It’s a Little Hard to Evaluate New Solutions When You’re Screaming “AI” at Me All the Time (Live in Houston)
CISO Series Podcast
At some point, all the hype around AI has made it hard to identify meaningful innovation. In a space where everyone can't stop talking about how they are integrating AI, how do we find what's worth our attention?
This week’s episode is hosted by David Spark, producer of CISO Series and Jerich Beason, CISO, WM. Joining them on stage is Jack Leidecker, CISO, Gong. This episode was recorded live at HOU SEC CON 2025.
Listen to the full episode here.
The open source sustainability problem
Organizations treat open source as a naturally recurring resource rather than human labor requiring support. Justin Warren from Pivot Nine noted that most organizations consume far more than they contribute to open source. To rebalance the scales, he entertained the idea that the open source maintainers should go on strike. Sounds dramatic, but Log4J showed how a small maintainer group can impact millions of systems. When MITRE faced defunding, companies proved they'll pay to avoid losing critical infrastructure like the CVE database. One potential solution is the Wikipedia model, giving paths to contribute without commercial SLAs that kill open source's spirit and practicality.
AI levels the geopolitical playing field
Generative AI allows smaller nations and non-state actors to emerge as near-peer cyber threats. Threat actors no longer need deep expertise or vast resources. As Jerich Beason, CISO of WM, pointed out, threat actors only need intent and access. Skill is no longer necessary. A few hundred dollars lowers the barrier to cyberattacks for nearly anyone. In this reality, risk assessments require answers to these questions: What are our critical operations and supply chain dependencies? Are nation states targeting our industry? Do any business activities put us on the wrong side of a conflict? Cyber risk can't be siloed. For small companies, open source threat intelligence is a good place to start.
Cutting through AI vendor hype
"What can your AI do that conventional methods can't?" For Caleb Sima of WhiteRabbit, that one question can cut through most hype. Watch for red flags that a vendor doesn't understand the AI they're selling. Bogus claims include 98-100 percent detection rates, single-platform promises, or evasive answers about implementation timelines. Before you buy, ask what makes their models fail. Vendors with the best failure analysis have the best products. If they don't ask about data governance when selling tools based on your data, they're offering automation, not true AI. Most vendors depend on three or four popular models. No basic understanding of AI means walk away... fast.
Why the fundamentals still hurt
The hardest part of vulnerability management isn't discovery, it's everything after the scan. The problem isn't better CVE data or contextualization. It's that security doesn't own deployment or maintenance, according to Rinki Sethi, CISO at Upwind Security. Organizations often skip the basics: the asset management lifecycle, the patch management process, and who owns each component. Security provides intelligence. But it is IT that patches at the business's behest. CISOs can get blamed when, in reality, they have no patching authority. It's like blaming doctors when patients don't take their prescribed medicine.
Listen to the full episode on our blog, where you can read the entire transcript, or on your favorite podcast app. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Erik Bloch from Illumio for providing our "What's Worse" scenario.
Huge thanks to our sponsor, Vorlon Security
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Security You Should Know
Securing Your Attack Path with SpecterOps
Identity has become the new battleground in cybersecurity. Attackers don’t need to break in when they can simply log in. In this episode of Security You Should Know, Justin Kohler, chief product officer, SpecterOps, joins Angela C. Williams, CISO, UL Solutions and Brett Conlon, CISO, American Century Investments to unpack how BloodHound Enterprise helps organizations uncover and eliminate hidden attack paths before adversaries can exploit them.
Learn how attack path management goes beyond traditional identity governance and why mapping privilege relationships is key to staying ahead of evolving identity-based threats.
Listen to the full episode and read more here.
Thanks to our podcast sponsor, SpecterOps
Subscribe to Security You Should Know
Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.
Best advice I ever got in security…
“The best advice to me initially started as the worst. So, I had a previous boss who wanted us to fix our phishing issues, and we're going to fire everyone after they get phished three times. I had to say, ‘Actually, we would end up firing you.’ But more importantly, it helped us reevaluate what we wanted to do for phishing, which is changing behavior, and if someone thinks they're going to get fired, they're not going to tell you, they're not going to report.” - Jack Leidecker, CISO, Gong
Listen to the full episode of “It’s a Little Hard to Evaluate New Solutions When You’re Screaming “AI” at Me All the Time (Live in Houston)”
Sales Follow Up Sequences: What Works Best in Cyber?
"In security, it’s kind of like, ‘All right, what do you got? Who are you again, and what do you have here?’ And then it’s a swing and a miss if you don’t have the right person in security. If I’m trying to sell EDR to somebody who’s focused on policy, I’m barking up the wrong tree." - Alex Guilday, BISO, Royal Caribbean Group
Listen to the full episode of “Sales Follow Up Sequences: What Works Best in Cyber?”
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Security You Should Know Newsletter - Weekly
Preventing AI-Enabled Spear Phishing at Scale with Jericho Security
AI-generated phishing is changing the game, and traditional training can’t keep up.
In this conversation, David Spark talks with Sage Wohns, CEO of Jericho Security, about how AI-powered training can help organizations defend against AI-crafted threats.
Sage explains how Jericho uses generative models to simulate realistic attacks, personalize learning for each employee, and measure resilience across the organization.
Watch the video here.
Huge thanks to our sponsor, Jericho Security
PREVIEW: CISO Series Podcast LIVE in NYC 11-5-25
The CISO Series Podcast will be recording live at FAIRCON25 in New York City. David Spark will be joined on stage by Saket Modi, CEO of Safe Security, for a candid and entertaining conversation about the biggest challenges facing security leaders today.
The event takes place November 4–5, 2025, at The Glasshouse in New York.
Use promo code FC25CISOSERIESCODE for 75% off.
Register here.
Watch the short video filmed in Times Square for a preview, and join us for the live recording at FAIRCON25.
Thanks to our sponsor, Safe Security
Reddit ‘Ask Me Anything’ – October 2025
Our monthly AMA on r/cybersecurity on Reddit has begun! Our topic is "I'm a security professional who worked on many mergers and acquisitions. Ask me Anything."
We’ve assembled a panel of security leaders to discuss navigating cybersecurity during mergers and acquisitions. They’re here all week to share their experiences on due diligence, integration, and risk management throughout the M&A process, and to answer your questions about what it really takes to make it work.
Please ask questions for our participants here.
This month’s participants are:
Geoff Belknap, (u/GeoffBelknap), co-host, Defense in Depth
Ty Sbano, (u/security-Ty) CISO, Webflow
Jason Loomis, (u/SchrodingersFirewall), CISO, Freshworks
Don Paquin, (u/ok-macaron-335) director, cyber mergers, acquisitions, & divestitures, RTX
Leslie Nielsen, (u/cyberguy1729) CISO, Mimecast
Thanks to all of our participants for contributing!
LIVE!
NEW SHOW: Department of Know
Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.
Yesterday’s inaugural episode featured Sasha Pereira, CISO at WASH, and Bil Harmer, Information Security Advisor at Craft Ventures. Missed Monday’s episode? Watch the replay on YouTube and catch up on what’s shaping the week in security.
Join us again next week, and every Monday.
Super Cyber Fridays!
Join us Friday for “Hacking CISO Self-Interest”
Join us on Friday, October 31, 2025, for Super Cyber Friday: “Hacking CISO Self-Interest.”
It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Howard Holton, CEO, GigaOm, and Angela Williams, svp and CISO, UL Solutions, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup, hosted right inside the event platform.
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.