Page de couverture de The New CISO

The New CISO

The New CISO

Auteur(s): Steve Moore
Écouter gratuitement

À propos de cet audio

 The New CISO is hosted by Exabeam Chief Security Strategist, Steve Moore. A former IT security leader himself, Steve sits down with Chief Information Security Officers to get their take on cybersecurity trends, what it takes to lead security teams and how things are changing in today’s world.517748 Économie
Épisodes
  • Architect and Firefighter: How a Modern CISO Leads in Crisis

    Architect and Firefighter: How a Modern CISO Leads in Crisis
    Mar 12 2026
    Alan Lucas always wanted to be an architect or a firefighter — as CISO of Worldstream and Greenhouse Datacenters, he has become both. In this episode, he joins host Steve Moore to explore leading cybersecurity at the intersection of design and crisis response.Alan traces his path from Fox-IT through a Dutch cryptocurrency exchange where he arrived post-breach to an organization under near-constant attack from nation-state threat actors. Leading a technically sophisticated but security-anxious leadership team, he learned the lasting power of transparency and directness — and his most memorable measure of success was not a technical control, but a CTO who finally slept through the night.The conversation goes deep into crisis communication. Alan and Steve discuss how the industry has matured from reflexive silence around breaches to embracing transparency as a trust-building tool, the danger of well-meaning legal edits that send customers chasing the wrong narrative, and why the CISO should hold final review over all public incident communications. He also shares his Security Champions Program, tabletop exercise design, and why knowing who to call in a crisis must be mapped out before that crisis arrives.Alan also covers his volunteer work with the DIVD, coaching ethical hackers and supporting responsible disclosure worldwide — an extension of his belief that security, done well, creates trust and enables growth for everyone.The episode closes on "bouncing forward" — the idea that true resilience means using every incident as a forcing function for improvement, not just a return to baseline. Alan frames lessons learned as the most important resilience KPI a security team can own. A masterclass in leading through both calm and chaos. Key Topics• The architect-and-firefighter mindset: building security programs while fighting live fires• Alan's career path from Fox-IT (MSSP) to post-breach CISO at a cryptocurrency exchange• Leading security post-breach — and what "sleeping well again" actually means• The unique threat landscape facing cryptocurrency companies, including nation-state adversaries• The Dutch Institute for Vulnerability Disclosure (DIVD): coordinated, ethical vulnerability disclosure worldwide• Mentoring young ethical hackers: communication, confidence, and responsible disclosure process• Crisis communication: balancing transparency with operational security during active incidents• Why legal edits to breach notifications can mislead customers and create dangerous distractions• The CISO's role as final reviewer of all incident communications• Security Champions Programs: bridging the gap between security and non-technical departments• Tabletop exercise design: running effective simulations in under an hour with non-technical staff• Writing the breach notification letter before the breach happens• Bouncing forward, not bouncing back: using lessons learned as a resilience KPI• Security as a business enabler: positioning the CISO role for organizational growth and confidenceGuest BioAlan Lucas is CISO at Worldstream and Greenhouse Datacenters, two of the Netherlands' leading cloud and data center infrastructure providers. With over a decade of cybersecurity experience, he leads security strategy for mission-critical IT and cloud environments. Prior roles include Fox-IT (MSSP) and LiteBit, a Dutch cryptocurrency exchange where he served as CISO post-breach. Alan also volunteers as a coach at the Dutch Institute for Vulnerability Disclosure (DIVD), mentoring ethical hackers and supporting responsible disclosure globally. He is passionate about security as a catalyst for innovation — and about building a safer digital society, one step at a time.LEARN MORE:👉 Connect with Alan on LinkedIn.GET A DEMO:👉 Get a hands-on demo of the Exabeam products: https://www.exabeam.com/demo🔔 Subscribe for more product demos and cybersecurity insights!ABOUT EXABEAM:Exabeam is a leader in intelligence and automation that powers security operations for the world’s smartest companies. As a global cybersecurity innovator, Exabeam provides industry-proven, security-focused, and flexible solutions for faster, more accurate threat detection, investigation, and response (TDIR). Cutting-edge technology enhances security operations center performance, optimizing workflows and accelerating time to resolution. With consistent leadership in AI innovation and a proven track record in security information and event management (SIEM) and user behavior analytics, Exabeam empowers global security teams to combat cyberthreats, mitigate risk, and streamline operations.Real Intelligence. Real Security. Real Fast. Learn more at: https://www.exabeam.com/CONNECT WITH US:X/Twitter: https://x.com/exabeamInstagram: https://www.instagram.com/exabeam/LinkedIn: https://www.linkedin.com/company/exabeam/Facebook: https://www.facebook.com/Exabeam/Blog: https://www.exabeam.com/blog/
    Voir plus Voir moins
    49 min
  • Six Steps for Better Communication as a CISO

    Six Steps for Better Communication as a CISO
    Feb 19 2026

    In this episode of The New CISO, host Steve Moore speaks with Dean Sapp, CISO and Data Protection Officer at Filevine, about one of security's most critical yet overlooked skills—written communication. Drawing from a brutal college English class that failed students for a single typo and over 20 years building security programs in the legal tech industry, Dean reveals why the ability to articulate security findings clearly separates average professionals from exceptional leaders who drive real business impact.

