David Spark
Biggest mistake I ever made in security. Go.
Jason Mayer
Biggest mistake I ever made was stopping my pursuit of understanding the business. Obviously, we talk a lot about knowing your business very well. I think I got to a point in my career where I thought I knew the business well enough. Long story short, it came to a head in a very senior risk management discussion where I had sort of lost sight of and lost my business understanding, which resulted in me telling a very different story about a particular risk category when the business was viewing that risk category very, very differently at the time.
David Spark
You're listening to CISO Series Podcast recorded in front of a live audience in Florida.
Welcome to the CISO Series podcast. My name is David Spark. I am the host and producer of the CISO Series. Joining me, sitting directly to my left, is the CISO and VP of Strategy for the Retail & Hospitality ISAC, Pam Lindemone. Let's hear it for Pam. Say hello to the audience, Pam, so people know your voice.
Pam Lindemone
Hi. The Southern voice.
David Spark
That is your voice right there. Our sponsors for today's episode are Adaptive Security, KnowBe4 and Zippo. Let's hear it for our sponsors. They're the reason we're here. And let's hear it for the National Cybersecurity Alliance, StaySafeOnline. They are putting on this huge conference, Convene. That is where we are. We're here for our fourth time. Thanks to Lisa Plaggemier and also Cliff, thank you so much for bringing us out here.
Co-host (possibly Mike Johnson or another co-host)
You have come to this conference before? Yes, Pam, I have. You actually saw this show last year?
Pam Lindemone
I did.
Co-host (possibly Mike Johnson or another co-host)
And what did you think of it last year? And you're hoping it's gonna be better this year?
Pam Lindemone
It was very energetic.
David Spark
Good.
Co-host (possibly Mike Johnson or another co-host)
And can you hold up that energy?
Pam Lindemone
I'm hoping so.
David Spark
I hope you can as well. All right, we're gonna jump into this, because we have a packed show. And I want to introduce our guest as well, on the far end here, who is the deputy CSO over at Raymond James Financial. It is Jason Mayer. Jason, say hello to the audience.
Jason Mayer
Hello. Thanks for having me.
David Spark
Why has this topic suddenly become the center of attention?
Quote, despite regulatory compliance requirements and significant investment, security awareness training seems to deliver marginal benefits. Now, I know this is heresy in this room, but that's Jon Oltsik of SiliconANGLE calling out the security awareness training paradox. Organizations spent 6 billion on security awareness training in 2025, yet 70 to 90% of breaches still stem from human error. This audience knows that human risk management seems to be the industry solution, focusing on what employees do rather than what they know, using AI-powered personalization and real-time behavioral nudges. Many training vendors have already rebranded themselves as human risk management. But, and I'm going to start with you, Pam, on this, is this solving the problem or just repackaging it? And for those who've moved to a human risk management approach, are they seeing measurably better outcomes, or is it the same wine but new bottle? What do you think?
Pam Lindemone
I'm of the belief that there is ROI in security awareness. And I'll tell you a few things,
Co-host (possibly Mike Johnson or another co-host)
but specifically with the shift to HRM, human risk management.
Pam Lindemone
Yeah. I don't care what you call us.
Co-host (possibly Mike Johnson or another co-host)
All right.
Pam Lindemone
I don't care what you call us. But I think it depends on what I've heard today. Having supportive, targeted, it's embedded into daily work and it's not just a compliance check mark. And that you're changing your dialogue based on the threats of today. Like threat actors posing as IT workers, like making sure you're addressing that right now when it's happening. So there's value. Absolutely.
Co-host (possibly Mike Johnson or another co-host)
All right, Jason. Value. But I'm very interested in the shift from what was just security awareness to human risk management. Have you seen there is a significant leap or change or the same old thing?
Jason Mayer
Yeah, I would say there is a little bit of a change. I think part of our approach is to kind of combine the two things, the traditional awareness training with sort of measuring the human risk changes over time. They're really powerful when you start to put two metrics side by side. Just as an example, where sort of the regulatory requirements say you've got to do annual training and all those types of things, maybe the ROI isn't as clear. But when you think through what behavioral changes we expect to see based on this training and you put those two things side by side, for example, real-world click rates when bad things land in users' email, ideally those are going down over time because your training program is actually being successful. So I think when you combine those two things and really look at them as one package, I think you start to see the benefits.
Co-host (possibly Mike Johnson or another co-host)
You're looking at me, Pam, as if I have a solution to this. I'm not the CISO. So he's making an argument that the two combined. You say name it whatever the heck you want.
Pam Lindemone
Yeah, look, it's all metrics. You know, I think I heard today, like, listen to your SOC. Understand what the threats are, marry them up with what you're seeing in terms of your phishing and your exercises and your training, and make it matter. Same thing to me. Don't care what you call it.
David Spark
They didn't think that through all the way, did they?
Security theater, it's real, and savvy security professionals just shake their heads when they see it. So I wonder, what are some of the worst you've all seen? And I'm going to give you some examples straight from the cybersecurity subreddit. Here are three: phishing tests that had to be announced in advance; data labeling systems where users downgrade classifications to bypass controls; or the DLP solution left in report-only mode, and it was only used once they realized they actually had to make a public data breach notification. Now, the obvious response to a lot of this is, quote, you know, this isn't doing anything. But you say that and you sound like a pest. So I'm going to start with you, Jason. How do you make real change in security theater controls?
