CISO job descriptions are all over the map in terms of what is desired and what the company is willing to pay. What are the questions organizations should be asking themselves when putting a CISO job post together? And what really matters to CISOs and wannabe CISOs?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap). Joining us is Dennis Pickett, vp, CISO, Westat.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Recorded Future
Full Transcript
Intro
0:00.000
[David Spark] CISO job descriptions are all over the map in what is desired and what the company’s willing to pay. What are the questions organizations should be asking themselves when putting a CISO job post together and which CISOs or wannabe CISOs actually care about?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO series. And joining me to co-host this very episode, it’s actually going to be a really fun topic, it’s none other than Geoff Belknap, who is a CISO himself, right, Geoff?
[Geoff Belknap] I am, for all intents and purposes.
[David Spark] How many times have you been a CISO?
[Geoff Belknap] More than once, less than a hundred.
[David Spark] If I know correctly, you’ve been it, hold it, one, two, three times? Three times a CISO?
[Geoff Belknap] Who’s counting, really?
[David Spark] Enough times.
[Geoff Belknap] Enough.
[David Spark] I’m guessing three times a CISO. Wasn’t that a song by Lionel Richie and the Commodores? You’re once, twice, three times a CISO?
[Geoff Belknap] That’s exactly who that song was about.
[David Spark] Yeah. I don’t believe, by the way, the term CISO was around when that song was recorded.
[Geoff Belknap] Well, we’re a very progressive, forward bunch.
[David Spark] You know what? If Lionel is listening to this, which I’m sure he is, would you record a version once, twice, three times a CISO?
[Geoff Belknap] Yeah. Or just email in and let us know for sure that we were what you were talking about, us, CISOs.
[David Spark] Yes. [Laughter]
[Geoff Belknap] Yeah. If you could just have your agent email in and confirm that for us, we’re pretty sure that’s what you meant.
[David Spark] Our sponsor for today’s episode is Recorded Future. Get ahead of present and future attacks with Recorded Future. We’re going to talk about just that a little bit later in the show, but first, let’s get to our topic at hand. The CISO role is still fairly new in the corporate structure and in using it in lyrics and pop music as well, as I understand.
So, it’s understandable to see the job qualifications do change. Okay? And that’s understandable because the role changes. Christian Hyatt, who’s the CEO at risk3sixty, put together a pretty comprehensive job description for the role, and this includes business skills like developing a security roadmap that aligns with business objectives, GRC experience.
Like the ability to do a sanity check on the security organizational structure, technical skills, and the ability to collaborate across IT and development teams. So, the list for a CISO role is extensive. The question, and I throw it to you, Geoff, is what’s most important to be successful in the role?
If you could sort of sum it up, not in a long job description, but hey, if you were hiring a CISO yourself, what would you want that person to be?
[Geoff Belknap] Oh, boy. I think my current thinking on this is you really need two key ingredients. You need some amount of what I would call the domain experience baseline, which is security depth. You need depth in the security space, and you need breadth, but you need depth in one area. Like if you’re a GSC person, great, but you also need to know some of the other domain, but you need that baseline of security experience.
And then the other bucket, you need executive leadership experience, or you need some kind of leadership experience. If you’re going to hold the CISO title, you are expected to be the seniormost leader for your security organization at your organization. And that is a whole ‘nother set of skills from just knowing security.
And I think you have to have at least those two things, and the amount of each of those really depends on what your organization is.
[David Spark] So, could a job description just have two bullet points?
[Geoff Belknap] Yeah. Be good at security and be good at leadership. Done. Hired. All done. Boy, this is going to be a short podcast.
[David Spark] Well, those can be extensive bullets. All right. The person to help us with those two, and God knows how many extra bullets after that, I guess we’ve had on many times before. We love having him back. It is the VP CISO himself over at Westat, none other than Dennis Pickett. Dennis, thank you so much for joining us.
[Dennis Pickett] Well, thank you very much for having me. I’m looking forward to doing this again.
This is not just a security issue.
4:08.061
[David Spark] Dustin Sachs of CyberRisk Collaborative said, “A good CISO needs to be able to help craft solutions that effectively balance key security principles with ‘meeting teams where they are.’ The CISO is willing to make security fun. We have implemented several mechanisms to do this at my company,” and I’m quoting this person, this was a while ago.
