Why Learn Security Fundamentals When We Could Just Chase Our Tails?
CISO Series Podcast
Don't aim for perfect security, don't trust systems, don't trust people, and don't rely on a single line of defense. Those might sound like "modern" cybersecurity principles, but they date back to a 1995 talk by cryptography pioneer Adi Shamir. The landscape is changing, but the fundamentals have been around for decades. Why are we still struggling to understand that?
This week’s episode is hosted by David Spark, producer of CISO Series, and Jesse Whaley, CISO, Amtrak. Joining them is Vaughn Hazen, CISO, CN.
Listen to the full episode here.
The classics endure
Despite new threats and technologies, cybersecurity's core principles have remained unchanged over the decades. Foundational guidance like the 1995 "10 Commandments of Commercial Cybersecurity" and Microsoft’s “10 Immutable Laws of Security” still holds up today, emphasizing defense in depth, distrust by default, and the need for layered controls, as Ross Haleliuk pointed out on Venture in Security. Practices like patching, strong authentication, limiting attack surfaces, and understanding asset exposure remain essential, regardless of whether the threat is malware or a modern AI model. What’s often perceived as “new” in cybersecurity, such as zero trust, is frequently a relabeling of time-tested concepts. The underlying objective remains the same: reduce risk by assuming that systems, people, and any single point of defense are inherently unreliable.
The rules of the rail
The TSA’s evolving cybersecurity directives for the rail industry—now moving toward formal regulation—have sparked concern among operators for being inconsistently applied, operationally burdensome, and lacking in collaborative execution. While intended to enhance security across critical infrastructure, issues have emerged around misaligned expectations, vague definitions of critical systems, and rigid requirements that don’t reflect operational realities. For example, the mandated 24/7 cybersecurity coordinator must be a U.S. citizen, challenging cross-border rail operators with Canadian teams. Frustrations are apparent with one-size-fits-all vulnerability assessments and a lack of transparency into how incident reporting benefits the broader industry. Though the directives initially aimed for outcome-based security, many feel they create tension between compliance demands and practical cybersecurity outcomes.
"Prove It. With data."
While AI is widely promoted as transformative for cybersecurity, practitioners say the impact remains modest and hard to quantify. The measurable results of AI often amount to only single-digit percentage gains. Christofer Hoff, CSO and CTO at LastPass, challenged vendors to back up revolutionary claims with data. On the defensive side, generative AI hasn’t yet delivered significant breakthroughs, though it shows promise in streamlining tasks like querying security data or generating executive-level summaries. Threat actors, however, are already using AI to craft more convincing phishing and social engineering campaigns, eliminating many of the traditional red flags. Existing AI applications, like machine learning in anti-malware, have proven effective. The real test for newer tools is whether they improve team efficiency without demanding all-in-one tech ecosystems that few organizations actually use.
It's all just software
Security tools are often treated as inherently trustworthy, yet they carry the same risks as any other software, sometimes more, given their elevated privileges and critical access. Many of the most commonly exploited vulnerabilities originate in security products, yet these incidents rarely impact a vendor’s reputation or market share, noted Chris Hughes of Aquia. Mature organizations now recognize that every tool added to the environment expands the attack surface. Thus, security tools must be evaluated, maintained, and monitored like any other part of the software supply chain. Purchasing decisions are increasingly shaped by how vendors handle breaches—transparent, proactive communication and rapid remediation are strong indicators of trustworthiness. At the same time, denial, silence, or hostility toward researchers are major red flags. Effective security teams now scrutinize vendor history, require accountability, and integrate security tools into regular risk reviews, rather than assuming they are inherently safe.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Edward Frye of Luminary Cloud for submitting this episode's "What's Worse" scenario.
Huge thanks to our sponsor, Doppel
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Security You Should Know
Navigating Unauthorized Site Access with ThreatLocker
Unauthorized site access remains a significant security concern for organizations. But why does this issue persist, and how can it be effectively addressed?
In this episode, Rob Allen, chief product officer at ThreatLocker, discusses the core functionality of ThreatLocker’s Web Control solution: blocking access to unauthorized sites without meddling with DNS servers—a common pitfall among other tools. Rob explains that the simplicity of defining where employees can and cannot access is pivotal. This approach not only helps keep users away from malicious sites but also steers them clear of non-productive ones, thereby enhancing resource allocation. Rob is joined by our panelists, TC Niedzialkowski, Head of IT & Security at Opendoor, and Sasha Pereira, CISO, WASH.
Listen to the full episode here.
Thanks to our podcast sponsor, ThreatLocker
Subscribe to Security You Should Know
Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.
What Would Happen If Your CISO Wasn’t Around During a Cyberattack?
What would happen if you were away from your company and out of touch for a day or more, exactly when a crisis happens? How well could your company cope without you?
This is the topic of a new article we released just this morning - a short read, but packed with valuable insights from three of our CISO colleagues.
Click the link and read the article, “What Would Happen If Your CISO Wasn’t Around During a Cyberattack?”
Thanks to our sponsor, Palo Alto Networks
Biggest mistake I ever made in security…
“The biggest mistake that I ever made was believing that all tools are the same. About 20 years ago I was working with Qualys vulnerability scanners, and our MSSP partner said, ‘Hey, we just penned a commercial deal with this new partner, it’s going to save you a ton of money.’ So we went ahead and took advantage of it.
That organization, which is no longer in business, had this unique aspect where they would scan adjacent IP addresses, and we had specifically blocked out certain IP addresses not to scan because at that time the voice applications were transitioning from serial to TCP/IP, and they were running on TCP/IP, but they really were not ready for prime time.
So if we scanned them, it created problems. Well, when this thing was scanning adjacent IP addresses, it shut down our call centers. So, yeah, that was probably the biggest mistake I’ve made.” - Vaughn Hazen, CISO, CN
Listen to the full episode of “Why Learn Security Fundamentals When We Could Just Chase Our Tails?”
The CISO's Job Is Impossible
"If you are a CISO and you feel like you’re the one who’s making all those decisions without input from others, then you’re actually doing it wrong." - Joey Rachid, CISO, Xerox
Listen to the full episode of “The CISO's Job Is Impossible”
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Reddit AMA on r/cybersecurity
Our monthly AMA on r/cybersecurity on Reddit is underway.
Our topic is “I’m a Chief Information Security Officer (CISO). I also happen to be a woman. Ask me anything.”
Join the conversation here. The discussion is going on all week.
Our participants are:
Krista Arndt, Associate CISO, St. Luke's University Health Network
Renee Guttmann, Founder & Principal, CISOHive
Mandy Huth, SVP, CISO, Ultra Clean Technology
Bethany De Lude, CISO emeritus, The Carlyle Group
Patty Ryan, Sr. Director & CISO, QuidelOrtho
Hadas Cassorla, Principal Consultant, SideChannel
Janet Heins, CISO, ChenMed
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be George Finney, CISO, The University of Texas System.
Thanks to our Cyber Security Headlines sponsor, Conveyor
Super Cyber Fridays!
Join us Friday, 05-30-25, for "Hacking Provable Security"
Join us Friday, May 30, 2025, for “Hacking Provable Security: An hour of critical thinking on how to go beyond security ratings and questionnaires.”
It all begins at 1 PM ET/10 AM PT on Friday, May 30, 2025, with guests Sravish Sridhar, founder and CEO, TrustCloud, and Tony Spinelli, former CISO, Capital One. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT), we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, TrustCloud
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.