CISO Series Podcast: "We Can Either Build Resilience or Just Always Be Perfect"
Release Date: June 24, 2025
Hosts: David Spark, Mike Johnson, Andy Ellis
Guests: Eddie Contreras (CISO at Frost Bank), Ryan Bachmann (EVP and Global CISO at GM Financial)
Sponsor: Doppel
Introduction and Listener Outreach (00:00 – 04:59)
The episode opens with David Spark introducing the CISO Series Podcast and its purpose: to engage security practitioners and vendors in discussions aimed at enhancing collective security measures. Eddie Contreras, the CISO at Frost Bank, joins virtually due to a canceled live event. David emphasizes the breadth of the CISO Series network, mentioning five shows and eleven weekly episodes available at audience@cisoseries.com.
Key Points:
- Audience: Aspiring cybersecurity professionals, board members, C-suite executives, and technology enthusiasts.
- Content Scope: Five shows with extensive coverage on security topics.
Notable Quote:
"Anybody who's aspiring for a career in cybersecurity... to people that are venturing into this field or the technology field and want to learn more." — Ryan Bachmann [00:04]
Public Service Announcement: Combating Scams (04:00 – 04:59)
David shares a personal story about a family member falling victim to financial scams, emphasizing the importance of proactively educating loved ones. He urges listeners to send informative emails about the latest scams to their extended family and friends to prevent similar incidents.
Key Points:
- Personal Impact: Highlighting real-life consequences of cyber scams.
- Actionable Advice: Sending personalized emails to educate and protect family and friends.
Notable Quote:
"Please write up an email like this and just send it to all your extended family and any very close friends." — David Spark [02:52]
Eddie's Response: Eddie cynically notes the challenges of communicating effectively with younger family members, particularly his own children, who often disregard his messages.
"Sometimes I'll send messages through others and my intent is that might work." — Eddie Contreras [03:29]
Discussion: Identity Management – Consolidation vs. Simplification (05:00 – 12:54)
The hosts delve into the fragmentation of the identity management space, referencing Francis Odom's categorization of identity tools into visibility and hygiene, governance and posture, and threat detection and response. They explore whether the cybersecurity community desires consolidation of these tools or favors simplification.
Key Points:
- Vendors' Perspective: Desire for consolidation to capture larger market shares.
- Users' Perspective: Preference for simplification to reduce complexity and management overhead.
- Challenges: Integration difficulties, varying business needs, and cost-effectiveness.
Notable Quotes:
"Vendors absolutely want to have market cap. Right. And they want to be able to say, we've sold you our entire SKU of offerings here." — Eddie Contreras [06:05]
"There's no one single solution or solution set that's going to take care of the challenges that CISOs... face." — Ryan Bachmann [07:40]
Insights:
- Case-by-Case Evaluation: Even with promises from large vendors like Microsoft, replacing multiple tools requires thorough risk assessment and cost-benefit analysis.
- Integration Hurdles: Acquisitions by companies like Google and Palo Alto complicate seamless integration of newly acquired tools.
Entry-Level Cybersecurity Careers: Myths and Realities (12:55 – 17:03)
The conversation shifts to the misconceptions surrounding entry-level positions in cybersecurity. Ira Winkler's LinkedIn perspective is discussed, emphasizing that entry-level roles typically require foundational experience in programming, networking, help desk support, project management, or compliance.
Key Points:
- Misconception: Online influencers promoting quick entry into high-paying cybersecurity roles with minimal qualifications.
- Reality: True entry-level roles require relevant experience or foundational skills in related IT disciplines.
- Pathways: Help desk support, SOC positions, internships, and academic programs are viable entry points.
Notable Quotes:
"Entry level doesn't mean no experience required." — Ira Winkler (Referenced)
"We've taken people from other areas of traditional IT, we've taken people from engineering backgrounds." — Ryan Bachmann [14:38]
Eddie's Perspective: Contrary to Winkler's stance, Eddie argues that entry-level positions do exist for newcomers without prior experience, particularly through internship and graduate programs.
"We have an amazing graduate program where we hire people that are in their undergraduate or their graduate program and we're the first job they've ever had." — Eddie Contreras [15:50]
Ryan's Addition: He highlights the success of high school internships as a pipeline for future cybersecurity professionals.
"We've actually had success with high school internships in certain cases." — Ryan Bachmann [17:03]
Game Segment: "What's Worse?" – Nation State Cyber Attack vs. Disinformation Campaign (19:00 – 24:47)
In an engaging segment, the hosts and guests debate which scenario poses a greater threat:
- Nation State Cyber Attack: Targeting an organization's systems and disrupting operations due to geopolitical conflicts.
- Disinformation Campaign: Spreading false narratives about the company, damaging stock prices and eroding customer trust.
Key Points:
- Eddie's Stand: Prefers disinformation campaigns as they are more insidious, harder to track, and continuously disrupt trust and operational integrity.
