We Gave the CISO Risk and Liability, and Now They Want Authority. The Nerve.
CISO Series Podcast
Being a CISO can feel like a no-win situation. The role is now common in organizations, yet CISOs often face an imbalance of responsibility and authority. How did the situation get so bad, and what can be done to empower CISOs?
This week's episode is hosted by David Spark, producer of CISO Series, and Steve Zalewski. Joining them is Tammy Klotz, CISO, Trinseo.
Listen to the full episode here.
Accountability without authority
CISOs are increasingly held responsible for business risk outcomes: recovery speed, financial exposure, operational continuity. The rub is that their decision-making power hasn't caught up, argues Sanjiv Cherian of Microminder Cyber Security. Accountability gets real fast when you're the named executive signing off on an audit, and plenty of CISOs rush to claim that authority without understanding what they're taking on. The smarter framing is risk advisor, not risk owner. The CISO's job is to make sure the right business leaders understand the risk they are accepting, not to personally absorb every risk on the company's books. This is a relationship you're establishing, not a burden you're volunteering for.
Kill your hacklore
Outdated security advice, like changing your password every 90 days and never using public Wi-Fi, persists not because it's effective but because it used to be. NIST's SP 800-63B guidance, for instance, has recommended against forced periodic password rotation (absent evidence of compromise) since 2017, yet the 90-day policy lives on. It's the cybersecurity equivalent of warming up your car engine for five minutes before driving. The technology moved on; the habits didn't. Hacklore.org is now cataloging these stubborn myths with backing from over 80 security professionals. The most damaging myth might be the one that's hardest to shake: that employees are your weakest link. That framing is demoralizing and counterproductive. Flip it. Make people your strongest link by explaining the "why" behind what you're asking them to do. People follow rules they understand. Talk about passwordless authentication instead of password rotation. Talk about conditional access instead of blanket restrictions.
Voice is no longer enough
With just 20 seconds of audio and a few dollars, attackers can clone a voice convincingly enough to fool help desk analysts, coworkers, and even family members. The cybersecurity subreddit has been full of examples of voice authentication failing to meet the AI moment. The old playbook of callback procedures, security questions, and manager verification still helps, but voice as a trusted factor in multi-factor authentication is effectively dead. Security teams are now scrambling for alternatives: biometric wearables, hardware tokens, and removing humans from password resets entirely. All of this adds friction, but the easy way doesn't work anymore, and pretending otherwise is worse than the inconvenience. Just ask MGM.
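What "voice is not a factor" looks like once it is written down as a help-desk reset gate, as an added example that is not from the episode or from CISO Series. Everything here is hypothetical: the user "jdoe", an enrolled hardware token that is a standard RFC 6238 TOTP token (SHA-1, 30-second step, 6 digits; the seed is the RFC's published test seed, not a real secret), a logged callback to the phone number on record, and a manager-approval ticket ID. The phone system's voice-match score is carried in the request only so it can be logged; the policy never counts it.

```python
"""Added example (not CISO Series code): a password-reset gate in which voice
is never an authentication factor. All names and the enrolment data are
constructed for illustration."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed enrolment: the RFC 6238 test seed ("12345678901234567890"), used
# here only so the example is reproducible. A real seed is a per-token secret.
ENROLLED_SEEDS = {"jdoe": bytes.fromhex("3132333435363738393031323334353637383930")}
STEP_SECONDS = 30


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer and reduction mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(at / 30)."""
    return hotp(seed, at // STEP_SECONDS, digits)


def verify_totp(user: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step or one step either side (clock drift), using a
    constant-time comparison so the check itself leaks nothing about the code."""
    seed = ENROLLED_SEEDS.get(user)
    if seed is None:
        return False
    counter = at // STEP_SECONDS
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-window, window + 1))


@dataclass
class ResetRequest:
    user: str
    totp_code: Optional[str] = None      # code read from the user's hardware token
    callback_completed: bool = False     # analyst called the number on record and reached the user
    manager_ticket: Optional[str] = None # out-of-band approval from the user's manager
    voice_match_score: float = 0.0       # phone-system biometric score: logged, never counted


def evaluate_reset(req: ResetRequest, now: Optional[int] = None) -> Tuple[bool, List[str]]:
    """Return (approved, factors_that_counted).

    Policy (hypothetical): at least two independent factors, one of which
    must be the hardware token. Voice is deliberately absent from the list."""
    now = int(time.time()) if now is None else now
    counted: List[str] = []
    if req.totp_code and verify_totp(req.user, req.totp_code, now):
        counted.append("hardware-token-totp")
    if req.callback_completed:
        counted.append("callback-to-number-on-record")
    if req.manager_ticket:
        counted.append("manager-approval:" + req.manager_ticket)
    approved = "hardware-token-totp" in counted and len(counted) >= 2
    return approved, counted


if __name__ == "__main__":
    # At t=59 the RFC 6238 test vector gives 94287082 (8 digits), so 287082 with 6.
    good = ResetRequest("jdoe", totp_code="287082", callback_completed=True, voice_match_score=0.12)
    cloned = ResetRequest("jdoe", callback_completed=True, voice_match_score=0.99)
    print(evaluate_reset(good, now=59))    # approved: token + callback
    print(evaluate_reset(cloned, now=59))  # refused: a perfect voice match is not a factor
```

The point of the structure is that a convincing clone changes nothing in `evaluate_reset`: the analyst can be fooled, but the decision is made on a token code the caller cannot produce without the device and on a callback the caller cannot intercept without also owning the registered phone. Tightening the window to 0, or requiring a fresh manager ticket for privileged accounts, is a one-line policy change rather than a retraining exercise.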
Studies that tell us what we already know
You'll never guess what the latest vendor-funded security research found! Threats are rising, budgets are too small, and organizations are underprepared! None of this is news. It's fear, uncertainty, and doubt dressed up as insight, designed to drive sales. PR teams pitch it, lazy journalists write it up, and the cycle continues. These reports rarely contain real intelligence. They just rearrange the same percentages year after year, like deck chairs on the Titanic. Even well-regarded reports largely confirm that the threat landscape isn't flipping upside down, just shifting in degree. If you want to make a budget case internally, skip the scare stats. Talk about operational risk in terms the business already cares about: what it costs per day when you can't ship product, fulfill orders, or keep systems running. That's the conversation that moves money.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Jay Dance, StubHub for providing our "What's Worse" scenario.
Thanks to our podcast sponsor, ThreatLocker

Join CISO Series Podcast live at ThreatLocker's Zero Trust World 2026, March 4-6th, 2026 in Orlando, FL. Use coupon code ZTWCISOSERIES26 to get $200 off your ticket.
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Best advice for a CISO…
“My best advice for a CISO is to never let a good crisis go to waste and to ensure that you're using any learning opportunities from those crises to improve your incident response and recovery procedures.” - Tammy Klotz, CISO, Trinseo
Listen to the full episode of “We Gave the CISO Risk and Liability, and Now They Want Authority. The Nerve.”
Cybersecurity's Broken Hiring Process
"I don't think that the issue is a talent shortage. I think our expectations are unrealistic." - Brett Conlon, CISO, American Century Investments
Listen to the full episode of “Cybersecurity's Broken Hiring Process”
CISO Series Newsletter - Twice every week
Cybersecurity Headlines Newsletter - Every weekday
Security You Should Know Newsletter - Weekly
Cybersecurity Headlines - Department of Know
Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series reporter Sarah Lane, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.
Monday’s episode featured Jon Collins, field CTO, GigaOm, and Adam Palmer, CISO, First Hawaiian Bank. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.
Join us again next week, and every Monday.
Thanks to our Cybersecurity Headlines sponsor, Conveyor
Super Cyber Friday
Join us Friday for “Hacking the Future of Log Data”
Join us on Friday, February 20, 2026, for Super Cyber Friday: “Hacking the Future of Log Data: An hour of critical thinking about why your traditional SIEM is telling only a fraction of the story.”
It all kicks off at 1 PM ET / 10 AM PT, when Rich Stroffolino will be joined by Tim Leehealey, VP of corporate strategy and operations, Strike48, and Nick Falzarano, director, information security, TE Connectivity, for an hour of insightful conversation and engaging games. And stick around for our always-popular meetup, hosted right inside the event platform.
Register for the Super Cyber Friday event series on Airmeet. Join us for just this episode, or choose to register for all of our upcoming episodes in this ongoing event series.
Thanks to our Super Cyber Friday sponsor, Strike48
Cybersecurity Headlines - Daily News Shorts
Subscribe to the CISO Series YouTube channel, for daily shorts videos from CISO Series reporter, Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.