Today’s Agenda: When Will This Meeting End?

Everyone’s favorite meeting is a short meeting. But does anyone want a fun or entertaining meeting? Or is that a bad idea?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Jeremy Embalabala, CISO, HUB International.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, SlashNext

SlashNext
With today’s transition to hybrid working, phishing attacks are becoming more prevalent than ever. Mobile phishing and credential harvesting are exploding, damaging business reputations and finances and, most importantly, causing data loss. With new methods of phishing attacks appearing year over year, enterprises need more robust phishing protection to better protect this expanding attack surface and companies’ most valuable assets. Check out the report.

Full transcript

[Voiceover] Biggest mistake I ever made in security. Go!

[Jeremy Embalabala] I, like many other security practitioners, came from a strong technology background with an engineering background in architecture, and relying on that experience versus having an open mind listening to the problems that need to be solved was something that got me into some trouble.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. Hey! It’s me, David Spark. You know my voice. I’m the producer of the CISO Series. And joining me for this very episode is Mike Johnson. You’ve heard his voice, and it sounds just like:

[Mike Johnson] Hey! It’s me! I’m Mike Johnson, this is my voice.

[David Spark] You’re going to hear a lot more of that later in the show. I want to mention that we’re available at CISOseries.com, or CISOseries.com if you’re in Australia. No, if you’re in Australia, you’re going to be in Australia in just a second, Mike, we’re going to get to that in a second. Our sponsor for today’s episode is SlashNext! SlashNext, a phenomenal sponsor coming back sponsoring again. We love SlashNext. If you do any messaging, and my guess if you’re a business, you’re doing some kind of messaging, you’re going to want to hear what we have to say about SlashNext later in the show. All right. Mike, they say “SIZE-O” in Australia. That is how they pronounce it. You’re going to Australia – you’re going to have to learn how to say that. Try it.

[Mike Johnson] I think I’m just going to have to be pronouncing it wrong for them because I can’t get past CISO, I just… I can’t, I can’t.

[David Spark] “SIZE-O.” So, we did a show in Australia, I think like three, four years ago in Sydney, and I learned that that’s how they pronounce C-I-S-O in Australia. It isn’t just the way the water rotates in the toilet. It is also how they pronounce CISO. And they said “SIZE-O,” so I hired our voice Julie, who is our voice of the CISO Series, to redo our bumpers with “SIZE-O.”

[Mike Johnson] Localized.

[David Spark] I did localize it for them, yes.

[Mike Johnson] Very nice.

[David Spark] So, you are going to have to learn how to do that. Now, for those of you listening, by the time this airs Mike will have gone to Australia, and you’re going to Melbourne and Sydney and New Zealand. I have been to Melbourne and Sydney and New Zealand. I loved Melbourne specifically, I loved all of it, but Melbourne I went to go see one of their football games, which was phenomenal. Are you going to get a chance to see one?

[Mike Johnson] I don’t know that I’ll get a chance to see a football game, but my hope is to be able to see some of the city and plan my next trip. This is going to be a whirlwind. My hope is…

[David Spark] Oh, so you’re going to have no fun time?

[Mike Johnson] No fun time. But I’m going to pay attention for my next trip back where I can have fun time.

[David Spark] You couldn’t bake a little vacation on the end of a work trip or at the beginning of it?

[Mike Johnson] It’s a busy time of the year, David, too much other stuff. I just got back from PTO. I had some vacation recently, so now I’ve got to be heads-down, nose to the grindstone.

[David Spark] Always try to bake in a little vacation time with the work trip if you can, that’s what I always say. All right. This guest, actually, I met in Chicago, and I did bake in a little vacation time. We went to do a live recording in Chicago, and I also saw some friends there while I was there, so I baked a few extra days of vacation time in Chicago as well. Although it wasn’t a true vacation because it was still work. But I’m thrilled that he’s on our show, he is the CISO for HUB International – Jeremy Embalabala. Jeremy, thank you so much for joining us.

[Jeremy Embalabala] Hi, David. Hi, Mike. Thanks for having me.

Looking down the security roadmap.

