I’m Not Looking Down at You, I’m Looking Down at What You’re Doing
CISO Series Podcast
When does passion for cybersecurity best practices turn into smugness for anything that falls short? Too often, professionals lose the forest for the trees, insisting on perfection instead of encouraging practices that are still a net positive for organizations. How can we be better about embracing meaningful improvements instead of demanding purity?
This week’s episode is hosted by David Spark, producer of CISO Series, and Andy Ellis, partner, YL Ventures. Their sponsored guest is Saket Modi, co-founder and CEO, SAFE Security.
Elevating AI to table stakes
A growing gap exists between organizations’ awareness of AI-related cybersecurity risks and the steps they’re taking to mitigate them. While 66 percent recognize AI as a relevant threat, according to the Stanford AI Index Report, only about half have begun addressing it, often due to the absence of clear compliance frameworks and the rapid pace of AI adoption. Many incidents likely go unrecognized, as AI is now deeply embedded in workflows, making its presence and impact harder to isolate. As generative AI introduces new risks, like unintended data exposure through user prompts, organizations must shift from passive awareness to proactive risk management.
Security for the real world
Cybersecurity professionals let rigid adherence to best practices, and a sense of superiority, undermine practical risk reduction. One example is the dismissal of physical password notebooks, which, while not technically a best practice, can reduce real-world risk by discouraging password reuse and weak credentials, as Ira Winkler of CYE pointed out. In reality, the chance of a notebook being stolen is far lower than the threat of credential stuffing against reused passwords. This reveals a broader problem: security is too focused on isolated controls and compliance checklists rather than on how controls work together in real-world scenarios. Failing to account for layered, interdependent protections, akin to understanding physiology rather than just anatomy, leaves organizations vulnerable. Security must evolve to embrace pragmatic, contextual approaches, recognizing the human element and planning for real-life needs, including legacy access and family preparedness. Treating users as separate from the systems they're part of perpetuates unrealistic expectations and ineffective defenses.
Using dynamic models for TPRM
Third-party risk management remains mired in outdated practices, including checklists, questionnaires, and security ratings that fail to reflect actual exposure. Many vendors have mastered the art of gaming these systems, using automation to provide polished but uninformative answers. The real risk lies not just in the vendor’s security posture, but in how their services are used, what data or access they’re given, and how that creates opportunities for misuse or compromise. Traditional frameworks overlook this context, treating all controls and vendors equally regardless of impact. Instead, organizations need a dynamic model that ranks risk based on business relationships and usage scenarios. Emerging solutions use autonomous AI agents to streamline vendor onboarding, assessment, and monitoring, removing manual bottlenecks and making risk insights contextual and scalable. These agents analyze contracts, trust centers, public disclosures, and usage patterns, and even handle follow-ups and parse uploaded documents.
The agentic AI augmentation
Agentic AI, autonomous agents that make decisions and take action without human intervention, is quickly emerging as the next frontier in business automation. While the productivity potential is enormous, it also introduces new risks around accountability, bias, and system overreach, said Mark Akins on LinkedIn. Guardrails are essential, but implementation remains difficult. Organizations must define what agents can do, constrain their capabilities, and ensure human oversight, especially when decisions affect contracts, liability, or sensitive data. The goal isn’t to replace humans, but to augment them: empowering analysts with intelligent, task-completing assistants rather than unchecked automation. As the technology evolves, the balance between autonomy and control will be critical. Real-world adoption is already accelerating, with some companies using agentic AI to scale operations, cut costs, and manage risk faster than ever before, making human-in-the-loop governance not just a best practice but a business imperative.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Aaron Stanley of dbt Labs for contributing this week’s “What’s Worse?!” scenario.
Huge thanks to our sponsor, SAFE Security
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Security You Should Know
Getting Linux Visibility with Sandfly Security
In this episode, Craig Rowland, founder and CEO of Sandfly Security, introduces an agentless approach to EDR purpose-built for Linux systems. By operating over SSH and running rapid, randomized checks without traditional kernel hooks, Sandfly can monitor unprotected Linux endpoints, detect fileless and dormant attacks, and uncover SSH key-based lateral movement—all without tipping over sensitive systems.
Joining Craig, Jerich Beason, CISO at WM, and Steve Zalewski, co-host of Defense in Depth, dive into where this solution fits in the broader Linux security conversation and why it might be the missing piece for OT and critical infrastructure teams.
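One of the detections mentioned above, SSH key-based lateral movement, can be approximated from nothing more than the sshd logs that any Linux host already writes. The script below is an added example, not Sandfly's code or anything shown in the episode: it parses constructed "Accepted publickey" lines in sshd's default syslog format, rebuilds which key fingerprint logged in where and from where, and flags any key accepted on a fleet host from another fleet host that is not an approved jump host. The host inventory, the allowed jump host and the log lines are all assumptions made for the example.

```python
"""
Added example: rebuild SSH public-key logins from sshd logs and flag
key-based lateral movement between fleet hosts. Not Sandfly's code.
Inventory and log lines below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed inventory (assumption): internal IP -> hostname.
FLEET = {
    "10.0.0.2": "bastion",
    "10.0.0.10": "web01",
    "10.0.0.20": "db01",
}
# Hosts that legitimately originate SSH sessions to other fleet members.
ALLOWED_SOURCES = {"bastion"}

# Constructed sshd lines in the default syslog format (not real captures).
# The same ED25519 key lands on web01 from the bastion and is then used
# from web01 to reach db01: a classic key-hopping pattern.
SAMPLE_LOGS = [
    "May 20 10:01:02 web01 sshd[1201]: Accepted publickey for deploy from 10.0.0.2 port 50110 ssh2: ED25519 SHA256:k1k1k1k1k1",
    "May 20 10:03:15 db01 sshd[2210]: Accepted publickey for deploy from 10.0.0.10 port 41022 ssh2: ED25519 SHA256:k1k1k1k1k1",
    "May 20 10:04:40 web01 sshd[1222]: Accepted publickey for ops from 10.0.0.2 port 50333 ssh2: RSA SHA256:k2k2k2k2k2",
    "May 20 10:05:01 web01 sshd[1230]: Failed publickey for root from 203.0.113.7 port 3222 ssh2: RSA SHA256:k3k3k3k3k3",
    "May 20 10:06:09 db01 sshd[2250]: Accepted password for admin from 10.0.0.10 port 41100 ssh2",
]

# Matches only successful public-key logins; password logins and failures
# are deliberately ignored because they carry no key fingerprint.
ACCEPTED_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2: (?P<alg>\S+) (?P<fp>SHA256:\S+)$"
)


def parse_accepted(line):
    """Return the fields of an 'Accepted publickey' line, or None for anything else."""
    m = ACCEPTED_RE.match(line)
    return m.groupdict() if m else None


def build_key_graph(lines):
    """Map key fingerprint -> list of (source host or IP, destination host, user)."""
    graph = defaultdict(list)
    for line in lines:
        rec = parse_accepted(line)
        if rec is None:
            continue
        src = FLEET.get(rec["src"], rec["src"])  # resolve fleet IPs to names
        graph[rec["fp"]].append((src, rec["host"], rec["user"]))
    return dict(graph)


def find_lateral_movement(graph, allowed_sources=ALLOWED_SOURCES):
    """Flag keys accepted on a fleet host from another fleet host that is not a jump host.

    Each finding also carries the earlier hops made with the same key into the
    source host, so the analyst sees the chain (e.g. bastion -> web01 -> db01).
    """
    findings = []
    fleet_names = set(FLEET.values())
    for fp, edges in graph.items():
        for src, dst, user in edges:
            if src in fleet_names and src not in allowed_sources:
                prior = [e for e in edges if e[1] == src]  # how the key got onto src
                findings.append({"fp": fp, "user": user, "hop": (src, dst), "prior_hops": prior})
    return findings


if __name__ == "__main__":
    for f in find_lateral_movement(build_key_graph(SAMPLE_LOGS)):
        chain = " -> ".join(h[0] for h in f["prior_hops"]) + f" -> {f['hop'][0]} -> {f['hop'][1]}"
        print(f"key {f['fp']} (user {f['user']}): {chain}")
```

On the constructed logs this reports the ED25519 key hopping bastion -> web01 -> db01 and stays silent on the RSA key that only ever arrives from the bastion. In a real fleet you would feed it journal output from every host and replace the inline inventory with your CMDB, and the heuristic would be one signal alongside checks of authorized_keys contents and key ages.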
Listen to the full episode here.
Thanks to our podcast sponsor, Sandfly Security
Subscribe to Security You Should Know
Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.
Best advice for a CISO…
“As Simon Sinek says, start with the why. I think that is a fundamental question we don’t ask in cybersecurity. We want a new tool. We want to patch a new vulnerability. We want to run a new phishing campaign. So what? And who cares? Why are we doing this? I think that’s a fundamental missing question.
And that’s the delta between somebody being technical and being a business enabler, which really CISOs and the security teams need to elevate themselves to.” - Saket Modi, co-founder and CEO, SAFE Security
Listen to the full episode of "I’m Not Looking Down at You, I’m Looking Down at What You’re Doing"
Can You Have a Secure Software Environment Without Traditional Vulnerability Management?
“Assume a breach is inevitable or has already occurred. Assume the software you’re using is full of holes. And it’s just a question of when and where that’s going to be exploited.” - Rob Allen, chief product officer at ThreatLocker
Listen to the full episode of "Can You Have a Secure Software Environment Without Traditional Vulnerability Management?"
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Nick Espinosa, host, The Deep Dive Radio Show.
Thanks to our Cyber Security Headlines sponsor, Vanta
Super Cyber Fridays!
Join us Friday, 05-30-25, for "Hacking Provable Security"
Join us Friday, May 30, 2025, for “Hacking Provable Security: An hour of critical thinking on how to go beyond security ratings and questionnaires.”
It all begins at 1 PM ET/10 AM PT on Friday, May 30, 2025, with guest Sravish Sridhar, founder and CEO, TrustCloud. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT), we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, TrustCloud
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.