Stephen and Rich answer our viewers' questions. This month...

"As the head of our IT department, I'm constantly getting pushed back from the development team about our security protocols being too restrictive."

Question: How can we find middle ground that keeps our system secure without stifling innovation and making our developers jobs harder?

Stephen and Rich answer our viewers' questions. This month...

"I'm a consultant working in various vCSO roles for multiple companies. Recently, I've noticed a troubling trend. Vendors are blatantly lying to SME's that lack cyber representatives and they're getting away with it. One of my customers recently reduced my hours to just a couple per month because the provider of a prominent tool assured them that they had eradicated all cyber risk. When I tried to explain that this was nonsense, they dismissed it as me trying to hold on to my hours. It feels like Cyber Security is the Wild West. Companies can't use fake eyelashes and mascara ads but in Cyber Security anything seem to go. I'm embarrassed and frustrated."

Question: What is happening and how can I address this without looking jealous or like I'm trying to upsell things for myself?

Stephen and Rich answer our viewers' questions. This month...

"I work in incidence response, I'm absolutely burnt out, have lost all interest in keeping abreast of the latest security knowledge and I just don't care about cyber anymore. I'm incredibly tempted to just quit and go and do training and awareness or GRC. Something none technical that requires less research and investment. The thing that's stopping me is that I'm a woman and it's such a cliche that women in cyber aren't technical and I don't want to add to those appalling stats but I'm just so tired of this shit. It's so hard and i can't be bothered. From burnt out Becky."

Question: What should I do about it?

Stephen and Rich answer our viewers' questions. This month...

Question: Does a CSO need to be technical to be successful?

Stephen and Rich answer our viewers' questions. This month...

"I'm a SESO across the pond in the States. I have a relatively high profile, a ton of followers on LinkedIn. I'm invited to speak at conferences and I've got a great job. However, I cannot shake this feeling that I don't know what I'm doing. I know people talk about imposter syndrome a lot in Cyber Security and I don't think it's that. I genuinely think, no, I know that I'm not very good at my job. My knowledge is superficially deep but my employer keeps me around because of my reasonably high profile. I'm far too into my career to start back at basics with certifications. Also, my employer isn't going to fund certs that somebody new to the industry would be doing, not to mention that would give the game away. I'm just not good at this and nobody has seemed to notice yet!"

Question: What do I do? Where do I start?

Stephen and Rich answer our viewers' questions. This month...

"I have recently started working in Cyber Security and while I love the challenge and the constant learning, I can't help but feel the constant pressure to keep up with rapidly advancing technology. It seems like every day there's a new vulnerability or a tac vector to worry about."

Question: How do I maintain a healthy work-life balance to prevent burnout in an industry where the stakes are so high and the pace is relentless?

Stephen and Rich answer our viewers' questions. This month...

"I am the Head of Information Security at a company that supplies to the public sector. It is large enough that people should know who we are but dull enough that nobody does. We aren't public sector though. I listen to this podcast and you guys seem pretty switched on. So I hope that you'd think of something that I hadn't yet. I've got a wretched relationship with our CFO. It's safe to say he hates me and this feeling is very much mutual. He is able to squash every aspect of my security strategy. None of which is necessary by the way. In fact a lot of it is basic funding for cyber hygiene. It's baffling how we get the contracts we get. When we literally don't even enforce 2FA. I completely understand that CFO seek to strike a balance between investing enough in Cyber Security to mitigate risks and ensuring cost effectiveness. They often want to understand the justification for Cyber Security budgets and how the organisation can measure the ROI on Cyber Security investments. I get it. I empathise. But he's just being difficult, it's 100% personal but there's no point in me saying this because I have no evidence of it. My entire strategy was denied the same day I had submitted it. Normally it takes 2 or so weeks. I escalated it, was told the ROI wasn't clear, so I resubmitted it and again it was denied. There's a guy in HR who has got funding for in office standing desks and we all work from home! Can you see my frustration! I am actually desperate."

Question: Would either of you confront this person? Or is there avenue around this that I could be exploiting but aren't.

Stephen and Rich answer our viewers' questions. This month...

"I'm the Head of Information Security. It's a title in name only because quite frankly I don't have any authority. I'm just the person people point at when things go wrong or when something scary or unrelated crops up int the news. I love my job though but I do find I have a repeat issue, in that I don't seem to get a sign off for any budget ever. I know other none security departments have managed to, so it's not like the company doesn't have the funds or the inclination to spend money. I spoke to your CEO Eliza at a conference about this and she gave me great advice about approaching a topic of budgets in the language of finance and business risk rather than security. I tried this and I still can't get sign off. I'm one of three people in the security team and the burden of responsibility is on my shoulders but I can't get any tooling, can't get more people and it feels kind of pointless. It's almost like I've been in this role to impress our investors because nothing I do seems to work. I'm not asking for the earth, I'm literally asking for vulnerability management of key assets and login and monitoring of key assets first."

Question: How can I relay the new fees basic measures in a way that gets me somewhere?

Eliza and Rich answer our viewers' questions. This month...

"I've been in the IT field for 8 years and 2 years ago I transitioned into a Cyber Security consultant role at one of the big four consultancy firms. Whilst I acknowledge that I am not the most experienced, I've been continuously improving and hold a CISSP certification. So here's the dilemma. I was given a small team of direct reports all with the same job title but in a lower pay band than me, or so I thought. During the interview process for a new team member, we agreed on a woman with one years experience in compliance who came through from a training bootcamp. Surprisingly she's being paid the same as me, despite being my direct report and she's earning 15K more than her male colleague with more experience than her. I don't want to jump to conclusions and assume this pay gap is solely because of her gender but it's hard to ignore the possibility. We have ambitious quotas to meet and this situation is causing me a lot of frustration. On one hand I understand that she may need time to gain experience but her pay grade implies a certain level of expertise. I can't help but feel a tinge of jealousy because I worked hard to reach my salary, while it seems she was handed hers. I want to support the women in cyber movement but incidents like this make it challenging. I've considered sharing my thoughts on LinkedIn but I'm worried it might harm my career. I'm so angry and I'm starting to dislike her even though it's not her fault. I've genuinely considered leaving because it feels so unfair."

Question: What should I do to handle this situations without driving myself mad with jealousy and how do I stop myself disliking her so much?

Stephen and Rich answer our viewers' questions. This month...

"I'm new to a company as the Head of IT, it's my second head of IT role but it's the first time I've had Cyber Security in my remit. This is great, and it's one of the reasons I took the role because I'd really like to move into Cyber Security. Some decisions were made prior to me starting, for example their AV & MDR, their not critical national infrastructure. I think that it's overkill, as they both perform similar functions and AV would have been fine. There is no SIEM but there are a bunch of SAS products but there is no security alerting on that. The previous guy put out a tender for a SIEM provider, he selected one but the contract wasn't signed. Needless to say everyone here was onboard with it and I've come in and I'm questioning things. I think if we have a SIEM, great. But who has time to monitor it? Not me. There been a lot of buying here and no use made of those purchases. I've come in and I look like I'm being difficult for the sake of it. I feel I need to take a breath and actually look at the problems before blowing my small budget that was given to the previous trigger happy guy."

Questions: Do we kill off the login we currently have? What should I do here? Move forward with SIEM to keep my position politically not literally or trample on it and start again knowing that I'm going to piss off a whole bunch of people?