They’re Not AI Mistakes, They’re Happy Little Incidents
CISO Series Podcast
Everyone wants to implement AI, but no one feels ready for it. This disconnect stems from both concerns about technical debt hindering the infrastructure needed to fully realize the benefits of AI, as well as the simple fact that we don't yet know how to secure it.
This week’s episode is hosted by David Spark, producer of the CISO Series, and Andy Ellis, partner of YL Ventures. Their sponsored guest is Jadee Hanson, CISO of Vanta.
Listen to the full episode here.
Find a partner to work with
Many CEOs are eager to adopt AI, but a vast readiness gap is slowing them down; only a small fraction feel prepared. Concerns over security and technical debt are leading to hesitation, according to a recent Cisco study. While increased investment in cybersecurity is part of the solution, companies are also grappling with where and how to effectively integrate AI. Integration partners have a nuanced role to play here. There is a definite need for AI-savvy experts who can offer vision and help organizations reimagine what’s possible. Actual AI adoption isn’t about layering on a new tool—it’s about cultural and operational transformation, guided by internal creativity and external innovation. Companies must also proactively support employees experimenting with AI to harness insights securely and coherently across the business.
Fixing the root of burnout
Burnout in cybersecurity is often mischaracterized as simple fatigue. As Chad Loder noted on LinkedIn, it is in reality a systemic organizational issue tied to chronic workplace stress, misaligned expectations, and unresolved cultural dysfunction, not an individual failing. Common remedies focus on giving employees time off, but that merely delays a return to the same unhealthy environment. Burnout arises when there is a mismatch between what someone expects from their role and the realities they face. In cybersecurity, where threats are constant and perfection is unattainable, those who expect to "fix everything" are the most prone to burning out. Leaders need to help their teams reframe expectations, recognizing that their role is to manage risk, not eliminate it. Burnout can be mitigated by developing clarity around responsibilities, setting realistic expectations, and encouraging honest conversations that dig into the root causes of stress.
The limitations of human vigilance
Traditional cybersecurity training—especially phishing simulations—often falls short by creating an adversarial dynamic between employees and security teams rather than building true resilience. Once marginally useful, phishing simulations have been overtaken by the increasing sophistication of attacks, which often makes malicious messages indistinguishable from legitimate communications. Expecting employees to serve as the frontline defense misunderstands their role and the limits of human vigilance. Instead, the focus should shift to endpoint protections, continuous monitoring, and creating environments where mistakes are expected and safely managed. While responsibility for security is shared, the burden must rest on the systems and processes designed to protect people as they do their jobs.
Balancing openness and control
Transparency around compliance documentation, especially SOC 2 reports, is increasingly expected—but not always practiced. On the cybersecurity subreddit, a redditor complained about a vendor showing compliance red flags: the vendor deflected requests for documentation by pointing to its public trust portal, which can feel evasive to buyers seeking assurance. But how much to share, and in what form, is often left to the vendor's discretion, and reluctance to hand over complete reports (e.g., a full SOC 2) may stem from concerns about scope limitations, misinterpretation, or excessive scrutiny from overly rigid security teams. Gated access through NDAs and layered trust portals can strike a reasonable balance between openness and control; both buyers and sellers benefit from a culture of transparency.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Jay Dance from Stubhub for contributing this week’s “What’s Worse?!” scenario.
Huge thanks to our sponsor, Vanta
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Security You Should Know
Beating the Bots with Kasada
Automated attacks are growing in speed and sophistication, far outpacing the human defenses most organizations rely on. Whether it’s credential stuffing, scraping, or denial-of-wallet attacks, bots can drain your resources before they even steal a cent.
In this episode, Sam Crowther, founder of Kasada, discusses how their bot detection and mitigation solution flips the economics of attacks. By disrupting automated behavior at wire speed—without impacting user experience—Kasada ensures you’re doing business with real people, not fake clicks. Joining him are panelists Jimmy Sanders, president of ISSA International, and Jason Elrod, CISO at MultiCare Health System.
Listen to the full episode here.
Thanks to our podcast sponsor, Kasada
Subscribe to Security You Should Know Podcast
Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.
Best advice for a CISO?
“Your security program shouldn't scale headcount at the same rate as the overall organization. Instead, proactively invest in automation and AI-driven security solutions to streamline your operations and reduce your manual workloads. By taking these simple steps now, you're going to future-proof your team, ensuring it can grow with the company while maintaining strong security as complexity increases.” - Jadee Hanson, CISO of Vanta
Listen to the full episode of "They’re Not AI Mistakes, They’re Happy Little Incidents"
How Much Should Salespeople Know About Their Product?
"I saw a salesperson the other day achieve a CISP certification. Now, I thought, this person is going out of their way to understand the very things that we do every day. And that’s incredibly important." - Jay Jay Davey, vp of cyber security operations, Planet
Listen to the full episode of "How Much Should Salespeople Know About Their Product?"
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
LIVE!
Join us for CISO Series Podcast LIVE in Boston (05-15-25)
We're super excited to be heading back to CISO Series founder David Spark's hometown of Boston, MA to do a live audience recording of CISO Series Podcast with fellow co-host and local, Andy Ellis, partner, YL Ventures and Sam Curry, global vp, CISO in residence at Zscaler.
REGISTER on LinkedIn and/or with the official event registration.
HUGE thanks to our sponsor, Zscaler
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Dan Holden, CISO, BigCommerce.
Thanks to our Cyber Security Headlines sponsor, ThreatLocker
Super Cyber Fridays!
Enhancing Compliance Audits with Gen AI
How can Gen AI be better utilized for compliance and audits? How can we be sure our models aren’t hallucinating and we can trust their output?
I spoke with Chris Strand, global security and compliance officer at Thoropass, about the benefits and challenges of integrating Gen AI into this vital process. We dig into the limitations of current AI models in understanding and respecting corporate data, IP policies, and data protection rules. While skepticism about these models is reasonable, selective training could improve AI’s efficacy, ensuring more accurate and automated results while adhering to security and compliance standards.
Join us on May 9, 2025, for “Hacking the Validity of GenAI: An hour of critical thinking about embracing these new tools while still meeting your compliance requirements,” at 1pm ET/10am PT on Super Cyber Friday. Joining David and Chris is Rob Gormisky, infosec lead and founding engineer, Forage.
Thanks to our Super Cyber Friday sponsor, Thoropass
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.