You Can't Fall Behind in AI if You Never Start

CISO Series Podcast
You Can't Fall Behind in AI if You Never Start

No organization wants to fall behind on using AI. But securing it remains a challenge. The tools are so new that everyone seems to be starting from square one. How do you staff up AI expertise when so few currently have it?

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is John Barrow, CISO, JB Poindexter & Co.

Listen to the full episode here.

Building unicorns, not hunting them

The AI talent shortage seems intractable for cybersecurity. Organizations need to find someone who understands both security architecture and AI engineering well enough to threat model risks that nobody fully comprehends yet, as pointed out by Chris Matthews of Prezzee. Right now, security professionals struggle with systems they can't firewall or patch, while AI engineers treat security as an afterthought. The solution isn't chasing mythical external hires who are probably being courted by three other companies. Instead, invest in your own teams and look for eagerness and potential. Provide the funding and room for them to learn on their own. They'll become the unicorns you want, coupled with your company's unique business context.

Cold War frameworks for modern threats

The CIA (Confidentiality, Integrity, and Availability) triad has been the foundation of cybersecurity since the 1970s. It's tried, true, and widely respected. But Loris Gutic of CSO Online dared to argue it has become a rigid relic that forces security teams to retrofit modern concepts into outdated structures. The framework lacks vocabulary for the staples of modern cybersecurity: it doesn't speak to authenticity, accountability, resilience, or engineering for failure. But the triad survives precisely because of its prescriptive simplicity. The breadth that critics call a weakness actually gives security leaders the flexibility to frame modern challenges in business terms. It remains a consistent communication tool even if it's no longer driving day-to-day security decisions.

Trading dollars for stories

GRC needs to move beyond compliance checkboxes and into boardroom conversations about protecting revenue. This requires partnership with vendors. Jimmy Arbelaez of Methodist Le Bonheur Healthcare shows how this works. He partnered with AI startups to slash his budget while actually improving his program. These founders value early-adopter credibility more than immediate cash. Startups desperate for blue-chip customers and real-world testing will offer steep discounts in exchange for what established security leaders can provide: experience and exposure. Security teams get cutting-edge capabilities at reduced cost. Startups get validation they can't buy anywhere else.

Mirror, mirror on the wall

Most security failures blamed on human behavior reflect bad design rather than intent. Joshua Copeland of Crescendo argues that consistent "bad behavior" actually provides honest feedback about where friction lives in your systems. Security leaders who lean into design thinking build programs that accommodate inevitable human mistakes without catastrophic consequences. The approach requires recognizing that employees represent the majority of the company's investment. Their productivity matters. So security must minimize operational impact and design explainable controls that people can actually follow. Otherwise, workarounds are inevitable.

Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Dustin Sachs of the CyberRisk Collaborative for providing our "What's Worse" scenario.

Thanks to our security tip sponsor, Tenable.

Thanks to our podcast sponsor, Vanta


Subscribe
Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Security You Should Know
Verifying Identity with Incode Technologies


Traditional identity systems weren't built to handle AI-powered fraud. Criminals have become the most successful adopters of digital transformation, deploying deepfakes, voice cloning, and synthetic identities faster than enterprises can respond. The problem isn't just detecting fake credentials. It's that identity and access management platforms authenticate devices and credentials without confirming who's actually behind them.

Fake candidates with stolen or AI-generated IDs sail through interviews because their profiles, videos, and voices appear legitimate. After onboarding, attackers can impersonate employees using cloned voices or deepfake calls to get MFA reset at the help desk. Identity has become the new attack surface, and the systems companies rely on still trust the human layer far too easily.

In this episode, Fernanda Sottil, senior director of strategy at Incode Technologies, explains how their solution adds a real-world identity layer that integrates seamlessly with existing IAM systems. Joining her are Nick Espinosa, host of the Deep Dive radio show, and Bozidar Spirovski, CISO at Blue dot.

Listen to the full episode here.

Thanks to our podcast sponsor, Incode Technologies

Subscribe
Subscribe to Security You Should Know

Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.

You Can't Fall Behind in AI if You Never Start

“Security vendors, they need to play the long game. Most CISOs have a very fine-tuned filter when it comes to transactional conversations. And so, CISOs are going to buy from people that they trust and they like.” - John Barrow, CISO, JB Poindexter & Co

Listen to the full episode of “You Can't Fall Behind in AI if You Never Start”

Subscribe to our newsletters on LinkedIn!

CISO Series Newsletter - Twice every week

LIVE!
Cyber Security Headlines - Department of Know


Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.

Monday’s episode featured Mathew Biby, director of cybersecurity, TixTrack, and Derek Fisher, director of the cyber defense and information assurance program, Temple University. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.

Join us again next week, and every Monday.

Thanks to our Cyber Security Headlines sponsor, Vanta


Super Cyber Fridays!
Join us Friday for “Hacking AI Data Readiness”

Join us on Friday, December 5, 2025, for Super Cyber Friday: “Hacking AI Data Readiness: An hour of critical thinking about what you have to do before you turn on your shiny new tool.”

It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Matt Goodrich, director of information security, Alteryx, and Doug Mayer, VP, CISO, WCG, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup, hosted right inside the event platform.

Thanks to our Super Cyber Friday sponsor, Alteryx


Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.