Co-host (possibly Mike Johnson or another co-host)
We've all seen it.
David Spark
Even if they argue back, well, this is the way we've been doing it for years.
Co-host (possibly Mike Johnson or another co-host)
You've seen it. How do you politely say, we got to stop this, it's not effective?
Jason Mayer
Yeah, I would position it more as not we have to stop this, but we have to change this to make it more valuable. The example, and as a disclaimer, the third party risk team reports into my organization, so this is going to come off as a pretty hot take. But the third party risk process, sort of the security questionnaire, collecting a policy or standard, I think for the last decade or plus, I would categorize as almost security theater. Right. Just to make sure we have something on file that we've done some due diligence. The way that we've tried to position that or change it is: if your only output of that risk assessment process is the completed questionnaire and a policy or standard, and not tailored, specific controls based on your assessor's understanding of not only your business but that third party, then I think obviously a lot of that is security theater. So to me it's not stopping, but it's repositioning it or changing it to have that benefit to your business.
David Spark
But I'll just put it this way, I mean
Co-host (possibly Mike Johnson or another co-host)
we could do a whole show on third party risk management, but it's really, for many, it's like we got to do something here. We know it's a giant hole that's screaming at us that it's going to get us. So doing something better than nothing, even if it is a little bit of security theater, what do you think or no?
Jason Mayer
Yes. You have to do something in that space. And obviously, as you said, this is a problem statement that every firm in every sector, I think, has faced for the last 10 years. But again, to me, I'm trying to set up a team that does these risk assessments in a way that we are doing it slightly different. Right. And we will be in a slightly better position than the other consumers of that particular vendor when and if something bad happens.
Co-host (possibly Mike Johnson or another co-host)
All right, Pam, what do you think? First of all, any good example of security theater you can give us and how you've dealt with it?
Pam Lindemone
There's a lot of security theater out there with everything we do. And I think it's just by the
Co-host (possibly Mike Johnson or another co-host)
way, phishing tests, by the way, can be a great example of security theater just in themselves if they're so poorly designed.
Pam Lindemone
Absolutely. You have to raise the bar with what you have, and you have to treat, like, a phishing exercise as, like, coaching. And what I would say is use what you've got. Do something. If you don't, you're not doing your job. And your job is to articulate the risk to the business. That's your job as a security professional. And we lose sight of that all the time. But basically, how do you translate that so that your business hears you, understands you, and they're changing their behavior? They know the why behind what you're telling them to do.
David Spark
Okay, well, that's a great example, because you can, like in a security theater,
Co-host (possibly Mike Johnson or another co-host)
you can say, this is not reducing risk. And I mean, do you just boil it down to that or does that scare them or it comes off as obnoxious?
Pam Lindemone
I use it as a coaching period. Right. Like when I do phishing tests today, or someone on my team does them, and it causes and spurs a lot of consternation or really panic, I use that and say, hey, you're in a safe place right now. Aren't you glad that you learned in a safe place? I use it as coaching, and here's what could have happened, here's what did happen, here's what you can do better. And then you get that voice throughout your organization. I used to walk through the halls of an organization and they would see me and say, you didn't get me this time, Pam. You didn't get me. When you have that kind of a culture, that's when they're changing their behavior and they understand why you're asking them to do what you want them to do.
David Spark
I like that.
Co-host (possibly Mike Johnson or another co-host)
You could do better, which in a very positive way, not in a scolding way. And kind of like what you were just saying, Jason, it's like, well, we know we need third party risk management, but we can do better than this.
Jason Mayer
That's right.
David Spark
Who's our sponsor this week?
We have lots of wonderful sponsors and this is the first one I'm going to tell you about. You know, security teams don't lose sleep over firewalls anymore, they lose sleep over people. Because even with all the tools in the world, nearly 70% of breaches still involve human behavior. Just talking about that in the last segment. And now AI is accelerating the problem. Phishing, vishing, deepfakes, voice cloning. The attacks are faster, smarter and built to exploit trust. That's why more than 70,000 organizations worldwide trust KnowBe4. KnowBe4 has been the global leader in human risk management for over 15 years. They focus on the most targeted part of your security stack: the workforce. Not just training people to spot phishing emails, but helping organizations measure, manage and reduce human risk across the entire enterprise. And the workforce is changing. Tomorrow's workforce isn't just people. It's people plus AI agents working side by side. KnowBe4's HRM is the only platform built to secure that hybrid future, protecting both humans and AI agents as trusted colleagues. With nearly a decade of production AI experience, 50 plus security patents, and the industry's only production-ready AI defense agents, they're not experimenting with AI, they're leading. KnowBe4: secure the next generation workforce. KnowBe4.com, and it's spelled K-N-O-W-B-E-the number 4 dot com, and when you go there, let them know you heard about them from the CISO Series.
It's time to play what's Worse.
For those of you who are not familiar with this, What's Worse? is a game we've been playing since episode one of the CISO Series and it is
Co-host (possibly Mike Johnson or another co-host)
exactly what it sounds like.
