Our Data Security Policy Is Transparent in That It Doesn't Exist

CISO Series Podcast
Our Data Security Policy Is Transparent in That It Doesn't Exist

The current crop of data security tools is built like X-rays. The tools spot the credit card numbers in the S3 bucket and call it a day. What they miss is the soft tissue: who touched the data, where it came from, and whether anyone should have had access in the first place. Policy, context, and security are all fragmented; nobody is looking at the same picture. Are AI agents about to make that impossible to ignore?

This week’s episode is hosted by David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining is Mike Melo, CISO, TMX Group.

Listen to the full episode here

The weight of old controls

Security programs accumulate controls the way old codebases accumulate technical debt. Every point of friction has a cost, and if it isn't earning its place, it has no business being there. That's a guiding principle for Brett Conlon of American Century Investments. The problem is that adding controls feels safe while removing them feels dangerous. That asymmetry is how you end up with workarounds everywhere and users bypassing the protections you built. A good approach is to apply three questions to every control your team runs: does it have to exist, is it being done the best way possible, and is it delivering the expected value? The catch is that you need evidence to retire a control, not just instinct. New team members and technology shifts are natural moments to ask whether your controls are still pulling their weight.

Data you can actually see

Most data security tools work like X-rays: they spot obvious patterns but miss everything underneath. Pranava Adduri of Bedrock Data frames the real problem as one of fragmentation. This mess might seem manageable today, but it will become dangerous as AI workloads start moving data in ways nobody explicitly approved. The fix is building data lineage and shared accountability before agentic systems expose every gap you didn't know you had. If you don't know where your data comes from, who touched it, or whether that access made sense, you can't govern it.

68 vendors and counting

There are now 68 vendors selling an AI SOC solution, up from 54 not long ago, and the number shows no signs of stopping. Ross Young of CISO Tradecraft offers a practical "CPR" test for any of them. First, confidence: can you see why a decision was made? Second, precision: can it fix the right thing without taking out a domain controller? Third, reversibility: is there an undo button? AI SOC technology is promising, but the groundwork is harder than the pitch. The volume of adversarial automation is already beyond what human analysts can absorb. AI in the SOC is necessary and already here. Have you done the work to make it useful?

Authority you never had to claim

The debate over where the CISO sits on the org chart keeps resurfacing. This always stirs up passions in the security community. But if your program only works when you sit high enough in the hierarchy, it was fragile to begin with, argues Brian Blakley of Bellini Capital. Security is a horizontal function in a vertical world. You don't control engineering, legal, or operations regardless of title. You get things done through credibility, consistency, and risk communication that actually lands. To build influence, a CISO must show up as someone who solves real problems for real people and doesn't create noise in the process.

Listen to the full episode on our blog, where you can also read the entire transcript, or on your favorite podcast app. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Neil Saltman of AHEAD for providing our "What's Worse" scenario.

Huge thanks to our sponsor, Vanta

Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Security You Should Know
Automating Offensive Security with XBOW

In this episode, Nico Waisman, CISO at XBOW, explains how XBOW uses autonomous AI agents to run continuous, incremental penetration testing without triggering false-positive avalanches or taking down production systems. Joining him are Jacob Combs, CISO at Tandem Diabetes Care, and Davi Ottenheimer, president at Flying Penguin.

Want to know:

  • Why can’t traditional pen tests keep up with modern attack surfaces?

  • How XBOW’s attack credit model maps to the way security teams already size testing effort?

  • What stops an autonomous pen testing agent from causing real damage in production?

  • How incremental testing works when a new pull request changes the application?

  • Where XBOW is headed on prompt injection and LLM-specific vulnerabilities?

  • How you audit what the AI actually did during an assessment?

  • What novel vulnerability chains are emerging as AI reasoning models get more capable?

Learn more and listen to the full episode for the answers you need.

Thanks to our podcast sponsor, XBOW

Subscribe to Security You Should Know

Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.

What I hate about cybersecurity…

“I think that we've ultimately normalized looking secure instead of actually being secure in the industry, and what I really mean by that is how organizations are really good at passing audits, checking boxes, and showing fantastic dashboards, but if you actually simulate a real attack path, a lot of that is going to fall apart really quickly.” - Mike Melo, CISO, TMX Group

Listen to the full episode of "Our Data Security Policy Is Transparent in That It Doesn't Exist"

What Does the Next Generation of Cloud Security Look Like?

"Most of these organizations for the last 10, 15, 20 years have never written down and have never formalized. And now we're expecting an agent to make those decisions that were never formalized in the past 20 years." - Dan Benjamin, vp product – data, identity, and AI security, Palo Alto Networks

Listen to the full episode of "What Does the Next Generation of Cloud Security Look Like?"

Subscribe to our newsletters on LinkedIn!

CISO Series Newsletter - Twice every week

Customer Identity Is the Blindspot in AI Security Strategy with Transmit Security

David Mahdi, chief identity officer at Transmit Security, explains why customer identity is the overlooked side of the AI agent conversation. While the industry fixates on enterprise agents, consumers can already download an AI browser today and have it act on their behalf without any IT policy standing in the way.

That creates authentication and fraud challenges that existing identity stacks were never designed to handle. Transmit Security is working to adapt proven identity and fraud techniques for this new non-human reality before it arrives faster than anyone expects.

Thanks to our video sponsor, Transmit Security

Cybersecurity Headlines - Department of Know

Our LIVE stream of The Department of Know happens every Friday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ve been having at work all week long.

Friday’s episode will feature Robb Dunewood, host, Daily Tech News Show, and David Cross, CISO, Atlassian. Join us on YouTube and catch up on what shaped the week in security.

Thanks to our Cybersecurity Headlines sponsor, Vanta

Super Cyber Friday
Join us Friday for “Hacking Agentic Access”

Join us on Friday, June 5, 2026, for Super Cyber Friday: “Hacking Agentic Access: An hour of critical thinking about the new world of NHI.”

It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Adam Ochayon, Director of Product Strategy & GTM, Oasis Security, and Steve Zalewski, co-host, Defense in Depth, for an hour of insightful conversation and engaging games. And stick around for our always-popular meetup, hosted right inside the event platform.

Thanks to our Super Cyber Friday sponsor, Oasis Security

Participate! Add our live shows to your calendar

Learn more about all of the fun ways you can participate, and add our events to your calendar.

Cybersecurity Headlines - Daily News Shorts

Subscribe to the CISO Series YouTube channel for daily shorts videos from CISO Series reporter Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.

Thank you for supporting CISO Series and all our programming

We don’t just say we appreciate your feedback; we incorporate it into our programming. Learn more about all of the fun ways you can participate.

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.