We’re just a bunch of immature teenagers who can’t seem to control ourselves or our security program. We’re definitely exploring new solutions in the latest episode of the CISO/Security Vendor Relationship Podcast.


This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson, CISO of Lyft. Our guest this week is Michael Makstman, CISO of the City and County of San Francisco.

Enormous thanks to our sponsor this week, Axonius, simple asset management for cybersecurity.

Got feedback? Join the conversation on LinkedIn

On this episode:

Why is everyone talking about this now?

Allan Alford, CISO of Mitel, who appeared on last week’s bonus episode, had a very popular post on LinkedIn discussing the maturity of a security program. He argued that many vendors believe budget is the determining factor in whether or not a security solution gets adopted, but that budget is actually not high on the list. A security program’s maturity ranks much higher, and every security vendor should have a clear idea of where their product fits on the security maturity ladder.

Ask a CISO

On our last episode, the one recorded in front of a live audience, Ahsan Mir (@ahsanmir), CISO of Autodesk, said that any security program that can’t withstand human error is not a good security program. I asked the CISOs how they think about building a security program that can withstand human error.

What’s Worse?!

This week’s challenge focuses on what’s harder: training staff or hiring staff?

What’s a CISO to do?

I asked the two Mikes if they’ve ever come into a job and found a process that didn’t make sense for the environment but was already fully in motion when they walked in. How did they react in that situation? Did they investigate, amend, or stop it?

First 90 days of a CISO

Chad Loder (@chadloder), CEO of Habitu8, asked a question that I embellished and put to our two CISOs: “When you were interviewing for a CISO position, what do you feel was the most telling question you were asked, and was there anything that wasn’t asked that you think should be asked of any possible CISO candidate?”