David Spark
Pretty simple to follow our fans.
Co-host (possibly Mike Johnson or another co-host)
They send in scenarios, horrible scenarios. They both stink.
David Spark
And you have to determine, and we will get the audience's vote as well,
Co-host (possibly Mike Johnson or another co-host)
which one of these two scenarios is worse? All right, I will have you, Pam, answer first, and we want to hear your
David Spark
reasoning on this. This comes from Jonathan Waldrop, CISO over at Acoustic. And here are his two scenarios. Scenario number one, an enforced policy on phishing simulations: three strikes, you're fired.
Co-host (possibly Mike Johnson or another co-host)
Not good.
David Spark
Or security awareness training conducted weekly for one hour, mandatory attendance.
Co-host (possibly Mike Johnson or another co-host)
Oh God, that one got some murmurs.
David Spark
Which one's worse?
Pam Lindemone
Weekly training.
David Spark
Okay, I want to hear your rationale Because I'm gonna. I'll argue back on the other one.
Co-host (possibly Mike Johnson or another co-host)
So why is weekly training so much worse?
Pam Lindemone
People will get numb to it. They'll just ignore you. Weekly training. I don't want to do anything weekly. I don't work out weekly.
David Spark
All right, so it essentially, the effectiveness
Co-host (possibly Mike Johnson or another co-host)
will just start to decline and decline.
Pam Lindemone
Absolutely.
David Spark
You don't think, like, what if you had the best, most creative weekly training and people would look forward to, like, you get these fun videos that we saw before?
Co-host (possibly Mike Johnson or another co-host)
That still wouldn't work.
Pam Lindemone
I don't watch anything that much.
Co-host (possibly Mike Johnson or another co-host)
Nothing. You don't have a series you like to watch?
Pam Lindemone
Yeah, but not every week. I watch it when I want to watch it. I'm a human.
David Spark
I don't know. I think many of the vendors here would argue that their training is so
Co-host (possibly Mike Johnson or another co-host)
entertaining, they would want to watch it every week.
Pam Lindemone
Okay, try me. Don't think so.
David Spark
All right, well, I don't think so. You heard that she's up for the challenge vendors, by the way. All right. I would also argue that the other scenario is pretty bad because you've now
Co-host (possibly Mike Johnson or another co-host)
created a sort of a fear economy at your company.
Pam Lindemone
So I totally agree, but you made me choose one that is true.
Co-host (possibly Mike Johnson or another co-host)
So you think that's worse than the fear economy that you've created?
Pam Lindemone
Yes, because no one's gonna listen to you. They're just gonna be numb to you. At least I'm giving somebody three chances and they're out. At least they get three chances. I don't have a choice to watch something every single week.
David Spark
Those are good points, because it's mandatory,
Co-host (possibly Mike Johnson or another co-host)
but mandatory that you're fired.
Jason Mayer
A little healthy fear is not a bad thing either, I would say.
David Spark
All right, so what do you think?
Co-host (possibly Mike Johnson or another co-host)
Do you agree or disagree here with Pam?
Jason Mayer
I would agree, honestly. I know we're not talking about ROI yet, but.
Co-host (possibly Mike Johnson or another co-host)
Well, no, ROI, that could be a factor.
Jason Mayer
The cost of those meetings, when you're talking about bringing in your business users would get very high, very fast. And I think it would be nearly impossible to show the ROI of those weekly meetings if at some point you were asked to do so. So I agree with Pam on this one.
Co-host (possibly Mike Johnson or another co-host)
I'm guessing the audience agrees because of the gasps that we heard when I mentioned it. But I'm going to just argue.
David Spark
You don't think the fear that was
Co-host (possibly Mike Johnson or another co-host)
created by the three strikes and you're out wouldn't be worse? You still think the other one would be worse?
David Spark
I do.
Co-host (possibly Mike Johnson or another co-host)
Yeah.
Jason Mayer
It's your podcast, but I'm going with Pam. On this one.
David Spark
All right, I'm going to the audience here. I want to see by applause, how many people think essentially the first scenario, three strikes and you're out. That is worse than the mandatory hourly training.
Co-host (possibly Mike Johnson or another co-host)
By applause.
David Spark
If you think that one's the worst. All right, three to four. About four people, I think. I see. All right, for those of you who
Co-host (possibly Mike Johnson or another co-host)
gasped, how many people think like my
David Spark
two guests on stage? The mandatory hourly training every week is far worse. By applause.
Co-host (possibly Mike Johnson or another co-host)
Yes. There we go.
David Spark
All right, you got agreement from the audience.
What is Dave's mom talking about?
All right, this is our next game. And here is how this game is played. My mother is going to be surprised. She's not so savvy about cybersecurity, but she is supportive of her son. And when I come up with a stupid idea for a game, she's happy to play along. So what I'm going to do now, I have four clips here. I just said the term. By the way, everyone in this room knows these terms. Everyone here knows them.
Co-host (possibly Mike Johnson or another co-host)
My mother doesn't necessarily know them.
David Spark
They're varying degrees of correct or completely wrong.