"With disinformation, you have to essentially account for everything. ... it's going to be very disruptive." — Eddie Contreras [21:35]
- Ryan's Agreement: Aligns with Eddie, emphasizing the lack of a playbook for disinformation and its multifaceted impact on various company facets.
"Disinformation has no symmetrical response. ... you have to bring to bear all kinds of different resources within your company to try to battle it." — Ryan Bachmann [21:50]
- David's Counterpoint: Suggests that disinformation might be temporary as public attention shifts, potentially making nation state attacks more sustainable in the long term.
"Wouldn't it be better if they asked the question what would it take for us to shut down these six products in your environment?" — David Spark [24:14]
- Eddie's Rebuttal: Argues that disinformation can deeply undermine internal trust and operational processes, making it a more persistent threat.
"If you think about that within a security program, can you trust your own logs? ... where does it end?" — Eddie Contreras [23:27]
Conclusion: Both Eddie Contreras and Ryan Bachmann agree that disinformation campaigns present a more complex and enduring challenge compared to direct nation state cyber attacks.
Evolving Role of the CISO: From Risk Management to Business Resilience (25:00 – 34:40)
The discussion explores whether the CISO role should transition from traditional risk management to a broader focus on business resilience, aligning security with overall enterprise continuity and strategic objectives.
Key Points:
- Randolph Barr's Proposition: Suggests redefining the CISO as an architect of business resilience, bridging IT and senior management.
- Ryan's Perspective: Acknowledges the evolving complexity but argues against splitting the CISO role, emphasizing the need for holistic security leadership.
"Security is very similar. It is complex, and it's going to be driven by your regulatory components that Eddie was speaking to." — Ryan Bachmann [26:27]
- Eddie's Insights: Notes regulatory mandates, particularly in the financial sector, that separate information security from operational leadership to mitigate conflicts of interest.
"There's an update to our regulatory guidance... there's a separation between information security and the executive." — Eddie Contreras [28:04]
Conclusion: While the CISO role is naturally expanding to encompass broader business resilience, the consensus is that maintaining security as a distinct, integrated function remains essential, especially under regulatory frameworks.
Simplifying Cybersecurity: Balancing Occam's Razor with Complex Realities (34:00 – 36:59)
The hosts examine the applicability of Occam's Razor—preferring simpler solutions—to the inherently complex field of cybersecurity. They discuss areas where simplification is feasible and acknowledge aspects that must retain complexity.
Key Points:
- Eddie's Example: Discusses cost-effective control implementations, such as NIST's authentication guidelines, which aim to simplify user requirements without compromising security.
"The cost of a control cannot outweigh the risk that you're trying to protect." — Eddie Contreras [30:16]
- Ryan's Input: Advocates for leveraging team insights to identify inefficiencies and potential simplifications within security operations.
"Trusting them and giving them the opportunity to say, these are opportunities where we could make things a lot more efficient." — Ryan Bachmann [31:55]
- Business Alignment: Emphasizes that business aspirations and diversification inherently add complexity to security measures, which must be managed rather than simplified away.
"Companies have to increasingly, in a more competitive environment, have to figure out ways to differentiate... And it's our job to come up with ways to protect it." — Ryan Bachmann [34:19]
Conclusion: While simplification is achievable in specific areas, the dynamic and multifaceted nature of cybersecurity demands a balance between streamlined processes and the necessary complexity to address diverse threats and business needs.
Hiring and Career Opportunities (36:00 – 37:29)
Wrapping up, Eddie Contreras and Ryan Bachmann announce that their respective organizations, Frost Bank and GM Financial, are actively hiring for various cybersecurity roles, including entry-level positions. They encourage listeners to visit their company websites and mention that referrals from the podcast can give applicants an advantage.
Key Points:
- Opportunities: Positions available at multiple experience levels.
- Application Process: Directed through company career pages with premium consideration for referrals via the podcast.
Notable Quotes:
"If they come and say we heard about this on David's show... That will give you a gold star." — Eddie Contreras [36:07]
"We're hiring in cybersecurity at a number of different levels." — Ryan Bachmann [37:04]
Closing Remarks and Sponsor Message (37:29 – End)
David thanks the guests and listeners, reiterates the availability of multiple shows on the CISO Series network, and promotes the sponsor, Doppel—a social engineering defense platform designed to disrupt impersonation threats.
Sponsor Highlight:
"Doppel is the first social engineering defense platform purpose built to dismantle impersonation threats before they cause harm... Doppel makes digital deception unprofitable, protecting your people, your reputation, and your revenue." — David Spark [18:58]
Call to Action: Listeners are encouraged to subscribe to the podcast, participate via the website, and consider sponsorship opportunities.
Overall Insights: This episode of the CISO Series Podcast navigates through pivotal topics in cybersecurity, from the intricacies of identity management and career pathways to the evolving responsibilities of CISOs in building resilient enterprises. The engaging discussions underscore the balance between simplification and necessary complexity in security operations, while also addressing real-world challenges like disinformation and the importance of proactive education against cyber scams. The collaborative dialogue between industry leaders provides valuable perspectives for both seasoned professionals and those aspiring to enter the field.