    After abandoning architecture when he learned it would take six years to become licensed, Dean leveraged his dual skills in computer-aided drafting and IT to launch a career at Novell, eventually earning nine certifications in two years and a master's degree from SANS Institute. His background in design thinking shapes how he approaches security program development—viewing it like building a structure that requires solid foundations, functional systems, and even window dressing like SOC 2 compliance.

    After interviewing over 100 candidates for SOC positions, Dean identifies the biggest missing skill as the inability to translate security findings into business language executives understand and act upon. He introduces the BLUF (Bottom Line Up Front) principle from military communications, explaining why security professionals have roughly eight seconds to capture executive attention. Dean champions radical transparency through simple frameworks—using stoplight systems or report card grades to communicate security posture, deliberately giving his own program failing marks in areas needing improvement to build trust.

    Dean tackles operational communication breakdowns that create real security risk, emphasizing mandatory peer review before escalating incidents. This two-person rule dramatically improves report quality while reducing false positives that waste senior leadership time. He shares how this high-standards approach helped Filevine achieve best-in-class cyber insurance rates, with underwriters calling their security program superior to any SaaS provider they'd evaluated. Drawing on Erik Durschmied's "The Hinge Factor," he illustrates how small communication failures doom missions—just as cavalry troops charging cannons failed because not one rider carried the nails and hammer needed to disable them.

    Throughout the discussion, Dean emphasizes holding yourself to impossibly high standards so that external auditors find you excellent. He advocates for brutal honesty about program gaps, documenting accepted risks clearly, and using tools like Grammarly Premium to improve writing quality. His philosophy combines military precision, architectural thinking, and pedagogical discipline—all in service of making security programs that actually work rather than just looking good on paper.

    Key Topics Discussed:

    * Why written communication is security's most critical missing skill

    * BLUF (Bottom Line Up Front): Capturing executive attention in 8 seconds

    * Using stoplight or report card systems for transparent board reporting

    * Giving your security program honest grades to build executive trust

    * Mandatory peer review before escalation to reduce false positives

    * How Filevine achieved best-in-class cyber insurance rates

    * The two-person rule for improving incident report quality

    * Lessons from "The Hinge Factor" about preparation and tools

    * Holding impossibly high standards so external auditors find you excellent

    * Translating technical findings into business impact language


    LEARN MORE:

    👉 LinkedIn: https://www.linkedin.com/in/deansapp

    Company Website: https://www.filevine.com


    GET A DEMO:

    👉 Get a hands-on demo...
    Voir plus Voir moins
    49 min
  • The Four Cs: Why a Schoolteacher Makes a Great CISO

    The Four Cs: Why a Schoolteacher Makes a Great CISO
    Jan 29 2026

    In this episode of The New CISO, host Steve Moore speaks with Manuel "Manu" Ressel, CISO at SAUTER Group, about his unconventional journey from classroom teacher to cybersecurity leader—and why the "Four Cs" of modern education provide a powerful framework for building effective security programs. Drawing from years as both a teacher and school principal in Germany, Manu introduces Critical Thinking, Communication, Collaboration, and Creativity as essential leadership skills that fundamentally challenge how the industry approaches awareness training and incident response.

    After growing frustrated with Germany's outdated education system that prioritized memorization over critical thinking, Manu left his position as principal and reinvented himself as a digital transformation consultant. Working with schools and mid-sized companies to adopt cloud technologies, he eventually landed the CISO role at SAUTER, an international building automation company with 4,000 employees across multiple countries.

    The conversation tackles security's most persistent failure: awareness training that doesn't work. Manu reveals that 37% of security incidents in Germany could be prevented if users made better decisions, yet most organizations rely on boring click-through programs. He advocates for scenario-based, role-specific training—an approach now mandated by Europe's NIS 2 regulation—that treats people as the biggest opportunity in cybersecurity rather than the weakest link.

    One of the episode's most practical frameworks is Manu's Observation-Description-Interpretation method for analyzing security incidents. He explains how humans naturally jump from observation directly to interpretation, skipping the crucial middle step of accurately describing what actually happened. This leads to finger-pointing, misdiagnosis, and hasty decisions. By training security analysts to pause and describe incidents factually first, teams make better decisions and build trust with the business.

    Manu challenges the punitive approach many organizations take toward security failures, particularly companies that fire employees for repeatedly clicking phishing simulations. He champions building positive fault cultures where employees feel safe reporting mistakes. His three crisis questions—Is anyone dying? Major financial impact? Will someone be hurt?—provide a simple framework for staying calm and deciding when immediate action is necessary versus taking time to think strategically.

    Key Topics Discussed:

    1. Why the "Four Cs" (Critical Thinking, Communication, Collaboration, Creativity) define effective security leadership
    2. The Observation-Description-Interpretation framework for incident analysis without bias
    3. Transforming ineffective awareness training into engaging, scenario-based programs
    4. Building positive security cultures where employees report issues without fear
    5. NIS 2's mandate for role-specific cybersecurity training across organizational levels
    6. Why Germany and European mid-market companies lag in cloud adoption
    7. Three critical crisis questions: Is anyone dying? Financial impact? Risk of harm?
    8. Why punitive phishing training destroys trust and cultural engagement
    9. Applying teacher skills to security leadership and de-escalation...
    Voir plus Voir moins
    54 min
Pas encore de commentaire