Milestones are often worth celebrating — delivering affirmation that a vision made good on its promise. And so we celebrate a milestone for the CISO Stories podcast: the 100th episode, which welcomes guest Gene Spafford, known by many as Spaf, to share his own experiences as an infosec expert and founder of Purdue University's Center for Education and Research in Information Assurance and Security.
But this is about more than a number. CISO Stories, developed by peer-to-peer CISO membership organization Cybersecurity Collaborative and hosted by information security veteran and author Todd Fitzgerald, delivers an education to security leaders or aspiring leaders anchored in experience; it provides inside baseball for the cyber community by way of compelling, inspiring storytelling.
SC Media caught up with Fitzgerald to get his take on the show's success.
Let’s look backward. What made you want to do this?
It really started off with the CISO Compass book that I wrote, "Navigating Cybersecurity Leadership Challenges with Insights From Pioneers." I was trying to create a roadmap for CISOs. What is this job? What does a CISO do? And whether we're talking about a new CISO, a current CISO, or an experienced CISO, I wanted something that would appeal to all of those groups. One of the things that I did in the book was bring in other viewpoints. I invited other top CISOs and cybersecurity leaders to write a one page gray box that I would put in different sections in the book. Some people got a couple pages, depending on what the material was. I wanted actionable advice — what was the situation? What did you do about it? What was the result? What would you do differently next time? And what were those lessons learned?
Then, we were thinking one day with the Collaborative about sharing information, and bringing people together. “Wouldn't it be great to do a podcast where we have short conversations with CISOs?” We started with the CISO Compass book and those gray boxes and said, "Well, let's reach out to them, and let's do a deep dive.” We recorded 20-, 25-minute podcasts. That’s how it started. And we've actually done about 85-90% of the contributors of the book have recorded podcasts. And so, now we've moved into other top CISOs and industry leaders to share their experiences.
How has the response been from the cyber community?
It’s been a lot of word of mouth across the CISO community and their teams. It's not just for the security leaders. There's a lot that people can learn, and especially people that do want this career. What I find valuable is that you're getting access to people that have been successful in their careers, and have made it to that level, and are functioning at that level. You can get this snippet of information from a CISO without being at an event, where you might not get that chance to meet them personally. Now you can hear it in their own words.
What areas struck you as the most memorable moments?
I was going back through some of these, a hundred episodes, and what's amazing is that we haven't really duplicated too many topics. And when we have, the perspectives have been different, and they've come from different sides. And so, I find that to be very rewarding. Joyce Brocaglia has been recruiting security professionals for over three decades now, and she recorded a podcast called “The inside view of the CISO search.” Tim Brown, the CISO for SolarWinds, recorded “Inside the breach and the aftermath,” and was very transparent about what happened, and what they've done to mitigate the breach. I had Ann Cavoukian, the creator of the Privacy by Design framework that's built into laws such as GDPR. And Valerie Lyons talked about doing privacy right versus privacy rights.
What kind of trends bubbled up, over and over in these conversations?
What the CISOs are interested in has become less technical issues, oddly enough, and a lot more around the issues of working with senior management, how we sell our vision and our strategy, and how we get the right funding. And those things a lot of times are a little more nuanced. I even had James Chris Jansen talk about when you get too much budget for security. He laid out his three-year plan, he took it to senior management, and then senior management said, "Great. You know what? We're going to fund all of it, but we want it done within the next year." Then it gets into the change management issues with the rest of the organization and how much change can they assimilate at one time.
I've brought in people intentionally to talk about the frameworks — that is, the people that have actually developed the frameworks. So we have Tony Sager, the pioneer of the Critical Controls. We had Steve Durbin who leads the Information Security Forum. I've had Jim Reavis who leads the Cloud Security Alliance. I've had people from NIST that were responsible for developing the NIST Cybersecurity Framework and the NIST Privacy Framework. They've talked about how those things were developed and why they were developed, and those are insights nobody is going to get from going to a lot of different conferences.
So then looking ahead, what can we expect for the next 100 episodes?
Running out of material, in my mind, isn't going to happen for a long time because there's always somebody, a CISO, that has experience in something different.