3:50.528

[David Spark] Mike, in a blog post you wrote about the need to scale a security team to (1) outwardly support the velocity of the company and (2) inwardly scale the functions on the security team. And secondly, you asked the question how do you make our security teams more productive. It seems a really tough task but to pull this off would be tantamount to your business’s success and the sanity of your security team. So, I’m interested in some examples of how you’ve achieved productivity on both of these outward and inward scales.

[Mike Johnson] Sure. If you think about two different dimensions. Scaling outward, that’s all about empowering other teams within your organization to be able to get work done without waiting for you. This can be giving them documented guidance that they can then adopt. This can empower them with tools like threat modeling that they can go ahead and build out a threat model rather than waiting for when your security team might have the bandwidth to support them. It allows them to self-support. That’s the policy, procedural, documentation side of the outward scaling.

Another way of looking at it is where can you build technical guardrails. An example for us is we’ve built guardrails within our AWS instance that certain checks need to pass for an engineering team to deploy. And the great thing there is they know what they need to do, they just do that, it deploys. Again, they’re not waiting for any review. They’ve been empowered to move forward because they’re operating within that technical framework. So, the outward scaling is really how you can support other teams, empower them to get work done that supports your security program but is also helping to propel them forward.

[David Spark] And I get a sense – I’m throwing this to you, Jeremy – that this sort of outward model that Mike describes is also what the individual teams that are not the security teams can communicate to the security team of, “Here’s how you can help us. Here’s how we operate. What can you do for us given our environment?” What have you done to increase productivity in both areas – inwardly and outwardly?

[Jeremy Embalabala] Yeah. So, communication’s definitely a big part of it but first, you need to really have a clear understanding and clarity for everybody of what you’re trying to communicate. And so one of the things that I’ve noticed that is something that we’re putting into place is really shifting the culture to where security is everybody’s responsibility, not just the security team’s responsibility.

[David Spark] We talk a lot about this on our show. Yeah.

[Jeremy Embalabala] Yeah. And so getting away from the traditional waterfall sequential process method that isn’t really scalable and can’t support growth, you know, kind of this review-and-approve linear fashion. That’s going to be critical in order to achieve that scalability inwardly and outwardly, right? Those inward scalability pressures are realized as you have those outward scalability concerns and pressures as you’re trying to grow. And so the challenge is really multidimensional, especially at HUB. We’ve got rapid organizational growth, you’ve got the threat landscape changing rapidly, you’ve got a regulatory environment that’s shifting along with customer expectations that are shifting.

And so it’s really around how do we change the way that we work to be able to support that growth and adjust to the changing landscape. And so to do that, we’re making a cultural shift, again, to where security’s everybody’s responsibility, and we need to think about and solve for risk inside of our project or operational workstreams. And that requires education, it requires partnership, it requires defining security outcomes. Essentially what good security looks like for my organization or for this project in this particular context, etc. And what’s defined with those outcomes? What are those security outcomes? And let’s socialize those and educate the other stakeholders on those risks so then we can partner together and deliver.

[David Spark] Mike, let me get you to just make the last comment on this with regards to what Jeremy said, and it’s something we’ve echoed many times of making it everybody’s responsibility. But what you’re talking about is structuring how you make it everybody’s responsibility. You know what I mean? Like having a formal… Not just getting up there waving your hand and going, “Hey, we’re all responsible for security,” and then just sort of walking away like, “Figure it out yourself how that comes about.” So, where does the structure come in that you find?

[Mike Johnson] You can’t just tell someone that security’s their responsibility and walk away and expect that they have accepted that responsibility. This is really where the relationship building of a CISO comes into play. You have to be working with your peers across the organization, and you first have that conversation with them. If they’re bought in, if they agree that security is their responsibility as well, then they can help amplify that message throughout their entire organization. So, this is all relationship building, and with those in place you can make progress and have people document and accept that security is their responsibility as well.

