All links and images for this episode can be found on CISO Series (https://cisoseries.com/tell-me-were-secure-so-i-can-go-back-to-ignoring-security/)

I don't know anything about our state of security. I don't want to know either. But I do want to know you know about security and there's nothing I have to worry about. You can do that, right?

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Dan Walsh, CISO, Rally Health.

Thanks to our sponsor, Capsule8.

Capsule8 is defining modern enterprise protection by providing detection and response for Linux infrastructure in any environment. Capsule8 provides host-based detection and investigatory data for incident response with on-going support. Unlike anyone else, Capsule8 mitigates the financial, scalability and reliability limitations of protecting your Linux infrastructure.

On this week's episode

Why is everybody talking about this now

How do you respond to "Are we secure?" It's a loaded question that we've addressed previously. Daniel Hooper, CISO, Varo Money brought up this topic again that caused a flurry of discussion on LinkedIn. In the past Mike has mentioned that he talks about the state of his security program and where it's heading. The core of this question is anxiety about something a non-security person doesn't understand. How does a security leader break down this question into small parts, and what question should a CEO be asking if not "Are we secure?"

There’s got to be a better way to handle this

The engineering team at Rally Health is around 800 and our guest Dan has a security team of 30+ of which only 5 of them are application security people. Those five are definitely going to need some help if they're going to have an impact on how secure the applications are. I ask Dan Walsh what he's doing with the engineers that's turning them into application security force multipliers.

What's Worse?!

How damaging is a bad reputation?

What do you think of this vendor marketing tactic?

CISOs have ways to retalilate against aggressive sales tactics. George Finney, CISO at Southern Methodist University told a story on LinkedIn about an unsolicited sales invite that was sent to 65 people at his school. He blocked the email. He asked the community if that was too harsh. Similarly Steve Zalewski, deputy CISO of Levi's said if he sees aggressive tactics by a company, the security team has the ability to block the whole domain from their servers. Are these tactics too harsh? Have Mike and our guest taken similar tactics, and/or is there something else they do in response to extremely aggressive sales tactics?

If you haven’t made this mistake, you’re not in security

How prepared do you need to handle your next cyber job? A question was asked on reddit from someone who wasn't sure they should take a job because they didn't have all the skills to do the job. Most people just said, "Do it." How would Mike and our guest answer this question as an employee and a manager. What level of unpreparedness for a job is acceptable and possibly even exciting? Could too much result in imposter syndrome?