Co-host (possibly Mike Johnson or another co-host)
You have to try to determine what the heck she's talking about.
David Spark
She was just given the words, and she tried her best-guess effort as to what it is. All right, here's the first one. I got four. I'll have them try at it. If they can't get it, I'll go to the audience. Here we go. And I can play them multiple times because they come on quick.
David Spark's Mom
Some people get into your information and they're really bad news.
Co-host (possibly Mike Johnson or another co-host)
Hackers, and that specific kind, though, because a hacker is not just negative. It would be a malicious hacker.
David Spark
Black hat hacker.
Co-host (possibly Mike Johnson or another co-host)
Yes.
David Spark
Black hat hacker. We'll take that. All right. Good answer. All right, let us hear. In fact, let me give you the proper kudos. All right, Kudos for you on that one. All right, here comes the next one.
David Spark's Mom
When information is purposely corrupted.
Co-host (possibly Mike Johnson or another co-host)
This is pretty much on target. What is that?
Jason Mayer
Encryption.
Co-host (possibly Mike Johnson or another co-host)
No, purposely corrupted. Oh, it can be encrypted.
David Spark
Yes, it can be encrypted.
Co-host (possibly Mike Johnson or another co-host)
Corrupted that way. Another purposely corrupted.
David Spark
Play it again.
David Spark's Mom
When information is purposely corrupted.
Jason Mayer
Anonymized, obfuscated.
Co-host (possibly Mike Johnson or another co-host)
I think you know this. She's on target with this.
David Spark
My mother actually got this one right.
Pam Lindemone
Ransomed.
David Spark
No. I'm going to throw this to the audience. What the heck is she talking about? Not malware. Poisoning? Poisoning, correct. Yes, it's data poisoning, sir. Yes, sir. Good job.
Jason Mayer
You can have my job.
Co-host (possibly Mike Johnson or another co-host)
All right.
Pam Lindemone
And mine.
David Spark
Okay, I'm gonna warn you.
Co-host (possibly Mike Johnson or another co-host)
This one is completely incorrect.
David Spark's Mom
Rear end information.
Jason Mayer
Say that again.
David Spark's Mom
Rear end information.
Co-host (possibly Mike Johnson or another co-host)
Rear end information backup.
David Spark
You just got it. Just heard it. Someone yelled it out. It is backdoor. Good job. Good, good job. All right, last one. Our audience is quicker than the two of you. All right, last one.
Co-host (possibly Mike Johnson or another co-host)
I think you can get this one.
David Spark
This one's. This one's reasonably on target. Here we go.
David Spark's Mom
It's technology in which you have no faith in people.
David Spark
Someone just yelled it out. Zero trust. Again. You guys, you can't.
Jason Mayer
We got off the hook for those.
David Spark
Thank you. Yeah. The two of you. Our audience, unfortunately, this is my effect for you.
Co-host (possibly Mike Johnson or another co-host)
All right.
David Spark
You tried your heart out. You just weren't as good as you could have been.
Co-host (possibly Mike Johnson or another co-host)
Our audience is smarter than you.
Jason Mayer
They are, no doubt.
David Spark
Who's our sponsor this week?
For decades, cybersecurity has relied on a defensive strategy focused heavily on technical controls and mandatory compliance. But as attack strategies evolve, checking boxes is no longer enough. The critical determinant of your organization's resilience isn't just your firewall. It's your people.
Co-host (possibly Mike Johnson or another co-host)
So it's like this line, the people are the weakest link.
David Spark
No, they're actually your greatest asset. It is time to transform the paradigm with Zippo Intelligence. Now, Zippo is a human risk management platform that moves you beyond simple compliance tracking to building verifiable human capability. They don't aim to just fix your employees.
Co-host (possibly Mike Johnson or another co-host)
Ever try to fix a spouse? That never works.
David Spark
They enable their mastery. I like that, mastery. Through hyper-personalized, multi-vector simulations, Zippo reveals precisely how your workforce performs in moments of actual risk. They turn everyday behavior into measurable security metrics, allowing you to close capability gaps faster and improve the ROI of your security investment. Stop viewing your workforce as a vulnerability. Start building a proactive culture where security feels intuitive. Zippo. Go to their website at Zepo AI,
Co-host (possibly Mike Johnson or another co-host)
but they pronounce it Zippo Z E
David Spark
P O A I and let them know you heard about them from the CISO series.
It comes down to the fundamentals.
Explaining ROI for cyber is a dark art, said Defense in Depth co-host Steve Zalewski in a recent CISO Series AMA. That's an ask me anything on the cybersecurity subreddit. By the way, we do those
Co-host (possibly Mike Johnson or another co-host)
CISO Series, we do them every month.
David Spark
Companies are demanding that security demonstrate business value rather than just pouring money into continuous improvement exercises. Answers for showing ROI varied. Some suggested financial risk modeling that dovetails with cyber risk. Another relied on quantitative frameworks such as FAIR, focusing on whether controls reduce annualized loss expectancy. And these methodologies exist, are well documented and debated. And I'm going to start with you, Jason, on this. Where do you think we should show the value of cyber?
Co-host (possibly Mike Johnson or another co-host)
And I think actually the answer varies depending on what industry you're in.
