Don’t Worry, We’ll Get to Solving Your Problem on Slide 87
CISO Series Podcast
No CISO cares about a vendor's technical innovation for its own sake. They care about how the vendor's solution can help solve their problems. It's a simple concept, yet so many vendors miss the mark when they make their pitch.
This week’s episode is hosted by David Spark, producer of CISO Series, and Andy Ellis, principal of Duha. Joining them is Daniel Liber, CISO, Monday.com.
Listen to the full episode here.
AI security's blind spot problem
Artificial intelligence has created a gap in cybersecurity defenses that traditional tools can't address. These LLM black boxes are stored in formats that most security systems weren't designed to read or analyze, noted Brian Fox of Sonatype. This creates a scenario where malicious code can hide inside files masquerading as AI models, while prompt-sharing platforms become vectors for stealing API keys. Detecting these types of threats isn't easy. But that's not even the hard part. We now need to secure assets that are fundamentally unscannable. And new wannabe developers are "vibe coding" their way into security incidents. Volume is up, and that simply means more work for security teams.
Vendors don't understand the assignment
Companies are so focused on claiming they're "autonomous, automated, agentless, agentic, or AI powered" that they've forgotten to explain what problems they solve. At Black Hat this year, Patrick Garrity of VulnCheck saw vendors competing to demonstrate they were "first" with AI. But that doesn't matter at all to their customers. The disconnect becomes obvious when sales teams show up without understanding the customer's actual challenges. Most vendors are quick to tell you what they think the solution is without taking the time to understand the problem. This creates frustrating conversations where technical capabilities get pitched to problems that may not even exist.
Marketing budgets overshadow actual innovation
Just because a vendor can make a lot of noise doesn't mean it is solving the biggest problems. Cybersecurity's current state resembles a "self-licking ice cream cone of misery," according to Dr. Chase Cunningham of Demo-Force.com. Major vendors put up big bucks to say they are the best, while smaller innovative companies get drowned out by the noise. The next time you're at an industry trade show, just look at booth after booth delivering nearly identical pitches about continuous testing, contextual analysis, and automatic remediation. The industry has created a situation where differentiation happens through marketing campaigns rather than meaningful technical differences.
Accuracy versus effectiveness
The most ineffective CISOs confuse being technically correct about threats with being effective at managing organizational risk. The job isn't about proving you're right all the time. And it's not a failure for the business to accept risk. It's functional risk management, argued Carraig Stanwyck of 3 Tree Tech. But how do CISOs know their risk assessments are accurate when feedback loops may take years or never materialize? This requires understanding how your organization operates before presenting a risk analysis. This is the only way to gauge executive risk appetite. The real skill lies in translating technical risk into business decisions rather than just being right about potential threats.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Jonathan Waldrop, former CISO, The Weather Company for providing our "What's Worse" scenario.
Huge thanks to our sponsor, Material Security
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Security You Should Know
Tackling Misconfigurations with ThreatLocker
In this episode, Rob Allen, chief product officer at ThreatLocker, explains how their Defense Against Configuration (DAC) solution addresses these challenges through automated daily security checks across Windows endpoints that identify common misconfigurations before they lead to breaches. Joining him are Andy Ellis, principal at Duha, and Montez Fitzpatrick, CISO at NavVis.
The conversation explores how DAC’s automated checks map misconfigurations against compliance frameworks, while ThreatLocker’s broader platform consolidates multiple security functions into a single low-impact agent that can replace multiple endpoint tools.
Read the full article and listen here.
Subscribe to Security You Should Know
Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.
Best advice I ever got in cybersecurity…
“So, the best advice I got for security is, when you start a new job as a CISO, to adapt to the organizational culture, but not at any price. It means that you need to be aware of where your boundaries are and to assure that they're not being crossed, even if it means you need to pull the organization a bit towards you.” - Daniel Liber, CISO, Monday.com
Listen to the full episode of “Don’t Worry, We’ll Get to Solving Your Problem on Slide 87”
Data Governance in the Age of AI
"Technology governance has been a placebo for years. Policies and due diligence questionnaires often function more as legal mechanisms than true security controls. Historically we could get away with it, but AI has forced security organizations to rethink their entire control architecture." - Ash Hunt, vp, strategy, EMEA, Cyera
Listen to the full episode of “Data Governance in the Age of AI”
CISO Series Podcast LIVE in NYC (10-23-25)
The CISO Series Podcast is heading to New York City for a special live recording at Mimecast Elevate25.
Joining me on stage will be Matthew Southworth, CSO at Priceline, and Leslie Nielsen, CISO at Mimecast.
The event takes place October 22–24, 2025, at Convene 30 Hudson Yards, with our live podcast recording happening on October 23.
The event is free to attend! Register here.
Huge thanks to our sponsor, Mimecast
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guests will be Dustin Sachs, senior manager, information security risk management, World Fuel Services, and Christina Shannon, CIO, KIK Consumer Products.
Thanks to our Cyber Security Headlines sponsor, ThreatLocker
We’ll be back Friday [10-17-25] for "Hacking Next Gen Data Threats"
Join us again on Friday, October 17, 2025, for “Hacking Next Gen Data Threats: An hour of critical thinking about what you need to set up your AI guardrails.”
Joining us will be Abhi Sharma, CEO and co-founder, Relyance AI. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Relyance AI
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.