CISO Resources

  • How to CISO, Volume 1: The First 91 Days

    How to CISO, Volume 1: The First 91 Days

    Just want to download the eBook? Head over to How to CISO, Volume 1: The First 91 Days! It seems to be a rite of passage for all CISOs to, at some point in their career, write down their advice for other CISOs starting a new job, whether they are a first-time or veteran CISO.…

    Read more…


Security Talks

  • This talk delves into the intersection between security–helping make wiser risk choices–and leadership–getting more done with a lower energy cost. It draws on the lessons of the Six Leadership Disciplines and Humans are Awesome at Risk Management talks, providing a handful of examples of specific leadership skills to practice. The 24 skills in the matrix…


  • Summary Everybody sells, right? Wrong. Unless you’re taking an order and retiring your quota, you don’t sell – instead, you market. If you’re selling to a CISO, you need to understand the organizational dynamics that surround a CISO’s decision-making process. This talk walks through nine critical questions that CISOs need to understand the answers to…


  • The Untold Story of Fantastical Social Engineering. Hidden inside the story of Harry Potter is a most subtle of social engineering attacks. Explore how J.K. Rowling hid the world’s greatest villain in plain sight. This talk explores the world of Harry Potter from a different angle: that of the villain. In this talk, given in…


  • How do you know what to invest in next, or whether the time and energy that you’re spending on a security technology or program is a good investment?  Learn how veteran CSOs think about security investments, and develop your own rubric for evaluating where to best make your next security improvement.


  • How do you design defenses against DDoS? And how do you think about them from a policy perspective?


  • How do humans make risk decisions, and are they good, bad, or something else?


  • How do the grand challenges of the future look like the grand challenges of the past?


  • What does a Zero Trust journey look like? Explore how we migrated Akamai to a zero trust network access model, before that was even a phrase people knew.



Security Panels

  • Investing in Solutions for Tomorrow’s Attacks

    Potential investors in the cybersecurity sector need a deep understanding of what the pinch points are for cybersecurity practitioners. Andy Ellis, a 20-year CSO at Akamai who is now an operating partner at YL Ventures, discusses what cybersecurity sectors are attracting investment – and why.


  • Scaling Security Programs in High Growth Companies

    This webinar discusses the challenges of scaling security programs in high-growth companies, featuring insights from security experts from HashiCorp and Robinhood.



Security Blog

  • Virtual Patching

    Virtual patching, adding rules to a WAF to filter out traffic exploiting known vulnerabilities, is beneficial. While it shortens the mitigation window, the real debate lies in managing the underlying vulnerability. Some argue for fixing the specific vulnerability, while others advocate fixing the entire category of vulnerabilities for long-term benefits.

  • DDoS Thoughts

    DDoS attack efficiency is typically measured in bits-per-second ratios. To extend this measurement, we can use “flits per second” to gauge cost and impact. Reducing attack ratios and increasing client costs are key defensive strategies. Traffic filtering and capacity increases offer potential solutions.

  • Compliance, Security, and the relations therein

    As an amateur hairdresser, I’ve learned that just like the diverse disciplines within information security, there are countless techniques and specialties in hairstyling. It reminds me to approach other professionals with humility, acknowledging their expertise in their respective fields. We all have valuable knowledge to contribute.

  • Security and hairdressing

    Being an amateur hairdresser has taught me a valuable lesson about the diverse disciplines within information security. Just like braiding hair, where I’ve only scratched the surface, I’ve realized that I may only know bits and pieces about the various security specialties. It’s important to approach other professionals with humility, recognizing their expertise in their…

  • The Problem with Password Unmasking

    There is a disagreement regarding whether passwords should be shown in clear text or masked while being typed. One perspective argues that password masking reduces usability and offers limited protection against snoopers. However, the opposing view emphasizes the importance of security and raises questions about the effectiveness of unmasking passwords. The ultimate solution lies in…

  • Sanitization vs. crypto

    Bruce Schneier disagrees with NIST’s stance on encryption as a means of sanitization. He argues that properly implemented encryption, with secure key management, can effectively sanitize data. While NIST has removed the paragraph, Schneier acknowledges the numerous qualifications required for encryption to be fully secure, suggesting that sanitization should still be performed when possible.

  • Security and Obscurity

    The mantra “Security through obscurity is no security at all” originated from concerns about proprietary cryptographic algorithms. However, in the context of security systems and architectures, obscurity plays a crucial role. No system is perfectly secure, so a good security professional aims to reduce vulnerabilities and make exploitation costly. Layered security and maintaining architectural details…

  • Social Engineering Self-training

    In contrast to traditional security systems, social engineering has an interesting advantage: the more unsuccessful attempts made to deceive someone, the better prepared they become to resist future attacks. Each failed social engineering attempt serves as valuable training for the target, enhancing their defenses.

  • Phishing
    Phishing

    While we prioritize phishing prevention in banking, other sites like LinkedIn may become targets for identity thieves. The ease of phishing login information and the potential to exploit trust within a professional network highlight the need for heightened vigilance beyond banking. Personal experiences remind us to be more cautious.

  • Invisibility Cloak
    Invisibility Cloak

    As the possibility of invisibility draws nearer, its potential implications become apparent. Scary applications include concealed weapons, bombs, and potential traffic hazards. However, in the cool category, it opens doors for urban renewal, architectural innovations, and even portable privacy umbrellas, although such technologies may also have concerning uses.


Security Podcasts

  • We Built This City on Outdated Software
    We Built This City on Outdated Software

    https://cisoseries.com/we-built-this-city-on-outdated-software/ “The biggest threat to national security is that many of the most vital systems on the planet CURRENTLY run on outdated and insecure software,” said Robert Slaughter of Defense Unicorns on LinkedIn. That’s at the core of the third-party security issue.This week’s episode is hosted by David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating…

  • Wrong Answers to Revealing Interview Questions
    Wrong Answers to Revealing Interview Questions

    https://cisoseries.com/wrong-answers-to-revealing-interview-questions/ Security leaders will often ask challenging or potentially gotcha questions as barometers to see if you can handle a specific job. They’re looking not necessarily for a specific answer, but rather a kind of answer and they’re also looking to make sure you don’t answer the question a specific way. Don’t get caught in…

  • I Pity the Fool Who Builds a Homogeneous Cyber A-Team
    I Pity the Fool Who Builds a Homogeneous Cyber A-Team

    https://cisoseries.com/i-pity-the-fool-who-builds-a-homogeneous-cyber-a-team/ If you want to build a successful cybersecurity team, you need to be diverse, mostly in thought. But that diversity in thought usually is the result of people with diverse backgrounds who have had different experiences and have solved problems differently. It’s actually really hard to hire a diverse team because what people want…