
Step 1: Deploy New AI Tool. Step 2: Discover Security Flaws. Step 3: Repeat. (LIVE in Orlando)

CISO Series Podcast
Step 1: Deploy New AI Tool. Step 2: Discover Security Flaws. Step 3: Repeat. (LIVE in Orlando)

The rush to keep up with the latest AI tooling is creating a vicious cycle. Is there any way to enable teams to use these new tools without abandoning security best practices?

This week's episode is hosted by David Spark, producer of CISO Series and Michelle Wilson, CISO, Movement Mortgage. Joining is sponsored guest Rob Allen, chief product officer, ThreatLocker.

Listen to the full episode here.

This show was recorded in front of a live audience at ThreatLocker's conference, Zero Trust World 2026.

Risk as a daily habit 

Most security teams have a risk register. Far fewer have a risk culture, the kind where someone flags a concern before it's a problem, not because a meeting is scheduled but because it feels safe to do so. That gap is what Maman Ibrahim and Gavriel Schneider explored in a CSO Online piece, framing effective risk culture around four questions. Do people notice risk early? Do they name it clearly? Do they know who decides? And can they act without fear of blowback? The goal isn't a perfect process. It's making risk conversation feel routine enough that people don't wait for a meeting to raise something uncomfortable. The harder question is whether the leader's reaction, when someone does speak up, makes it more or less likely they'll do it again.

AI agents talking to AI agents 

Handing an AI agent access to your email, files, calendar, and browser sounds like a bad idea when you say it out loud. Plenty of people did it anyway with OpenClaw, a locally run AI personal assistant. For Cassio Goldschmidt of Reflex Security, this prompted a basic sanity check. Then came Moltbook, a social network for AI bots, where agents began to prompt-inject one another to steal API keys and rewrite identities. Autonomous systems that hold sensitive personal data are increasingly talking to each other at machine speed, with no human in the loop. The value proposition for agentic AI tools is real. The question is whether there's a version of this that doesn't also hand attackers a fully loaded weapon.

The code on the lock 

Security professionals are trained to spot the gap between what a control is supposed to do and what it actually does. They're far less trained to ask whether the control still needs to exist. David Travis of the City of Auburn posted a photo of a combination lock with the code printed directly above it. The first instinct is to mock it as security theater. But at some point that door genuinely needed to be locked. Then the systems around it changed, and the path of least resistance was taping the code to the hardware rather than removing a control nobody needs anymore. That's not laziness. It's a symptom of controls that outlive their purpose because auditing them is harder than ignoring them. Walking in users' footsteps means asking not just "is this control in place?" but "what would actually break if it weren't?"

Words that shape decisions 

The language security teams use to describe threats isn't just communication. Security leans heavily on metaphor, and the metaphors you choose can lead people astray. Phil Venables of Ballistic Ventures dug into this dynamic, starting with a Stanford study. Give people the same crime report, frame the criminal as either a "wild beast" or a "virus," and they recommend completely different responses. The beast gets enforcement and punishment. The virus gets systemic solutions. Venables applies the same logic to security's favorite shorthand. "Cyber war" pushes teams toward reactive, tool-heavy thinking. "Castle and moat" overbuilds the perimeter while leaving the interior exposed. "Cyber hygiene" quietly shifts blame onto users rather than onto architecture. The metaphor shapes budgets, team structure, and what gets built. If the framing is wrong, the investments follow.

Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven't subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Jared Mendenhall, CISO, Armature Systems, for providing our "What's Worse" scenario.

Huge thanks to our sponsor, ThreatLocker

Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Biggest mistake I ever made in security…

“I may have accidentally once left an O.MG cable at a security conference that I was demonstrating with, and I forgot to put it in my bag and I left it around. So, there's probably somebody now charging their phone with an O.MG cable. So, I'm sorry.” - Rob Allen, chief product officer, ThreatLocker

Listen to the full episode of "Step 1: Deploy New AI Tool. Step 2: Discover Security Flaws. Step 3: Repeat. (LIVE in Orlando)"

What Makes a Successful Security Vendor Demo?

"For me, the demo is the discovery. I want to see your UI, your UX. I want to see the workflow and that's going to generate more questions. But if I'm just seeing PowerPoint or slides or just theoretical talk, it really doesn't help me at all." - Kenneth Beasley, BISO, Kaiser Permanente

Listen to the full episode of “What Makes a Successful Security Vendor Demo?”

Detection vs. Prevention: Why Zero Trust Is Essential in the Age of AI

Sponsored article

EDR solutions are struggling to keep pace with modern AI-driven threats like living-off-the-land attacks, fileless malware, and credential-based intrusions.

ThreatLocker's latest guest post on CISO Series makes the case for why that's a structural problem, not a product gap. Detection is inherently reactive: it can only fire after the attacker has already executed something on the host. Zero Trust flips the model by enforcing default-deny, least privilege access, and application allowlisting before an attacker ever gets the chance to exploit a trusted process.
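To make the "detect-only versus default-deny" distinction concrete, here is an added illustration (not ThreatLocker's code and not from the guest post) that runs a handful of constructed process-launch events through both models. The detect-only evaluator knows one bad hash; the default-deny evaluator has an approved-hash list, an approved-signer list, and a ringfence rule that stops Office applications from spawning script interpreters. All binary names, hashes, signers and the ringfence rule are assumptions made up for the example.

```python
"""Detect-only vs default-deny execution policy over constructed process events.

Added illustration; not ThreatLocker's implementation. Every file name, hash,
signer and rule here is a made-up example.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ExecEvent:
    """One process-launch event (constructed sample; field names are assumptions)."""
    image: str              # path of the binary being launched
    sha256: str             # hex SHA-256 of that binary
    parent: str             # path of the parent process
    signer: Optional[str]   # code-signing publisher, None if unsigned


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Stand-in file contents so hashes are reproducible; a real agent hashes the binary on disk.
FILE_BYTES = {
    "ledger.exe": b"constructed: approved line-of-business app",
    "powershell.exe": b"constructed: OS-signed script interpreter",
    "update_helper.exe": b"constructed: unknown unsigned dropper",
    "miner.exe": b"constructed: malware with a published signature",
}
H = {name: sha256_hex(b) for name, b in FILE_BYTES.items()}

# Detect-only model: block only what is already catalogued as bad.
KNOWN_BAD_HASHES = {H["miner.exe"]}

# Default-deny model: run only what is explicitly approved.
ALLOWED_HASHES = {H["ledger.exe"]}
ALLOWED_SIGNERS = {"Microsoft Windows"}
# Ringfencing: an approved binary still may not be launched by these parents,
# which stops the document-spawns-PowerShell pattern without banning PowerShell.
RINGFENCED_CHILDREN = {
    "winword.exe": {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe"},
    "excel.exe": {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe"},
}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_only(ev: ExecEvent) -> str:
    """Signature matching: alerts only on binaries already known to be bad."""
    return "alert" if ev.sha256 in KNOWN_BAD_HASHES else "allow"


def default_deny(ev: ExecEvent) -> str:
    """Allowlist + ringfence evaluation; anything not approved is denied."""
    child, parent = basename(ev.image), basename(ev.parent)
    if child in RINGFENCED_CHILDREN.get(parent, set()):
        return "deny:ringfence"
    if ev.sha256 in ALLOWED_HASHES:
        return "allow:hash"
    if ev.signer is not None and ev.signer in ALLOWED_SIGNERS:
        return "allow:signer"
    return "deny:default"


# Constructed events: an approved app, a living-off-the-land launch from Word,
# the same interpreter launched normally, an unknown dropper, and known malware.
SAMPLE_EVENTS = [
    ExecEvent(r"C:\Apps\ledger.exe", H["ledger.exe"], r"C:\Windows\explorer.exe", "Contoso Ltd"),
    ExecEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", H["powershell.exe"],
              r"C:\Program Files\Office\winword.exe", "Microsoft Windows"),
    ExecEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", H["powershell.exe"],
              r"C:\Windows\explorer.exe", "Microsoft Windows"),
    ExecEvent(r"C:\Users\alice\AppData\Local\Temp\update_helper.exe", H["update_helper.exe"],
              r"C:\Program Files\Office\winword.exe", None),
    ExecEvent(r"C:\Users\alice\Downloads\miner.exe", H["miner.exe"], r"C:\Windows\explorer.exe", None),
]


def compare(events=SAMPLE_EVENTS):
    """Return [(child, parent, detect-only verdict, default-deny verdict), ...]."""
    return [(basename(e.image), basename(e.parent), detect_only(e), default_deny(e)) for e in events]


if __name__ == "__main__":
    for child, parent, d, z in compare():
        print(f"{parent:>14} -> {child:<18} detect-only={d:<6} default-deny={z}")
```

Run as a script, the table shows the structural gap the article argues about: the detect-only model allows four of the five events, including the signed PowerShell launched from Word and the never-before-seen dropper, because neither matches a known-bad hash. The default-deny model blocks both without any prior knowledge of them, while still allowing PowerShell when it is launched from Explorer.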

Read the full article here.

Huge thanks to our sponsor, ThreatLocker

Join the CISO Series Podcast LIVE in Boston. This Thursday!

Last chance! The CISO Series Podcast is recording live in two days at the offices of Aqueduct Technologies in Canton, Massachusetts. David Spark will be joined on stage by Andy Ellis, principal at Duha, and Dmitriy Sokolovskiy, SVP of cyber resilience at Semrush.

All are welcome, whether you're just getting into cybersecurity or you're a seasoned veteran, but space is limited. It's happening Thursday, April 30, 2026 at 5:00 PM. Register here.

Huge thanks to our sponsors, Dropzone AI and Strike48.

Ask Me Anything - April 2026

Our monthly AMA on r/cybersecurity on Reddit has begun! Our topic is "I'm a security professional in the healthcare industry. Ask me anything about the unique challenges of working in this space."

Healthcare security professionals face a distinct set of challenges. From protecting patient data and clinical systems to navigating regulatory pressures and the unique risks that come with life-critical infrastructure. This month's panel brings together CISOs and security leaders from across the healthcare space to share what it's really like to work on the front lines of this industry.

Please ask questions for our participants here.

This month's participants are:

  • Errol Weiss, (u/SecretaryWise6205), CISO, Health-ISAC

  • Jack Kufahl, (u/AccidentalCISO1817), CISO, Michigan Medicine

  • Samantha Jacques, (u/MedDevGuru786), VP of clinical engineering, McLaren Health Care

  • Jason Elrod, (u/CISO_Jason), CISO, MultiCare Health System

  • Montez Fitzpatrick, (u/Beneficial-Expert635), CISO, Navvis

  • Gary Longsine, (u/IntrinsicSecurity), CEO, Intrinsic Security

Thanks to all of our participants for contributing!

Subscribe to our newsletters on LinkedIn!

CISO Series Newsletter - Twice every week

Cybersecurity Headlines - Department of Know

Our LIVE stream of The Department of Know happens every Friday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ve been having at work all week long.

Friday’s episode will feature Janet Heins, CISO, ChenMed, and TC Niedzialkowski, head of IT & security, Opendoor. Join us on YouTube and catch up on what shaped the week in security.

Thanks to our Cybersecurity Headlines sponsor, Guardsquare

Super Cyber Friday
Join us Friday for “Hacking the Death of Entry-Level Jobs”

Join us on Friday, May 1, 2026, for Super Cyber Friday: “Hacking the Death of Entry-Level Jobs: An hour of critical thinking about how to get your foot in the door in the age of AI.”

It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Kathleen Mullin, former CISO, and Mathew Biby, director of cybersecurity, TixTrack, for an hour of insightful conversation and engaging games. And stick around for our always-popular meetup, hosted right inside the event platform.

Participate! Add our live shows to your calendar

Learn more about all of the fun ways you can participate, and add our events to your calendar.

Cybersecurity Headlines - Daily News Shorts

Subscribe to the CISO Series YouTube channel, for daily shorts videos from CISO Series reporter, Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.

Thank you for supporting CISO Series and all our programming

We don’t just say we appreciate your feedback; we incorporate it into our programming. Learn more about all of the fun ways you can participate.

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.