[Jeremy Embalabala] Yeah. It’s really around creating clarity and defining expectations for security up front and getting ahead of those versus being reactive, and that requires that relationship building and collaboration in order to get that. And the mechanics behind it that we’ve employed are really: let’s embed those security outcomes into those traditional project workstreams or program management workstreams. Once we’ve agreed upon them, the other leaders cross-functionally are on board, let’s embed them into the existing project management workflow and measure and track against those. And then everybody’s rowing in the same direction, and it’s not people working in parallel in silos and then coming to security kind of late in the process looking for an approval. You’ve partnered from the get-go. And that relieves a lot of pressure, a lot of tension from the system for everybody, and that creates that scalability.

I tell you, CISOs get no respect.

10:21.402

[David Spark] Nearly one-third of cybersecurity leaders have considered leaving their organizations, according to a study by BlackFog in an article by Steve Zurier in SC Magazine. CISOs’ complaints range from lack of work/life balance and failure to invest in people to spending too much time on firefighting and not dealing with strategic issues. By the way, wanting to leave one’s job I do not think is unique to a CISO, but I bet – again, I’m just throwing this out here – I bet if we did a survey on all employees, a third would say, “Well, I’ve considered leaving.” Everyone’s considered leaving. Who hasn’t?

But from my vantage point, what I see that’s unique is a CISO is not a lifelong career. Most – not all – most are looking to get out eventually. Tenures are brief and it seems three CISO gigs is enough, and you’re out – again, this is me just kind of shooting from the hip, but what I’ve seen – either doing some consulting or possibly working with a VC as an advisory CISO, I’ve seen that happen a lot. So, the choice to exit is to still capitalize on their knowledge in cybersecurity, yet not deal with the day-to-day stress and pressures of being a CISO. Jeremy, I’m going to start with you. Do you agree or disagree with my non-scientific estimation of a CISO lifecycle?

[Jeremy Embalabala] Yeah, I think that the pressures you’ve outlined, David, are real, especially around work/life balance, maybe a lack of strategic focus, and investments in people. Those are challenges that we all face as CISOs. But in my perspective, I think that CISOs have the power to change those things if they lean on their relationships and communicating risk and their ability to influence change in an organization. The CISO level has continued to kind of raise in stature in organizations, and so I think that it’s on us CISOs to change those things versus kind of accepting as facts and the lot that we’re dealt with in life.

[David Spark] So, you kind of avoided my question but you did say, you argued, the pressures are real but it’s on us to fix them. But do you believe the CISO tenure is not a lifelong career? Have you seen from your colleagues, do not speak for yourself here. Do not speak for yourself, but I just want to know through your colleagues, have you seen, “I’ve done this enough, I got to get out”?

[Jeremy Embalabala] Yeah, I haven’t seen that people want to get out necessarily. Maybe they move from one role to another for one reason or another. But in general, folks are not leaving security to go someplace else or leaving the CISO role to do something else unless they’re later on in their career.

[David Spark] Okay. Mike, I’m throwing this to you. What do you think of my estimation? Am I right or I’m full of it?

[Mike Johnson] I think you’re full of it. [Laughter]

[David Spark] Now we come to the realization, how Mike really feels about me.

[Mike Johnson] No, I’m really just being pragmatic about it, right? The fact is the career hasn’t been around very long.

[David Spark] That’s a good argument.

[Mike Johnson] And to become a CISO, you have to really work your way up to it, you don’t come out of college as a CISO. So, you’re really building an entire career in security that for a lot of people culminates in a CISO role. And I think to your point about three-time, four-time CISOs, I don’t see a whole lot of four-time CFOs or four-time CEOs. We’re executives and when you’re at an executive level, again, you’ve worked your butt off to get there, and you’re unlikely to spend 20 years as a CISO because you spent so much of your career getting there. So, I think it’s still early yet in our profession. But at the same time, I totally anticipate my path going forward at some point is to be a little bit less stressful in my position, and it may be a different CISO role, it may be in the VC world, it may be education. Who knows where it goes? But I do think it’s normal to want to dial back a little bit on your stress as you kind of roll into retirement.

[David Spark] All right. So, backup singer is not in the cards?

[Mike Johnson] I have taken that one officially off the list.

[David Spark] That’s officially off the list.

[Mike Johnson] But like professional actor or model? Model might, I haven’t ruled that one out.