Thanks to Shawn Bowen. Shawn, we lost Shawn recently and Dustin got a chance to work at his previous role and just glad to quote him again.
[Dennis Pickett] I miss that guy.
[David Spark] But Dustin goes on to say, “An effective CISO needs to also have a sense of humility and a willingness to admit when they are wrong or made a mistake. Just today, I observed my CISO do this,” this would be Shawn, “And it made me respect him even more.” Do you willingly admit to mistakes, Geoff?
Yes?
[Geoff Belknap] Oh, absolutely. And in fact, I think it’s pretty important if you’re going to be CISO or really any kind of senior leader to admit that you make mistakes and own them.
[David Spark] Not only that, by the way, I make mistakes, and I tell my staff I love it when they point them out. That’s the other thing. I tell them how much I enjoy that because it makes me better and realizes that they are key on making sure that we are producing good product. Let me just read one more quote from Greg van der Gaast of Sequoia Consulting, said, “I bump this up a level to not be a tech function at all, a business-wide horizontal, incorporating security thinking into every business process, even the ones that don’t involve any tech, understanding of business processes across all departments, driver of synergies, executive support to optimize business process so that there’s a lot less firefighting and ‘risk management’ needed in the first place, help market and commercialize security where possible, and above all, help improve culture – and no, I don’t mean user awareness – to unlock the organization’s ability to do everything to a higher standard, which will automatically drag up security.” All right.
I very much like these two quotes, but the second one here from Greg, which is quite extensive, I think he kind of really sort of parses out all the sort of the business elements and how security empowers the business. Geoff?
[Geoff Belknap] When I talk about the other bucket, this is a dissertation, really, in what I’m talking about, right? You cannot do the job without understanding security at some technical level, but you cannot be a security leader, whether you’re CISO or VP of security or head of GRC, without understanding that this is effectively what you’re trying to do on a day-to-day basis.
You’re trying to understand how do you apply that knowledge to the individual business units? How do you support the company delivering value in some way, whether it’s selling a product or providing a service or operating a nonprofit? You have to be able to do both. And I think this is the thing that most people miss when they realize, they go like, “Great, I got my CISSP,” maybe I worked in the SOC for a while or I’m a great hacker.
You have to start learning this, right? And you can’t be a leader of any kind, whether it’s CIO or CISO or head of sales, unless you really understand that your job is to help the organization that you’re a member of be successful. Your job as a CISO is to help build trust and defend your environment so that the organization can be successful.
And it is all of these things, and frankly, there’s a long list that Greg didn’t go into that are a part of doing that successfully.
[David Spark] All right. I throw this one to you, Dennis, just leaning into Greg’s second comment here of that expanding that concept of how the CISO leads the security department to align with the business.
[Dennis Pickett] Yeah, absolutely. I think he really is talking about that creating the culture of security that you want to develop at your organization. You don’t want security to be an afterthought or an add-on. It needs to be part of everything people do. And it’s going to benefit you and the organization in a whole lot of ways.
If your developers are gathering security requirements and testing security while they’re doing functional requirements testing and gathering, that’s better than adding it on at the end. And it can be more subtle. If you create a culture where people are suspicious of emails with external links, you’re going to have fewer, as Greg points out here, fewer firefighting activities because you’re going to have fewer incidents because that culture of security becomes pervasive and it takes time.
What would a successful engagement look like?
8:46.695
[David Spark] Daniyal Nadeem of Oracle said, “A CISO needs to be an effective salesperson. They have to sell and demonstrate the value of the entire CISO org to the board.” And Matthew Sharp, CISO of Xactly Corp said, “Include building customer trust that enables business growth depending on business model, maybe direct experience supporting the sales cycle.” Also, Matthew says, “Attract and retain high-performance teams, experience with conducting crucial conversations to produce shared commitment in the face of opposing opinions, that’s pressing business demands.” And lastly, “Digital transformation is common these days, so experience leading change while leveraging emerging tech.
Some form of innovation as a builder is required.” So, a mishmash of sort of other tips from Matthew and both Daniyal and Matthew both lean on the CISO having to be a salesperson. Do you feel that way, that you’re a salesperson at any time, Dennis?
[Dennis Pickett] Yeah, absolutely. I think his quotes really touch on two things, the ability to communicate and the ability to build a team, which does also require communication. But those are critical aspects of the CISO role. And in fact, we were talking earlier about how aspiring CISOs may listen to this and want to know what they can do.
