Join us tomorrow for "Hacking AI Trust"
Join us TOMORROW, Friday [04-17-26], for "Hacking AI Trust"
Join us Friday, April 17, 2026, for “Hacking AI Trust: An hour of critical thinking about how to have confidence in your LLM's output.”
It all begins at 1 PM ET/10 AM PT tomorrow, with guests Quincey Collins, CISO, Sheppard, and Keith Townsend, host, CTO Advisor Podcast. We'll have fun conversations and games, plus at the end of the hour we'll do our meetup in breakout rooms.
Defense in Depth
Should You Use Native or 3rd Party Cloud Management Tools?
"Secure by Design" gets thrown around in the cloud a lot, but what do we actually mean by that? And is it even achievable?
Check out this post from Steve Zalewski for the discussion that is the basis of our conversation on this week's episode co-hosted by David Spark, the producer of CISO Series, and Edward Contreras, senior evp and CISO, Frost Bank. Joining us is sponsored guest, Gal Ordo, co-founder and CPO, Native.
Listen to the full episode here.
More sources, not one
Multi-cloud environments don't lend themselves to a single source of truth. "As your environment scales, so too do your tools," said Nathan Koester of Ironclad. "What works for one environment/component may not scale effectively, or you need truthing and confirmation. This is why at every org I've been at, we have more than one source of truth, and we attempt to normalize to drive our focus." Chetan Mane of Rajdharma Technologies said the tooling debate is a distraction. "The real gap is governance clarity. Most organizations don't struggle with tools — they struggle with consistent risk translation across AWS, Azure, and GCP into something leadership can actually act on."
Design, operation, and the gap between them
Secure by Design and Secure by Operation rest on different foundations. Heather Hinton, CISO at Sitecore, explained: "Secure by Design's root of process trust is in the threat modeling. Secure by Operation's root of process trust is in the procedures that support secure operations and how those tools are incorporated into those procedures. The citizen developer angle makes worse the fact that we don't have a good SbD, SbO or SbD->SbO transition and we likely aren't doing a good job of catching the citizen developer or their output in these disciplines." Venkat Paruchuri of Deloitte added that the deeper questions are organizational. "Often security's hands are tied and our choices aren't ours to make."
Governance over growth
Citizen developers and SaaS sprawl have outpaced the governance structures meant to contain them. "We need secure by design processes with solutions that help developers meet security team and overall compliance/framework adherence obligations," said Tony Gonzalez of Innervision Services. "Along with that, we need monitoring and governance solutions that catch what was missed/introduced to our environments by internal developers and SaaS solutions." Russell Spitler of Nudge Security noted where the risk has actually moved. "The interesting challenge these days is that 'citizen developers' are not pushing to the public cloud. Products like Replit, Base44, Lovable, etc. mean that the citizens are building without ever having to dirty their hands with code, much less AWS."
Competence over complexity
The gap between tool capability and operator competence is where security breaks down. "Tools are abundant, and skilled operators of those tools are not," said Dave Kelly of SensCy. Security failure, he argued, is usually operational rather than architectural. "Most breaches don't happen because the tool lacked capability. They happen because it was misconfigured, unmonitored, or misunderstood. Complexity compounds risk." Every tool beyond a team's comprehension adds cognitive load, he said, and cognitive overload is the enemy of secure operations. "No CFO chooses a financial system that requires expertise the company doesn't have. We, in cybersecurity, shouldn't do it either."
Please listen to the full episode on your favorite podcast app, or over on our blog, where you can read the full transcript. If you're not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Huge thanks to our sponsor, Native
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Cybersecurity Headlines - Department of Know
Our LIVE stream of The Department of Know happens every Friday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ve been having at work all week long.
Tomorrow’s episode features Andrew Storms, security engineering, Kilo Code and Eduardo Ortiz-Romeu, vp, global head of cybersecurity, Techtronic Industries. Join us on YouTube and catch up on what shaped the week in security.
Join us again next week, and every Friday.
Thanks to our Cybersecurity Headlines sponsor, Conveyor
How do you build workflows where human judgement and AI are complementary?
The real challenge with AI in your workflow isn't the technology, it's designing around how humans actually think and work.
AI accelerates thinking, it doesn't replace it. Workflow design has to fit the human first, trust-but-verify is non-negotiable, and the best outcomes come when AI surfaces patterns and humans interpret intent and risk.
Thanks to our guests for sharing their perspectives:
Mark Eggleston, CISO, CSC
Montez Fitzpatrick, CISO, Navvis
Krista Arndt, associate CISO, St. Luke's University Health Network
Sam Jacques, vp, clinical engineering, McLaren Health Care
Join this conversation TOMORROW for Super Cyber Friday, 04-17-26, for "Hacking AI Trust."
Register here: https://www.crowdcast.io/c/hacking-ai-trust
LIVE CISO Series Podcast Recording in NYC
New York-area cybersecurity professionals, this one's for you.
CISO Series Podcast is recording live at Intezer's AI SOC Live event at Nasdaq in New York City. David Spark will be joined on stage by Mitchem Boles, Field CISO, Intezer, and Nick Vigier, CISO, Oscar Health.
This is an invitation-only event capped at 70 attendees — space is extremely limited.
It's all happening on April 27, 2026 at 3:30 PM.
Request your invite here.
Huge thanks to our sponsor, Intezer
Join the CISO Series Podcast LIVE in Boston (4-30-26)
Boston-area cybersecurity professionals unite for an evening of networking and a live audience recording of the CISO Series Podcast on Thursday, April 30, 2026 at 5 PM.
Hosted by me, David Spark, founder of CISO Series, I'll be joined on stage by Andy Ellis, principal at Duha, along with Dmitriy Sokolovskiy, svp of cyber resilience at Semrush. All are welcome, whether you're new to cybersecurity or a seasoned veteran.
Register here.
Huge thanks to our sponsors, Dropzone AI and Strike48.
Cyber chatter from around the web...
Jump in on these conversations
"Disgruntled researcher leaks "BlueHammer" Windows zero-day exploit" (More here)
"Microsoft blocks accounts WireGuard and Veracrypt" (More here)
"FBI extracted the notification database of Suspect's iPhone to read Signal messages." (More here)
Coming up on Super Cyber Friday:
[04-17-26] “Hacking AI Trust”
[04-24-26] “Hacking Trust in Security”
[05-01-26] "Hacking the Death of Entry-Level Jobs"
Register for the Super Cyber Friday event series. You can register for all upcoming episodes in this ongoing event series. After you register, you can add events to your calendar right on our event series page.
Cybersecurity Headlines - Daily News Shorts
Subscribe to the CISO Series YouTube channel for daily shorts videos from CISO Series reporter Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.





