"Resilience means knowing you’re going to get hit—what matters is whether you get back up or roll over."
Signal to Noise: An Interview with Joe Evangelisto, CISO at NetSPI
In this edition of Signal to Noise, I had the pleasure of speaking with Joe Evangelisto, CISO at NetSPI. With more than 25 years of experience in technology and six years dedicated to cybersecurity, Joe shared deep insights on balancing proactive security efforts with realistic expectations, managing vendor relationships, and building resilience in today’s threat landscape.
Below are highlights from our conversation, framed to cut through the noise and focus on what security teams can take away to improve their operations today.
On Signal to Noise: What Does It Mean for Security Teams?
Joe’s take on “signal to noise” boils down to finding that critical insight among a sea of information.
"What you’re really trying to do is proactively identify that one piece that matters, without having to react to every alert. If you miss those signals and they sit unnoticed, that’s when bad days happen."
Joe emphasized the importance of removing distractions—focusing only on actionable alerts that require a response. His advice aligns with the idea that security isn't about catching everything but about surfacing what is meaningful and tuning out the rest.
Red Teaming: Closing the Gaps Before They Matter
Joe described NetSPI’s approach to proactive security through red teaming, which aims to find weaknesses before they become liabilities.
"We all leave doors unlocked from time to time. What matters is having someone check behind you—making sure windows are closed and doors are locked. That way, when someone does try to break in, they don’t succeed."
NetSPI not only conducts assessments for clients but applies the same rigorous testing to their internal environment. This ensures both accountability and credibility—“walking the walk and talking the talk,” as Joe put it.
The Value of Long-Term Partnerships Over Fear-Driven Marketing
Joe is critical of FUD (fear, uncertainty, and doubt) marketing that scares customers into buying products. Instead, he champions collaborative, long-term relationships with vendors.
"You might scare someone into buying today, but they won’t be a customer tomorrow. Building a partnership based on trust is harder, but it’s the right way."
NetSPI recently rebranded to move away from FUD tactics, focusing instead on honest, value-driven conversations with customers. Joe's advice for vendors: Know your customer's needs and show how you can address them without the buzzwords.
Risk Management: Quick Wins vs. Long-Term Roadmaps
When it comes to risk management, Joe believes in a balanced approach—addressing both quick wins and long-term strategies.
"Sometimes, you find that making a small tweak—like adjusting a product setting—reduces risk immediately. Other times, the right move takes months of planning, communication, and careful execution."
For Joe, risk management means prioritizing resources effectively. He stresses that the easy tasks—like patching and logging—should run smoothly and require minimal effort. This frees up time for more nuanced conversations with other teams about complex risks and their impact.
How to Stand Out as a Vendor: The Importance of Proven Value
Joe shared candid feedback on what separates good vendors from noisy ones: concrete, measurable results.
"If you’re pitching me on reducing phishing attacks, tell me what metrics you’ve seen—20%? 80%? And how long does implementation really take?"
He emphasized the importance of honest, data-driven conversations. Vendors should be upfront about limitations—admitting when they don’t have all the answers—and avoid overpromising on deliverables.
Resilience: It’s Not About Avoiding Every Incident
When asked how he defines resilience, Joe gave a simple yet powerful response:
"Resilience means knowing you’re going to get hit, but are you going to get back up or roll over? Incidents will happen—what matters is that they don’t become breaches."
This underscores the need for redundancies and layered defenses, ensuring that small mistakes don’t escalate into major issues. Nobody can be perfect all the time, but with the right processes, companies can recover quickly and prevent long-term damage.
Final Thoughts: Building a Community of Accountability and Trust
Joe wrapped up our conversation by reflecting on the importance of community in cybersecurity.
"We’re all here to protect each other’s environments and grow together. If more of us paid it forward, the industry would have fewer issues."
He also emphasized accountability as a core value, both for his team and his vendors. His advice? Under-promise and over-deliver—because trust is the foundation of any long-term relationship.
Wrapping Up
My conversation with Joe Evangelisto was a reminder that security is about more than just tools and tactics—it’s about people, partnerships, and proactive thinking. From red teaming to risk management strategies, Joe's insights reflect a balanced approach that prioritizes what matters most.
For Joe, the focus is always on reducing risk with minimal friction, building trust-based partnerships, and ensuring resilience in the face of inevitable challenges.
Stay tuned for more conversations like this, where we cut through the noise and surface the insights that matter most. Stay secure, and stay curious, my friends!
– Damien