
In our last Super Cyber Friday, “Hacking the Security Poverty Line: An hour of critical thinking about minimum viable security,” we examined what it means for an organization to operate without enough resources to meet basic security standards.

Our conversation focused on how to identify cybersecurity poverty, the hidden costs of operating below the line, and how teams can make smart trade-offs and advocate for the support they need—without relying on buzzwords or fear.

Joining Richard Stroffolino for this conversation were Samantha Jacques, PhD, FACHE, AAMIF, vp, clinical engineering, McLaren Health Care, and Ross Young, CISO Tradecraft.

Watch the full video here

Join us next Friday, August 1, for “Hacking the Talent Myth”

Super Cyber Friday will be back Friday, August 1, 2025, for our discussion “Hacking the Talent Myth: An hour of critical thinking about why the ‘skills shortage’ might be a hiring problem.” It all starts at 1 PM ET/10 AM PT.

>>> REGISTER for 08-01-25 Super Cyber Friday <<<

Did you know that we have an events calendar?

Visit our events page to subscribe (look at the dropdown in the upper right) so you can stay up to date on Super Cyber Friday and other CISO Series content.

Best quotes from our guests

“We don’t focus on spend—we focus on materiality. If something going down prevents us from delivering care, that’s what I protect. I don’t care if the parking garage fails, but if we shut the ED doors and divert patients, we’ve failed.” – Sam Jacques, McLaren Health Care

“We always need to frame cybersecurity as protecting the company’s ability to make money. If you’re seen as reducing revenue, you’re dead in the water. Always sell security as a safeguard of business continuity.” – Ross Young, CISO Tradecraft

“We’ve added a fourth pillar beyond people, process, and technology: what to stop doing. You reduce risk not just by adding tools, but by removing pointless integrations and standardizing what’s essential.” – Sam Jacques, McLaren Health Care

“Find your gravediggers—where the wasted effort lives—and run murder boards. Cut what doesn’t drive outcomes, and you’ll reclaim people, process, and dollars that you can use where it matters.” – Ross Young, CISO Tradecraft

“You can’t always afford the best point solution, so you go for tools that give wide coverage—even if they’re average. In under-resourced orgs, good enough across the board beats excellent in just one spot.” – Sam Jacques, McLaren Health Care

“If you’re always begging for money, the organization tunes you out. Redefine your role from cost center to value driver—and stop being the security version of someone panhandling outside the boardroom.” – Ross Young, CISO Tradecraft

Quotes from the chatroom

“Open Source software and free learning platforms help me to ‘Hack the Security Poverty Line’ 🤑” – Fredy Alvarez, SOC Cybersecurity Manager

“I often say to my C-suite, ‘the more secure we are, the more viable we are, and the more viable we are, the more profitable we can be.’” – Aman S., executive security lead, vp, Elsevier

“My 2 cents on this: almost every proposal can be described in terms of risk avoidance (lower odds of the bad thing happening) or in terms of opportunity (improved odds of the good thing). People listen more to the latter.” – Duane Gran, director of information security, Converge Technology Solutions Corp.

“I think the industry has to move beyond constantly trying to prove security is important… and begging for resources (people, process, tech investment)… companies need to treat this domain/function similar to HR, Finance, IT, Sales, Marketing, etc.” – Kumar Dasani, US regional CISO, B. Braun Medical Inc. (US)

“If you have visible shelfware, clean it up first. It’s hard to justify new tools or claim security is a priority when current ones aren’t being used.” – Ozren B., director cybersecurity operations and architecture, Generac

“If you index the DB correctly and run your queries to take advantage of the indexes, you can reduce the performance hit you take by storing all logs.” – Andrew Aken, PhD, CISSP, CIO/vCISO, DocDrew, LLC

“What tone does that set when a vendor says you are too small? For me, they miss / lose the opportunity to work with us later. I am not ashamed to admit to almost begging vendors for a path to growth. The ones that said yes are the vendors I will keep for a long time. Those that say no, the ones being transactional, are ones I share my concerns about with my peers.” – Evan B., Security, Privacy, IT, Engineering & Compliance Executive
