Why Architect for Human Error When We Can Make People Feel Really Bad About It?

CISO Series Podcast

We keep hearing that humans are the weak link in a security program. If that's the case, why do we put so much strain and reliance on our people? No one will claim that humans are perfect, yet we continue to design security systems as if they were.

This week’s episode is hosted by David Spark, producer of CISO Series, and Andy Ellis, principal of Duha. Joining them is Richard Rushing, CISO, Motorola Mobility.

Listen to the full episode here.

Mindset over tools

Who doesn't love a good listicle? Phil Venables, host of the Google Cloud podcast, crafted a useful "good CISO versus bad CISO" framework that captures key differences between the two. Good CISOs act like business executives who manage technology risk; bad CISOs act like IT managers who just manage security tools. Good CISOs have deep technical foundations but use them for empathy, not as weapons. Leadership versus management makes the real difference. As security increasingly takes a more prominent seat in the business, CISOs need this kind of framework to evaluate which practices need to evolve as they move out of technical roles.

When hygiene becomes risk

Security hygiene and vulnerabilities aren't the same thing, but both belong in vulnerability management programs. Low-probability, low-impact issues shouldn't receive the same treatment as critical scenarios. Think of them like litter on the street; you don't analyze each piece individually, you sweep it all up. The problem isn't any single piece of trash; it's having so much that something dangerous might be hiding in there. Street sweepers solve that, not forensic analysis of every wrapper. A vulnerability is a software defect, a class of hazards. The exploit path is that collection of hazards leading to business impact. Stop using high-severity language for hygiene problems and just clean everything up systematically.

Systems for actual humans

If one click destroys everything, the system failed, not the person. Humans click links, that's what links are for. Calling it human error misses the point, argues Joshua Copeland of Crescendo. DocuSign arrives constantly, so DocuSign phishing shows up too. That's a mail server failure, not a user problem. Zero trust means validating everything continuously, not expecting passwords to keep people safe. The device and the person together form identity, making phishing irrelevant because there's nothing to steal from a click. Authentication needs a hard look at session lengths, cookie lifetimes, and machine identification alongside user identity. If bad stuff reaches users, that's a tool configuration problem, not a training gap.
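The "device and person together form identity" point above is easy to state and easy to get wrong in a session store. The following is an added example, not code from the episode or its guests: a session validator that binds the cookie to an enrolled device identifier (assumed here to come from a client certificate or device attestation) and enforces both an absolute cookie lifetime and an idle timeout, so a cookie value lifted by a click cannot be replayed from an unenrolled machine or kept alive indefinitely.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy values are constructed for this example, not numbers from the episode.
ABSOLUTE_LIFETIME = timedelta(hours=8)   # cookie dies here regardless of activity
IDLE_TIMEOUT = timedelta(minutes=30)     # cookie dies after this much inactivity


@dataclass
class Session:
    user_id: str
    device_id: str      # assumed: enrolled-device id from a client cert / attestation
    issued_at: datetime
    last_seen: datetime


def validate(session: Session, presented_device_id: str, now: datetime) -> tuple[bool, str]:
    """Decide whether a request carrying this session cookie should be honoured.

    Person + device form the identity, so a valid cookie value presented from
    a machine other than the one it was issued to is refused outright.
    """
    if presented_device_id != session.device_id:
        return False, "device mismatch: cookie presented from an unenrolled machine"
    if now - session.issued_at > ABSOLUTE_LIFETIME:
        return False, "absolute lifetime exceeded: re-authenticate"
    if now - session.last_seen > IDLE_TIMEOUT:
        return False, "idle timeout exceeded: re-authenticate"
    session.last_seen = now  # sliding idle window; the absolute window never slides
    return True, "ok"


def demo() -> dict[str, bool]:
    """Walk one constructed cookie through the failure modes the paragraph names."""
    t0 = datetime(2025, 12, 1, 9, 0, tzinfo=timezone.utc)
    results: dict[str, bool] = {}
    s = Session("alice", "laptop-7f3a", t0, t0)            # constructed enrolled laptop
    results["same device"] = validate(s, "laptop-7f3a", t0 + timedelta(minutes=5))[0]
    # Same cookie value, presented from a machine that was never enrolled.
    results["replayed from other device"] = validate(s, "unknown-box", t0 + timedelta(minutes=6))[0]
    # Activity stops after minute 5; cookie shows up again after the idle window.
    results["after idle timeout"] = validate(s, "laptop-7f3a", t0 + timedelta(minutes=40))[0]
    # Continuous activity cannot stretch a cookie past its absolute lifetime.
    s2 = Session("alice", "laptop-7f3a", t0, t0 + timedelta(hours=7, minutes=50))
    results["past absolute lifetime"] = validate(s2, "laptop-7f3a", t0 + timedelta(hours=8, minutes=1))[0]
    return results
```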

Conversations over compliance

People don't change from PowerPoint pressure. They change through conversations, peer influence, and accountability from someone they respect, as pointed out by Maman Ibrahim of EugeneZonda. Annual training doesn't work, except to put people to sleep. Security teams aren't psychologists, so identify the right individuals in the organization and ask for help. Your organization has supply chain experts, factory operations folks, and whoever knows the domain you're securing. Projects don't need to be purely security initiatives. Multiply impact through others. Build relationships so people come to you when problems emerge.

Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now. 

Thanks to Erik Bloch of Illumio for providing our "What's Worse" scenario.

Thanks to our security tip sponsor, Anvilogic.

Huge thanks to our sponsor, ThreatLocker

Subscribe
Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Why Architect for Human Error When We Can Make People Feel Really Bad About It?

“Thinking that malware and ransomware works the same way today as it is going to work tomorrow, and the controls that work today are going to be effective as tomorrow's controls as well. So, the mistake I made was assuming that this system was totally compromised, shut it down, get rid of it, and that was the only infection. In fact, we had file systems that were in the process of being ransomwared up due to their connectivity to their original machine.” - Richard Rushing, CISO, Motorola Mobility

Listen to the full episode of “Why Architect for Human Error When We Can Make People Feel Really Bad About It?”

In the Age of Identity, is Network Security Dead?

"It's not going away. It's really changing. We're talking about connectivity, and connectivity is so dependent on identity management now." - Davi Ottenheimer, vp, trust and digital ethics, Inrupt

Listen to the full episode of “In the Age of Identity, is Network Security Dead?”

Subscribe to our newsletters on LinkedIn!

CISO Series Newsletter - Twice every week

LIVE!
Cyber Security Headlines - Department of Know

Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.

Monday’s episode featured Keith Townsend, chief technology advisor, The Futurum Group, and Howard Holton, CEO, GigaOm. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.

Join us again next week, and every Monday.

Thanks to our Cyber Security Headlines sponsor, KnowBe4

Super Cyber Fridays!
Join us again on December 5 for “Hacking AI Data Readiness”

Join us on Friday, December 5, 2025, for Super Cyber Friday: “Hacking AI Data Readiness: An hour of critical thinking about what you have to do before you turn on your shiny new tool.”

It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Matt Goodrich, director of information security, Alteryx, and Doug Mayer, vp, CISO, WCG, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup, hosted right inside the event platform.

Thanks to our Super Cyber Friday sponsor, Alteryx

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.