David Spark
Can we show that it's helping us make money or is it better ROI about demonstrating the cost of not doing it?
Co-host (possibly Mike Johnson or another co-host)
I mean, where do you begin to determine that?
Jason Mayer
I would never start with the cost of not doing it. Honestly, I don't think that would go over very well.
Co-host (possibly Mike Johnson or another co-host)
And honestly that goes into the FUD. The threat.
Jason Mayer
Yeah. And honestly the industry, I think, does that for us. Right. I mean, the cost of not doing it is on the front page of the news most weeks anyway. So I don't know that you need to oversell that. My response here, I think, is first and foremost, however you approach this, it has to align with your business culture. Right. At Raymond James at least, we are very, very much relationship-based, especially at the senior management, sort of risk committee level and board level where a lot of these discussions might be taking place. I think it would not resonate well today if we walked in, or my boss Todd Ferguson walked in, and started throwing around numbers, whether they were generated through FAIR analysis or otherwise. Where we would like to be, I think, is to have some of those data points to supplement that relationship-based discussion with your board or senior leadership in terms of the ROI on the security program in general. But to me, it has to align with the business culture first and foremost.
David Spark
So I'm going to drill down on it. Like they hire you because they trust
Co-host (possibly Mike Johnson or another co-host)
you and trust you to explain the situation, but they still want to understand
David Spark
if we're spending this money, how is
Co-host (possibly Mike Johnson or another co-host)
it going to change the business? Like how do you have that conversation?
Jason Mayer
Yeah, I have some examples here too, I think, which will maybe highlight what I'm describing. But what we do when we're thinking through our roadmap from a cybersecurity perspective, we're not spending a ton of time on what we expect the ROI to be. Maybe we're doing that wrong, but we're just not. Today we put that effort into, in business terms, trying to describe how this effort is going to sort of enable the business. And the example that we have, from many years ago and more recently, is around sort of mobile access, right, where we wanted to get better and more mature in sort of our mobile capabilities. Well, guess what? We have business areas, think of, like, our investment bankers that are on the road all the time, who want that mobile capability probably as much as we want to secure and mature our mobile capabilities. So when you describe it in business enablement ways versus just a numbers way, I think they pick up on that very quickly and very easily.
Co-host (possibly Mike Johnson or another co-host)
All right, how have you approached this, Pam? And also, being that you're with this ISAC, I'm sure this conversation comes up. Have you heard varying stories?
Pam Lindemone
Of course, of course. I think this is one of those decisive conversations that CISOs have: how do you do it? And that's the beauty of an ISAC, is you get to share best practices. Like, this worked with my board, or this worked with my executive leadership. And a lot of times, because success often looks like nothing happened, that's not a really great story to tell. You do have to have stories about what's going on in the business and how you're either not implementing friction, like you described, which I thought was lovely, or you're reducing exposure. And just like you said, you can look at that from a business perspective, like your business line. It really does matter how you describe that to your different audiences. And it's an art. It's definitely something that you have to understand how the business runs. You have to be deep in it, in the business language, so that you can describe it for your audience.
David Spark
So I want to go back to something you said, Jason, about the culture. I get the sense that you can't
Co-host (possibly Mike Johnson or another co-host)
build anything unless the culture is on board. I mean, like, I mean, just let me ask you, like, if you didn't
David Spark
have a security culture, how much of
Co-host (possibly Mike Johnson or another co-host)
a mountain are you climbing at this point?
Jason Mayer
Yeah. I would say it's insurmountable, I would imagine.
Co-host (possibly Mike Johnson or another co-host)
Yeah. Because you could start spending money that
David Spark
technically on paper, if used properly, would
Co-host (possibly Mike Johnson or another co-host)
work, but you might have essentially the company fighting against you and it may just all fail. Yes. I mean, let me ask you, have you or anyone you know, seen this? Like, I'm fighting a culture. I mean, I hear this from CISOs all the time.
Jason Mayer
Keep in mind the sector or industry that I'm in, obviously that doesn't really exist in today's world. It can't. But through sort of the networks we have heard and experienced, some of our partners in our roles in other organizations where some of the security program is not directly driven by, you know, the industry that they're in, I think you have to look for and find small wins. Again, sort of building that trusted advisor relationship with your board or senior management. And again, I go back to even the foundational security programs or controls or expectations, they all come with some sort of way that they're enabling the business. You just have to figure out how to identify those and then how to make those very clear to the business. And those small wins start to add up over time and hopefully eventually you get to a position where it's so trust based at the CISO and board level that very few times are we sort of challenged to. There is some healthy challenging going on, of course, but very few times do we communicate that we need something for our program that we don't get.
Pam Lindemone
Also find a way to show that security is an enabler of the business. Like a good example is a password manager because everybody hates passwords, right? Or implementing passwordless throughout your organization, which is hard to do. But if you can find those quick wins, easy wins, you're a hero. Like I'm a hero with my husband because of a password manager. So have you.
David Spark
You know my co-host Mike Johnson, CISO of Rivian, his thing is he tries to talk to the employees about
Co-host (possibly Mike Johnson or another co-host)
their personal security and if he does
David Spark
that first, then they get to understand business security.
