They're Less "Best Practices" and More "Sounds Good on LinkedIn"
CISO Series Podcast
They're Less "Best Practices" and More "Sounds Good on LinkedIn"
Security thrives on context. So why does cybersecurity as an industry get so caught up with universal concepts that often can't be applied?
This week's episode is hosted by David Spark, producer of CISO Series, and Andy Ellis, principal of Duha. Joining them is Rebecca Harness, CISO, Deltek.
Listen to the full episode here.
Let it fail
Ninety-five percent of AI pilot projects never make it to production. Enrico Signoretti of Cubbit presented this MIT finding as a warning sign. But that's not a crisis; it's the system working. The real problem is organizations that treat every pilot like a commitment, setting the bar so high that nothing experimental ever gets tried. Forget the advice to organize, secure, and catalog all your data before touching AI. That's a recipe for paralysis. The teams seeing results are the ones putting tools in everyone's hands, learning fast, and killing what doesn't work. The dangerous part comes later: the projects that do stick were built with shortcuts, and nobody's going back to clean them up.
The CIO seat is empty. Now what?
Every time a CIO leaves, the same cycle restarts: a new hire, a new relationship, and months lost rebuilding trust. But CISOs can break the loop by pitching their executive team a different model: fold IT infrastructure and support under security, and hire a transformation-focused leader instead. Becca Harness tried this. Six months in, with 150 people now reporting up through security, the teams are tightly blended: SOC managers running network operations and security engineers embedded in infrastructure. The real unlock wasn't the org chart. It was protecting operational teams.
Design for how people actually work
Security controls that look airtight in design reviews routinely blow up on contact with real users. The cybersecurity subreddit recently shared some horror stories. Zero-trust network migrations expose decades of layered network rules nobody fully understands. Removing local admin reveals shadow tool sprawl nobody expected. The pattern isn't that the controls are wrong. It's that nobody asked how people actually use the systems before flipping the switch. Instead, run premortems. Let users opt in voluntarily before you make the change mandatory. The teams that get adoption right aren't the ones with the best tools. They're the ones that default to yes when a user needs something at 3 a.m. and sort out the policy questions in the morning.
"We found 23 issues. That'll be $15,000."
Unsolicited pentest emails demanding payment for vaguely described vulnerabilities are security sales at their most desperate. The playbook was familiar to former BISO Nick Ryan: blast the same scare email to hundreds of companies and hope someone panics. A responsible disclosure program gives you a clean response: point them to it and move on. But the bigger nuisance is legitimate vendors who discover that employees are using the free tiers of their tools and then pressure you into an enterprise license. Even worse are vendors who go over your head to other executives, or down the chain to your analysts, to manufacture urgency.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven't subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Ryan Rene Rosado, RSM for providing our "What's Worse" scenario.
Thanks to this episode's security tip sponsor, Qualys.
Huge thanks to our sponsor, Strike48
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Transitioning to Quantum-Safe Encryption with enQase
In this episode, Rajesh Patil, CTO at enQase, explains how enQase's full-stack platform helps enterprises implement quantum-safe security through a structured, integrated approach. This covers everything from cryptographic asset discovery and governance to out-of-band key generation for network appliances, without requiring organizations to rip and replace existing infrastructure. Joining him are Ross Young, co-host at CISO Tradecraft®, and Adam Palmer, CISO at First Hawaiian Bank.
Want to know:
Why is the post-quantum cryptography transition harder than simply implementing new standards?
What three factors should frame every CEO conversation about quantum risk?
Where should a highly regulated enterprise start, and what can reasonably wait three to five years?
Why should we be planning for "harvest now, decrypt later" attacks right now?
How do you build and track a cryptographic bill of materials across hundreds of applications and devices?
Why is crypto agility more important than picking the perfect algorithm?
Check out the episode for the answers you need.
Huge thanks to our sponsor, enQase
Subscribe to Security You Should Know
Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.
Best advice I ever got in security…
“Best advice I ever got was years ago from Alan Paller. He said the most important thing is that people trust you. So, job number one, when you start a new job is just establish that trust with the board, the executive team, your peers, anyone and everyone. That was absolutely true.” - Rebecca Harness, CISO, Deltek
Listen to the full episode of “They're Less "Best Practices" and More "Sounds Good on LinkedIn"”
Are Your Security Tools Creating More Work for Your Team?
"A lot of us in security leadership get in to fight hackers, break things, or focus on technology, but eventually you get to a point where you have to have this rigor as a business leader to hold your organization accountable to delivery and report on how you're doing." - Evan McHenry, CISO, Robinhood
Listen to the full episode of “Are Your Security Tools Creating More Work for Your Team?”
CISO Series Newsletter - Twice every week
Cybersecurity Headlines Newsletter - Every weekday
Security You Should Know Newsletter - Weekly
March AMA - "I've built diverse, high-performing security teams. Ask Me Anything about hiring, culture, and talent management in cybersecurity."
Our monthly AMA on r/cybersecurity on Reddit has begun! Our topic is "I've built diverse, high-performing security teams. Ask Me Anything about hiring, culture, and talent management in cybersecurity."
This month we're exploring the human side of security — how leaders recruit and retain top talent, build inclusive teams, and shape the cultures that make security organizations thrive. Whether you're a hiring manager, a job seeker, or just curious about what makes great security teams work, this is your chance to ask directly.
Please ask questions for our participants here.
This month's participants are:
Joshua Scott, (u/threatrelic), CISO, Hydrolix
David Cross, (u/MrPKI), CISO, Atlassian
Shaun Marion, (u/MarshaunMan), vp, CSO, Xcel Energy
Derek Fisher, (u/Electronic-Ad6523), Director of the Cyber Defense and Information Assurance Program, Temple University
Caleb Sima, (u/CalebOverride), builder, WhiteRabbit
Charles Blauner, (u/OG_CISO), operating partner, Crosspoint Capital
Thanks to all of our participants for contributing!
How to Manage a Cyberattack that Wants YOU
Rob Allen, chief product officer at ThreatLocker, breaks down the two types of attackers you're up against: those hunting for easy targets who are after money, and those coming after you specifically. For most organizations, the winning strategy is the same — make yourself too difficult, too costly, too much hassle to be worth pursuing. Every port you expose and every application you allow to run expands your attack surface. Shrink it.
Listen to the full episode here.
Huge thanks to our sponsor, ThreatLocker
Cybersecurity Headlines - Department of Know
Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.
Monday’s episode featured Jonathan Waldrop, CISO, Acoustic, and Chris Ray, Field CTO, GigaOm. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.
Join us again next week, and every Monday.
Thanks to our Cybersecurity Headlines sponsor, Adaptive Security
Super Cyber Friday
Join us every Friday in April for “Trust Month”
Trust is at the core of everything we do in cybersecurity — and this April, we're dedicating an entire month to it on Super Cyber Friday.
Throughout April, each episode will tackle a different dimension of trust: building it within your security team, knowing when a vendor becomes a true partner, gaining confidence in AI output, and earning a seat at the table as a business enabler rather than a blocker.
Four Fridays. Four conversations. One theme that touches every corner of the industry. Register for the full series, and get notified whenever new episodes are scheduled.
Cybersecurity Headlines - Daily News Shorts
Subscribe to the CISO Series YouTube channel, for daily shorts videos from CISO Series reporter, Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship, contact me, David Spark.