[David Spark] You haven’t ruled it out, okay. I did have one acting gig I just want to throw out, where I did a dramatization of the Apollo 13 mission because I looked like the chief scientist on the Apollo 13 mission. I had friends who were producing this documentary and goes, “Let’s get David to do this,” and he goes, “You think he’ll do it?” and I did. And so if you do a search on Apollo 13 and my name on YouTube, you’ll find my 45 seconds of acting fame.

[Mike Johnson] The big thing is do you have an IMDb entry.

[David Spark] I have an IMDb entry because of my work at ZDTV, TechTV.

[Mike Johnson] Well, there you go.

[David Spark] That’s it. But that doesn’t appear, that thing that I mentioned does not appear there.

[Mike Johnson] Ah, gotcha.

Sponsor – SlashNext

15:28.757

[David Spark] All right, before we get into our “What’s Worse?!” scenario, let me mention our sponsor SlashNext. Again, if you’re doing any kind of messaging – and again, I don’t see how anyone conducts business without doing messaging – you’ll want to listen to this. The phishing landscape is expanding, and how people work today has increased users’ exposure to cyberattacks, adding to the threats organizations already face. So, the bad guys know that most email has at least some protections in place and have therefore been turning their attention to alternative forms of messaging, which is pretty much what a lot of us are already using. So, this trend, combined with the fact that employees increasingly use the same devices for both work and personal purposes, has accelerated phishing by a whopping 61% compared to last year. So, if you don’t have something in place, it’s only getting worse.

So, security awareness training is only one part of the equation, and it’s not enough. Organizations must move from traditional security practices and last-generation tools to a modern security strategy, including robust AI phishing controls that address all variations of phishing attacks and provide a broad range of protections. SlashNext protects the modern workforce from malicious messages across all digital channels. It detects threats in real-time to stop attacks via email, mobile and web messaging apps across Office 365, Gmail, LinkedIn, WhatsApp, Telegram, Slack, Teams and many other messaging tools. For more, check them out at their website, and that is SlashNext.com.

It’s time to play “What’s Worse?!”

17:05.117

[David Spark] All right, Jeremy. You know how this game is played, right?

[Jeremy Embalabala] I’m in for a surprise on this one.

[Mike Johnson] [Laughter]

[David Spark] Two horrible scenarios. It is a surprise because neither one of you knows what this is. Two horrible scenarios, you have to pick which one is worse. I always make Mike answer first. I love it when our guests disagree with Mike. No pressure there, here we go. Comes from Jonathan Waldrop who, by the way, has provided a ton of great “What’s Worse?!” scenarios for us. He is with Insight Global, and here we go. So, I just want to say that blocking these people who I’m going to describe in this section is not an option in either case. Just throwing that out there because that’s an easy way to solve these problems. All right. You get – scenario number one, Mike – you get marketing spam or cold calls from vendors that you already do business with, you can ignore them, but they just keep coming. That’s not good, one. Or the business development rep or sales rep that won’t take no for an answer. You don’t work with this person. They’re really persistent to the point of stalking. Which scenario is worse?

[Mike Johnson] Is this I’m on the recipient side or I’m the person doing this?

[David Spark] Yes, yes. You’re the recipient. You’re the CISO receiving.

[Mike Johnson] Okay.

[David Spark] So, it’s just the marketing spammer cold calls from the people you already work with, they’re kind of annoying but you kind of ignore them. Or someone you don’t work with who’s really not taking no for an answer and they’re really persistent and you see them outside your door, they’re stalking you, they’ve got a telescope into your home. It’s really creepy.

[Mike Johnson] You’re making it really easy, David.

[David Spark] Well, I embellished. They’re not truly stalking you.

[Mike Johnson] The person who just will not freaking take no for an answer, it’s always a struggle to deal with that. Because I want to help, right? That’s just my nature. But they’re not listening.

[David Spark] The other people are actually working with you. You’ve already said yes to them.

[Mike Johnson] Yeah. But the reality is it’s kind of the normal thing. Right now, if I look at my inbox, I’ve got messages from half my vendors. And I do ignore them. There’s nothing that says I actually have to engage in that message. But the person who’s just coming at me via email and phone and snail mail and trying every way to get ahold of me…

[David Spark] Knocking on your front door, trick-or-treating.