And I think the ability to communicate and lead separates a lot of great security engineers from being CISO leaders. So, that ability to communicate with people in any direction on your org chart in a way that they can understand, so they can feel what is important to you is also important to them is a critical aspect of the role.
[David Spark] I throw this one to you, Geoff, as well. And let me just also throw out this last comment that Matthew mentioned about digital transformation. I mean, a good significant portion of your job is knowing what to do next, and it’s not a roadmap that’s easily laid out, is it?
[Geoff Belknap] No, it’s not. And this is why I think a lot of people feel it’s selling, but to sort of plus-one with what Dennis said…
[David Spark] Yeah, you winced when I said “selling” a little bit there.
[Geoff Belknap] Well, there is some truth to, like I spend time with customers, and to some extent I am selling the brand. But I don’t like CISOs to be involved in actually pitching the product. I feel like that muddies the water sometimes because I would really like the CISO to be responsible for securing it and not feel like they’re making a tradeoff to make it more marketable.
[David Spark] Let me push back a little bit on that.
[Geoff Belknap] Sure.
[David Spark] Isn’t that also part of the trust that is needed when you’re onboarding a customer? Like, “Hey, let me have you talk to our CISO about how we’re handling security and how we’re handling privacy.”
[Geoff Belknap] A hundred percent. And that is something I think falls right into this conversation talk track, which is you need to be able to communicate what your organization is doing, why your customers or users or whoever you’re delivering value for should trust you, because the basis required to be able to do business or to provide a service of any kind, whether it’s free or otherwise, is trust.
And you have to be able to communicate clearly about what you’re doing and convincingly. And I think we feel like that’s selling, although I don’t like “selling” because it feels like there might be a trick or maybe there’s an unbalanced value in that equation.
[David Spark] You’re just part of the sales cycle, maybe I’d say it that way.
[Geoff Belknap] Yeah, perhaps. But I think what’s most important is you are pitching your idea, your vision, right? If you’re involved in transformation of a technology or a direction that you want the business to go strategically, you have to be able to articulate a direction and a convincing reason why, and why that is beneficial to the end users, to the business, to the board, to the investors.
And you also need to be able to pitch it to your own people. Why should they work hard to do this security thing? If you’re going to implement a new control that might add friction to people, why is that important? And you cannot just fall back on, “Because it’s the most secure thing to do.” That’s a great way to lose your constituency.
But if you are good at marketing the value of those things, both from a security perspective and a value to the business, you can win a lot of support. And I think that’s why we talk about communications is important, sales is important, but really, what we’re saying is communication from an influencer’s perspective, and this is one of the most undervalued skills that everybody who is successful at this job, to Dennis’s point, has either intrinsically or has developed intentionally.
[David Spark] Let me throw this to you, Dennis. Isn’t there a point, or don’t you look forward to this point, where you’ve communicated something about security to a non-security person and they’re a sales person, they go out, and you overhear or you’re in the room when they’re communicating how you’re dealing with security, how you’re dealing with privacy, how you’re working with third parties, whatever it is, and they nail it.
And you’re like, “I did my job. I didn’t have to say any of that, and they did it.” And I realized I’m safe in knowing that they are out representing us correctly. A, have you had moments, and you must feel great, like, “Oh.” There’s always this feeling I want to be represented correctly, right? I mean, that’s got to be the key moment you’re looking for.
[Dennis Pickett] Absolutely. I love that feeling, and I love when I hear people sort of repeat the things I’ve said back to me at other times. Say, “I was doing this one thing and something looked suspicious, and I remembered you saying we should talk about that and not just sweep it away.” And you start hearing, it kind of goes back to that culture of security we’re talking about, where people aren’t just going, “Oh, it’s probably fine.” They’re going, “No, wait, let me take a look into this and check it out.” And you talked about the salesperson.
Well, I think the sales, we wince a little at that, as you said, because we have visions of people trying to convince others to buy something that they don’t necessarily need in order to make a sale. But in security, these things are needed, and it’s something you can believe in. And what we’re selling is that trust that Geoff was mentioning before.
You should trust us because we are doing the right things, and here’s what it is. So, when those salespeople then repeat those things back and they can say it with confidence because it’s true, you really know you’re doing your job well, and the organization is going to benefit from that.
