This shift isn’t optional. According to research from EY, CISOs contribute up to 20% of the value of strategic projects—yet they are too often excluded from the earliest decision-making stages. The same study found that effective cybersecurity initiatives can add $36 million of enterprise value per project[1]. Leaving CISOs out of the conversation doesn’t just weaken security—it leaves money on the table.

Speaking the Language of Business

When Chirag Shah reflected on his MBA journey during Episode 3, he wasn’t celebrating a credential. He was describing a new lens.

“MBA gave me the comprehensive understanding of various business functions… Now I can actually sit with finance and understand their motives and incentives. Cybersecurity operators exist in this context because the things around it need to function together.”

It was a reminder that credibility in the C-suite isn’t earned through technical detail—it’s earned by speaking the same language as finance, sales, and operations.

Mandy Andress, in Episode 9, drove this point home from a leadership perspective:

“It’s the opposite of command-and-control. It’s building trust, rapport, and understanding the business drivers… Successful CISOs really understand how to navigate those components of an organization.”

The best CISOs don’t fight for relevance—they create it, by showing how security supports revenue growth, market trust, and operational resilience.

Boardroom Conversations That Stick

Season 1 also revealed a candid truth: many boards still see cybersecurity as a black box. The leaders who break through are those who translate complexity into clarity.

Jason Elrod, in Episode 10, reframed the question of how to “speak to the board” in very human terms:

“Let’s say I’ll put it in the context of speaking to a board of directors. A lot of people say like, how do you speak to the board, right? The board. You know, the board is actually made up of people. So you need to understand the people.”

This reminder cuts through the intimidation that often comes with boardroom interactions. It’s not about delivering a flawless performance; it’s about understanding each director’s background, preferences, and decision-making style.

That simplicity is powerful. According to NACD, boards now expect CISOs to move beyond threat reports and instead link cybersecurity to business continuity, M&A activity, and strategic growth[2].

The strongest leaders don’t overwhelm boards with jargon or dashboards. They tell a story—where security isn’t just defense, but an enabler of enterprise resilience.

Proving ROI: From Cost Center to Value Creator

If aligning with the business and engaging boards are essential, proving ROI may be the hardest and most necessary evolution. Security leaders are being asked to show that every dollar invested generates measurable outcomes.

In Episode 4, Aysha Khan explained how she reframed the role of security inside her organization:

“Security needs to be a function of enablement… We run in parallel to innovation, not against it.”

This mindset is key to proving return on investment. CISOs must show that security not only prevents losses, but also enables innovation and accelerates business initiatives.

That’s the focus of Identient’s upcoming Strategic Finance for Cybersecurity Leaders workshop, which explores how CISOs can:

• Translate security investments into risk-adjusted returns.

• Build financial scenarios that demonstrate value creation.

• Move conversations from cost avoidance to enterprise impact.

And it’s also a central theme of my book, The CISO on the Razor’s Edge. The next generation of security leaders won’t just manage controls—they’ll manage capital, proving that resilience is a business multiplier.

The Takeaway from Season 1

Season 1 of Candid CISO left us with a clear message: CISOs are no longer technicians at the edge of the network—they are strategic multipliers at the center of enterprise value.

The ones who succeed will:

• Align security initiatives directly with business outcomes.

• Simplify complexity into board-level conversations.

• Prove ROI with the same rigor as their peers in finance.

The job still demands technical expertise, but leadership now requires something deeper: storytelling, influence, and financial fluency.

Call to Action

If these insights resonate, here are three ways to continue the journey:

🎙️ Explore more episodes from Season 1 of the Candid CISO

📊 Join the upcoming webinar on Strategic Finance for Cybersecurity Leaders.

📖 Grab a copy of The CISO on the Razor’s Edge from Amazon or Barnes & Noble.

And if your company is interested in sponsoring Season 2 of the podcast, message me and let’s talk.

Footnotes

1. “EY study: How cybersecurity adds $36M value per initiative.” Cyber Magazine, June 2, 2025. Retrieved from: https://cybermagazine.com/news/ey-study-how-cybersecurity-adds-36m-value-per-initiative

2. “How CISOs can drive strategic board conversations.” NACD Directorship Magazine Online Exclusive, Q2 2025. Retrieved from: https://www.nacdonline.org/all-governance/governance-resources/directorship-magazine/online-exclusives/2025/q2-2025/CISO-board-conversations/

That’s what Season 1 of The Candid CISO turned into. I didn’t set out to run a research project—but after 12 deep conversations with security leaders across industries, it started to feel like one. An oral history of cybersecurity leadership in 2024, told one brutally honest story at a time.

