CISO Series Podcast — Episode Summary
Episode Title: Do You Think These Compliance Boxes Check Themselves? (LIVE in Clearwater, FL)
Hosts: David Spark, Mike Johnson (co-host), Andy Ellis (frequent co-host; not directly quoted), plus guest Pam Lindemone (CSO and VP of Strategy for Retail & Hospitality ISAC) and Jason Mayer (Deputy CISO, Raymond James Financial)
Date: March 31, 2026
Location: Live at National Cybersecurity Alliance Convene Conference, Clearwater, FL
Main Theme: Bridging the gap between compliance, real security outcomes, and business value in cybersecurity—especially in the context of security awareness, human risk management, security theater, and cultural transformation.
Overview
This episode explores how security and compliance initiatives often fall short when they’re treated as box-ticking exercises, failing to drive meaningful risk reduction or support business objectives. Featuring seasoned security leaders, the conversation tackles evolving approaches like human risk management (HRM), strategies for overcoming security theater, techniques for proving ROI, and the critical interplay between company culture, executive buy-in, and frontline training. Memorable games and audience Q&A add energy and practical insights for security practitioners.
Key Discussion Points & Insights
1. Security Awareness vs. Human Risk Management
- Pam Lindemone: Emphasizes that the name doesn’t matter ("I don't care what you call us…" [03:37]); what’s important is embedding targeted, timely, and evolving training into daily business processes to keep up with changing threats (e.g., threat actors posing as IT).
- Jason Mayer: Sees value in combining compliance-driven training with active measurement of behavior, such as tracking real-world phishing click rates as parallel metrics to annual training ([04:14]–[05:00]).
- Consensus: The shift to HRM is productive only if metrics inform practical adaptations, not just new branding (“Same wine, new bottle?”).
“Listen to your SOC. Understand what the threats are, marry them up with your phishing, your exercises and make it matter. Same thing to me. Don’t care what you call it.” — Pam Lindemone [05:10]
2. Security Theater: Recognizing and Transforming Ineffective Controls
- Examples discussed:
- Announced phishing tests
- Users downgrading data classifications to bypass controls
- DLP in “report only” mode, actionable only after a breach [05:33]
- Jason Mayer: Questions if standard third-party security questionnaires are anything but theater if not customized to real business and risk context ([06:35]).
- Argues for evolving these processes to add “measurable, tailored value,” not just documentation.
- Pam Lindemone: Advocates for using “theater” moments as coaching opportunities, transforming poor exercises into teachable moments and culture-building activities ([08:19], [09:15]).
- Measuring success by real behavioral change and translating risk in business terms.
"If your only output of that risk assessment process is the questionnaire… and not tailored specific controls… then I think a lot of that is security theater." — Jason Mayer [06:35]
3. ROI and Value of Security: Proving It Beyond Compliance
- ROI as a “dark art”: Explored via financial risk models (e.g., FAIR), qualitative storytelling, and business enablement ([21:10]–[21:56]).
- Jason Mayer:
- Culture first: ROI conversations must align to company ethos (“very relationship-based" at his organization).
- Suggests focusing on business enablement, e.g., secure mobile access for investment bankers ([23:15]).
- Pam Lindemone:
- Stresses storytelling, business alignment, and catering to different audiences—moving away from pure “nothing happened” logic.
"It has to align with your business culture. …I think it would not resonate well today if we walked in …and started throwing around numbers... Where we would like to be is to have some of those data points to supplement that relationship-based discussion…" — Jason Mayer [22:58]
4. The Role of Culture in Security Success
- Both guests agree: Culture is foundational; without it, even the best controls may be resisted or fail ([25:17]–[25:58]).
- Pam Lindemone:
- Recommends “Five Whys” (Japanese philosophy) to probe any control or alert until its rationale meets a business need ([29:13]).
- Encourages the team to sit with business units, rotate roles, and build empathy for operational realities.
- Jason Mayer:
- Suggests exposing practitioners directly to business meetings, even as silent observers, to close the gap in mutual understanding ([31:14]–[32:24]).
5. Handling “Always Clickers” and Executive Training
- “Three strikes, you’re out” (phishing) vs. weekly training debates:
- Both guests agree weekly mandatory training is worse for effectiveness and morale than a strict consequence model ([13:01]–[14:58]).
- Consensus is to combine supportive environments, personalized coaching, and, where needed, HR intervention ([38:03]–[40:13]).
- Executives should never be exempt from training, and showing them how easy deepfakes are can be compelling ([37:04]).
“If there are people that will not listen, …you have to help them from themselves… we need controls around them that protect them… If it’s your CEO, maybe it’s time to have one of his peers talk to him…” — Pam Lindemone [38:25]
6. High-Risk Users: Surprising Data
- Jason Mayer: Not surprised, but notes post-COVID insider threat monitoring needed rapid recalibration; “business as usual” behavior changed ([40:32]).
- Pam Lindemone: Surprised by drops in SLAs after outsourcing, but not much else surprises anymore ([41:04]).
Memorable Moments & Quotes (with Timestamps)
- On business alignment and risk storytelling:
“Your job is to articulate the risk to the business. …How do you translate that so that your business hears you, understands you, and they're changing their behavior?” — Pam Lindemone [08:30]
- Game segment:
“Weekly training.” [13:01] — Immediate and emphatic answer to what's worse than a punitive consequence model; laughter and audience agreement follow.
- Humor:
“I don’t do anything weekly. I don’t even work out weekly!” — Pam Lindemone ([13:10]), on why weekly training is demotivating.
- On security culture:
“I would say it’s insurmountable, I would imagine… Even the foundational security programs … come with some sort of way that they’re enabling the business. You just have to figure out how to identify those and make those very clear.” — Jason Mayer [25:34]
- Personal wins:
“I'm a hero with my husband because of a password manager.” — Pam Lindemone [26:59]
- Audience energy: Game show-style questions about security terms with David Spark’s mom add a lighthearted touch ([16:45]–[18:45]).
Audience Questions Speed Round Highlights ([35:15]–[41:20])
- How to get C-suite buy-in:
- Use live data (SOC metrics, phishing trends), stories of executive-targeted attacks, and personal risk examples.
- Show deepfakes to highlight unique vulnerabilities of leadership.
- Dealing with persistent “clickers”:
- Layer supportive coaching with controls—if issues persist, escalate to HR/performance management.
- CEOs are rarely held to the same consequences; peer influence suggested as a remedy.
- Data surprises?
- Major shifts (e.g., post-pandemic remote/hybrid work) can upend prior risk models and require quick adaptation.
Noteworthy Timestamps
- 03:27: Start of HRM vs. security awareness discussion
- 05:33: Security theater examples
- 12:02: “What's Worse” scenario: Weekly training vs. 3 strikes, you’re out
- 21:44: Proving ROI in cybersecurity
- 29:13: Japanese "Five Whys" and building business culture on security teams
- 35:15: Speed round audience Q&A: C-suite, clickers, behavioral metrics
Conclusion
This lively, interactive episode underscores that real security is about people, culture, and business context—not just checkboxes. Security practitioners must adapt their language, approaches, and measurement to align with business goals, cultivate strong relationships, and use every compliance and training moment as an opportunity to build goodwill and resilience. The conversation—punctuated by energetic games, audience input, and candid war stories—unpacks fresh thinking around HRM, ROI, security culture, and the art of C-suite persuasion.
For more details and further episodes, visit: cisoseries.com
