Remember, Every Underappreciated Risk Is Just a Crisis Waiting to Be Discovered
CISO Series Podcast
Remember, Every Underappreciated Risk Is Just a Crisis Waiting to Be Discovered
Quantitative risk management promises to be the missing piece of the cybersecurity puzzle, allowing CISOs to better connect their work to tangible business outcomes. But is it moving the needle or just making it easier to push technical debt down the road?
This week's episode is hosted by me, David Spark, producer of CISO Series Podcast, and Andy Ellis, principal of Duha. Joining us is Hilik Kotler, SVP, CISO and IT, Expedia Group.
Listen to the full episode here.
The numbers game
Critics of quantitative risk management see it as sophisticated theater, a way to make boards feel comfortable while real security work gets deprioritized. Dr. Sam Liles, interim CISO at Blue Cross Blue Shield Mass, argued the sharper critique isn't that the numbers are wrong, but that they become a crutch. When organizations treat risk scoring as a decision-making machine rather than as an aid, they stop doing the hard work of defining what level of loss is unacceptable. The stronger case for QRM is that it forces conversations most organizations would rather avoid, like what the company's actual risk appetite is and whether security investment matches that tolerance. Without those conversations, security sets its own guardrails in a vacuum, and everyone wonders why the program never feels aligned to the business.
What makes a vendor worth your time
Most security startups don't fail because they lack innovation. They fail because they underestimate what it takes to operate inside a large enterprise. Ross Haleliuk of Venture in Security argues there's no such thing as a good market in security anymore, only markets where you have a meaningful advantage. Pay attention to the vendor who understands the problem as it looks at 2 a.m., not the pitch-deck version, and tailors their value proposition accordingly. Generic pitches are a red flag. So is a product that gets smarter only because the underlying AI model gets smarter. The best vendors also think beyond the sale, treating integration into real workflows as a design requirement rather than an afterthought.
Humanity in the loop
The risk with AI governance frameworks isn't that they aim too high. It's that they often underestimate the mess involved in getting them operationalized. Karen Pfeifer of Pythian argues that embedding ethics into AI systems isn't an abstract debate. It requires governance before deployment, instrumentation to detect model drift, and explicit breakpoints where human judgment re-enters the loop for high-stakes decisions. Ultimately, values don't belong inside the model. They belong inside the institution that deploys it. AI scales whatever incentives and structures it inherits. Organizations that haven't resolved their own internal priorities will find AI making those gaps visible faster and at greater scale.
Alignment is a prerequisite, not a nice-to-have
Teams across the business are optimized for different things, such as velocity, risk minimization, and compliance. That tension is by design. For Joshua Copeland of Crescendo, the problem isn't that departments disagree; it's that most organizations haven't defined how those disagreements get resolved. AI doesn't fix that ambiguity; it amplifies it. A model trained on organizational dysfunction will optimize for whatever signal is loudest in the data. AI requires enterprise-level priorities, with clear answers to questions like "when growth and privacy conflict, which one wins?"
Listen to the full episode on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven't subscribed to the CISO Series Podcast via your favorite podcast app, please do so now (also see links below).
Thanks to Dustin Sachs of PsyberCog Labs for providing our "What's Worse" scenario.
Huge thanks to our sponsor, Vanta
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Security You Should Know
The Same Person Keeps Showing Up. Here's What He Keeps Saying.
Eight episodes. Eight ThreatLocker products. One chief product officer who doesn't sugarcoat anything.
Rob Allen, chief product officer for ThreatLocker, has appeared on Security You Should Know more times than almost anyone. Across conversations covering application control, network control, patch management, MDR, and more, he keeps making the same argument: the industry is stacking detection tools on top of detection tools while ignoring the more fundamental question of what's allowed to run in the first place.
We rounded up our favorite moments from those eight episodes. Read the full article here.
Thanks to our podcast sponsor, ThreatLocker
Subscribe to Security You Should Know
Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.
What I love about cybersecurity…
"What I love about cybersecurity is that it forces us to reinvent ourselves every few years. Very few professions demand that level of evolution. The threat landscape changes, technology shifts, business models transform, regulation evolves, and if we are doing the same job the same way two years later, we are already behind. Cybersecurity doesn't reward comfort, it rewards curiosity." - Hilik Kotler, SVP, CISO and IT, Expedia Group
Listen to the full episode of "Remember, Every Underappreciated Risk Is Just a Crisis Waiting to Be Discovered"
How to Be Less Busy and More Effective in Cyber
"Frameworks are a means to an end. It's not the end itself. People get in trouble with frameworks when they think that it's the end-all be-all. If frameworks equal outcomes, you have a problem. Because in reality, it's frameworks plus incentives plus human behavior equals outcomes." - Dan Walsh, CISO, Datavant
Listen to the full episode of "How to Be Less Busy and More Effective in Cyber"
CISO Series Newsletter - Twice every week
Cybersecurity Headlines Newsletter - Every weekday
Security You Should Know Newsletter - Weekly
5 Considerations That Separate Great Vendors From Forgettable Ones
Hilik Kotler, SVP, CISO & IT, Expedia Group, breaks down exactly what separates the vendors who earn long-term partnerships from the ones who leave without a deal.
Operational understanding. A tailored value prop. Friction reduction. Proprietary data gravity. Enterprise fluency. Startups don't fail for lack of innovation; they fail because they underestimate what it actually takes to operate inside an enterprise.
Listen to the full episode here.
Join the CISO Series Podcast LIVE in Boston (4-30-26)
CISO Series Podcast is recording live at the offices of Aqueduct Technologies in Canton, Massachusetts. David Spark will be joined on stage by Andy Ellis, former CSO at Akamai and Principal at Duha, and Dmitriy Sokolovskiy, Senior VP of Cyber Resilience at Semrush.
All are welcome — whether you're just getting into cybersecurity or you're a seasoned veteran. Space is limited.
It's all happening on Thursday, April 30, 2026, at 5:00 PM. Register here.
Huge thanks to our sponsors, Dropzone AI and Strike48.
Cybersecurity Headlines - Department of Know
Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Sarah Lane and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you'll be having at work all week long.
Monday’s episode featured Jack Kufahl, CISO, Michigan Medicine, and Adam Palmer, CISO, First Hawaiian Bank. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.
Join us again next week, and every Monday.
Thanks to our Cybersecurity Headlines sponsor, Vanta
Super Cyber Friday
Join us Friday for “Hacking Vendor Trust”
Join us on Friday, April 10, 2026, for Super Cyber Friday: “Hacking Vendor Trust: An hour of critical thinking about how to build a partnership that spans people and products.”
It all kicks off at 1 PM ET / 10 AM PT, when Richard Stroffolino will be joined by Nick Espinosa, host, The Deep Dive Radio Show, and Michael Bickford, CISO, New York State Gaming Commission, for an hour of insightful conversation and engaging games. And stick around for our always-popular meetup, hosted right inside the event platform.
Register for the Super Cyber Friday event series. Join us for just this episode, or choose to register for all of our upcoming episodes in this ongoing event series.
Cybersecurity Headlines - Daily News Shorts
Subscribe to the CISO Series YouTube channel, for daily shorts videos from CISO Series reporter, Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship, contact me, David Spark.