A barefoot ultramarathon through the woods. A career that started in compliance and landed in the boardroom. A hacker turned government CISO. A virtual CISO rethinking how work gets done. These weren’t just résumés—they were signals. Signals of a role in motion, an industry under pressure, and a leadership archetype that’s still being figured out in real time.

By the end of the season, it was clear:
The job description was obsolete.
The pressures were mounting.
And the people doing the work? Still showing up—with humor, grit, and surprising clarity.

The Year Before the Pivot

2024 wasn’t a breaking point—but you could feel something bending.

It was a year of friction. Pressure from the board. Pressure from regulators. Pressure from inside the org to "just make it work." And underneath it all, a growing tension: the job was getting bigger, but the support wasn’t catching up.

You could hear it in conversations with people like

Mandy Andress, who talked about how AI was already reshaping the threat landscape—and how security teams were expected to respond without skipping a beat. Or Tyler Pinckard, who made the case that compliance isn’t just table stakes anymore—it’s a competitive advantage, if you know how to use it.

And then there was Aysha Khan, who reminded us that leadership isn't just about technology—it’s about empathy, clarity, and the willingness to face fear head-on. These weren’t abstract theories. These were real reflections from people navigating real tradeoffs.

Nobody framed 2024 as a crisis year. But almost every guest hinted at the same thing:
The role was shifting.
The noise was rising.
And the window to reimagine leadership—before the job hardened into something unrecognizable—was starting to close.

Seven Things That Stood Out from Season 1

1. Everyone’s Figuring It Out in Real Time

There was no consensus on what it means to “do the CISO job well” in 2024. Not because people weren’t trying—but because the expectations keep shifting.
Mandy Andress described how the role has become more defined in terms of business impact—but also more volatile. In her experience, the job requires continuous recalibration based on technology trends, regulatory pressure, and evolving organizational needs.

Joel Fulton offered a different angle. He spoke openly about the transition from being an individual contributor to leading people—and how that shift demands not just skill, but self-awareness. The takeaway across the board was this: there is no steady state. The modern CISO is expected to evolve in place.

This wasn’t about lack of competence. It was about the reality of a job that outpaces its own definition. The best leaders weren’t chasing a perfect model—they were staying adaptive, curious, and grounded in their own values.

2. Security is Becoming a Business Conversation—Not Just a Technical One

Several guests described the need to reposition security—not as a blocker, but as an enabler.

Rinki Sethi spoke about how security can actually reduce business friction, especially when it comes to compliance and sales. By integrating with the business early, rather than coming in as an afterthought, she was able to shorten sales cycles and build stronger stakeholder trust.

Tyler Pinckard echoed this, arguing that compliance—when used proactively—can become a growth engine. He framed SOC 2 and ISO not just as requirements, but as trust signals that accelerate customer acquisition.

This shift—from "protecting" to "partnering"—was one of the clearest signals of the year. CISOs aren’t just being asked to manage risk. They’re being asked to connect the dots between security, revenue, and reputation.

3. Communication is Now a Core Leadership Skill

It’s no longer enough to be technically competent or strategically aligned. Every guest, in their own way, emphasized the importance of clear, candid communication.

Jason Elrod described his approach to board conversations as radically human. He doesn’t lead with jargon—he leads with clarity. He talks about risk in ways that make people care. And he’s not afraid to admit what he doesn’t know.

Carlota Sage, reflecting on her work as a virtual CISO, pointed out how boundary-setting and communication go hand in hand. In roles that often span multiple teams or organizations, being explicit—about priorities, limitations, and tradeoffs—is essential.

The conversations reminded us that security doesn’t scale through control. It scales through trust—and trust starts with how you communicate, especially when the stakes are high.

4. Diversity of Thought Isn’t a Slogan—It’s an Operating Principle

This wasn’t about checking boxes. It was about how diverse perspectives actually shape better security outcomes.

Aysha Khan spoke about leading with humanity—not as a style, but as a necessity. She shared how her personal journey shaped her leadership, and how creating space for different viewpoints wasn’t just inclusive—it was strategic.

Mandy Andress described how being a gay woman in cybersecurity has influenced how she leads. She didn’t frame it as a challenge to overcome. She framed it as an advantage—something that made her more empathetic, more attuned to cultural dynamics, and more equipped to build resilient teams.

Others, like

Chirag Shah, emphasized the value of inclusivity in boardrooms and M&A discussions, where multiple dimensions of risk—financial, technical, cultural—collide. The strongest leaders weren’t just diverse themselves. They actively sought out different ways of thinking and built environments where those voices were heard.

5. Resilience Doesn’t Come From the Job—It Comes From Outside It

One of the most striking patterns across the season was how many guests had found grounding outside their day job.