Co-host (possibly Mike Johnson or another co-host)
Because if you can't get them to
David Spark
understand their own security, I mean that's
Co-host (possibly Mike Johnson or another co-host)
a crazy logical leap to business security. Yes, you're both nodding your heads.
Pam Lindemone
I don't think it's a crazy leap. I use it all the time.
Co-host (possibly Mike Johnson or another co-host)
No, no, I'm saying if you don't do it, it's a crazy leap.
Pam Lindemone
Absolutely. Yes. I think that's a way to get a win and to be seen.
Co-host (possibly Mike Johnson or another co-host)
Have you done that Jason?
Jason Mayer
100% actually, on our intranet, not only do we have information about our standard enterprise security program, but we actually have a tab that says Click here to kind of view some personal recommendations for your day to day life.
David Spark
Managing security changes for business optimization
When you can show the value of security, it can drive a big impact. Now, a well-developed security program influences go-to-market strategy, product velocity, customer trust and brand reputation, said Rinki Sethi, who's a CISO over at Upwind Security. Knowing this, CISOs should be operating as business architects rather than just being in charge of their division. The days of relying on dashboards for health checks are over. It's not about visibility but context to business operations. So security leaders are measured on velocity, adaptability and decision-making under pressure, AKA resilience, rather than proving maturity or compliance. Now, if we're trying to build a security culture across the business, shouldn't we first be creating a business culture within the security team? So I'll start with you, Pam. We already expect CISOs to be doing this, but how do you get the rest of the security team involved in having a business culture?
Pam Lindemone
I had a leader once that I looked back to when I read this question early on, and this person would ask us why, like, no less than five times. Every answer, they would say, why? So if you think about this, like, not in a gotcha way, but to force you to think through and to slow down and to really ask, why are we doing this? What's the reason? Why this control, why this alert? Why now? And eventually, why does the business care?
Co-host (possibly Mike Johnson or another co-host)
This is the Japanese philosophy, the five whys, that digs down deep
Pam Lindemone
and it can get uncomfortable because it's just not natural. But it does work. It really does work.
David Spark
It also works really well when you're doing post mortems of a breach and you're trying to understand why something happened and you don't just go with the first answer.
Co-host (possibly Mike Johnson or another co-host)
You have to keep digging down deeper.
Pam Lindemone
And it's kind of like a snowball effect. If one person does it and you start hearing the team say it, it's kind of interesting, right? You're building that within your security team, and it becomes a muscle that they all have and they all share, and then they start talking to each other, and then they start learning the business, sitting with the business. Like, we used to do rotations with the business to kind of understand what the business leaders were going through, to kind of help us understand what our controls were doing to them. So it's a real easy way to get that culture changed.
David Spark
And for those of you not familiar with the Japanese philosophy, I believe it's the five whys. Yes, five. The way it was described to me: so I wear a Fitbit. And so, like, if you ask someone why do you wear a Fitbit, it's like, oh, I want to count my steps. And then you ask the question again: why? Why do you want to count your steps? Well, I want to stay healthy. Well, why do you want to stay healthy? Well, I want to be healthy for my kids. Well, why do you want to be healthy for your kids? Well, I don't want to die. So you realize, like, no one's going to say, why do you wear a Fitbit? I don't want to die, as their first answer. But you can get to it if you keep asking.
David Spark
Jason, I'll go back to the original question I asked Pam. How do you get the security team to have a business culture, which is what you have to do as a CISO?
Jason Mayer
Mandatory one-hour weekly meetings to talk about business. No, I will say we do some of that mandatory training in our firm, just to sort of give some credibility to a lot of our security practitioners on the business side. So think of, like, FINRA registrations. We actually have some requirements for some of our roles to achieve that business training over time. But to me, maybe take a little bit of a different route. Information is power. I also think exposure is power a lot of times. And so finding opportunities for your security practitioners to get exposed to the business, even if it's sitting in as a fly on the wall in a meeting, so they can really understand and hear from the business, oftentimes, how little they know about security, and sort of start to connect some dots on what they do in their day to day and why it's important for them to truly understand how the business thinks and how they operate. Because we all know you really can't be successful, obviously, from every role in security without understanding that.
David Spark
That's a really good point, of sitting in to understand. And again, not to mock them and not to be shocked, but to understand where they are in their understanding and acceptance of security. Quick example: I was at a physical security conference, and the highest level of cybersecurity awareness sessions they had was the lowest possible, like 100 level. And I was like, oh my, the physical security environment is so kind of out of touch. It kind of shocked me. But this was a number of years ago. I've got to think they're more up to speed now.
David Spark
What have you seen on physical security?
Jason Mayer
Yeah, I have some opinions on physical security, quite honestly.
David Spark
Come on, let's hear them.
Jason Mayer
Look, I mean, a lot of that stuff is not keeping CISOs up at night, generally speaking. I mean, the days, I think, of sort of breaking into premises to try to steal a hard drive or whatever the case is, I think are way past us at this point. Right. I mean, what we're seeing is completely different. You know, somebody sitting on the complete opposite side of the world is our number one threat, for the most part. So I think it is definitely taking a back seat. But, you know, maybe rightfully so at this point, although I'm sure there's some differing opinions in the room.