Sponsor – Recorded Future
14:58.241
[David Spark] Before I go on any further, I do want to tell you about our brand-new sponsor, and that is Recorded Future. Now, in cybersecurity, your greatest fear isn’t the threats you see coming. It’s the critical signals lost in the noise, the ones that could have prevented damage to your reputation, business, and trust.
Every day, security teams face an impossible challenge sorting through millions of threats, each potentially critical, but somewhere in that noise are the signals you can’t afford to miss. That’s why Recorded Future was built – to give you the power to outpace threats through precision intelligence tuned specifically to your needs.
Advanced AI detects patterns human eyes might miss while threat intelligence experts, veterans of military and intelligence services, provide context that machines alone cannot. With Recorded Future, you gain the confidence to know what matters most and the precision to act when it matters most. Learn why more than 1900 customers, including more than 45 sovereign governments, trust Recorded Future to increase their ability to detect a new threat and get, listen to this, 350% ROI in just one year.
You could do that, too. Just go to their website and check it out at RecordedFuture.com.
What are the elements that make a great solution?
16:24.466
[David Spark] Jared Kurtz of Flexamat said, “Promote a sense of ownership and a responsibility for security throughout the organization.” Kind of like what we were just talking about at the end of the last segment. Neha Malhotra of JPMorgan Chase said, “Building a great team that’s not just technically sound, but more so has the attitude of taking ownership and working with least supervision is so crucial to meet all the objectives and the roadmaps.
A CISO can achieve this by providing/ensuring a great culture, by being an empathetic leader who cares and leads by example.”
And Diane Calderon of Upvest said, “Empathy, kindness, ability to translate technical requirements into business requirements, basic knowledge of cloud technologies and tech stacks, strong knowledge of security frameworks, and ability to create and define a security strategy and security culture aligned with and supporting the business.” All right.
Again, more things listed, and I can’t say any of these are wrong. But let me ask you, Geoff, when you see long lists of these, we’ve already hit a lot of these already. Do you feel overwhelmed? I mean, heck, that’s what you do have to put it in a CISO job requirement. Yes?
[Geoff Belknap] Do I feel overwhelmed? I mean, no, I think each one of these is not something you have to study long hours for. You just have to ask yourself as a leader, am I building an authentic culture? Am I representing the things that I think are valuable and modeling those behaviors? Like I said, it’s part of leadership.
The number of things of, I think, useless facts that I am walking around knowing from a security perspective is innumerable, and it would be overwhelming thinking about them. But I think it’s very similar in the what we might pejoratively call the soft skills space. There’s a lot of things you have to know and be good at to be a very senior leader, and I think this is maybe the first time people are thinking about articulating them.
It’s a lot, just like in technology. There’s a lot of tech you got to know. There’s a lot of soft tech you need to know.
But I also think the other thing to keep in mind is not every leader needs every one of these things, right? Your different organizations, the different phases in your career, whether your company’s public or private or a startup or a giant enterprise, they sort of dictate which of these things you need to work on.
And I think everybody’s at a different point in their career where, like David, you and I are really good at people skills and we’re easy to talk to, but maybe we got to work on giving large talks or something like that. Like everybody’s got something they got to work on. Just like if you’re in the technology space, maybe people got to be better at Windows or Unix.
It’s just one of those things. It’s a continuous improvement cycle and you always got to be ready to learn. So, I don’t think it’s intimidating so much as just an acknowledgment. These jobs are really complicated and it’s not just the technology.
[David Spark] Dennis, I’m going to throw you a little bit of a curveball.
[Dennis Pickett] Okay.
[David Spark] I get the sense that when I see a CISO job listing, that it’s literally, say, let me just take every security job listing I’ve seen, put it all in one, and it’s like throwing everything and the kitchen sink. What have you seen in job listings, for a CISO specifically, you’re like, “That really doesn’t need to be there”?
[Dennis Pickett] Oh, things that don’t need to be there in a job listing. Nobody can be an expert on everything. So, I think we’re talking about like everything and the kitchen sink may be in that job listing. I’m trying to think of one that I wouldn’t want there.
[David Spark] And by the way, Geoff, I’m going to quote something you’ve said. I’m going to throw this to what you said is it’s not my job to know everything.
[Geoff Belknap] That’s correct.