[Mike Johnson] Exactly. That’s absolutely the worse one. Hands down, that one’s the worst.

[David Spark] Okay. Because we thought because of the fact they were existing customers that would be an issue. Jeremy, agree or disagree with Mike here?

[Jeremy Embalabala] I got to disagree with Mike here.

[David Spark] All right.

[Jeremy Embalabala] For me, scenario one is worse, right? Those are folks that you’re already dealing with, they are supposed to be trusted partners that understand your priorities, your organization, your roadmap, your financial modeling. And if they don’t take no for an answer, then that’s going to be tough. I’m relying on having open, clear lines of communications with those folks to kind of get through normal operations and normal activities.

[David Spark] That’s the key line right there I think, Mike.

[Mike Johnson] It’s a good answer.

[David Spark] He’s got to trust the communications.

[Jeremy Embalabala] Right.

[Mike Johnson] I think the reality is, again, as always, both of these suck and…

[Jeremy Embalabala] They do.

[Mike Johnson] …we all have our coping mechanisms.

[David Spark] But I think Jeremy’s right.

[Jeremy Embalabala] You don’t have to butter me up, David.

[David Spark] Well, first of all, I always like to knock Mike down a peg because…

[Mike Johnson] That’s really what it is.

[David Spark] …in the previous segment, Mike did say I was full of it.

[Mike Johnson] [Laughter] Revenge is a dish best served immediately.

[David Spark] Exactly. Good point.

Is this the best use of my money?

20:52.548

[David Spark] The cost of getting and paying for cybersecurity insurance is so darn high. Would it be worth it to just self-insure? Interesting concept. Okay. What this would be is creating some type of fund that could be used should you suffer a breach. Duane Gran of Converge Technology Solutions posed this as a possibility, given the rising concerns of just getting insurance. There comes a point where the cost of insurance is just so darn high, and all the loopholes insurers are creating that do not give you coverage are so great, that is it possible cyber insurance just simply won’t cover you? I mean, I’m wondering. So, think about all the costs you have to incur just to get the darn insurance, and on top of all that, the cost you then have to pay for the insurance. So, Jeremy, I’m interested to know – what would your situation need to be that would make self-insuring a valuable option? I would assume getting rejected for insurance would qualify, but what would you do to self-insure?

[Jeremy Embalabala] First I’ll qualify my statements around this – HUB is a broker, a large insurance broker, we have a very large cyber practice. I work with our brokers on procuring cyber insurance for HUB but I’m not an insurance producer, I’m not on the sales side. So, I’ll just put that out there, these comments are from a CISO’s perspective. But I mean, you’re right. I mean, outside of kind of the increasing cost of coverage, coverage is just flat out getting denied in some cases. In my mind, the cyber liability market is still somewhat immature…

[David Spark] Yeah. And I keep thinking about that. Let me just pause this discussion. You look at traditional insurance, like your auto insurance and your home insurance. They’ve got decades if not hundreds of years of actuarial tables to build these models. There isn’t that for cyber insurance, it’s more like months.

[Jeremy Embalabala] Right, right. And so like we talked about earlier, in an earlier segment around the CISO role being somewhat new and immature, there’s going to be some turbulence in cyber insurance because it’s also very new to the industry. But to answer your question, I think self-insurance is something that’s probably not feasible for a lot of folks, especially…

[David Spark] No, I think this is an outlier, for sure.

[Jeremy Embalabala] Right. Customer requirements often dictate cyber liability coverage during the RFP process or contractually, so outside of the cost or the ability to get coverage, even if you had kind of unlimited money, it’s going to be difficult to navigate the business landscape without having that coverage or being able to prove that coverage to folks. The other piece of it is we talk often about cyber insurance and the claims around breach expenses, specifically around forensics, legal support costs, notification requirements and those communication costs. What about business disruption, right? Cyber liability policies, there are policies that cover business disruption. And can you self-insure yourself for two, three, four-plus weeks of lost revenue? And so when you’re thinking about self-insuring, you’ve got to be careful in considering what are you trying to protect against. It goes far beyond just your kind of incident response cost.

