With AI, Don’t Think Like a Hacker, Think Like the Whole of Society
CISO Series Podcast
Most of our tools are getting an AI upgrade whether we like it or not. "Going AI" is seen as a means to stay competitive. The increased productivity also requires increased scrutiny. Traditional security penetration testing efforts suddenly look very different when dealing with an LLM.
This week’s episode is hosted by David Spark, producer of CISO Series and Andy Ellis, partner, YL Ventures. Joining us is our sponsored guest Nathan Hunstad, director, security at Vanta.
Thinking like AI
Red teaming generative AI systems requires a broader perspective than traditional cybersecurity testing. Since nearly anyone can misuse GenAI tools, red teaming must account not just for threat actors but also for everyday users who may unintentionally trigger system weaknesses, argues a report from Data and Society. That scope makes it tempting to treat AI as something radically new. But don't get trapped into believing AI is some existential threat. It's just another type of software application—subject to familiar application vulnerabilities and security principles. Start by identifying unacceptable failure modes—such as generating harmful or offensive content—and work backward to test for those risks.
Building off a solid foundation
Is SOC 2 compliance more theater than substance? A thread digging into that idea recently blew up on the cybersecurity subreddit. While the SOC 2 certification may seem excessive for small startups, many customers demand it before doing business. Companies should only pursue formal certifications once asked. But they should still build strong foundational security practices early on. Good hygiene—like MFA, access controls, and monitoring—is essential regardless of whether or not a compliance report is in hand.
Start with ownership
Vulnerability management runs into trouble when it can't prioritize effectively. Security teams often inherit the burden of patching when, in reality, maintaining software should be a core engineering duty, not a security function. Can you bypass the need for patch management altogether? Could it be replaced with a philosophy of regularly updating your systems? Would that be a better way to approach vulnerabilities? Some argue that knowing what's risky isn't what's holding up your security program. The real bottleneck is the lack of automation and a robust asset management program.
Following the leader
When security leaders enforce strict policies but break them themselves, the leadership hypocrisy can cause real damage. Such behavior undermines team morale and credibility, as evident from a discussion on the cybersecurity subreddit. Security leaders should be the first to adopt new policies and tools, acting as a pilot group to vet feasibility. Minor violations can sometimes be strategic when pushing back on impractical policies. But if leaders won’t eat the "security" dog food, they can't expect anyone else to.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Aaron Stanley of dbt Labs for contributing this week’s “What’s Worse?!” scenario.
Huge thanks to our sponsors, Vanta
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Security You Should Know
Getting Visibility into SaaS with Nudge Security
SaaS visibility remains a mixed bag. Within company-sanctioned tools, we have visibility. But when it comes to visibility across tools, we struggle. And don’t forget all of the SaaS apps your employees use that you don’t know about. How do you start to address that SaaS visibility gap?
In this episode, Russell Spitler, co-founder and CEO of Nudge Security, discusses how using email as the foundation for SaaS visibility makes the whole situation much easier to manage. Russell is joined by our panelists, Steve Zalewski, co-host of Defense in Depth, and Nick Espinosa, host of the nationally syndicated Deep Dive Radio Show.
Listen to the full episode here.
BIG thanks to our sponsor, Nudge Security.
What’s a great approach from a security vendor?
"So, I love it when a security vendor will just shut up, ask me what problems I’m having, and then honestly tell me whether they can help me with those problems or say, “Nope, we can’t help you, you are better looking elsewhere,” because it’s so rare." - Nathan Hunstad, Director, Security at Vanta.
Listen to the full episode of "With AI, Don’t Think Like a Hacker, Think Like the Whole of Society"
Can AI improve Third-Party Risk Management (TPRM)?
"I really appreciate these comments because, I mean, I think it sounds like everyone agrees we have to move beyond the checkbox. I think that’s what we all want. Getting the historical data sometimes is tricky." - Nick Muy, CISO, Scrut Automation
Listen to the full episode of "Can AI improve Third-Party Risk Management (TPRM)?"
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
ANNOUNCEMENT: CISO Series Podcast LIVE in San Francisco 4-27-25
The CISO Series Podcast returns once again to the Bay Area on the eve of RSA Conference as part of the entertainment at BSidesSF! Joining me on stage will be Andy Ellis, partner, YL Ventures, and Alexandra Landegger, global head of cyber strategy & transformation, RTX.
Tickets for BSidesSF are available here.
WHERE: City View at Metreon and AMC Metreon 16, 135 Fourth Street, San Francisco, California, 94103
Huge thanks to our sponsors, Nudge Security, SecurityScorecard, and Vanta
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Carla Sweeney, SVP, InfoSec, Red Ventures.
Thanks to our Cyber Security Headlines sponsor, Nudge Security.
Super Cyber Fridays!
Managing the New Normal of Social Engineering Attacks
How do you stay ahead of social engineering when Gen AI allows for an almost infinite number of attacks?
While the number of attacks may reach a new scale, their ultimate goal remains unchanged. I spoke with Michael Scott, CMO at Trustmi, about how knowing that these attacks are all ultimately based around getting your money gives you a way to build effective defense in depth. By focusing on the financial motivations of threat actors, organizations can better prioritize their defenses against an increasing barrage of sophisticated attacks.
Join us on April 11, 2025, for "Hacking Social Engineering" at 1pm ET/10am PT on Super Cyber Friday. Joining Rich and Michael is Phil Beyer, head of security at Flex.
Thanks to our Super Cyber Friday sponsor, TrustMi
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.