How to Tell If Your CISO Sucks at Their Job

If your CISO wants to be a ‘visionary’ but they can’t seem to pull off basic security functions, they probably suck at their job.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Lee Parrish (@leeparrish), CISO, Hertz.

Thanks to this week’s podcast sponsor, Keyavi Data

Our Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner’s control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

Is this the best use of our money

On CSO Online, Terena Bell has a piece on how to cut your budget without hurting security. The suggestions are well known: Identify overlaps in technology, renogiate contracts, and use tech to lower the need for manhours. Her last tip was a warning about layoffs. Are you always looking to reduce costs or is it something you do when it’s mandated? And how are you supported by the business if and when you proactively reduce costs? Or does that not ever happen because the demand is ever growing.

Is this where I should put my marketing dollars?

I’m not sure, but it’s possible that our guest is our first CISO that has an MBA. In his role as CISO he’s mentioned he uses common marketing techniques to advance your organization’s cybersecurity program. He said, “Security is just an inside sales job and that marketing creates the demand that sales fulfills.” Lee tells us about what he learned in his MBA training that was so critical for your growth as a CISO.

What’s Worse?!

We have a split decision on third party risk management.

How a security vendor helped me this week

We haven’t done this segment in a long time and we got a request from a listener to bring it back. So I ask Mike and our guest, recently, how has a security vendor helped you. And were any of those security vendors who helped not customers?

We’ve got listeners and they’ve got questions

A listener, who wishes to remain anonymous asks this question: “How do you convince a CISO to focus on the basics?”

The listener goes on and says, “I’m not a CISO but have seen and talked to many that want to be seen as ‘visionaries’ so they focus on ‘new hotness’ things like ‘zero trust’ instead of the basics things that are missing like patching, asset management, etc.” The listener understand this, and he’s obviously talking about his own CISO, hence the anonymity, but how do you approach your CISO and get him or her to balance their own time with basics or as Yaron Levi, CISO of Blue Cross Blue Shield of Kansas City says, “fundamentals” while also having a forward looking vision of security?

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.