Do You Think These Compliance Boxes Check Themselves? (LIVE in Clearwater, FL)

Mar 31, 2026

Jason Mayer, Deputy CISO at Raymond James Financial, shares views on third-party risk and aligning security with business needs. Pam Lindemoen, CSO and VP of Strategy for Retail and Hospitality ISAC, focuses on industry collaboration and security awareness. They discuss why training often fails. They explore security theater, measuring behavior change, business-aligned messaging, and handling repeat risky users.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ADVICE

Pair Training With Behavioral Metrics

Combine traditional awareness training with measurable human risk metrics like real-world phishing click rates.
Jason Mayer compares annual compliance training plus behavioral metrics to show progress over time.

ADVICE

Convert Third-Party Questionnaires Into Controls

Turn security theater into value by redesigning the output and tailoring controls to business and third-party context.
Jason says questionnaires alone equal theater; add tailored controls based on third-party understanding.

ADVICE

Use Phishing Tests As Coaching

Treat phishing exercises as coaching, not punishment, and use failures to teach concrete consequences and fixes.
Pam Lindemoen walks halls hearing colleagues say “you didn't get me this time,” showing culture change.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

All links and images can be found on CISO Series.

This week's episode is hosted by David Spark, producer of CISO Series and Pam Lindemoen, CSO, vp of strategy, Retail and Hospitality-ISAC. Joining them is Jason Mayor, deputy CISO, Raymond James Financial.

This episode was recorded in front of a live audience at the National Cybersecurity Alliance's Convene conference in Clearwater, Florida.

In this episode:

Coaching security
Planned security theater
Making "nothing bad happened" a compelling story
Getting security teams to think like the business

A huge thanks to our sponsor, Adaptive Security

Sponsored by Adaptive Security – the first security awareness platform built to stop AI-powered social engineering. AI impersonation and deepfakes have made trust the new attack surface. Adaptive runs social-engineering simulations and instantly turns threats, policies, and compliance needs into interactive, multilingual training. Trusted by Fortune 500s. Learn more at adaptivesecurity.com.

A huge thanks to our sponsor, Zepo

Zepo Intelligence transforms employee behavior into measurable security capability. Moving beyond check-box compliance, our human risk management platform uses hyper-personalized simulations to turn your workforce into a proactive defense layer. We don't just improve human behavior; we enable mastery against modern social engineering threats. Learn more at zepo.ai.

A huge thanks to our sponsor, KnowBe4

KnowBe4 empowers workforces to make smarter security decisions every day. Trusted by over 70,000 organizations worldwide, we help strengthen security culture and manage human risk. Our comprehensive AI-driven HRM+ platform includes modules for awareness and compliance training, cloud email security, real-time coaching, crowdsourced anti-phishing, AI Defense Agents, and more. As the only global security platform of its kind, KnowBe4 utilizes personalized and relevant cybersecurity content, tools, and techniques to keep the modern workforce—both humans and AI agents—cybersafe from phishing, vishing, deepfakes, and all forms of social engineering. Learn more at knowbe4.com.