Jason Elrod told the story of getting lost on a trail run and finishing 19 miles barefoot. It wasn’t a planned metaphor—but it became one. For him, running wasn’t just fitness—it was reflection, perspective, and emotional reset. That kind of physical and mental discipline translated directly into how he leads under pressure.

Carlos De Leon talked about community—how participating in hacker culture, networking events, and groups like Hacker Summer Camp have been essential to his longevity in the field. The job can be isolating. Community makes it sustainable.

And Carlota Sage pointed to burnout directly—how boundary-setting and peer connection weren’t just self-care, but strategic necessities for staying in the work. For many guests, resilience wasn’t a character trait. It was a practice—and it almost always involved stepping away from the screen.

6. AI Was Already Changing the Job—Even if Nobody Had the Full Picture

By mid-2024, AI had moved beyond theoretical conversation. It was changing workflows, surfacing new threats, and raising hard questions about accountability and readiness.

Mandy Andress spoke to the pressure to respond quickly and intelligently to AI-driven threats, even while the rules of engagement were still being written. She acknowledged that while the hype was everywhere, the operational impact was real—and often outpacing what most teams were prepared to handle.

Tyler Pinckard was more direct. He saw AI and automation as necessary tools—not just for detection and response, but for keeping pace with the speed of business. He advocated for using AI to increase efficiency in areas like static analysis and case summarization, while staying mindful of human oversight and judgment.

Across these conversations, one thing was clear: AI wasn’t a separate topic from cybersecurity. It was becoming part of the fabric—both as a capability and a challenge. And CISOs were trying to figure out what that meant for hiring, tooling, and strategy in real time.

7. There’s No One Way to Lead—And No One Path In

Perhaps the most encouraging insight of the season was this: the role of CISO is being shaped by the people in it, not the other way around.

Jimmy Sanders shared how his journey started with an internship at a beef jerky company—hardly a traditional on-ramp into security. From there, he moved into leadership roles at Netflix, Samsung, and eventually ISSA, always bringing an unconventional but fearless mindset to the work.

Carlota Sage, now a respected vCISO, came into the role through a non-linear path as well, and emphasized that her multifaceted background has been one of her greatest strengths—not a liability to overcome.

Even Joel Fulton, with years of executive experience, spoke openly about avoiding toxic environments and choosing to work with people whose values align with his own. Leadership, in his view, begins with that kind of intentionality.

Together, these guests showed that there’s no archetype. No singular mold. The most effective security leaders were defining their own terms—rooted in who they are, what they care about, and how they show up for their teams.

The Real Takeaway

Looking back on Season 1, what stuck with me wasn’t a framework or a trend. It was the tone.

These conversations weren’t theoretical. They were human. A little messy. Sometimes conflicted. Often hopeful.

What I heard, again and again, was a kind of quiet courage—CISOs who knew the role was broken in places, who felt the pressure rising, but who still chose to lean in and lead anyway. Not because they had all the answers. But because they cared. About the work, about the people, and about making security better—on their own terms.

There was no single way to lead. No agreed-upon future. But there was a shared willingness to keep going, even when the map ran out.

That’s what I’ll remember from this season. Not the job title. The posture.

And that’s why I’m grateful to every guest who showed up—not just to talk, but to tell the truth.

What’s Next?

If you’ve made it this far, thank you.

If Season 1 gave you something to think about—or helped you feel a little less alone in the chaos—consider subscribing to The Candid CISO wherever you listen to podcasts. It helps more than you know.

And I’d love to hear from you:

• What stuck with you from Season 1?

• What topics or themes do you want more of in Season 2?

• And which CISO should we sit down with next?

Drop your thoughts in the comments—or even better, swing by our website and check in via the Chat feature. We’d love to know what you're seeing in the field and how we can shape the next season together.

And if you’d like to support the podcast and help us keep this work going, click on Membership and contribute in whatever way makes sense for you. Every bit helps.

Thanks for being part of the journey. Season 2 is coming soon.

Want to Sponsor Season 2?

We’re currently lining up sponsors for Season 2 of The Candid CISO. If your company believes in honest conversations, thoughtful leadership, and elevating the voices of real practitioners in cybersecurity, we’d love to partner with you.

Check out the Sponsorship Deck for details—then reach out if it resonates. Let’s build something meaningful together.

If you’ve been with us since Season 1—or even just joined recently—thank you for subscribing, listening, and hanging in there while we found the right moment to return. Your support means the world.

We’ve spent the past year watching the world shift beneath our feet. The economic signals are noisy. AI is moving faster than governance frameworks can catch up. CISOs are facing contradictory expectations: deliver transformation without friction, ensure airtight security while cutting costs, be technical, be strategic, be everywhere—but don't burn out.

These pressures—and the widening gap between what CISOs are expected to be and what the role actually requires—compelled us to come back.