[David Spark] Extremely good points. All right, Mike, give me a single scenario where self-insuring could actually work.

[Mike Johnson] The only one that to me comes to mind is when you have no other choice. We’ve seen…

[David Spark] So, this is truly last resort?

[Mike Johnson] Yes. I really think so. Because you don’t know what those losses are going to be, and you don’t know what their frequency is going to be, and so you can’t really do the math yourself to say, “I’ve got a 1% chance of a $2 million valued event,” which says, “Okay. Well, I need to set aside some amount of money, the likelihood…” so on and so forth. But it could be a huge thing, and it just comes out of nowhere, and you don’t even know that it’s going to happen. So, I don’t know how you would know how to set aside that fund. If you have no choice, like a lot of cryptocurrency companies or the whole decentralized finance world, cyber insurance won’t touch them because the events are just so massive, billions of dollars of losses, cyber insurance just can’t cover it, so they don’t. Those are the only places where self-insurance is your only option, and essentially what your self-insurance route there is is crossing your fingers and hoping.

[David Spark] Not much of a strategy, is it?

[Mike Johnson] It is not at all a strategy.

Are we having communication issues?

25:45.723

[David Spark] How can we improve meetings? A redditor on the cybersecurity subreddit asked for advice on how to make his meetings more fun, and the most popular response by a wide margin was “Don’t make it fun. Make it short.” So, should you make a meeting fun, or should you make it short? Or rather, effective I’m sure is what everyone wants. I’ll start with you, Mike. What have you done to improve meetings and choose any and all of these variables?

[Mike Johnson] No, I totally agree. I don’t want to go to a fun meeting. I can’t imagine…

[David Spark] You already know how to have fun. You don’t need your office…

[Mike Johnson] I don’t need a meeting for fun. You put it very astutely when you said “effective” and if I’m in a meeting and I come out of it going, “That was an effective meeting, that was a good use of my time, that was a good use of everyone’s time, and it feels pretty good.”

[David Spark] Let’s back up there. Walk me through, give me an example. What was an effective meeting? Best one you can think of.

[Mike Johnson] The ones that I’ve found most effective is where we have an agenda, we stick to it, and when we reach the end of the agenda, we walk out.

[David Spark] And let me throw out – probably everyone knows what they’re supposed to do next.

[Mike Johnson] That’s in some meetings… So, rewinding a little bit, also what you need to know is the purpose of the meeting. Sometimes the purpose of the meeting is to drive to a decision in the meeting, so you can be done and there’s no follow-ups. But if it is to lay out a strategy or figure out what’s next or assign responsibilities or any number of other things, you’re right. People need to know what the expectations are of them when they go out of the meeting. And that’s another effective meeting. You know what you’re responsible for, and you know who’s responsible for the other pieces.

[David Spark] All right. Good answer. Jeremy, I’m throwing you this. Do you ever want a fun meeting, ever?

[Jeremy Embalabala] Don’t want fun meetings, no. Short and effective meetings. I agree with Mike’s comments. In addition to an agenda, one of the things that I ask for is expected outcomes. I’d say that more often than not when an agenda and expected outcomes are circulated in advance of a meeting, we’re able to address what was needed without having the meeting. And to me, those are the best, the meetings that don’t even have to happen. Meetings to set meetings, general discussions with no clearly defined outcomes, defining dates for which we will set the date, those are red flags that to me show we have a lack of clarity and direction that we need to provide. So, I think that there may or may not be action items that come out of a meeting, but that agenda and expected outcomes to me is really the key to having an effective meeting.

[David Spark] Let me ask you, and I’ve dealt with this before, is that somebody wants to have a fun meeting, and you have to go to this “fun” meeting. I get the sense there’s a lot of groans. Has there ever been a fun meeting for you, Mike?

[Mike Johnson] Has there ever been a fun meeting? I mean, “never” is a strong word, so I’m sure there have been.

[David Spark] You just can’t think of it. Like you play a game or there’s, I don’t know what, there’s something that happened that made it entertaining.

