Why Bother Helping Users When We Can Complain About Them?

CISO Series Podcast

If you want to annoy a security professional, just point out the nearest sticky note on a monitor with a password. These common workplace practices make starting a dogpile session on users easy. But does that help the situation outside of a momentary catharsis? How do we make these conversations about errant security practices constructive to improve security awareness?

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest Daniel Daraban, senior director of product management, Bitdefender.

Practice makes perfect

Leaders can turn positive workplace values—like honest communication, team engagement, and receptivity to feedback—into actionable habits, as outlined by Geoff Hancock of Access Point Consulting in a recent LinkedIn post. Clear and constructive feedback is critical, and CISOs should look at the "Situation-Behavior-Impact" (SBI) framework as a practical tool for delivering it effectively. Giving feedback is a learned skill: developing these behaviors takes practice and intentionality, but over time they can become a natural part of a leader's daily routine. New CISOs should start with structured steps and practice them until these skills become reflexive.

Shaming doesn’t help anyone

How can you address lax security practices, like leaving passwords on sticky notes, without fostering an "us versus them" culture? Security professionals love to dump on “stupid users,” but while these pile-ons make entertaining cybersecurity subreddit threads, they don’t improve the culture of cybersecurity. Instead of shaming individuals, turn such errant behavior into teachable opportunities. Poor practices are often symptoms of larger issues, such as a lack of awareness or training. CISOs must create a culture where people feel safe asking questions and admitting mistakes. Labeling people as "stupid" is unproductive and contradicts building a collaborative security environment. Rather than shaming something like a sticky note with a password, highlight the benefits of alternative solutions, such as password managers. Humor and other creative approaches can encourage better habits while keeping the conversation positive and engaging.

Cybersecurity is a flat circle

The pendulum of cybersecurity continues to swing from prevention to detection and response and now back to prevention. That allows us to use the lessons from detection to inform smarter, more effective prevention strategies. Many organizations have mature detection tools like EDR and MDR, and the next step is leveraging these insights to develop intelligent prevention strategies. Prioritization is the key to risk mitigation. Organizations should focus on critical risks that significantly impact their security posture rather than trying to address everything at once.

Building the bridge

Recent regulatory changes make it imperative to align the CISO with the rest of the executive team. This relationship often gets dismissed as lip service, as pointed out by Raja Mukerji of ExtraHop on Dark Reading. Part of this requires us to look past the idea that budget allocation reflects organizational alignment; dollars spent do not always correlate with improved security outcomes. Instead, look for better proxies for alignment. Emphasize measuring engagement and anecdotal evidence, such as how often leadership consults cybersecurity on decisions. Translate technical risks into business risks to demonstrate how security impacts revenue, operations, and brand reputation. Cybersecurity teams should be involved in strategic planning from the outset, framing cybersecurity as a business enabler rather than a cost center. Building stronger connections between cybersecurity and business leaders requires clear communication, shared priorities, and a focus on resilience over reaction.

Listen to the full episode on our blog, where you can also read the entire transcript, or on your favorite podcast app. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Yashvier Kosaraju, CISO, SendBird, for providing our “What’s Worse” scenario.

Thanks to our podcast sponsor, Bitdefender

Subscribe
Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

What I love about cybersecurity…

"I love the constant challenge of trying to stay ahead of attackers. If you think about cybersecurity, it's dynamic, ever evolving, and honestly, at its core, it's about protecting both people and businesses, trying to keep everybody safe so both people and businesses can thrive." - Daniel Daraban, senior director of product management, Bitdefender

Listen to the full episode of "Why Bother Helping Users When We Can Complain About Them?"

How Can We Fix Alert Fatigue?

"Every company has eventually a lot of different problems, but it comes down to one common denominator, which is, "I feel I need more people on my team." Now, that is really the common feeling. Now, we can talk about whether that's the right thing to do to add more people, but essentially the talent shortage is by far the most common problem that I hear from almost every CISO that I talk to." - Itai Tevet, CEO, Intezer

Listen to the full episode of "How Can We Fix Alert Fatigue?"

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Bethany De Lude, CISO, The Carlyle Group.

Thanks to our Cyber Security Headlines sponsor, ThreatLocker

Super Cyber Fridays!
Join us Friday [01-24-25] for "Hacking Platformization"

Join us Friday, January 24, 2025, for “Hacking Platformization: An hour of critical thinking of how stitching together data, tools, and processes is necessary for the success of your security program.”

It all begins at 1 PM ET/10 AM PT on Friday, January 24, 2025, with guests Elad Koren, vice president, product management, Palo Alto Networks, and a special guest (that means we’re still in booking mode). We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Palo Alto Networks

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.