So here we are—Season 2 of Candid CISO is on the way.

This time, we’re not just reacting—we’re helping shape the narrative.

🎙️ What We’re Talking About This Season

This year, the stakes are higher—and the conversations are deeper. Here’s a glimpse of what we’ll be unpacking together in Season 2:

• AI meets cybersecurity: How do we manage AI security posture when most orgs are still figuring out their cloud posture?

• Data governance as a business enabler: It’s not just compliance—it’s strategy. Let’s talk about how smart CISOs are shifting the conversation.

• Culture and team health: Burnout is real. So is toxicity. How do we build resilient security teams that don’t self-destruct?

• Tech debt and transformation politics: Security doesn’t live in a vacuum. We’ll dig into the real power dynamics behind modernization efforts.

• Strategic leadership in the age of AI: What does it mean to lead when the rules keep changing? Spoiler: it’s not just about tech.

• Identity, trust, and resilience: From governance to boardroom dynamics, we’re exploring how trust is built—and broken—in today’s orgs.

We’re not here to chase hype. We’re here to explore the real stuff—what’s working, what’s not, and what it really means to lead in security right now.

💬 What’s New This Season (Launching Q3)

Season 2 is coming soon—dropping in Q3—and we’re building something bolder, smarter, and more connected than ever before. Here’s what’s new:

• We’ll be posting more frequently—sharing insights, behind-the-scenes updates, and quick reflections between episodes.

• Chat is open—so listeners, guests, and curious leaders can connect directly, ask questions, and discuss each episode in real time.

• You’ll get notified about new episodes, live Q&A opportunities, and the occasional hot take from the front lines.

• And for those who want to go deeper—
  🔒 You can now support us financially. Become a Founding Member and get access to:

  • Private briefings on the state of cybersecurity leadership

  • Exclusive strategic playbooks and frameworks from the Candid CISO vault

  • And early invites to future live events, panels, and more

Your support helps us keep the conversation candid, independent, and ad-free—and it means the world to us.

We’re excited to be back—and we’re just getting started.
If you're leading security today, or plan to tomorrow, this season was made for you.

Let’s go.

—Steve & John
Hosts of Candid CISO

In this episode of the Candid CISO Podcast, John Donovan sits down with Jimmy Sanders, a cybersecurity leader whose journey from interning at a beef jerky company to leading security teams at Netflix and Samsung is nothing short of inspiring. Join us as Jimmy shares his experience of leading fearlessly in high-growth environments, where the pressure to innovate never stops and the stakes are sky-high. He reveals how he balanced security and rapid development, motivated teams beyond monetary incentives, and built proactive, resilient defenses in environments where risk was a given. We also explore Jimmy's unique perspective on diversity in tech, the grit required to overcome obstacles, and his current role as International President of ISSA, where he’s shaping the future of cybersecurity leadership. Whether you’re a security professional or a business leader, this episode will provide practical insights and thought-provoking strategies to lead cybersecurity teams and programs with courage and vision.

Key Takeaways

• Integrate security into development in ways that accelerate innovation, making protection a catalyst rather than a constraint.

• Harness individual intrinsic motivators to inspire your team, transforming engagement from compliance to passionate commitment.

• Embed security as a shared objective early, ensuring risk discussions influence key decisions rather than follow them.

• Think ahead of threats by building a culture of continuous testing, turning defense into an anticipatory advantage.

• Align your leadership approach with organizational values to drive influence and lasting change across cultural differences.

• Forge alliances across teams to dismantle silos, using trust as the foundation for more resilient security strategies.

• Leverage your position to challenge status quo thinking and push for diversity that enriches the entire industry.

• Shift from pure technical talk to storytelling and empathy, making complex security issues relatable and urgent for all.

• Future-proof talent by immersing them in the technologies reshaping security, fostering adaptability over mere expertise.

• Don’t just wait for doors to open; cultivate opportunities by acting decisively and positioning yourself for growth.

IdRamp is a sponsor of the Candid CISO podcast. Visit their website at: https://www.idramp.com/candidciso

TrustLogix is a sponsor of the Candid CISO podcast. Visit their website at: https://www.trustlogix.io/candidciso

For show notes, transcripts, links, and more episodes visit https://www.candidciso.com

The Candid CISO podcast is produced by Nonconformist Innovation Media.

V2

Support the show

In this insightful Candid CISO episode, John Donovan interviews Carlota Sage, a vCISO with a unique, multifaceted background in tech and cybersecurity. They discuss the strengths and challenges of the vCISO role versus full-time CISO positions, emphasizing the flexibility and affordability vCISOs bring to organizations that can't justify a full-time CISO. Carlota shares her experiences at major security conferences, the increasing role of compliance in driving security initiatives, and the critical importance of community, diversity, and boundary-setting in tech. Her candid stories reveal her journey from unconventional beginnings in tech to her current advocacy for strong security programs. This episode is particularly valuable for its real-world advice on leveraging compliance as a business enabler and the power of community and diversity in cybersecurity.

