We All Agree That Prevention Is the Best Advice We're Never Going to Follow
CISO Series Podcast
Everyone talks about the need for prevention in cybersecurity. But the dirty secret is it's rarely practiced because it introduces productivity friction. Will prevention always be cybersecurity lip service, or is there a way to achieve meaningful prevention without interrupting the business?
This week’s episode is hosted by David Spark, producer of CISO Series, and Andy Ellis, principal of Duha. Joining us is Jason Loomis, CISO, Freshworks.
Listen to the full episode here.
Making organizations take their security medicine
The cybersecurity industry suffers from a classic case of "physician, heal thyself" syndrome when it comes to prevention. It's a good idea, except for your organization. The challenge isn't just that it's technically hard, said Ross Haleliuk of Venture in Security. Meaningful prevention can clash with productivity. And let's face it, when preventative security clashes with an impatient executive, we all know who wins that fight. This is where a CISO's ability to build influence is key.
Building CISO support systems
Two types of posts are a mainstay on the cybersecurity subreddit: day-to-day security frustrations and people saying they are burned out. However, a recent post went beyond the day-to-day, asking whether CISOs need more intentional support systems, and what those would even look like. There is no shortage of Slack and LinkedIn groups for security leaders. But whether it's virtual or small in-person meetings, it's not enough to commiserate. These spaces only succeed when you can establish genuine trust and learn from those who have been there before.
Holding the door for humans
On paper, replacing security analysts with AI seems obvious. Machines analyze faster, never take lunch breaks, and you don't have to talk to them at the water cooler. But this reductive thinking mistakes the visible task for the full value, just like assuming automatic doors make doormen obsolete, noted Nick Romanos of Rivers Agency. It turns out humans are still good at things! The doorman can screen sketchy people and read the room. In cybersecurity, humans know when that alert is just the CEO using sketchy hotel WiFi in Ibiza... again. That kind of institutional knowledge can't be automated away yet.
Underappreciated risks: beyond the headlines
APTs and ransomware attacks are staples for our Cyber Security Headlines podcast. Those are important to keep track of (please keep listening), but many, many more fundamental risks remain underappreciated by security teams. The cybersecurity subreddit ran through some of the classics: overprivileged users, weather-related flooding of data centers, or plain old human error. The math isn't that hard. If you do 85 percent of the foundational security controls, you reduce about 85 percent of your cybersecurity risk.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Ozren Bogovac of Generac for providing our "What's Worse" scenario.
Huge thanks to our sponsor, Safe Security
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Security You Should Know
Harnessing AI-Native PAM with Formal
Why does least privilege keep failing? It’s not the tech—it’s the politics.
In this episode, Mokhtar Bacha, CEO, Formal, joins Howard Holton, COO and industry analyst, GigaOm, and Arvin Bansal, a Fortune 100 veteran CSO, to discuss why privileged access management so often falls short, how AI agents are complicating identity, and whether automated enforcement at the packet level can finally break through the friction.
Read more and listen to the full episode here.
Huge thanks to our sponsor, Formal
Subscribe to Security You Should Know
Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.
Best advice I ever got in security…
“Probably the best advice I ever got was from my old CTO. It’s overused, I’ve seen it on T-shirts. It’s ‘Fake it ’til you make it.’ It’s really about always saying ‘yes.’ So when you’re faced with a new challenge or a new opportunity or something you’ve never done before… When they go ‘Hey, do you want to take over privacy operations?’ I can’t spell privacy. ‘I’ll take it, yes!’ Always say ‘yes.’” - Jason Loomis, CISO, Freshworks
Listen to the full episode of “We All Agree That Prevention Is the Best Advice We're Never Going to Follow”
How Are You Managing the Flow of AI Data
"I think what's interesting with AI agents is that we basically fall right in between where you have those identities that are somewhat deterministic, but that are still non-deterministic in their behavior. It's between a human and a machine, where you have a predefined job and task that needs to be done by an agent… and you want to make sure that it's not doing the wrong thing at the wrong time or accessing the wrong data." - Mokhtar Bacha, founder and CEO, Formal
Listen to the full episode of “How Are You Managing the Flow of AI Data”
What Don't They Teach You About Dealing With a Cybersecurity Incident?
At Black Hat 2025, David Spark asked cybersecurity professionals what you can only learn from dealing with a real cybersecurity incident. Some related that the psychological stress is something no tabletop exercise can prepare you for, and others shared tips on how to prioritize communication and keep your staff from burning out.
Watch the video here.
Huge thanks to our sponsor, Doppel
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Rob Teel, CTO, Oklahoma Department of Commerce.
Thanks to our Cyber Security Headlines sponsor, Vanta
Super Cyber Fridays!
Join us Friday for “Hacking Managed Services”
Join us on Friday, September 12th, 2025, for Super Cyber Friday: “Hacking Managed Services: An hour of critical thinking about what questions to ask when you’re looking for a provider.”
It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Buddy Pitt, vCSO, Logically, and Jay Wilson, CISO and CIO, Insurity, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup, hosted right inside the event platform.
Thanks to our Super Cyber Friday sponsor, Logically
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.