AI Is Very Efficient at Making Us Forget the Value of Humans

CISO Series Podcast

When the glut of LLM-based tools started cropping up, many assumed they could never match the human creativity required to be effective red teamers. But these tools are proving remarkably effective. So what’s left for the human red team that can’t be automated?

This week’s episode is hosted by David Spark, producer of CISO Series and Andy Ellis, principal of Duha. Joining them is Jacob Combs, CISO, Tandem Diabetes Care.

Listen to the full episode here.

Hold developers accountable

The AppSec vendor market remains overcrowded because it addresses a fundamental misalignment: treating code security as the CISO's problem when software leaders should own it. As Nielet D'Mello of Datadog pointed out, security teams are held accountable for outcomes they can't control since they don't push code or choose software functionality. Software leaders have convinced organizations that security owns code security. Shouldn’t it be the developers? More than 100 vendors at Black Hat compete in this space. Are they all getting it wrong or only partially correct? Are vendors not meeting customer needs? Does anybody know what they need? Stop holding security accountable for software outcomes. Instead, focus on governance that exposes when development fails to meet security standards.


Credibility through candor

Vendors consistently lose trust through overselling. Yet many sales teams haven't learned that CISOs value honesty. We’ve heard this again and again from our CISO guests, and CSO Rinki Sethi at Upwind Security echoed the sentiment in a LinkedIn post. CISOs have great BS detectors, so claiming you can do it all, or that it’s all coming up on your roadmap, fails the credibility test. Would someone still buy your product if they knew exactly how it worked? If yes, sell to that reality. You’ll have more success acknowledging what competitors do better. There are misaligned incentives when salespeople fixate on closing deals while also doing field marketing. When vendors honestly communicate what they're working on and what exists on the roadmap, it builds far more trust than claims of having every capability today.


Be strategic with AI deployment

We're in the messy middle with AI in cybersecurity. It holds out the promise of letting us move beyond simply protecting infrastructure, argued Deneen DeFiore, CISO at United Airlines. At the C-suite level, these tools have helped uplevel productivity, opening the door to more time for discussing risk management. The key is to not treat AI as a one-size-fits-all solution. Organizations need to identify where AI works well, such as helping leaders quickly shift context between projects and meetings. Trying to throw AI at everything in cybersecurity is a great way to get a hard "no" from your team. Identifying and optimizing specific use cases makes the value a lot more obvious to everyone.


Resources don't guarantee security

Are large organizations able to scale security efforts? New research from the Cyentia Institute found that the largest organizations are seeing significant risk reductions, while smaller players are seeing incident probability double. That sounds a lot like the rich getting richer. But it's important to keep in mind that even with that reduction, large organizations are still far more targeted than SMBs. It's part of the double-edged sword of modern business. Democratization of tools is helping everyone, even small companies without dedicated security teams. But everyone being online all the time raises everyone's risk.

Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Howard Holton, CEO of GigaOM, for contributing this week’s “What’s Worse?!” scenario.

Thanks to our podcast sponsor, ThreatLocker


Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Best advice I ever got in security…

“The best advice I ever got was from a fellow CISO, and it was the old improvisational trope of, ‘Instead of saying no, you say yes, and…’ So you take the request from the business, you help them figure out a way to solve the problem, and you work together with them.” - Jacob Combs, CISO, Tandem Diabetes Care

Listen to the full episode of “AI Is Very Efficient at Making Us Forget the Value of Humans”

Don't Try to Win with Technical Expertise. Win by Partnering.

"Stakeholders have to leave a security discussion understanding that they've made that decision and that they feel accountable for it. Not like they were teched to death." - Pam Lindemoen, CSO and VP of Strategy, Retail & Hospitality-ISAC

Listen to the full episode of “Don't Try to Win with Technical Expertise. Win by Partnering.”

Subscribe to our newsletters on LinkedIn!

CISO Series Newsletter - Twice every week

Experience the CISO Series Podcast at Convene in Clearwater, FL 3-3-26

You’ve listened to the CISO Series Podcast for years, but if you’ve never joined us for a live show, you haven’t gotten the full experience. We’ll be recording an episode on March 3, 2026 at the Convene conference. You’ve got to join us for the fun!

Here’s what you need to know:

WHAT: Convene Conference, organized by the National Cybersecurity Alliance. You can see the full agenda here.

WHERE: Sheraton Sand Key, 1160 Gulf Blvd, Clearwater Beach, FL 33767

WHEN: Two-day conference from March 3 through March 4, 2026. Our recording begins at 4:15pm ET on March 3rd.

Joining me on stage for the recording will be Jason Mayor, Deputy CISO at Raymond James Financial, and Pam Lindemoen, CSO and VP of Strategy at RH-ISAC.

If you’re interested in attending, get your tickets here. Use code CISOPodcast for 15% off!

Huge thanks to our sponsors, Adaptive Security, KnowBe4, and Zepo

LIVE!
Cybersecurity Headlines - Department of Know

Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT. This week features CISO Series reporter and guest host, Sarah Lane, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.

Monday’s episode featured Dmitriy Sokolovskiy, senior vice president, information security, Semrush, and Nick Espinosa, host, The Deep Dive Radio Show. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.

Join us again next week, and every Monday.

Thanks to our Cybersecurity Headlines sponsor, Dropzone AI

Super Cyber Fridays!
Join us Friday for “Hacking Past Mistakes”

Join us on Friday, January 23rd, 2026, for Super Cyber Friday: “Hacking Past Mistakes: An hour of critical thinking about what we can do better in 2026.”

It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Tom Hollingsworth, organizer, Tech Field Day, and Nick Espinosa, host, The Deep Dive Radio Show, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup, hosted right inside the event platform.

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.