I'm Worried That We're Not Worried About the Right Worries With AI

CISO Series Podcast
I'm Worried That We're Not Worried About the Right Worries With AI

It can be overwhelming just thinking about what you have to do to secure an LLM (large language model). But what if your AI needs aren't so deep or sensitive? Are your security concerns less cumbersome or just as painful?

This week’s episode is hosted by David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining them is their sponsored guest, Danny Jenkins, CEO, ThreatLocker.

Listen to the full episode here.

AI for AI's sake

We often don't know what we want to do with AI, but we know we want to do it quickly. Board pressure to "do something with AI" is pushing security teams to implement AI-powered tools before they have identified what needs defending. As Calendly CISO Yassir Abousselham pointed out, it forces CISOs to worry about higher-level AI threats that don't actually apply to their organization. The rush to adopt AI security tools means teams aren't starting from their business problems. Take a breath, identify the top security concerns first, then determine whether AI offers a better solution than what you already have. Don't let the solution precede the need; that leaves teams scrambling to match a tool to a problem. Finding a business use for shiny new technology isn't new with AI, but the hype around it is.

Stop selling, start protecting

Return-on-investment discussions around cybersecurity spending misinterpret security's value to the business. Security is a cost center, not a profit center, and that's perfectly fine; so are finance, legal, and plenty of other essential functions that don't generate revenue. The real conversation should be about risk, not ROI, argued Defense in Depth co-host Steve Zalewski in a recent cybersecurity subreddit AMA. Companies buy insurance and building security without demanding ROI calculations, because everyone understands that they prevent catastrophic losses. Security deserves the same framing. The push for ROI metrics undermines security's value by forcing it into the wrong comparison. Security isn't optional in business, so the challenge isn't proving ROI; it's determining the right amount of security. That's a risk conversation, not an ROI one.

Stop calling everything sophisticated

The industry's reflexive labeling of breaches as "sophisticated attacks" obscures an embarrassing truth: most major compromises stem from basic security failures. When a company with tens of thousands of endpoints goes down, it's rarely the work of an advanced persistent threat with novel techniques. It's a poorly secured VPN. An open RDP server. Untrusted software running where it shouldn't. The fundamentals get ignored while everyone talks about sophisticated adversaries. Basic security controls would stop most of these attacks at the initial access stage, so shift the focus from detection theater to tangible, fundamental controls.

Least privilege, rebranded

Zero trust has become meaningless noise, argued a discussion on r/cybersecurity. Frustration with vendors slapping the label on their products regardless of what they do boiled over in the thread. The term means so many things to so many people that it has lost any practical value. Strip away the marketing and zero trust is just least privilege with a fresh coat of paint. Organizations have practiced elements of it for decades, like restricting sensitive file access to specific teams. The problem is that marketers, not practitioners, create the messaging, and generic terms don't help IT and security teams understand what they're actually implementing. The philosophy of default deny rather than default allow predates the zero trust buzzword and will outlast it.

Listen to the full episode on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Anna Liv Christensen of Compliance Partner for providing our "What's Worse" scenario. 

Thanks to our security tip sponsor, Tenable.

Thanks to our podcast sponsor, ThreatLocker

Join CISO Series Podcast live at ThreatLocker's Zero Trust World 2026, March 4-6th, 2026 in Orlando, FL. Use coupon code ZTWCISOSERIES26 to get $200 off your ticket.

Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Security You Should Know
What We Learned in 2025: The Top 3 Things CISOs Want to Know from Vendors

This year we launched Security You Should Know, a podcast that puts CISOs and vendors in a real conversation, without the sales funnel, without the pitch decks, and without the noise. After 38 episodes across dozens of categories, a clear pattern emerged: CISOs are all asking the same core questions.

In this video, Rich Stroffolino breaks down the top three things every CISO wanted to know from vendors in 2025. It’s the stuff that actually drives purchasing decisions, not buzzwords.

If you're evaluating solutions (or building one), this is your shortcut to what matters most.

Explore the full Security You Should Know catalog: cisoseries.com/security-you-should-know-solutions

Subscribe to Security You Should Know

Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.

10-second security tip…

“Simply block remote desktop clients from being able to reach out to the internet because attackers are using it to connect to remote servers and exfil data.” - Danny Jenkins, CEO, ThreatLocker
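One way to put that tip into practice on a Windows endpoint, as an added example that is not from the episode and is not ThreatLocker's code: a Windows Defender Firewall rule set that stops the built-in Remote Desktop client (mstsc.exe) from reaching any address outside the private network, so it can still open sessions to internal servers but not to an attacker-controlled host on the internet. The rule names, the choice of RFC 1918 space as "internal", the loopback carve-out, and the verification function are assumptions made for this example; a third-party RDP client would need its own rule pointing at its own executable.

```powershell
# Added example (not from the episode or from ThreatLocker): block the built-in
# Remote Desktop client from reaching the internet while leaving internal RDP
# targets reachable. Run in an elevated PowerShell session on the endpoint.
#
# Windows Firewall evaluates Block rules before Allow rules, so "block any,
# then allow private" does not work. Instead we enumerate the IPv4 ranges that
# are NOT RFC 1918 (10/8, 172.16/12, 192.168/16) and block those. 127/8 is
# left out so an RDP session tunnelled over localhost (e.g. SSH port forward)
# keeps working. Assumption: RFC 1918 is what "internal" means on this network.
$NonPrivateIPv4 = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

$RdpClient = "$env:SystemRoot\System32\mstsc.exe"
$RuleName4 = 'Block mstsc.exe outbound to internet (IPv4)'   # hypothetical rule name
$RuleName6 = 'Block mstsc.exe outbound to internet (IPv6)'   # hypothetical rule name

function Add-RdpClientEgressBlock {
    # Recreate both rules so the script is safe to re-run.
    Get-NetFirewallRule -DisplayName $RuleName4, $RuleName6 -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName $RuleName4 `
        -Direction Outbound -Action Block -Enabled True -Profile Any `
        -Program $RdpClient -RemoteAddress $NonPrivateIPv4 | Out-Null

    # A rule whose address list is IPv4-only never matches IPv6 traffic, so a
    # second rule covers global-unicast IPv6 (2000::/3). Link-local and ULA
    # addresses fall outside that prefix and stay reachable.
    New-NetFirewallRule -DisplayName $RuleName6 `
        -Direction Outbound -Action Block -Enabled True -Profile Any `
        -Program $RdpClient -RemoteAddress '2000::/3' | Out-Null
}

function Test-RdpClientEgressBlock {
    # Check that both rules exist, are enabled, block, and are bound to mstsc.exe.
    foreach ($name in $RuleName4, $RuleName6) {
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $rule) { Write-Warning "Missing rule: $name"; return $false }
        if ($rule.Enabled -ne 'True' -or $rule.Action -ne 'Block') {
            Write-Warning "Rule '$name' is not an enabled Block rule"; return $false
        }
        $app = $rule | Get-NetFirewallApplicationFilter
        if ($app.Program -notlike '*\mstsc.exe') {
            Write-Warning "Rule '$name' is not bound to mstsc.exe"; return $false
        }
    }
    return $true
}

Add-RdpClientEgressBlock
if (Test-RdpClientEgressBlock) {
    Write-Host 'mstsc.exe egress block is in place; verify with a test connection to an external host.'
}
```

This only constrains the Microsoft client. An attacker who drops their own RDP client, or renames mstsc.exe, is not caught by a path-based firewall rule, which is why the tip pairs naturally with the default-deny application control discussed above: if unapproved binaries cannot run at all, the firewall rule just has to cover the one client you do allow.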

Listen to the full episode of “I'm Worried That We're Not Worried About the Right Worries With AI”

How To Tell When a Vendor is Selling AI Snake Oil

"The policy that you may have written a year ago is no longer applicable because a year ago we were focused on generative AI. Now, there's a whole other new niche or new hype out now with agentic AI. And so agentic AI now has access to the same things that you have access within your organization." - Crystal Chatam, vp of cybersecurity, Speedcast

Listen to the full episode of “How To Tell When a Vendor is Selling AI Snake Oil”

Subscribe to our newsletters on LinkedIn!

CISO Series Newsletter - Twice every week

How Stellar Cyber Helps SMBs Manage a SOC like an Enterprise Company

Sponsored video

In this video, David Spark chats with Subo Guha, svp of product at Stellar Cyber, about how building their AI SOC tool for MSSPs has a trickle-down effect that gives SMBs the security monitoring power of an enterprise corporation.

Stellar Cyber currently counts one-third of the global top 250 MSSPs among its partners and over 14,000 customers worldwide.

Watch the video, and listen to the episode Stellar Cyber recently sponsored, “How To Tell When a Vendor is Selling AI Snake Oil”

Thanks to our sponsor, Stellar Cyber

LIVE!
Cyber Security Headlines - Department of Know

Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.

Monday’s episode featured Jason Shockey, CISO, Cenlar FSB, and Mike Lockhart, CISO, EagleView. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.

Join us again next week, and every Monday.

Thanks to our Cyber Security Headlines sponsor, Adaptive Security

Super Cyber Fridays!
Join us Friday for “Hacking AI Workflows”

Join us on Friday, December 12, 2025, for Super Cyber Friday: “Hacking AI Workflows”

It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by James Rice, vp of product strategy and GTM, Protegrity, and Doug Mayer, vp, CISO, WCG, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup, hosted right inside the event platform.

Thanks to our Super Cyber Friday sponsor, Protegrity

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.