Key Takeaways:

• vCISOs provide flexible, high-quality security expertise – Ideal for companies needing CISO-level support without full-time costs.

• Compliance often drives SMB security efforts – Many startups only implement security when clients or contracts require it.

• Boundary-setting is crucial in cybersecurity – Protecting personal time preserves energy and prevents burnout in demanding roles.

• Security as a sales enabler – Compliance readiness can differentiate startups and drive new business.

• Community combats cybersecurity burnout – Engaging in networks like B-sides and Diana Initiative supports career longevity.

• Diversity of thought strengthens security – Unique perspectives, not just backgrounds, drive more resilient cybersecurity programs.

• Introverts and extroverts complement in cybersecurity – Collaboration can bring quieter, skilled professionals into the spotlight.

• Third-party compliance impacts everyone – Big enterprises push smaller vendors to meet higher compliance standards.

• Speaking at conferences builds visibility – Being a security speaker, even at small events, raises professional credibility.

• Leverage security metrics for funding – Know customer acquisition costs and use them to justify security budgets.

IdRamp is a sponsor of the Candid CISO podcast. Visit their website at: https://www.idramp.com/candidciso

TrustLogix is a sponsor of the Candid CISO podcast. Visit their website at: https://www.trustlogix.io/candidciso

For show notes, transcripts, links, and more episodes visit https://www.candidciso.com

The Candid CISO podcast is produced by Nonconformist Innovation Media.

Support the show

In this episode of The Candid CISO, Rinki Sethi, a trailblazing cybersecurity leader, shares her incredible journey from an unexpected start in the industry to her rise as a prominent figure in security leadership with host John Donovan. Rinki opens up about the challenges she faced, the importance of mentorship, and how vulnerability and communication have been crucial to her success. She provides insightful guidance on building strong security teams, navigating crisis management, and fostering a supportive cybersecurity community. Tune in for practical advice and inspiration for advancing your own cybersecurity career.

Key topics include

1. Discovering your specific passion within the broad field of cybersecurity is crucial for a fulfilling career, as Rinki Sethi’s own journey from compliance to developer training demonstrates.

2. Mentorship can be found in unexpected places, from peers to senior leaders, and actively seeking guidance from those around you can significantly shape your career path.

3. Securing executive buy-in is essential for building a strong security culture, and aligning security goals with business objectives helps demonstrate the value of security initiatives.

4. To effectively advocate for security investments, it is crucial to present security as a business enabler, highlighting its ability to improve efficiency, reduce friction, and even create a competitive advantage.

5. Sharing real-world examples of how security programs have reduced business friction, such as streamlining compliance processes or shortening sales cycles, can help garner support for future security initiatives.

6. Transparency and clear communication are vital when implementing security programs, especially those that may be perceived as intrusive, to ensure understanding and minimize resistance.

7. Prioritizing mental health in the demanding field of cybersecurity is crucial, and creating a supportive environment where team members feel comfortable seeking help and addressing mental well-being is essential.

8. Crisis management exercises, including surprise breach simulations, can be invaluable for preparing executive teams and other stakeholders to effectively navigate real-world security incidents.

9. Networking outside of your immediate professional circle can lead to unexpected mentorship opportunities, board positions, and valuable connections that can benefit your career in the long run.

10. Giving back to the cybersecurity community by mentoring others, sharing your experiences, and encouraging newcomers is crucial for fostering a strong and inclusive industry.

IdRamp is a sponsor of the Candid CISO podcast. Visit their website at: https://www.idramp.com/candidciso

TrustLogix is a sponsor of the Candid CISO podcast. Visit their website at: https://www.trustlogix.io/candidciso

For show notes, transcripts, links, and more episodes visit https://www.candidciso.com

The Candid CISO podcast is produced by Nonconformist Innovation Media.

Support the show

In this episode of the Candid CISO, Co-Host John Donovan sits down with Jason Elrod, CISO of MultiCare Health Systems, who shares how getting lost on a trail run and running barefoot for 19 miles became a metaphor for leadership in cybersecurity. Jason dives into the tough realities of protecting critical infrastructure, balancing security and compliance, and tackling imposter syndrome head-on. He also reveals why being fiercely dangerous (ethically, of course) is essential for a successful cybersecurity career. From personal lessons on resilience to high-candor takes on navigating boardrooms, Jason keeps it real—and a bit ironic—by showing how getting off track can sometimes lead to the best insights. Follow along for an unexpected and entertaining ride!

