We could offer a simpler explanation of our technology, but if we confuse you we can charge a lot more.



This episode was recorded in front of a live audience at BSidesSF 2020 in San Francisco. It’s hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest is Olivia Rose, CISO, Mailchimp.

Look at that screen! We were in a movie theater. Those small people in the lower right are David Spark, producer, CISO Series, Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, and Olivia Rose, CISO, Mailchimp. Photo credit to @ash1warya.

Thanks to this week’s podcast sponsors, Vulcan Cyber and CyberArk

Vulcan is a vulnerability management platform built for remediation. By orchestrating the entire remediation process, Vulcan ensures that vulnerabilities aren’t just found, they’re fixed. Pioneering a remediation orchestration approach, the platform enables security, operational and business teams to effectively remediate cyber risks at scale.
Stop managing, start fixing.
At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

How to become a CISO

What is some actionable “let’s start today” advice? What could an individual do right now to develop the skills to be a cyber leader and make it clear to management that’s what they’re gunning for?

What we’ve got here is failure to communicate

If all vendors stopped sending cold emails, which is what we constantly hear CISOs say they should do, how should they spend their time and money instead to greatly improve their success? If a CISO played the role of a vendor, which happens often, what should you do to get to you?

What’s Worse?!

We play TWO rounds.

What do you think of this vendor marketing tactic?

According to a recent study by Valimail, CISOs are very suspicious of security vendors’ claims. In general, the numbers are horrible for vendor credibility. Close to half of security professionals claim the following:

  • Vendors’ tech and explanation are confusing
  • Practitioners have a hard time seeing and measuring value
  • Practitioners don’t know how a vendor’s product will stay valid on their security roadmap.

What could cybersecurity vendors do to make their claims more believable?

Close your eyes and visualize the perfect engagement

Rafal Los, Armor Cloud Security, asked, “If you could implement one thing in your organization that would receive universal adoption without push-back, what would it be?” The question, which seems reasonable but in the security world often feels impossible, generated a ton of responses on both LinkedIn and Twitter. Many wanted company-wide adoption of one solution, such as MFA or vulnerability management. Others wanted widespread and ongoing security education. Our CISOs debate the one pushback-free solution that would yield the greatest results.