We’ll Worry About Recovering From the Attack Once We Ace This Audit
CISO Series Podcast
How can we bridge the disconnect between compliance and building meaningful resilience? The business can understand compliance, so the focus is at least understandable. But how can CISOs better communicate that there's a much wider range of risks they need to account for?
This week’s episode is hosted by David Spark, producer of CISO Series, and Andy Ellis, principal of Duha. Joining us is Peter Clay, CISO, Aireon.
Listen to the full episode here.
Purple teaming evolution misses operational realities
The cybersecurity industry's push toward unified "purple teaming" reflects theoretical ideals that don't align with practical needs. Joe White's argument that "blue and red has outlived its function" advocates for a "whole of cyber defense mentality." He cites sophisticated adversaries who maintain long-term compromises. However, this overlooks the reality that the blue team also exists for real-time incident response, while red team activities must think more creatively and don't necessarily align with traditional SOC environments. Most organizations still face straightforward smash-and-grab attacks that benefit from traditional red team assessments. More significantly, artificial intelligence threatens to automate red team functions far more rapidly than the blue team can keep up with. That imbalance will leave the purple team far more red than blue.
Effective postmortems require systematic failure analysis
Learning from cybersecurity failures demands moving beyond simple "root cause" narratives to comprehensive systematic analysis. "Every failure is a rehearsal for success," as noted in a cybersecurity subreddit discussion. Don't let a crisis go to waste, right? That requires a very structured lessons-learned postmortem. Start by acknowledging failure without blame, then systematically dig into where the failure lies. You may see one failure point (e.g., somebody screwed up a configuration). But that's not the final picture. Dig down deeper. Why did that misconfiguration happen? What were the steps that led up to it? It's never so simple. Our environments can become a complex web of system failures, process gaps, and organizational issues that enable incidents. Organizations should treat incidents as having "proximate triggers" rather than root causes, recognizing that when someone with administrative permissions causes damage, the real failures lie in access control policies, training processes, and oversight mechanisms rather than individual human error.
Risk expertise requires business context over methodology
The concept of hiring "risk experts" often reflects vendor positioning rather than practical organizational needs. The recommendation from Richard Cromwell of RiskQuanTech to hire "deeply experienced risk experts" raises obvious questions. What the heck is that? Don't you want storytelling? That will help you make wiser risk decisions, won't it? "A deeply experienced risk expert" must first know the business to be a decision maker. There is no grand risk guru. You need to translate security concerns as they pertain to the business. There is no external framework that works for all businesses. Sure, start there, but then continually adapt.
Compliance and resilience serve different purposes
The disconnect between audit-focused compliance and operational cyber resilience reflects different orientations that rarely align. Levi Gundert of Recorded Future observed that "risk registers win audits, resilience wins crises." In order to keep the doors open, businesses spend enormous upfront effort on compliance, while managing operational disruption, financial fraud, brand impairment, and competitive-intelligence risks remains a second-tier concern. Compliance systems focus on past-proofing against known failure modes, similar to building codes addressing previously identified hazards rather than future threats. Effective security leadership should treat compliance as a product requirement that is handled quickly, demonstrating regulatory adherence. The real security conversation should center on business-specific threats and organizational resilience capabilities, recognizing that passing audits provides no meaningful indication of an organization's ability to survive actual attacks.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Jim Nitterauer, Graylog for contributing this week’s “What’s Worse?!” scenario.
Huge thanks to our sponsor, Safe Security
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Security You Should Know
Navigating Cloud Security with TrustOnCloud
Implementing new technologies for the business is already a daunting task. Cloud and SaaS have made some of the implementation easier, but they also make it easier to not fully comprehend the risks you’re taking on. All it can take is a company credit card. Organizations struggle with shadow IT, misconfigurations, and unauthorized access across multiple cloud environments, often lacking visibility into their actual cloud assets.
In this episode, Tyson Garrett, CTO of TrustOnCloud, explains how their platform provides constantly updated threat models for major cloud services, helping organizations implement controls based on their risk appetite. Joining him are Derek Fisher, director of the cyber defense and information assurance program at Temple University, and Davi Ottenheimer, vp, digital trust and ethics at Inrupt.
Listen to the episode and find the transcript here.
Huge thanks to our sponsor, TrustOnCloud
Subscribe to Security You Should Know
Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.
Biggest mistake I ever made in security…
“The day I decided that I was really going to test the limits and boundaries of the enterprise firewall. By the time I got done entering 23,000 rules into the enterprise firewall, it turned out that the enterprise firewall didn’t work anymore and had collapsed. So instead of blocking anything, it was basically doing nothing. Second only to the time that I turned an enterprise firewall completely around, so I was protecting the internet from us, but allowing everything from the internet in.” - Peter Clay, CISO, Aireon
Listen to the full episode of “We’ll Worry About Recovering From the Attack Once We Ace This Audit”
What Are the Cybersecurity Trends We Need To Follow?
"We are still very reactive in how we protect, but adversaries are getting faster at chaining attacks and finding cracks." - Sneha Parmar, former information security officer, Lufthansa Group Digital
Listen to the full episode of “What Are the Cybersecurity Trends We Need To Follow?”
Bearded Faces, Bald Heads, and Bold Cyber Insights
Every month, we host a cybersecurity-focused AMA (Ask Me Anything) on Reddit.
In June, ten security leaders—who all happened to be bald men with beards—joined us for a tongue-in-cheek themed AMA that sparked serious conversations. They shared candid insights on leadership, burnout, vendor lock-in, and how the CISO role is evolving in a changing threat landscape.
A BIG thanks to our AMA participants!
Todd Hughes, senior compliance analyst, Harbor IT
Josh Harguess, co-founder, CTO, Fire Mountain Labs
Jason Fruge, cybersecurity advisor, Risksilience LLC
Andrew Wilder, CISO, Vetcor
Rob Allen, chief product officer, ThreatLocker
Jerich Beason, CISO, WM
Michael Farnum, founder and president, HOU.SEC.CON.
Edwin Covert, vp of advisory services, Fenix24
Gary Hayslip, CISO, SoftBank Investment Advisers
Fredrick Lee, CISO, Reddit
We’ve pulled together their best takeaways in this article. Curious to join the conversation? Our next AMA kicks off Sunday, July 27. Stay tuned for details!
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Nick Espinosa, host, The Deep Dive Radio Show.
Thanks to our Cyber Security Headlines sponsor, Nudge Security
Super Cyber Fridays!
Join us Friday for “Hacking the Security Poverty Line”
Join us on Friday, July 25, 2025, for Super Cyber Friday: “Hacking the Security Poverty Line: An hour of critical thinking about minimum viable security.”
It all kicks off at 1 PM ET / 10 AM PT, when Rich Stroffolino will be joined by Samantha Jacques, vp, clinical engineering, McLaren Health Care, and Ross Young, CISO-in-residence, Team8, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup, hosted right inside the event platform.
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.