Our Theoretical Controls Work Great Against Hypothetical Attacks
CISO Series Podcast
Cybersecurity frameworks are a great starting point for any organization. But none will survive first contact with a production environment without accounting for local context. So why do we keep missing that point?
This week’s episode is hosted by David Spark, producer of CISO Series, and Andy Ellis, principal of Duha. Joining them is David Nolan, former CISO, Asurion.
Listen to the full episode here.
Influence, not control
The CISO walking into an executive meeting isn't there to present a status update. They're there to move something forward. Geoff Hancock of Unacast argues that means controlling the narrative, the tempo, and the decision itself. The practical implication is arriving with decisions to be made, not problems. But "control" is a bit of a stretch. What's really happening is influence. The stronger move is framing options so there's no catastrophically bad choice on the table, just a better one and a more tolerable one. Executives who demand certainty are a real constraint, and the answer isn't to manufacture certainty to appease those executives. Instead, redirect toward how the risk is being managed so the business can keep moving.
The initiative gap
The argument around "entry-level" cybersecurity jobs seems endless. It's not that entry-level candidates don't exist; it's that employers want mid-level experience at entry-level pay, according to a recent post on the cybersecurity subreddit. But there's a real skills gap underneath the focus on compensation. The candidates who get hired start their cyber training before their first job. They build home labs, participate in CTF (capture the flag) events, contribute to open-source projects, and volunteer for nonprofits. The degree and the certification can clear a filter, but they don't make someone SOC-ready. Demonstrating initiative and the ability to articulate what you've built or broken means a lot more.
Skip the framework, patch the server
Best practices are largely aspirational, built for greenfield environments that most organizations will never have. Ross Haleliuk of Venture in Security argues organizations would be better off obsessing over the basics, such as MFA, patching legacy systems, cleaning up stale and overprivileged accounts, and eliminating dark, untouched corners. It's not a glamorous security posture, but it's what closes the doors attackers use most. The hardest part for security leaders isn't knowing the basics; it's defending a "start with fundamentals" strategy without appearing to set the bar low.
Confident code with no owner
AI doesn't own outcomes, and it can't distinguish between confidence and correctness. It can only simulate both, pointed out Keith Townsend of CTO Advisor. AI-generated code lands without an accountable author, the same challenge organizations faced when cloud shifted infrastructure ownership to application teams who never managed it before. We need to apply the same CI/CD controls that are already in place. The accountability gap is the real issue, not a lack of a specific AI policy. If a product owner uses AI to build something, they own what it does. Making that explicit before deployment is the part most teams are skipping.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Joseph Carson, Segura for providing our "What's Worse" scenario.
Thanks to our podcast sponsor, ThreatLocker
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Best advice for a CISO…
“You definitely have to obsess over the business you serve. My advice is get out there, get your hands dirty, get on the front lines where revenue is actually made, and get to know what that success looks like. Talk to your executives and your business peers and help them achieve what their goals are but do it in a secure way. The cool thing is not only does that help you to translate your risk in their business terms, but it helps you identify potential impacts and those opportunities that your strategy on security may cause.” - David Nolan, former CISO, Asurion
Listen to the full episode of "Our Theoretical Controls Work Great Against Hypothetical Attacks"
How Should We Measure the Performance of a CISO?
"Clarity creates metrics, not the other way around. It begins with understanding what is the goal of the goal of this business. Metrics aren't the goal. They're just a tool to help reduce the probability of material impact and bring it to a language that everybody can align on." - Jason Richards, vp, information security, CHG Healthcare
Listen to the full episode of "How Should We Measure the Performance of a CISO?"
CISO Series Newsletter - Twice every week
Cybersecurity Headlines Newsletter - Every weekday
Security You Should Know Newsletter - Weekly
Join the CISO Series Podcast LIVE in Boston (4-30-26)
CISO Series Podcast is recording live at the offices of Aqueduct Technologies in Canton, Massachusetts. David Spark will be joined on stage by Andy Ellis, former CSO at Akamai and Principal at Duha, and Dmitriy Sokolovskiy, Senior VP of Cyber Resilience at Semrush.
All are welcome, whether you're just getting into cybersecurity or you're a seasoned veteran. Space is limited.
It's all happening on Thursday, April 30, 2026 at 5:00 PM. Register here.
Huge thanks to our sponsors, Dropzone AI and Strike48.
What AI-Generated Malware Actually Looks Like with ThreatLocker
Kieran Human, security enablement lead at ThreatLocker, demonstrates how easily AI can be used to generate functional malware, and why that reality makes a deny-by-default approach more critical than ever.
Listen to the full episode here.
Huge thanks to our sponsor, ThreatLocker
Cybersecurity Headlines - Department of Know
Our LIVE stream of The Department of Know is moving from Mondays to Fridays. We go live at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ve been having at work all week long.
On Friday’s episode, we’ll welcome Eduardo Ortiz-Romeu, vp, global head of cybersecurity, Techtronic Industries, and Andrew Storms, security engineering, Kilo Code. Join us on YouTube to wrap up the week in security.
Thanks to our Cybersecurity Headlines sponsor, Conveyor
Super Cyber Friday
We’ve updated the link to register for Friday’s show: “Hacking AI Trust”
Join us on Friday, April 17, 2026, for Super Cyber Friday: “Hacking AI Trust: An hour of critical thinking about how to have confidence in your LLM's output.” We’re moving our event platform from Airmeet to Crowdcast.
It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Jacob Combs, CISO, Tandem Diabetes Care, and Keith Townsend, host, CTO Advisor Podcast, for an hour of insightful conversation and engaging games. And stick around for our always-popular meetup at the end of the hour.
Cybersecurity Headlines - Daily News Shorts
Subscribe to the CISO Series YouTube channel, for daily shorts videos from CISO Series reporter, Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.