Co-host (possibly Mike Johnson or another co-host)
You want to throw in a quick opinion?
Pam Lindemone
In our industry, some of them fold together because the cyber actors are working with criminals locally and they're stealing. Fraud is just rampant in retail and hospitality. So I would say some of it's coming together.
David Spark
Well, in our industry, there definitely is convergence.
Who's our sponsor this week?
CISOs know the playbook has changed. Attackers don't need malware to get in anymore. They can use AI to impersonate your CFO on a call, clone a vendor's voice, or send a perfectly written email that looks like it came from inside your organization. The new attack surface is trust. Adaptive is built for that reality. Their platform runs realistic deepfake and social engineering simulations, so your team experiences these attacks the way they happen in the wild and learns how to spot them and respond fast. And with Adaptive's AI content creator, security teams can take a breaking threat, a policy update or a compliance requirement and instantly turn it into interactive, multilingual training without designers, without delays. Adaptive is trusted by Fortune 500s and backed by Andreessen Horowitz and OpenAI. You can learn more by going to their website, adaptivesecurity.com. It is spelled exactly the way it sounds: adaptivesecurity.com. And as always, when you go there, let them know that you heard about them from the CISO Series.
It's time for the audience question speed round.
All right, in my hand I have a handful of questions, and we've got a good amount of time, so we'll be able to get through a few of these questions right now from our audience, and they have not seen these questions at all. So we're going to try to get quick responses to both of them. Pam, Jason, you ready? Here we go. First one. This comes from Bianca Palacio of Western Alliance Bank: what's the CISO's challenge to get the C-suite to buy into security awareness? And I know that varies company to company, but how does that sort of begin? Assuming you don't know what the culture is, you know, you're a brand new CISO, how do you begin that? Either one of you want to jump in?
Jason Mayer
Pam?
Pam Lindemone
I think it's table stakes, and I think any CISO would say that it's table stakes. So it's the art of convincing the C-suite that it's necessary. It's absolutely necessary. I would say this: I would use metrics out of the SOC. I would use metrics out of what you're seeing in terms of phishing and some of the competitors. Like, absolutely necessary.
Jason Mayer
All right, I would say start with the data, which I know earlier I said don't say what will happen if you don't invest in things, but there's enough data out there on how much of these bad things start with a click of an email that shouldn't have been clicked that I think that's a pretty easy sell at this point. Then, over time, you sort of start to layer in some of the metrics that we talked about earlier that are actually showing behavioral changes in the firm.
Pam Lindemone
Do those personal touches, you know.
David Spark
All right, well, here, as dovetailed from that question, from Morgan Gardner of Tektronic Industries: how do you convince a C-suite that they're not exempt from security training?
Pam Lindemone
That's easy.
Co-host (possibly Mike Johnson or another co-host)
Okay, how easy is it?
Pam Lindemone
Show them a deepfake. Show them exactly who's paying millions of dollars with a deepfake.
Co-host (possibly Mike Johnson or another co-host)
You know, so essentially try to phish them with a deepfake, or...
Pam Lindemone
No, just show it to them. Just show it to them. Show them how easy it is and how vulnerable they are, in a non-FUD way.
David Spark
Not, you know, just to show, like, I created this.
Pam Lindemone
It took me an hour, it took me two minutes to create this. And this is how they're going to get you. And you are at risk. Like, we need to lower your risk profile. I think most executives know today.
Jason Mayer
But yeah, we have a category of emerging threats as a section of our board update yearly. And it's very, very easy to find examples of C-suite members being specifically targeted. And obviously the impacts can be much bigger when those individuals are targeted. So again, it's communicating, it's showing those examples. Agree with Pam 100%.
David Spark
Okay, this comes from both of them; two people had to write these questions: Brian Brushwood of Modern Rogue and also Perry Carpenter of KnowBe4. How are you managing the always-clickers? The people who just click on every damn phish that comes in. You can't do it. And adding to that, if a company has a three-strikes-and-you're-out rule, does it apply to the CEO?
Pam Lindemone
You know, this is a very controversial topic. Should you have consequence models or not?
David Spark
I will just tell you, my co-hosts hate the three-strikes-and-you're-out model. They're not a fan of it.
Pam Lindemone
I mean, I'm a big fan of making it a supportive environment. However, if there are people that will not listen, do not listen, I think you have to put guardrails around them and you have to help them from themselves. Like, we need controls around them that protect them from themselves. And if it's your CEO, maybe it's time to have one of his peers talk to him or her. That's a hard one.
Co-host (possibly Mike Johnson or another co-host)
Get a peer to talk.
Pam Lindemone
Yeah, that's a hard one.
Co-host (possibly Mike Johnson or another co-host)
Find a peer that's been convinced and
Pam Lindemone
have them talk to you and help them help themselves. Right. It's your job too.
David Spark
I like that tip.
Jason Mayer
Yeah, I doubt it would apply to the CEO if that were true at our firm at this point. Yeah.
David Spark
By the way, I worked for a company, and this is early, early days, where we were literally reporting on this malware that was going on, and he literally clicked on the thing that we were reporting on to the public. Stunning.
