It is believed that in ancient times cybersecurity was successfully fought with a glass half-full approach. Today’s pessimistic CISOs have yet to confirm the findings.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is George Finney (@wellawaresecure), CISO, Southern Methodist University and author of “Well Aware: The Nine Cybersecurity Habits to Protect Your Future”.

Thanks to our sponsor, Netskope

The Netskope security cloud provides unrivaled visibility and real-time data and threat protection when accessing cloud services, websites, and private apps from anywhere, on any device. Only Netskope understands the cloud and takes a data-centric approach that empowers security teams with the right balance of protection and speed they need to secure their digital transformation journey.

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

Vendors have questions our CISOs have answers

Neil Saltman of Anomali runs a CISO meetup group and he asks, “A common topic is CISOs going back to platform vendors versus best of breed because they are overwhelmed. When do you buy best of breed vs. just add it to the stack from Microsoft or other large vendors… When I worked at Bromium I had a CISO tell me ‘I’ll buy your product when Microsoft buys you.'”

Mike Johnson leans more to best-of-breed or in some cases build it yourself. Can Mike sympathize with these other CISOs and what would his situation have to be to make a platform play?

What I learned from a CISO

One of the main tenets of George’s new book, “Well Aware: The Nine Cybersecurity Habits to Protect Your Future” is that optimists outperform pessimists in productivity, wealth, and longevity. The “Department of No” cybersecurity people are just hurting themselves. You argue that the more positive attitude can be garnered by learning from people who have successfully protected their communities. What are examples of watching another’s success, and what can you learn?

What’s Worse?!

Both are going to cause problems. It’s tough to say which one’s worse.

It’s time for “Ask a CISO”

We’ve got a request for career advice, from an anonymous listener. We’ll call him Steve. Steve has been with his company 14 years and they were recently acquired and the new company was calling the shots. After the acquisition, the CISO and Steve were working on bringing the merged companies up to compliance standards and dealing with audits: SOC 2, Sarbanes-Oxley, PCI, etc. CISO was planning on leaving the company in 2021 and grooming Steve to replace him. Then COVID hit and the company gave the CISO a beautiful severance package leaving Steve with all the CISO’s responsibilities, but not the title change or salary. Steve asked the CIO about plans to replace the CISO and the CIO said Steve could apply once the position was announced. That was 5 months ago. Steve likes his job and the people he’s working with but he’s frustrated with no clear vision of future plans. We offer up some advice for Steve.

What’s the best way to handle this

Can we opt-in to cybersecurity awareness? At one of our live shows I asked the audience, “Who has gone through security awareness training?” Every hand went up with a loud audible groan. Most of us would like to opt-out of this mandated training. What if our coworkers could be enticed to opt-in? It’s the end of cybersecurity awareness month. What have you done or seen others do that’s actually worked? And now the far trickier question, what has worked over a long time?

Creative Commons attribution to Antti T. Nissinen (CC BY 2.0).