[David Spark] But it’s building the team that knows everything, correct?
[Dennis Pickett] Yeah. You want to have the team and rely on them. You’ve got to trust your talented people. And we touched on team building for a moment earlier, but the team that you build will be the greatest thing to help you with your success long term. Out of all these different things you’ve got in this job description, if you can’t build an effective team that you can rely on and trust, who is capable of letting you know when you’re wrong, and you’ve got to be willing to consider that and change your position based on that.
If you don’t have those people working with you and for you, you’re not going to be successful long term.
[David Spark] And we’ve had CISOs who did not come from a technical background, have been on our show before, and there are a good number of them that don’t come from a technical background. Rarely does a CISO job listing does not show some desire or requirement for a technical background. But could you just omit the need for a technical background in a CISO job listing?
Or how do you feel? Because I know some people who feel very strongly about it.
[Dennis Pickett] Yeah, I think you’d be at a serious disadvantage if you didn’t have some technical understanding. But again, you don’t need to be an expert in everything. You may have come up through an engineering path or from some other path. But if you don’t understand the security frameworks, the commercial ones, the federal ones, if you don’t understand how the networking and the firewalls and the technology interoperate, how are you going to develop plans and effective solutions or evaluate the plans and solutions your team presents to you in order to guide the organization on the optimal path?
What must a security leader be able to do?
21:43.291
[David Spark] Bryan Miott of First Republic said, “One thing I would add is crisis management. If a breach does occur, the CISO needs to be able to mobilize a crisis response team. This may involve stakeholders from the Board, Legal, Marketing, PR, FBI, IS, and other groups. I also believe at the CISO level, response plans need to be in place long before an actual breach occurs.” So, I think there’s no disagreement here, but I’m going to start with you, Geoff, and go, all of these things that we’ve been mentioning are good.
They’re great. But I’m going to say this. I think you could be any kind of security leader with all the things we said here. But if the CISO can’t do crisis management, they can’t be a CISO. What do you think, Geoff?
[Geoff Belknap] That’s a tough one. I want to hedge here, but I think the short answer is no. You have no business being a CISO if you can’t handle a crisis.
[David Spark] Okay, so actually you’re saying yes to my question. [Laughter]
[Geoff Belknap] Yeah, my only hesitation here is like, look, with anything in a big enough world, you can hire a team that’s your crisis management team and let them run with it. But at the end of the day, if you’re the seniormost security leader, the buck stops with you. You need to be able to make final decisions and represent what’s going on to the board without having to pass the buck off to somebody else.
And like it or not, at the end of the day, it is your job to deal with these incidents, crises, emergencies, whatever you call them, and you also have to recognize that these things don’t just happen once in a lifetime. The mini crises happen every day, several times a day. They just might not be company ending and then you’re notifying people about them, but you’re dealing with this a lot.
So, if you can’t handle it both personally and professionally, you should find a different role.
[David Spark] So, I’m going to throw another curveball at you. Give me two to three CISO must-haves because I’m thinking crisis management is one of them, but two or three CISO must-haves and CISO nice-to-haves, it would be really good, but I guess we could kind of work around if you don’t have it fully, like having it kind of half.
But having crisis management at an A level, and you could have like a B to B-minus level on some other things. Give me two, three things that are must-haves and nice-to-haves for a CISO. What do you think, Geoff?
[Geoff Belknap] Oh, let’s see. I think the ability to think on your feet. So, whether that be making decisions in a crisis or whether it’s just reacting.
[David Spark] These are the must-haves.
[Geoff Belknap] These are the must-haves. You’ve got to be able to adapt to changing information. I think you have to be able to synthesize very complicated sets of facts into things that are easy to understand for people that may not be technical or translate non-technical requirements and do something deeply technical for your security folks when it comes to the business.
I think communication skills are a must-have. You have to be able to communicate, to Dennis’s point, up and down the organization and across from your technical to non-technical people.
[David Spark] Okay, but now I’m going to force you into a nice-to-have that isn’t critical. And by the way, it’s not that they don’t have it. It’s more they kind of have it at a B level.
[Geoff Belknap] Yeah. And this might be controversial. I’d say a nice-to-have is any depth in any specific technical area. If you have breadth, that’s great, but if you have depth in AppSec or cloud security or network security, whatever it is, that’s great. That’s really nice-to-have. It’s not a need-to-have.