Key topics include 

• How getting lost on a trail run turned into a lesson on leadership and staying present.

• Why facing your fears and doing what scares you leads to growth—both on trails and in cybersecurity

• The power of fierce, mission-driven cybersecurity professionals and why being 'ethically dangerous' matters

• How imposter syndrome is universal—and why accepting it can make you a more confident leader

• Balancing security and compliance: How to prioritize safety without getting lost in the checkbox mentality

• Jason's candid take on communicating cybersecurity risks to executives and boards in a way they’ll understand

• How ultra-running teaches resilience, focus, and mindfulness—and how that applies to a high-stress CISO role

• The importance of finding a restorative practice to reset and thrive in high-pressure leadership positions

• Why being both the smartest and 'dumbest' in the room drives better teamwork and collaboration

• How showing vulnerability and high candor can help you lead more authentically and inspire your team

Thanks to our season sponsors

IdRamp is a sponsor of the Candid CISO podcast. Visit their website at: https://www.idramp.com/candidciso

TrustLogix is a sponsor of the Candid CISO podcast. Visit their website at: https://www.trustlogix.io/candidciso

For show notes, transcripts, links, and more episodes visit https://www.candidciso.com

The Candid CISO podcast is produced by Nonconformist Innovation Media.

Support the show

In this episode of the Candid CISO podcast, host John Donovan sits down with Mandy Andress, an experienced CISO, investor, and board member, to explore her career journey in the cybersecurity industry. Mandy discusses how her diverse roles have shaped her perspective on implementing security measures tailored to different organizations, taking into account their culture, communication styles, and technological infrastructure. She also opens up about her personal experiences as a gay woman working in tech, offering insight into how diversity has influenced her leadership approach and decision-making processes.

The conversation touches on the evolving responsibilities of a CISO, especially in the context of remote work and the rise of AI-driven cyberattacks. Mandy reflects on her experiences balancing compliance and security in both traditional and tech-forward industries, sharing her strategies for building effective security teams and fostering collaboration.

Key Takeaways

• Mandy emphasizes the importance of aligning security strategies with an organization's unique culture, communication style, and tech stack to ensure they are effective and sustainable.

• She talks about how her experience as a gay woman in cybersecurity shows that diversity enhances problem-solving, fosters collaboration, and strengthens team performance.

• Mandy believes in creating a safe and supportive environment for team members by being a good listener, sharing personal experiences, and being open to vulnerability.

• The role of a CISO continues to evolve, and while it has become more defined in terms of business impact, it still requires constant adaptation due to the fast-paced changes in technology and cyber threats.

• Remote work presents unique challenges for leadership and team cohesion, but it also offers opportunities to redefine communication and collaboration through virtual means.

• Mandy advocates for taking on lateral career moves, as they can provide valuable learning experiences that contribute to broader skill sets, particularly in leadership and security roles.

• Building trust and rapport within an organization is crucial for a CISO, especially when influencing security decisions and balancing the organization's risk appetite with technical considerations.

• Mandy underscores the importance of balancing compliance and security, recognizing that they do not always align perfectly, and making informed decisions on when to prioritize one over the other.

• The rise of AI-driven cyberattacks is a growing concern, and security teams need to rethink their approach, focusing on speed, adaptability, and leveraging AI tools for defense.

• Lastly, Mandy encourages cybersecurity professionals to stay curious, remain open to learning, and take calculated risks in their careers, always keeping an eye on long-term growth and opportunities.

IdRamp is a sponsor of the Candid CISO podcast. Visit their website at: https://www.idramp.com/candidciso

TrustLogix is a sponsor of the Candid CISO podcast. Visit their website at: https://www.trustlogix.io/candidciso

For show notes, transcripts, links,

Support the show

In this episode, John Donovan sits down with cybersecurity expert and entrepreneur Dr. Joel Fulton for an insightful conversation covering leadership, resilience, and career growth. Joel shares his journey from an unconventional upbringing to becoming a successful CISO and startup founder. He discusses the challenges of transitioning from individual contributor to leader, the evolving nature of the CISO role, and the importance of self-awareness in leadership. Listeners can expect actionable advice on building balanced teams, effective communication, and leveraging professional communities for growth and support.

Takeaways

• Pursue Passion Projects Cautiously: Dream projects like writing require patience, planning, and multiple efforts to gain traction.

• Learn from Personal Struggles: Overcoming tough life experiences can build resilience and redefine success in your career.

• Work with People You Respect: Prioritize working with individuals who align with your values to avoid toxic environments.

• Self-awareness in Leadership: Understand your strengths and weaknesses to better lead and collaborate with others.

