What Should Be in a CISO Job Description?

Defense in Depth

CISO job descriptions are all over the map in terms of what is desired and what the company is willing to pay. What are the questions organizations should be asking themselves when putting a CISO job post together? And what really matters to CISOs and wannabe CISOs?

Check out this post from Christian Hyatt of risk3sixty for the discussion that is the basis of our conversation on this week’s episode, co-hosted by David Spark, producer of CISO Series, and Geoff Belknap. Joining them is Dennis Pickett, VP, CISO, Westat.

Listen to the full episode here.

Stop siloing cybersecurity

The modern CISO is evolving beyond technical leadership to become a cultural and organizational change agent. Greg van der Gaast of Sequoia Consulting argues that security shouldn't be siloed in IT, but embedded across every business process, even those with no direct technical tie. The goal, he said, is to “optimise business process so that there's a lot less firefighting and 'risk management' needed in the first place,” with CISOs helping “improve culture (and no I don't mean user awareness)” to lift the entire organization’s standard of performance. That kind of leadership requires humility, creativity, and emotional intelligence. “A good CISO needs to be able to help craft solutions that effectively balance key security principles with 'meeting teams where they are,’” said Dustin Sachs of CyberRisk Collaborative. He added that effective CISOs aren’t afraid to admit mistakes. And they know how to make security engaging—even fun.

Leading the charge

Today’s CISO needs to wear a lot of hats. They left a purely technical role a long time ago. “A CISO needs to be an effective salesperson,” said Daniyal Nadeem of Oracle. “They have to sell and demonstrate the value of the entire CISO org to the board.” But the influence doesn't stop at the top. Matthew Sharp, CISO at Xactly Corp, emphasized the broader leadership demands: building customer trust to support growth, attracting and retaining high-performing teams, and navigating tough conversations to align security with business priorities. In an era of constant digital transformation, he added, CISOs must also “lead change while leveraging emerging tech”—bringing protection and innovation to the business.

A culture of ownership

Fostering a strong security culture starts with leadership, but it thrives when responsibility is shared across the organization. “Promote a sense of ownership and responsibility for security throughout the organization,” urged Jared Kurtz of Flexamat. Neha Malhotra of JPMorgan Chase added that technical expertise alone isn’t enough: “Building a great team… with the attitude of taking ownership and working with the least supervision is crucial.” She emphasized the CISO’s role in modeling that culture—“Be an empathetic leader who cares and leads by example.” Diane Calderon of Upvest echoed the need for empathy and strategic alignment, calling out the importance of “translating technical requirements into business requirements” and building a security culture that supports—not stifles—the business.

Preparing for resilience

Preparedness isn’t just a technical exercise—it’s a leadership imperative for all CISOs. Bryan Miott of First Republic emphasized that crisis management must be a core part of the CISO’s role: “If a breach does occur, the CISO needs to be able to mobilize a crisis response team,” which may include not just security and IT, but stakeholders from legal, PR, the board, and even federal law enforcement. He added that “response plans need to be in place long before an actual breach occurs,” underscoring that true resilience starts with planning, not panic.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Huge thanks to our sponsor, Recorded Future


Subscribe to the Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

Super Cyber Fridays!
Join us Friday, 05-30-25, for "Hacking Provable Security"


Join us Friday, May 30, 2025, for “Hacking Provable Security: An hour of critical thinking on how to go beyond security ratings and questionnaires.”

It all begins at 1 PM ET/10 AM PT on Friday, May 30, 2025, with guests Sravish Sridhar, founder and CEO, TrustCloud, and Tony Spinelli, former CISO, Capital One. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT), we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, TrustCloud

Reddit AMA on r/cybersecurity


Our monthly AMA on r/cybersecurity on Reddit is underway.

Our topic is “I’m a Chief Information Security Officer (CISO). I also happen to be a woman. Ask me anything.”

Join the conversation here. The discussion is going on all week.

Our participants are:

  • Krista Arndt, Associate CISO, St. Luke's University Health Network

  • Renee Guttmann, Founder & Principal, CISOHive

  • Mandy Huth, SVP, CISO, Ultra Clean Technology

  • Bethany De Lude, CISO emeritus, The Carlyle Group

  • Patty Ryan, Sr. Director & CISO, QuidelOrtho

  • Hadas Cassorla, Principal Consultant, SideChannel

  • Janet Heins, CISO, ChenMed

A Zero Trust Approach to Securing Your Inbox with Mailprotector


At Zero Trust World in Orlando, David Spark sat down with David Setzer, CEO of Mailprotector, to talk about what it means to apply zero trust principles to email.

Setzer explains how Mailprotector flips the traditional email security model—from assuming everything is safe to assuming nothing should be trusted by default.

Huge thanks to our sponsor, ThreatLocker


LIVE! Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be George Finney, CISO, The University of Texas System.

Thanks to our Cyber Security Headlines sponsor, Conveyor


Cyber chatter from around the web...
Jump in on these conversations

Do people in cybersecurity use tools or program their own tools? (More here)

Good resources for learning applied cryptography and public key infrastructure? (More here)

Anyone else seeing an issue with new hires in the past 5 or so years? (More here)

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [05-30-2025] [Hacking Provable Security]

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.