And I think it applies across a bunch of areas. It’s great to be experienced, but what you really need is a little bit of everything.
[David Spark] Great answers there. All right. I’m throwing this also to you, Dennis. I mean, Geoff took a lot of good ones. What would you add?
[Dennis Pickett] Well, I do have to reflect the communication one. I think that’s absolutely important, and we touched on team building, but those are ones we’ve already done. So, I’ll throw another one out there also, but the ability to set goals and then see the path, create that plan to achieve those goals.
It’s one thing to say, “We need X,” but especially in a large, complex organization where you’re going to have to collaborate and get buy-in from multiple teams, make sure the budget is there for it, you’ve got to be able to see that goal and make a plan to achieve that goal in order to execute on that.
That’s not something you can rely on other people for. I really do, on the nice-to-haves, absolutely agree with Geoff that depth in technical areas is nice-to-have, but when you’re now operating at that level, you’re not the one who’s configuring that firewall anymore. You don’t have to have that level of detail in your skills.
Another nice-to-have one would be the ability to do podcasts and communicate these things in a public forum. While this is great fun for us all and I love sharing this knowledge and information, I don’t know that that’s a critical skill.
[David Spark] And also, it helps with employment branding. Let me say if you have a large following, if you do a good podcasting, this is good employer branding for like, “Oh, I’d like to work with that CISO.” Like when they hear them or see them online. So, that is, again, I agree. Total nice-to-have.
I’m going to summarize what I’ve heard so far. We’re really doubling down on the leadership element of a CISO here, and leadership element means dealing with crisis and leading the program towards a goal, and then all the sort of the communication elements that are around that. Are we sort of in agreement on this, that that is really what has to be in this sort of job description for a CISO?
The doubling down on the leader element?
[Geoff Belknap] Oh, yeah. You need to be a leader first and a technologist second. All right. Good point.
Closing
27:19.163
[David Spark] All right. Now, Dennis, I’m throwing this to you. Your favorite quote from all of these quotes, lots of good ones. The one that sort of best hit you, either a simple element that people missed or best sums up our discussion. Which quote was your favorite?
[Dennis Pickett] I really liked the quote about promoting the sense of ownership and responsibility throughout the organization. I feel like you get so much benefit overall from that once that’s pervasive throughout the company.
[David Spark] All right. That was from Jared Kurtz of Flexamat. All right, Geoff, your favorite quote and why?
[Geoff Belknap] I’m going to go with one that mentioned our friend Shawn here. Dustin, who’s, “A good CISO needs to be able to help craft solutions that effectively balance key security principles, meeting his team where they are, but they also need to make security fun.” And I just want to double down this because Shawn, I miss you, buddy, really made security fun.
He couldn’t find anything to not make fun. And when you’re doing a hard job, this is part of your job as a leader to recognize that this is very hard and to find an outlet for your team and to help them acknowledge that they’re doing something hard and we need to support them and we need to both give them the resources they need and the room to decompress from that.
And I think anybody who can do that is a phenomenal leader.
[David Spark] Shawn Bowen was one of those kind of people. I’m glad we were able to close with Shawn. That’s awesome. That’s great. Hey, I also want to close and thank our sponsor, Recorded Future. Get ahead of present and future attacks with Recorded Future. Go to their website, RecordedFuture.com.
Thank you very much. We had Dennis Pickett, who is the CISO over at Westat. Thank you so much. And also, our good friend, Geoff Belknap, always awesome. Three times a CISO.
[Geoff Belknap] So far.
[David Spark] So far. So far. I believe three times. Am I correct? Three times a CISO?
[Geoff Belknap] Who’s counting, really?
[David Spark] I am counting. That’s why I’m asking you.
[Laughter]
[David Spark] I think.
[Geoff Belknap] Let’s see. Yeah, I mean, so technically CISO’s in my title now, but it’s not “the” CISO. So, it’s…
[David Spark] I know. I know. I’m counting this one.
[Geoff Belknap] Oh, well, then it’s four.
[David Spark] Four times a CISO? Then we’re going back to three because that’s what matches the song.
[Geoff Belknap] All right. Perfect. Yeah. No.
[David Spark] Okay, fine. All right. Thank you very much, Geoff. Thank you very much, Dennis. And thank you to our audience. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.