• Avoid Comparison in Leadership: The CISO role is evolving—don’t compare yourself to others; create your own leadership path.

• Build Balanced Teams: Combine technical skills, risk tolerance, and leadership within your team for maximum effectiveness.

• Communicate Clearly as a Leader: Ensure your brainstorming sessions are not misinterpreted as directives; leave space for team input.

• Delegate to Empower Growth: As a manager, trust and empower your team by avoiding micromanagement.

• Startups Require Flexibility: Starting a business involves unexpected challenges; embrace uncertainty and adapt quickly.

• Leverage Peer Communities: Build and engage in professional communities to access advice, mentorship, and problem-solving support.

IdRamp is a sponsor of the Candid CISO podcast. Visit their website at: https://www.idramp.com/candidciso

TrustLogix is a sponsor of the Candid CISO podcast. Visit their website at: https://www.trustlogix.io/candidciso

For show notes, transcripts, links, and more episodes visit https://www.candidciso.com

The Candid CISO podcast is produced by Nonconformist Innovation Media.

Support the show

In this episode of the Candid CISO podcast, Tyler Pinckard, Head of Security and Data Protection Officer at Support Logic, shares his provocative insights on the evolving landscape of cybersecurity. Tyler challenges the traditional view of security as merely a cost center, arguing that when leveraged correctly, compliance and AI can become powerful competitive advantages. He delves into the critical role of preparation and rehearsals, emphasizing that many security failures stem from a lack of planning rather than the complexity of threats. Tyler also advocates for embracing AI and automation to stay ahead in the fast-paced tech environment, urging CISOs to disrupt rather than be disrupted. This episode is a must-listen for security leaders looking to sharpen their strategic edge and rethink their approach to modern cybersecurity challenges.

Takeaways

• Security as a Strategic Advantage: Compliance and AI can turn security into a competitive edge.

• Preparation is Key: Many security failures result from poor planning, not just complex threats.

• Embrace Disruption: CISOs should leverage AI and automation to disrupt, rather than be disrupted.

• The Power of Rehearsals: Regular rehearsals and preparation prevent failures during critical security incidents.

• Compliance as a Crowbar: Compliance like SOC 2 and ISO is essential for customer trust and retention.

• AI's Role in Cybersecurity: AI can enhance efficiency, particularly in tasks like static analysis and case summarization.

• Practical Use of AI: AI should assist with tasks while maintaining human oversight for critical decisions.

• Startups and Security: Aligning security with business goals is crucial for success in fast-paced startups.

• Leadership in Cybersecurity: Effective leaders delegate and empower teams rather than micromanaging technical tasks.

• Diversity Drives Success: Diverse teams offer varied perspectives, reducing risks and improving security outcomes.

• Pragmatic Use of Tools: Use tools like GitHub Co-Pilot to maximize team efficiency and effectiveness.

• Security for the Modern CISO: CISOs must continuously adapt, applying both traditional strategies and modern tech solutions.

IdRamp is a sponsor of the Candid CISO podcast. Visit their website at: https://www.idramp.com/candidciso

TrustLogix is a sponsor of the Candid CISO podcast. Visit their website at: https://www.trustlogix.io/candidciso

For show notes, transcripts, links, and more episodes visit https://www.candidciso.com

The Candid CISO podcast is produced by Nonconformist Innovation Media.

Support the show

In this episode of the Candid CISO podcast, Co-Host John Donovan interviews Carlos de Leon, CISO at the Washington State Department of Revenue. They discuss various topics related to cybersecurity leadership and strategy, including the challenges and rewards of the CISO role, the importance of compliance, and the need for strong communication and people skills. They also touch on incident response and threat management, highlighting the lessons learned from the CrowdStrike incident and a cloning incident at Carlos' agency. The conversation concludes with a discussion on the impact of technology and organizational factors on the CISO role, as well as Carlos' personal career journey. Also in this conversation, Carlos shares insights and advice on thinking creatively, his early hacker days, and career development in cybersecurity. He emphasizes the importance of an adversarial mindset and thinking outside the box to solve problems. Carlos provides advice for those looking to enter the cybersecurity field and become a CISO. The conversation concludes with a discussion on Hacker Summer Camp and the importance of networking and community in the cybersecurity industry.

Segments

00:00 - Introduction and Background

03:03 - CISO Role: Challenges and Rewards

07:02 - Compliance in the CISO Role

09:57 - Lessons from Incident Response and Threat Management

13:24 - Balancing Technology and Organizational Factors as a CISO

20:30 - Insights from a Personal Career Journey

29:19 - Thinking Creatively and Developing an Adversarial Mindset

31:34 - Career Development in Cybersecurity

35:27 - The Importance of Networking and Community in Cybersecurity

Support the show

Steve Tout has a conversation with Aysha Khan, the CISO and CIO at Treasure Data in Mountain View, California. Aysha has 20 years of experience in Information Technology and Security at Fortune 500 companies. She is passionate about aligning strategy with agile execution to drive business results and customer satisfaction. Aysha has successfully built and led technology, security, compliance, risk, and operations functions from scratch. She has also turned around disjointed organizations into cohesive and collaborative environments.