Jason Mayer
Yeah, just to expand, I would say you have to be giving that information to that individual. Talking about the repeat, sort of never-ending clicker: at some point it becomes a management performance issue that they need to manage as their direct supervisor or manager. So you really should have a process to engage in that HR management discussion, to share those data points as part of that at some point. Otherwise, obviously, you're putting the broader firm at risk over a single individual's behavior.
Pam Lindemone
I would turn up the monitoring on those individuals too, just to get direct alerts. And I would give them my personal phone number so that they could call me whenever they feel like they need to.
David Spark
Oh, that's good. I like that. All right, last question, from Flavius Plessu of Outthink: has data ever surprised you about high-risk user behavior? So, like, you saw something like, whoa, I had no idea. Have you ever seen anything about user behavior, high-risk user behavior, anything like that?
Jason Mayer
Not surprising. But after Covid, you know, our insider threat program had to change dramatically. So I think that was, obviously, sort of on day one, month one, six months into everybody's favorite RTO efforts at firms, there were some surprising data points that were coming up as part of the insider threat program. Obviously that just took some tuning to sort of adapt to the new day to day and business as usual. But just one example that came to mind that, yeah, you've got to be paying attention to that and obviously tuning some of these things over time as the data and behaviors change.
Pam Lindemone
All right, last. I've had some outsourcing data surprise me before, where the SLAs went way down when we started outsourcing to a different organization. So that surprised me, but not much surprises me anymore.
David Spark
All right, you can't shock these CISOs. That brings us to the tail end of the show. Let's hear it for my two guests: Pam Lindemone, who's the CSO and VP of Strategy for Retail & Hospitality ISAC. And also we have Jason Mayer. Come on, keep it going for him. Deputy CISO for Raymond James Financial. Huge thanks to our sponsors, Adaptive Security, KnowBe4 and Zippo. Go to their websites. Let them know that you heard about them from the CISO Series. Let's hear it for them. We're here because of them.
David Spark
I do want to ask both of you, are you hiring over at Raymond James? Yes. Yes, they are hiring. How would someone find out information?
Jason Mayer
raymondjames.com/careers.
David Spark
raymondjames.com/careers. And can someone contact you directly?
Jason Mayer
100%. Connect with me on LinkedIn. I'm happy to spend time.
David Spark
We will have the link to his profile on the episode.
David Spark
And Pam, I don't think retail and hospitality, but all your members, I'm sure they're hiring plenty.
Pam Lindemone
We have over 350 members, and you get a list of them.
David Spark
And I'm sure you can go dig deep and find possible jobs there. Well, a huge thanks to the National Cybersecurity Alliance for bringing us out.
Co-host (possibly Mike Johnson or another co-host)
I hopefully will come out again next year.
David Spark
And a huge thanks to our audience for being here as well. Thank you for listening and contributing to the CISO Series podcast.
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual Meetup and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series podcast.
Episode Title: Do You Think These Compliance Boxes Check Themselves? (LIVE in Clearwater, FL)
Host: David Spark (the transcript's "Co-host" turns are not identified by name on this page). Guests: Pam Lindemone (CSO and VP of Strategy, Retail & Hospitality ISAC) and Jason Mayer (Deputy CISO, Raymond James Financial)
Date: March 31, 2026
Location: Live at National Cybersecurity Alliance Convene Conference, Clearwater, FL
Main Theme: Bridging the gap between compliance, real security outcomes, and business value in cybersecurity—especially in the context of security awareness, human risk management, security theater, and cultural transformation.
This episode explores how security and compliance initiatives often fall short when they’re treated as box-ticking exercises, failing to drive meaningful risk reduction or support business objectives. Featuring seasoned security leaders, the conversation tackles evolving approaches like human risk management (HRM), strategies for overcoming security theater, techniques for proving ROI, and the critical interplay between company culture, executive buy-in, and frontline training. Memorable games and audience Q&A add energy and practical insights for security practitioners.
"Listen to your SOC. Understand what the threats are, marry them up with your phishing, your exercises and make it matter. Same thing to me. Don’t care what you call it.” — Pam Lindemone [05:10]
"If your only output of that risk assessment process is the questionnaire… and not tailored specific controls… then I think a lot of that is security theater." — Jason Mayer [06:35]
"It has to align with your business culture. …I think it would not resonate well today if we walked in …and started throwing around numbers... Where we would like to be is to have some of those data points to supplement that relationship-based discussion…" — Jason Mayer [22:58]
"If there are people that will not listen, …you have to help them from themselves… we need controls around them that protect them… If it’s your CEO, maybe it’s time to have one of his peers talk to him…” — Pam Lindemone [38:25]
This lively, interactive episode underscores that real security is about people, culture, and business context—not just checkboxes. Security practitioners must adapt their language, approaches, and measurement to align with business goals, cultivate strong relationships, and use every compliance and training moment as an opportunity to build goodwill and resilience. The conversation—punctuated by energetic games, audience input, and candid war stories—unpacks fresh thinking around HRM, ROI, security culture, and the art of C-suite persuasion.
For more details and further episodes, visit: cisoseries.com