Showing 8 episodes for Ciso

#247
October 13, 2025

EP247 The Evolving CISO: From Security Cop to Cloud & AI Champion

Guest:

  • David Gee, Board Risk Advisor, Non-Executive Director & Author, former CISO

Topics:

CISO
29:29

Topics covered:

  • Drawing from the "Aspiring CIO and CISO" book's focus on continuous improvement, how have you seen the necessary skills, knowledge, experience, and behaviors for a CISO evolve, especially when guiding an organization through a transformation?
  • Could you share lessons learned about leadership and organizational resilience during such a critical period, and how does that experience reshape your approach to future transformations?
  • Many organizations are undergoing transformations, often heavily involving cloud technologies. From your perspective, what is the most crucial—and perhaps often overlooked—role a CISO plays in ensuring security is an enabler, not a roadblock, during such large-scale changes?
  • Have you ever seen a CISO who is a cloud champion for the organization?
  • Your best advice for a CISO meeting cloud for the first time?
  • What is your best advice for a CISO meeting AI for the first time?
  • How do you balance the continuous self-improvement and development with the day-to-day pressures and responsibilities?

#237
August 4, 2025

EP237 Making Security Personal at the Speed and Scale of TikTok

Guest:

Topics:

CISO
29:29

Topics covered:

  • Security is part of your DNA. In your day-to-day at TikTok, what are some tips you’d share with users about staying safe online?
  • Many regulations were written with older technologies in mind. How do you bridge the gap between these legacy requirements and the realities of a modern, microservices-based tech stack like TikTok's, ensuring both compliance and agility?
  • You have a background in compliance and risk management. How do you approach demonstrating the effectiveness of security controls, not just their existence, especially given the rapid pace of change in both technology and regulations?
  • TikTok operates on a global scale, facing a complex web of varying regulations and user expectations. How do you balance the need for localized compliance with the desire for a consistent global security posture? How do you avoid creating a fragmented and overly complex system, and what role does automation play in this balancing act?
  • What strategies and metrics do you use to ensure auditability and provide confidence to stakeholders?
  • We understand you've used TikTok videos for security training. Can you elaborate on how you've fostered a strong security culture internally, especially in such a dynamic environment?
  • What is in your TikTok feed?

#212
February 24, 2025

EP212 Securing the Cloud at Scale: Modern Bank CISO on Metrics, Challenges, and SecOps

Guest:

29:29

Topics covered:

  • Tell us about the challenges you're facing as CISO at NuBank and how they differ from your past life at Spotify?
  • You're a big cloud-based operation: what are the key challenges you're tracking in your cloud environments?
  • What lessons do you wish you knew back in your previous CISO run [at Spotify]?
  • What metrics does your team report for you to understand the security posture of your cloud environments?
  • How do you know “your” cloud use is as secure as you want it to be?
  • You're a former Googler, and I'm sure that's not why, so why did you choose to go with Google SecOps for your organization?

#209
February 3, 2025

EP209 vCISO in the Cloud: Navigating the New Security Landscape (and Don’t Forget Resilience!)

Guest:

  • Beth Cartier, former CISO, vCISO, founder of Initiative Security

Topics:

CISO
29:29

Topics covered:

  • How is that vCISO’ing going? What is special about vCISO and cloud? Is it easier or harder?
  • AI, cyber, resilience: all are hot topics these days. In the context of cloud security, how are you seeing organizations realistically address these trends? Are they being managed effectively (finally?) or is security always playing catch-up?
  • Recent events reminded us that cybersecurity may sometimes interfere with resilience. How have you looked to build resilience into your security program?
  • The topic is perhaps 30+ years old, but security needs to have a seat at the table, and often still doesn’t. Why do you think this is the case?
  • What approaches or tips have you found to work well in elevating security within organizations?
  • Any tips for how cyber professionals can stay up to date with the current threat landscape versus the threats that are around the corner?

#208
January 27, 2025

EP208 The Modern CISO: Balancing Risk, Innovation, and Business Strategy (And Where is Cloud?)

Guest:

Topics:

CISO
29:29

Topics covered:

  • Can you briefly walk us through your CISO career path?
  • What are some of the key (cloud or otherwise) trends that CISOs should be keeping an eye on? What is the time frame for them?
  • What are the biggest cloud security challenges CISOs are facing today, and how are those evolving?
  • Given the rapid change of pace in emerging tech, such as what we’ve seen in the last year or so with gen AI, how do you balance the need to address short-term or imminent issues vs those that are long-term or emergent risks?
  • What advice do you have for how CISOs can communicate the importance of anticipating threats to their boards and executives?
  • So, how do you stay forward-looking and strategic without veering into dreaming, paranoia and imaginary risks? How do you stay futuristic yet realistic?
  • The CISO role as an official title is a relatively new one. What steps have you taken to build credibility and position yourself for having a seat at the table?

#204
December 23, 2024

EP204 Beyond PCAST: Phil Venables on the Future of Resilience and Leading Indicators

Guest:

  • Phil Venables, Vice President, Chief Information Security Officer (CISO) @ Google Cloud

Topics:

CISO
29:29

Topics covered:

  • Why is our industry suddenly obsessed with resilience? Is this ransomware’s doing?
  • How did the PCAST report come to be?  Can you share the backstory and how it was created?
  • The PCAST report emphasizes the importance of leading indicators for security and resilience. How can organizations effectively shift their focus from lagging indicators to these leading indicators?
  • The report also emphasizes the importance of "Cyber-Physical Modularity" - this sounds mysterious to us, and probably our listeners! What is it and how does this concept contribute to enhancing the resilience of critical infrastructure?
  • The report advocates for regular and rigorous stress testing. How can organizations effectively implement such stress testing to identify vulnerabilities and improve their resilience?
  • In your opinion, what are the most critical takeaways from our PCAST-related paper for organizations looking to improve their security and resilience posture today?
  • What are some of the challenges organizations might face when implementing the PCAST recommendations, and how can they overcome these challenges?
  • Do organizations get resilience benefits “for free” by using Google Cloud?

#189
September 9, 2024

EP189 How Google Does Security Programs at Scale: CISO Insights

Guest:

29:29

Topics covered:

  • What were you thinking before you took that “Google CISO” job?
  • Google's infrastructure is vast and complex, yet also modern. How does this influence the design and implementation of your security programs compared to other organizations?
  • Are there any specific challenges or advantages that arise from operating at such a massive scale?
  • What has been most surprising about Google’s internal security culture that you wish you could export to the world at large?
  • What have you learned about scaling teams in the Google context?
  • How do you design effective metrics for your teams and programs?
  • So, yes, AI. Every organization is trying to weigh the risks and benefits of generative AI. Do you have advice for the world at large based on how we’ve done this here?

#163
March 11, 2024

EP163 Cloud Security Megatrends: Myths, Realities, Contentious Debates and Of Course AI

Guest:

  • Phil Venables, Vice President, Chief Information Security Officer (CISO) @ Google Cloud
29:29

Topics covered:

  • You had this epic 8 megatrends idea in 2021, where are we now with them?
  • We now have 9 of them, what made you add this particular one (AI)?
  • A lot of CISOs fear runaway AI. Hence good governance is key! What is your secret of success for AI governance?
  • What questions are CISOs asking you about AI? What questions about AI should they be asking that they are not asking?
  • Which one of the megatrends is the most contentious based on your presenting them worldwide?
  • Is cloud really making the world of IT simpler (megatrend #6)?
  • Do most enterprise cloud users appreciate the software-defined nature of cloud (megatrend #5) or do they continue to fight it?
  • Which megatrend is manifesting the most strongly in your experience?