Get ready to hear about her unexpected journey into cybersecurity and how she's transforming the field with empathy and bold leadership. Aysha shares the surprising twists that led her to become a Chief Security Officer and how she views cybersecurity not just as a technical challenge but as a vital business risk. During the conversation we discuss her unique leadership style, where humanity and empathy take center stage, and hear real-life stories of how this approach has shaped her decisions and projects.

Aysha will reveal personal turning points that helped her break barriers and offer strategies for aspiring leaders to make a meaningful impact. She'll also talk about her fearless approach to facing tough challenges, sharing how she tackles fear head-on and turns obstacles into opportunities.

Plus, she'll discuss the importance of giving back and her vision for a future where diversity and high performance go hand in hand.

TrustLogix is a sponsor of the Candid CISO podcast. Visit their website at: https://www.trustlogix.io/candidciso

IdRamp is a sponsor of the Candid CISO podcast. Visit their website at: https://www.idramp.com/candidciso

Candid CISO is produced by Nonconformist Innovation Media

Support the show

In this episode, Steve has a conversation with Chirag Shah. Chirag is the the Global Security Officer and Data Privacy Officer at Model N, a publicly traded software company in San Mateo, California. Chirag is a security and technology leader with over 24 years experience building leading-edge information security, security compliance, IT & network initiatives from the ground up. He is an inclusive leader with a passion for information security management, cooking, and continuous learning.

Steve and Chirag discuss his career journey and the evolving role of the CISO. He emphasizes the importance of integrating the security program with the business and providing value beyond technical aspects. Chirag also highlights the role of the CISO in the boardroom, particularly in mergers and acquisitions, and the need for transparency and accountability. He discusses the expanding responsibilities of CISOs, including AI, DEI, and privacy regulations. Chirag also touches on the role of a chief identity officer and the importance of ethics in cybersecurity.

TrustLogix is a sponsor of the Candid CISO podcast. Visit their website at: https://www.trustlogix.io/candidciso

IdRamp is a sponsor of the Candid CISO podcast. Visit their website at: https://www.idramp.com/candidciso

Candid CISO is produced by Nonconformist Innovation Media

Support the show

Welcome to the Candid CISO podcast, illuminating your path to impact. Get straightforward insights from seasoned CISOs and leaders who are not just talking about change, but driving it.

The Candid CISO podcast is supported by our sponsors:

IdRamp: IdRamp offers an integrated, comprehensive identity orchestration solution that automates operations, integrations, compliance, security, and digital transformation. 

TrustLogix: The TrustLogix Cloud Data Security Platform provides data owners and security owners with a single point of visibility and control of sensitive data access across all clouds and data platforms. 

The Candid CISO podcast is produced by Nonconformist Innovation Meda, LLC.

Support the show

In this episode, Ganesh Kirti, the founder and CEO of TrustLogix, discusses the challenges of securing data in the cloud and the need for comprehensive data security solutions. He explains how the modernization of data platforms and the increasing amount of data being stored and accessed in the cloud has made data security a complex problem. Ganesh also highlights the importance of security observability and granular access controls in protecting sensitive data. Ganesh emphasizes the need for collaboration between CISOs and CDOs and adopting interoperable and cloud-native solutions. Additionally, Ganesh discusses the partnership between TrustLogix and Snowflake and the role of AI in data security. He concludes by offering advice on protecting personal and enterprise data in an increasingly breached world.

TrustLogix is a sponsor of the Candid CISO podcast. Visit their website at: https://www.trustlogix.io/candidciso

Visit https://www.candidciso.com for show notes and more episodes. 

Candid CISO is produced by Nonconformist Innovation Media.

Support the show

In this episode of Candid CISO, host John Donovan has a conversation with Chris Roberts, CISO at Boom Supersonic. Together they discuss the importance of being candid and authentic in the cybersecurity industry. He emphasizes the need for CISOs to protect not only the organization but also the people within it. Roberts also shares advice for those looking to break into the security field, suggesting that they get involved in the community, contribute to research, and attend conferences. He also highlights the importance of articulating ideas effectively and understanding the business side of cybersecurity. Overall, Roberts encourages open communication and a willingness to learn and adapt in order to be successful in the industry.

Visit https://www.candidciso.com for show notes and more episodes.

Candid CISO is produced by Nonconformist Innovation Media

Support the show