Welcome to Cybersecurity: Where Everything Is Made Up and the Points Don’t Matter
CISO Series Podcast
Measuring a CISO’s performance can be tricky. For a while, a company getting breached was a “resume-generating event” for many CISOs. However, as security incidents become eventualities rather than possibilities, a CISO's performance is measured during an incident. How can we best understand a CISO's performance?
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, partner, YL Ventures. Joining us is Mike D’Arezzo, executive director of infosec and GRC, Wellstar Health Systems.
The shift left myth
The longstanding justification for "shift left"—that fixing bugs earlier is exponentially cheaper—stems from a questionable 1980s IBM think piece, not rigorous research. While it feels intuitively correct, the idea lacks solid economic backing, especially for minor software bugs, as Chris Hughes of the Resilient Cyber Podcast pointed out. True cost escalations occur when foundational design flaws go unaddressed. Additionally, Hughes references a study showing that companies typically recover from breaches quickly, weakening the business case for "shift left" development. However, "shift left" is not without its defenses. It aligns with common sense and efficiency: building secure software from the start empowers developers, minimizes security cleanup later, and keeps engineering focused on delivering features.
Reconsidering CISO evaluations
Evaluating a CISO's performance can't be reduced to whether a company gets hacked—cyber incidents can still occur despite best efforts. As security journalist JM Porup pointed out, tying a CISO's performance to security incidents makes them a “scapegoat-in-waiting.” The more accurate measure is how well the CISO identifies risks, recommends appropriate responses, and aligns security execution with the company’s risk tolerance and resources. Keep in mind that the CISO's role varies widely across organizations, making a one-size-fits-all evaluation model ineffective. Recognizing “near misses” and celebrating preventative wins fosters better engagement across teams and reinforces the CISO's role as a proactive enabler rather than just a reactive defender.
The power of “how”
How can CISOs foster more collaborative and creative problem-solving? Start by reframing security conversations from “Can I secure this?” to “How would we secure this?” said Mike Johnson, CISO at Rivian and co-host of this very show. Rather than defaulting to a restrictive “no,” this mindset encourages dialogue that aligns security with innovation, allowing teams to explore safer alternatives without stifling progress. It's an approach that works when evaluating emerging technologies or unconventional proposals, like medical devices with potential security concerns. By shifting from gatekeeping to guidance, security leaders can foster a culture of thoughtful experimentation while still maintaining core safety principles.
Building bridges
A strong relationship with the CFO is essential for CISOs, especially as cyber investments often lack easily quantifiable returns. Success begins with framing security proposals through clear use cases and estimated costs, then refining those estimates through vendor validation and business context, argued David Ghee on CSO Online. Demonstrating risk reduction and operational benefits helps align with the CFO's priorities. However, if a CISO is going to connect with a CFO, financial literacy is critical. Don't underestimate the value of learning core accounting principles, financial metrics, and how risk is discussed in finance. Overpromising ROI is risky; CISOs should mirror how CFOs assess and communicate uncertainty, like with foreign exchange risk. While mentorship from CFOs can be valuable, what matters most is building peer-level understanding and trust. The relationship is ultimately about integrating cybersecurity into broader business thinking.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Jerich Beason, CISO at WM for contributing this week’s “What’s Worse?!” scenario.
Huge thanks to our sponsor, ThreatLocker
Subscribe
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Security You Should Know
Understanding Application Control with ThreatLocker
Managing application control amid increasing ransomware threats while not impeding business flow remains a challenge. Organizations need a layered defense to bolster their security posture without overinvesting in overlapping tooling.
In this episode, Rob Allen, chief product officer at ThreatLocker, discusses how their deny-by-default approach to application control helps simplify this persistent challenge. Rob is joined by our panelists, Janet Heins, CISO at ChenMed, and Shaun Marion, vp, CSO at Xcel Energy.
Listen to the full episode here.
Big thanks to our sponsor, ThreatLocker.
San Francisco walking tour led by David Spark of CISO Series
WHEN: May 1st, 2025. Assemble at 7:30 AM. Tour starts sharp at 8:00 AM. The tour will last 75-90 minutes and end at the W Hotel for breakfast.
WHERE: In front of Vesuvio's Cafe (255 Columbus Ave., San Francisco, CA) on Jack Kerouac Alley.
Years before podcaster David Spark launched the CISO Series, he was a San Francisco resident and lover of San Francisco history. After spending a month at the San Francisco Public Library poring over old news articles to write “Nude, Lewd, and Crude: The Rise of Strippers, Beats, and Comedians in San Francisco’s North Beach from the 1950s to 1970s,” Spark became a San Francisco tour guide who led walking tours, joked and played games with tourists, and handed out misfortune cookies (a precursor to his “What’s Worse?!” game). It’s been 15 years since Spark last led a formal tour, and he’s looking forward to doing it again with you on the very last day of RSA.
The tour will start sharp at 8:00 AM in front of Vesuvio’s on Kerouac Alley, which is very close to the corner of Columbus and Broadway, right next to the City Lights Bookstore. Spark will be there at 7:30 AM, so come early and be ready for a super-fast and fun 75-90 minute walking tour that will take you from North Beach to Chinatown to Union Square and then finish at the W Hotel, where the folks over at Semperis will have a light breakfast prepared for all of us.
Register for this event here.
Thanks to our sponsor, Semperis
What I love about security vendors…
"Twenty years ago, security vendors would just throw out whatever they could and whatever stuck, stuck. But what I like today is that most of them are purpose built. Most of them come with an idea that they’re directed to sell, and then solve real world problems." - Mike D’Arezzo, executive director of infosec and GRC, Wellstar Health Systems
Listen to the full episode of “Welcome to Cybersecurity: Where Everything Is Made Up and the Points Don’t Matter”
Are New Gartner-Created Categories/Acronyms Helping or Hurting the Cybersecurity Industry?
"What if my CIO comes to me and says, 'Alex, what are we doing about CSPM?' Because he read about it or heard about it on a podcast like this. And I say, 'What’s a CSPM?' That doesn’t look good." - Alex Hutton, CISO, Atlantic Union Bank
Listen to the full episode of "Are New Gartner-Created Categories/Acronyms Helping or Hurting the Cybersecurity Industry?"
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Trina Ford, CISO, iHeartMedia.
Thanks to our Cyber Security Headlines sponsor, Vanta
The motivations for launching DDoS attacks have changed in recent years; have our defensive strategies kept up?
From an exponential increase in attack volume, size, and frequency, to the diversification of attack vectors and motivations, we’re seeing significant changes in the landscape. I talked about these developments with Ashley Stephenson, CTO at Corero, exploring how businesses have adapted with more powerful infrastructures and how attackers’ motivations have expanded to include nation-state actions and competitive disruptions.
Join us on April 18, 2025, for “Hacking the Evolving DDoS: An hour of critical thinking about the changing threats to service availability” at 1pm ET/10am PT on Super Cyber Friday. Joining me and Ashley is Eduardo Ortiz-Romeu, vp, global head of cybersecurity, Techtronic Industries.
Thanks to our Super Cyber Friday sponsor, Corero
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.