Great Security Program. Too Bad We Can’t Implement It.

Security theory only goes so far. If you want your security program to work, everyone has to do their part.

This week’s episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our sponsored guest is Scott McCormick, CISO, Reciprocity.

Thanks to this week’s podcast sponsor, Reciprocity

ZenGRC by Reciprocity is a cloud-based GRC software that automates and simplifies compliance and risk management, solving critical problems at scale while customizing to your business needs. Adhering to the majority of regulations is a snap with pre-built templates and a unified system of record. Learn more at

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

How CISOs are digesting the latest security news

The Wall Street Journal has a story about cybersecurity budgets during the COVID-19 crisis. Many companies are dealing with budget cuts across the board. One issue mentioned was that the first items to go from the cybersecurity budget would probably be big projects that require a lot of integration. So as to avoid getting left on the cutting room floor, what would be your advice to vendors on how better to situate themselves, prepare, and prove to potential buyers that they can help with the ease of that integration? Also, for those security leaders, how do they best show compassion to the rest of the business and don’t just fight for their slice of the budget pie?

It’s time for “Ask a CISO”

On reddit, countvonruckus states and then asks, “It’s great to see CISOs giving back through mentorship. As a younger professional looking to become a CISO someday, it can be difficult to get a minute of a senior leader’s time even for critical work decisions. How should someone looking to find a mentor or to benefit from the mentorship of a particular leader go about asking in a respectful but effective way? Is there anything a mentee can do to provide value in exchange that will make it more worthwhile for mentors?”

It’s time to play, “What’s Worse?!”

Two “What’s Worse?!” scenarios nobody likes but many have faced especially now.

Please, Enough. No, More.

Operationalizing GRC. What have you heard enough about operationalizing GRC, and what would you like to hear a lot more?

Looking down the security roadmap

On Quora, the question was asked, “Do cloud providers implement governance, risk management and compliance (GRC) well?” I didn’t know how one would define “well” and what we should expect from cloud providers to help with GRC efforts. This harkens back to our last segment, because we would hope that cloud providers could actually help us operationalize GRC. What are cloud providers doing to help in GRC efforts?

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.