Are Your Security Tools Creating More Work for Your Team?
Defense in Depth
Security tools are supposed to solve problems and make our lives easier. Why does it seem like they're doing the opposite and creating more work?
Check out this post by Caleb Sima of WhiteRabbit for the discussion that is the basis of our conversation on this week's episode, co-hosted by David Spark, the producer of CISO Series, and Edward Contreras, senior EVP and CISO, Frost Bank. Joining them is Evan McHenry, CISO, Robinhood.
Listen to the full episode here.
The information paradox
Security tools inherently create work because they generate information that requires action. Erik Cabetas of Include Security laid out the fundamental dynamic: "Most every security tool is going to cause 'more work' because it gives you more information. You've got results, awareness, observation/insight, detections, etc. for you to make risk decisions on." He emphasized that since all tools produce something new to process and act on, the best ones are "optimized to give you the least amount of additional work with the highest quality information (i.e., high signal to noise)." Greg Notch, CSO at Expel, broke down the core capabilities every security tool provides: visibility, detection, prevention, and response, and noted that only prevention might not require additional effort, "but that's only true if its false positive AND false negative rates are very close to zero. (which I have never experienced)." The reality, he said, is that "the entire industry is about providing treatments not cures, because the cures are (usually) out of security's scope."
Setting realistic expectations
Vendors who are honest about implementation effort win in the long run. Mo Sadek of ActiveFence framed it as an expectation problem. Organizations wouldn't overestimate a tool's value if vendors were upfront about the baseline effort required before seeing real value. The vendors that ultimately succeeded "were always the ones that had a clear path to success that our teams were able to roadmap and resource." Jon Rose, CISO at IOmergent, reinforced this point: "Very few security tools work well out of the box; they almost all require some level of tuning and configuration. Oftentimes much more effort than what the sales team promises." He stressed that teams should leverage vendor technical support for configuration reviews and operational processes, but if the tool remains a time sink after that effort, it's likely the wrong choice.
Prioritization over noise
The right tool is rarely the most expensive. "All tools result in more work, but having no tool creates risk," said Anthony Harrison. The distinction, he said, is that better tools help prioritize work while worse ones "just give you data (lots!) with no actionable insights." He added a crucial reminder that cost doesn't determine quality. Jad Elahmad of Century Supply Chain Solutions illustrated this with a GRC platform evaluation, where a top-market tool with strong brand recognition would have created "more administrative overhead than value. The framework was powerful, but the configuration effort, maintenance requirements, and workflow complexity would have added work for every team involved without meaningfully improving our risk posture."
The cart before the horse
Tools deployed without understanding the underlying process create more problems than they solve. Todd Hammond of Pace University identified this as an order-of-operations problem rather than a tool problem. "Too often, cybersecurity practitioners ignore basic business principles, in this case, operations management," he explained. His prescription: identify the actual problem first, understand the end-to-end process without considering technology, map the workflow, then determine where technology creates velocity and efficiency. "Fit the tool capabilities to process, not the other way around," he emphasized. Drawing a sharp analogy, he noted that "a manufacturer would never install automation before designing the production line. In cybersecurity, tools are often purchased first and the process built later. That inversion is why tools end up creating more cost, complexity, and risk than they resolve."
Please listen to the full episode on your favorite podcast app, or over on our blog, where you can read the full transcript. If you're not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Huge thanks to our sponsor, Endor Labs
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Super Cyber Friday
Join us every Friday in April for “Trust Month”
Trust is at the core of everything we do in cybersecurity — and this April, we're dedicating an entire month to it on Super Cyber Friday.
Throughout April, each episode will tackle a different dimension of trust: building it within your security team, knowing when a vendor becomes a true partner, gaining confidence in AI output, and earning a seat at the table as a business enabler rather than a blocker.
Four Fridays. Four conversations. One theme that touches every corner of the industry. Register for the full series, and get notified whenever new episodes are scheduled.
Live at BSidesSF: CISO Series Podcast Recording
On the eve of RSA Conference, CISO Series Podcast returns to BSidesSF for a live audience recording in San Francisco. David Spark will be joined on stage by Mike Johnson, CISO, Rivian, and Sara Madden, CISO, Convera.
Huge thanks to our sponsors, Nudge Security, QuilrAI, and Zenity
AMA Recap: What changes when you’ve been a CISO more than once?
Our February Reddit AMA has wrapped — and the recap is live. The topic: What changes when you've been a CISO more than once?
Three CISOs who've held the role across multiple organizations spent the week fielding questions and sharing things like: why leaders leave roles, whether a security playbook travels between orgs, and what actually gets a CISO's attention as a vendor.
You can read all of the Q&As straight from the source, but we've distilled the key takeaways for you. Read the full article here, and get insights from:
Andrew Wilder, (u/CyberInTheBoardroom), CISO, Vetcor
David Cross, (u/MrPKI), CISO, Atlassian
Peter Clay, (u/cpthuah36), CISO, Aireon
Thanks to all of our participants for contributing! Join us for our next AMA, starting Sunday, March 15 on r/cybersecurity: “I’ve built diverse, high-performing security teams. Ask Me Anything about hiring, culture, and talent management in cybersecurity.”
Cybersecurity Headlines - Department of Know
Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.
Monday’s episode featured John Barrow, CISO, JB Poindexter & Co, and Derek Fisher, Director of the Cyber Defense and Information Assurance Program, Temple University. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.
Join us again next week, and every Monday.
Thanks to our Cybersecurity Headlines sponsor, Dropzone AI
Cyber chatter from around the web...
Jump in on these conversations
"'Mysterious' leaked US government tool is breaking into iPhones" (More here)
"How to improve my incident response" (More here)
"Waste Management is a Cybersecurity Job: An Awareness P.S.A." (More here)
Coming up on Super Cyber Friday:
[04-03-26] “Hacking Trust in Leadership”
[04-10-26] “Hacking Vendor Trust”
[04-17-26] “Hacking AI Trust”
[04-24-26] “Hacking Trust in Security”
Register for the Super Cyber Friday event series on Airmeet. You can register for all upcoming episodes in this ongoing event series. After you register, you can add events to your calendar right on our event series page.
Cybersecurity Headlines - Daily News Shorts
Subscribe to the CISO Series YouTube channel, for daily shorts videos from CISO Series reporter, Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.








