We get the feeling that as we’re adding more solutions and requiring more certificates, we’re just making the problem of finding great security talent harder and harder. Has the problem of not enough talent become an issue that we created? We discuss that and more on this week’s episode of CISO/Security Vendor Relationship Podcast.



This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Taylor Lehmann (@BostonCyberGuy), CISO, Wellforce.

Thanks to this week’s sponsor, Chronicle, makers of Backstory


Chronicle’s Backstory is a global security telemetry platform for investigation and threat hunting within your enterprise network. Backstory makes security analytics instant, easy, and cost-effective. Backstory is a specialized, cloud-native security analytics system, built on the core infrastructure that powers Google itself.

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

How CISOs are digesting the latest security news

The Hill reports, “A Democrat on the House Intelligence Committee introduced a bill on Wednesday that would require publicly traded companies to disclose to investors whether any members of their board of directors have cybersecurity expertise.”

The Cybersecurity Disclosure Act of 2019, would require the SEC to issue a new set of rules requiring U.S. companies to tell their investors whether they have someone who has cyber expertise on their board. If they don’t, they must explain to their investors why this is the case.”

Will such a measure pass and if not, what is the best action here to insure some level of cybersecurity confidence?

Why is everybody talking about this now?

On a recent episode of the podcast we talked about swapping out the word “security” for “safety.” Chris Roberts of Attivo Networks brought this topic up and he says if we change the conversation more people will care. How does the viewpoint of security change when you’re talking about safety? How does behavior change?

What’s Worse?!

I can’t believe it’s taken me this long to ask this question.

Hey, you’re a CISO, what’s your take on this?

Once you connect a device to the Internet and trade information, you’re now a potential attack vector. And if your device is critical for maintaining life, like automobiles and medical devices, vulnerabilities no longer become a case of losing data, but of losing lives. Medical device manufacturers are rarely experts at software development, let alone cybersecurity. Vulnerabilities happen all the time. What is and isn’t working with the reporting, alerting, and fixing of device vulnerabilities?

Ask a CISO

Could the talent gap be a self-fulfilling prophecy or at the very least an avoidable consequence of security’s red hot growth,” asked Sam Curry, CSO at Cybereason, on Forbes. “What started as an esoteric field is becoming even more arcane as we grow.” Curry offered some suggestions on where to improve situations to improve the complexity of security. Are fixing these issues harder than fixing security?

Got feedback? Join the conversation on LinkedIn.