CISO Series Podcast
Managing Risk Has Been a Priority Ever Since You Asked About It (LIVE in NYC)
Starting from square one on risk management isn't easy. Most GRC tools assume a degree of process maturity that many organizations don't have. So, how do you get the ball rolling so that you can use those tools down the line?
This week’s episode is hosted by David Spark, producer of CISO Series, and Matthew Southworth, CSO, Priceline. Joining them is sponsored guest Saket Modi, CEO, Safe Security. This episode was recorded live at FAIRCON25 in NYC.
Listen to the full episode here.
AI won't stay broken
Investing in flawed AI security tools beats avoiding AI entirely, even when those tools currently underperform. When comparing a million-dollar AI copilot that escalates too many alerts versus skipping AI and facing nine-month analyst onboarding cycles, the broken technology represents the better path forward, argued Lisa Begando of Health Catalyst. History shows that even fundamentally flawed technology will improve through iteration. Remember when the iPhone didn't launch with copy-paste? The alternative of hiring analysts willing to work without AI tooling likely means attracting the wrong talent pool. At a minimum, a budget allocated to AI tools creates the possibility for future improvements, while standing still offers no path forward.
Identity before intelligence
Autonomous AI agents require governance frameworks similar to those for human employees, adapted for their unique risks and capabilities. On CIO.com, stealth startup CEO Ritu Jyoti noted that treating agents as identities means implementing appropriate access controls, defining what data they can access, and establishing boundaries for their actions. It's the same for an LLM or a new hire: intelligence requires governance regardless of its source. But let's not kid ourselves, AI agents differ from humans in critical ways: bugs don't stay fixed, unexpected outcomes occur regularly, and results require human validation. Organizations can't deploy agents in scenarios where wrong results are unacceptable. The approach should mirror onboarding new employees or interns who need oversight. Without the proper checks, agents can scale your blast radius as easily as your productivity.
People decide their risk appetite
Risk management programs fail when leadership doesn't genuinely prioritize risk, regardless of processes or tools currently in place. This topic sparked a sprawling conversation on the cybersecurity subreddit. Culture flows from the top. Some leaders wing it while others make security non-negotiable, even at the cost of business opportunities. When executives publicly state they don't care about business impact if it compromises security, that signals real commitment and transforms the organization's risk posture. Ultimately, risk ownership belongs to business unit leaders, not security teams. The CISO's role mirrors the CFO's: holding up a mirror to show each business unit its risks, rather than owning those risks. Building effective programs requires identifying who understands the business, then discussing risk from a business perspective rather than leading with security frameworks.
Automate with oversight
Help desk agents are a persistent social engineering vulnerability. A cybersecurity subreddit post lamented that the best-laid security plans often fail after a 10-minute support desk call. But eliminating human judgment creates worse user experiences that people end up routing around. The solution isn't to remove humans but rather to augment them with better tools and training. Frontline help desk staff should feel like part of the security team, empowered with clear guidance and regularly drilled on worst-case scenarios through tabletop exercises. AI can serve a role here by flagging potential scammer behavior in real time without replacing the humans.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISOSeries Podcast via your favorite podcast app, please do so now.
Thanks to Erik Bloch of Illumio for contributing this week’s “What’s Worse?!” scenario.
Thanks to our podcast sponsor, Safe Security
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Security You Should Know
Bridging the Cloud Security Gap with Trend Micro
In this episode, Franz Fiorim, field CTO at Trend Micro, explains how Trend Vision One consolidates multiple cloud security tools across AWS, GCP, Azure, Oracle Cloud, and Alibaba Cloud to streamline management, automate controls, and reduce integration overhead. Joining him are Nick Espinosa, host of the Deep Dive Radio Show, and Jason Shockey, CSO at Cenlar FSB.
Want to know:
Why do organizations still struggle with cloud visibility despite years of cloud adoption?
How does Trend Micro reconcile security visibility with privacy laws across different jurisdictions?
What security frameworks does Trend Micro use to measure and define acceptable risk?
How does cyber risk quantification tie technical security metrics to business impact analysis?
What questions help determine the financial impact of potential security incidents?
How long does implementation take for fully cloud versus hybrid environments?
What safeguards prevent overdependence on a single security vendor?
Where does Trend Micro draw the line between automated decision-making and human oversight?
How does Trend Micro protect AI infrastructure and prevent sensitive data exposure in prompts?
Read the full article and listen to the episode here.
Thanks to our podcast sponsor, Trend Micro
Subscribe to Security You Should Know
Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.
Biggest mistake I ever made in security…
“Thinking security is a technical problem and not a business problem.” - Saket Modi, CEO, Safe Security
Listen to the full episode of “Managing Risk Has Been a Priority Ever Since You Asked About It (LIVE in NYC)”
What Makes a Successful CISO?
"Most CISOs still don't have a seat at the table where critical business decisions are made. And they step in too late after the direction and strategy’s already set, which creates friction and feeds the misalignment of the goals later on. So many CISOs are waiting to be invited to that table, but why would we wait for that?" - Ejona Preci, group CISO, LINDAL Group
Listen to the full episode of “What Makes a Successful CISO?”
CISO Series Newsletter - Twice every week
Cybersecurity Headlines Newsletter - Every weekday
Security You Should Know Newsletter - Weekly
LIVE!
Cybersecurity Headlines - Department of Know
Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.
Monday’s episode featured Miranda Ritchie, CISO, Orbia, and Jason Shockey, CISO, Cenlar FSB. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.
Join us again next week, and every Monday.
Thanks to our Cybersecurity Headlines sponsor, ThreatLocker
Super Cyber Friday
Join us next week for “Hacking Past Mistakes”
Join us on Friday, January 23, 2026, for Super Cyber Friday: “Hacking Past Mistakes: An hour of critical thinking about what we can do better in 2026.”
It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Tom Hollingsworth, organizer, Tech Field Day, and one other special guest, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup, hosted right inside the event platform.
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.