Why Highlight Diversity When We Can Just Hope You Don't Notice?
CISO Series Podcast
Despite making strides to build diverse teams, it's still common to see homogenous cybersecurity teams. When we see it, do we provide constructive ways to fix it, or do we just attack? What have been successful methods through internal or external influence that have succeeded in building diverse teams?
This week's episode is hosted by David Spark, producer of CISO Series and Mike Johnson, CISO, Rivian. Joining is Julie Myerholtz, CISO, Brunswick Corporation.
Listen to the full episode here.
Your cloud, your problem
Cloud providers ship platforms designed for flexibility, not security. That means privilege escalation paths, permissive defaults, and configurations that look fine until they're exploited. Shared responsibility sounds like a partnership, but in practice, it means the vendor secures the building, and you secure everything inside it, noted Rock Lambros of RockCyber. The S3 bucket era taught that lesson the hard way, and while defaults have improved, the core dynamic hasn't changed. Treating "managed" as "secure" is a dangerous shortcut. Organizations need to own their security posture inside every cloud environment, segment aggressively, and stop assuming the foundation is safe just because someone else poured it.
Kill your sacred cows
Security controls have a shelf life, but nobody puts an expiration date on them. Password rotation policies, abandoned years ago by NIST, still survive in organizations because audit teams keep checking for them. DLP tools that crush performance for marginal protection keep running because nobody wants to be the one to turn them off. A thread on the cybersecurity subreddit was rife with examples. The fix isn't another audit; it's a beginner's mind. Ask your newest hire what doesn't make sense. Bring in people outside the security team and let them poke at your processes. Design thinking beats institutional muscle memory. If a control hasn't produced a tangible outcome in the last 12 months, it's not protecting you; it's just consuming cycles.
AI broke your vendor math
One AI tool doesn't add one vendor; it adds a stack. Chris Matthews of UpGuard broke this down into the app layer, the model provider, the integration connectors, the vector database, the hosting, and the logging. Your third-party risk footprint quietly explodes while the product demo looks like a single login page. Traditional risk management is built for static SaaS assessments and SOC 2 reports. It can't answer the questions AI demands: where does data flow through the model, what gets retained, and is your data training someone else's product? Wholesale blocking AI isn't the answer either. The business opportunity cost is real. But until risk processes catch up, security leaders are flying partly blind with tools that learn faster than we can evaluate.
Feedback is a gift. Open it.
A cybersecurity training platform launched its creator lineup with 18 men and zero women. Josh Mason of Synack called it out publicly. The company responded, and the updated list now features more than half women. That's the best-case version of how blind spots get corrected. Someone speaks up, and the organization listens. The harder part is building a culture where that feedback loop doesn't require public shaming to activate. Diverse teams catch what homogeneous ones miss, but only if dissent is welcome. Thank people who point out what's uncomfortable. If they get silenced or defensive, they won't bother again, and you'll keep making the same mistakes without knowing it.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven't subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Oscar Morales from Calian IT and Cyber Solutions for providing our "What's Worse" scenario.
Thanks to this week’s security tip sponsor, Qualys.
Huge thanks to our sponsor, Vanta
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Security You Should Know
Your Customers Already Know You’re Not Transparent
The 891-question security questionnaire isn't a trust-building exercise. It's a ritual that transfers liability without producing confidence, and both sides of the transaction know it.
In a recent roundup on the CISO Series blog, insights from Steve Gentry, owner - security advisor, Cognate Cyber, Christopher Gomes, head of product, Conveyor, Terry O'Daniel, former CISO, Al Yang, CEO & co-founder, SafeBase, Mike Lockhart, CISO, Eagleview, and Matt Hillary, CISO, Drata and others converge on a single conclusion: trust isn't a questionnaire problem. It's a visibility problem.
Conveyor, SafeBase, and Drata are each closing the gap between what vendors claim about their security posture and what customers can actually verify — at the questionnaire layer, the relationship layer, and the evidence layer.
Read the full article.
Subscribe to Security You Should Know
Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.
Experience the CISO Series Podcast LIVE in Boston (4-30-26)
Boston-area cybersecurity professionals, this one's for you!
Join us for a live audience recording of the CISO Series Podcast with hosts David Spark and Andy Ellis, legendary CISO and author of "1% Leadership." Joining them is their guest, Dmitriy Sokolovskiy, senior vice president, information security, Semrush.
REGISTER FOR THE EVENT here.
Huge thanks to our sponsor, Strike48.
Best advice for a CISO...
“My best advice for a CISO is to focus on the business. Understand that we're only there because we're running a business and we need to manage risks for that business. Look at cybersecurity from the P&L perspective and protect what's most important to that balance sheet and accept risk in other places.” - Julie Myerholtz, CISO, Brunswick Corporation
Listen to the full episode of "Why Highlight Diversity When We Can Just Hope You Don't Notice?"
Who is Responsible for the Conflict Between Security and Developers?
"Everybody says shift left, bring it to the developer at their workstation or at their laptop. Do you want to know what the most developer friendly thing is? The least amount of JIRA tickets for vulnerability issues." - Matt Brown, solutions architect, Endor Labs
Listen to the full episode of "Who is Responsible for the Conflict Between Security and Developers?"
CISO Series Newsletter - Twice every week
Cybersecurity Headlines Newsletter - Every weekday
Security You Should Know Newsletter - Weekly
Cybersecurity Headlines - Department of Know
Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.
Monday’s episode featured Bil Harmer, CISO, Supabase, and Chris Ray, Field CTO, GigaOm. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.
Join us again next week, and every Monday.
Thanks to our Cybersecurity Headlines sponsor, ThreatLocker
Super Cyber Friday
Join us every Friday in April for “Trust Month”
Trust is at the core of everything we do in cybersecurity — and this April, we're dedicating an entire month to it on Super Cyber Friday.
Throughout April, each episode will tackle a different dimension of trust: building it within your security team, knowing when a vendor becomes a true partner, gaining confidence in AI output, and earning a seat at the table as a business enabler rather than a blocker.
Four Fridays. Four conversations. One theme that touches every corner of the industry. Register for the full series, and get notified whenever new episodes are scheduled.
Cybersecurity Headlines - Daily News Shorts
Subscribe to the CISO Series YouTube channel, for daily shorts videos from CISO Series reporter, Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.