[Mike Johnson] Usually those aren’t meetings though. There’s a difference between…

[David Spark] Social events.

[Mike Johnson] Yes. There’s a difference between getting a group of folks together and maybe that is a social event, that’s not a meeting. I think there have been some where we would have an icebreaker at the beginning, and that was just because the group of folks didn’t really know each other.

[David Spark] There were some new people there.

[Mike Johnson] Mm-hmm, mm-hmm. And sometimes those icebreakers can be fun, sometimes they can be very groan worthy.

[David Spark] Yeah. Most icebreakers are pretty groan worthy, aren’t they, Jeremy?

[Jeremy Embalabala] Yeah. For me, it depends on, again, the expected outcomes. If the expected outcomes you’re looking to accomplish with the meeting are breaking the ice and introducing new people, and as an executive, getting people to be comfortable working with one another and collaborating, then fun meetings make sense, right?

[David Spark] Yeah, it’s a good idea to do that. Very good point. That’s actually an excellent point. Sometimes you’re supposed to have a fun meeting because that’s the purpose of the meeting.

[Jeremy Embalabala] Right. But if it’s Monday morning, and it’s the same people you’ve been working with for six months and you’re midstream in a project, not the time for a fun meeting probably.

[David Spark] Good point.

Closing

30:19.165

[David Spark] All right. Well, that brings us to the end of this episode. That was awesome, Jeremy. Jeremy, I’m going to let you have the last word. By the way, that was Jeremy Embalabala who is the CISO over at HUB International. I want to thank our sponsor SlashNext. Check them out at SlashNext.com. If you have any messaging interests, check them out. Also, you know what? They are giving out a full year of their home mobile app, and I will make a link to that. You get a free year of that and so check it out. That will be available on our site as well for this very episode. Mike, any last words?

[Mike Johnson] Jeremy, thank you very much for joining us. It was great to sit down and have the conversation, get your perspectives. I really liked how you talked about communication a lot. That was very much a theme that came through, relationships. I appreciated how you talked about cyber insurance, and that’s an area that a lot of folks have a lot to learn, and I think people got some good nuggets from that. The one that I want to call folks out on is where you were talking about getting away from the waterfall model, and you said something that I don’t think anyone I’ve heard has ever put in those terms of “get rid of the review-and-approve cycle.” And I think that’s really a great way for people to think about how they can get more collaborative with regards to security. Get rid of that review-and-approve lifecycle, figure out how you can make that work, and you’ll end up working better with the rest of your organization. So, thank you specifically for that tip, for coming onto our show, and we had a great conversation. Thank you, Jeremy.

[David Spark] All right, Jeremy, you get the final word, and I always ask are you hiring – are you hiring?

[Jeremy Embalabala] We are hiring. We’ve got, I think, nine open roles right now…

[David Spark] Wow, that’s great.

[Jeremy Embalabala] …on our security and compliance team, so we’re growing. So, if there are qualified applicants out there, I’m sure everybody listening to this podcast is competing for the same small pool of excellent resources. But check us out – hubinternational.jobs. And if you’re looking for cyber insurance – hubinternational.com.

[David Spark] I should mention they should drop that they heard you on this show, yes?

[Jeremy Embalabala] 100%. Thanks for having me, David. And Mike, it’s been great.

[David Spark] Awesome. Well, you were fantastic on the show. By the way, I’m going to double down on what Mike said. I think opening up people’s eyes to all the other issues that are involved in cyber insurance that really can’t be solved with self-insuring, and I think we answered the question as it’s truly the very last resort, essentially. And sadly, it’s the last resort for a lot of companies because so many get rejected. But honestly, many get rejected because they don’t have their systems up to snuff. But as you mention, these cryptocurrency companies, it’s never going to happen, or it’s not going to happen until things sort of settle down, I guess. Thank you again, Jeremy. Thank you, Mike. Thank you to our sponsor SlashNext. We greatly appreciate their support. And we greatly appreciate the support from our audience. Guess what? I need a lot more “What’s Worse?!” scenarios, so send them in, we want them. Thank you for your contributions and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.