ask “Can” We Secure It, But “How” Can We Secure It”

Subscribe to our newsletters on LinkedIn!

CISO Series Newsletter - Twice every week

Cyber Security Headlines Newsletter - Every weekday

Security You Should Know Newsletter - Weekly

Why Your CEO's Home WiFi is Your Company's Biggest Security Risk with BlackCloak

Think your company's cybersecurity ends at the office? David Spark spoke with Dr. Chris Pierson, founder and CEO at BlackCloak, and explored how attackers are increasingly targeting executives through their personal lives, families, and home networks to breach corporate defenses.

This emerging threat landscape is exactly what BlackCloak addresses through its comprehensive executive protection platform. As cyber criminals and nation-state actors increasingly recognize that the path of least resistance often runs through executives' personal lives, the traditional boundaries between personal and professional cybersecurity have completely dissolved.

Watch the video here.

Huge thanks to our sponsor, BlackCloak

In observance of July 4th in the United States, we won't be releasing an episode of Cyber Security Headlines - Week in Review

Super Cyber Friday!
Join us in two weeks, Friday July 11, for “Hacking the Resilience Mindset”

We have no live shows this Friday, but join us on Friday, July 11, 2025, for Super Cyber Friday: “Hacking the Resilience Mindset.”

It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Liz Morton, field CISO, Axonius, and Nick Vigier, CISO, Oscar Health, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup. This time, it will be hosted right inside the event platform.

Register now on LinkedIn

Remember to add it to your calendar via LinkedIn or on Airmeet link in the invite.

Thanks to our Super Cyber Friday sponsor, Axonius

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.