Cleaning Up Cybersecurity Messes

Five security leaders on forensics, fallout, and what matters most when things go sideways

“I’m a security professional who had to clean up a mess. Ask me anything.”

That was the prompt for September’s AMA on r/cybersecurity, and five seasoned pros showed up to unpack everything from zero-day triage to philosophical team conflicts, visibility gaps, and explaining ROI to execs who’ve never been breached.

This AMA featured Dan Holden, Steve Zalewski, Nick Espinosa, Bil Harmer, and Montez Fitzpatrick.

Here are some of the best lessons they shared about what happens after “the worst day” begins.


You can’t automate your way out of accountability

What’s the best way to pitch automation in security workflows—without spooking your staff? Dan Holden put it bluntly:

“Efficiency is key to scale or speed. Anyone in an engineering or software field should understand this. Speed, affordability, quality, pick 2 as they say. Automation is how you gain all 3. It’s all an assembly line. Treat it like one.”

But as Steve Zalewski pointed out, implementation often fails because it focuses solely on efficiency:

“If the people and process are not aligned with simply increasing efficiency, then pushing the org will result in perceived friction and can backfire on you… But if you look at the effectiveness of the role in accomplishing a key business metric… you open a door to a more productive dialogue.”

Lesson: Security teams need to frame automation around effectiveness, not just speed—and communicate how it helps the business.


Measuring ROI in a world where success means “nothing happened”

Multiple users asked how CISOs demonstrate return on security investment when the value is often invisible. Nick Espinosa made the connection to risk modeling:

“To really understand ROI, financial risk modeling that dovetails with cyber risk modeling is beyond important in my opinion… [It helps ensure] the vision of the CEO comes to fruition without harm of some kind.”

Dan Holden added that controls must reduce risk in measurable ways:

“It’s about ensuring controls are doing what they were intended to do and are operating at a level that reduces your annualized loss expectancy.”

The shared takeaway: translate “no incident” into avoided costs, and use language your CFO recognizes.
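The arithmetic behind "avoided costs" is the annualized loss expectancy (ALE) Dan mentions, and the return-on-security-investment (ROSI) figure built on it. The following is an added worked example, not code from the AMA or any of the panelists; the scenario, control names, costs and reduction percentages are constructed placeholders, and the multiplicative way reductions are combined is an assumption of this example rather than anything the panel stated. It ranks candidate controls by how much annual loss they avoid per dollar spent, which is the comparison a CFO recognizes.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """A loss scenario in the terms finance already uses."""
    name: str
    sle: float  # single loss expectancy: dollars lost per occurrence
    aro: float  # annualized rate of occurrence: expected events per year


@dataclass(frozen=True)
class Control:
    """A candidate control and the effect it is expected to have (assumed values)."""
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction by which it cuts how often the event happens
    sle_reduction: float = 0.0  # fraction by which it cuts the damage when it does


def ale(scenario: Scenario) -> float:
    """Annualized loss expectancy: SLE x ARO."""
    return scenario.sle * scenario.aro


def apply_controls(scenario: Scenario, controls) -> Scenario:
    """Residual scenario after the controls; reductions compound multiplicatively (assumption)."""
    sle, aro = scenario.sle, scenario.aro
    for control in controls:
        sle *= 1.0 - control.sle_reduction
        aro *= 1.0 - control.aro_reduction
    return replace(scenario, sle=sle, aro=aro)


def avoided_loss(scenario: Scenario, controls) -> float:
    """Dollars of expected annual loss the controls remove: ALE before minus ALE after."""
    return ale(scenario) - ale(apply_controls(scenario, controls))


def rosi(scenario: Scenario, controls) -> float:
    """Return on security investment: (avoided loss - cost) / cost. Negative means the spend outweighs the benefit."""
    cost = sum(control.annual_cost for control in controls)
    if cost <= 0:
        raise ValueError("controls must have a positive annual cost")
    return (avoided_loss(scenario, controls) - cost) / cost


def rank_controls(scenario: Scenario, controls):
    """Score each control on its own and return (name, ROSI) pairs, best first."""
    scored = [(control.name, rosi(scenario, [control])) for control in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample data: one ransomware scenario and three candidate controls.
RANSOMWARE = Scenario("ransomware on file servers", sle=500_000.0, aro=0.2)
EDR = Control("endpoint detection and response", annual_cost=40_000.0, aro_reduction=0.6)
BACKUPS = Control("immutable offline backups", annual_cost=15_000.0, sle_reduction=0.7)
PLATFORM = Control("new detection platform", annual_cost=90_000.0, aro_reduction=0.5)
CONTROLS = [EDR, BACKUPS, PLATFORM]


if __name__ == "__main__":
    print(f"Scenario: {RANSOMWARE.name}, current ALE ${ale(RANSOMWARE):,.0f}/year")
    for name, score in rank_controls(RANSOMWARE, CONTROLS):
        print(f"  {name:32s} ROSI {score:+.2f}")
    print(f"EDR + backups together: ROSI {rosi(RANSOMWARE, [EDR, BACKUPS]):+.2f}")
```

With these constructed numbers the cheap backup control wins on ROSI, the expensive platform is a net loss, and the combination of the two cheaper controls still pays back; the point of the exercise is that "nothing happened" becomes a dollar figure of avoided loss that can be set against the control's cost.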


Forensics first, panic never

When a Redditor asked how to respond to a zero-day exploit and identify what was taken, Nick offered a detailed blueprint grounded in the “Identify, Contain, Eradicate, Recover” framework. Among the many steps:

“From the attacker side of the attack surface… what is the attacker looking for? What is the objective? This helps with predicting whether the breach is software or failure of 1ZC, etc. and then air blocking ICS and traffic via ACLs, DNS sinkholing, killing any discovered C2 traffic…”

On cleanup priorities, he didn’t mince words:

“In my opinion, and my esteemed colleagues may disagree, I think it’s ALWAYS harder to clean up a human mess.”

Steve echoed this human-first mentality and added a reminder about prioritization:

“Before mitigating the breach, try to determine the attack vector… this becomes your containment priority. Then you move to data protection strategies.”


Team alignment: mentor or move on?

Some of the AMA’s most upvoted questions focused on team dynamics—specifically, what to do when team members resist change or don’t share your security philosophy.

Bil Harmer shared a pragmatic and human approach:

“Decide how valuable the person is to the company and the mission, that will help you determine how much time to put into bringing them around.”

Steve noted that this tension often stems from perceived threats to job security:

“So much of our daily job is repetitive process and procedures… For many folks, this is seen as threatening to their job security, so they push back… This can often get to the root cause of their reticence.”

His advice? Empathy first, but have a threshold. Eventually, you may need to “bite the bullet and involve HR.”


What really matters in vendor selection

Asked whether to prioritize “best of breed” tools or consolidated vendor platforms, the panel offered a nuanced take. Bil noted:

“Best of breed will require differing skill sets… but UX/UI is generally consistent and the ‘tools all work together’… That then leads to a hybrid world where you use the platform for the majority and best of breed for specific tasks.”

Montez Fitzpatrick preferred a strategic hybrid:

“I like consolidated as much as possible for integration’s sake, then sprinkle on top some of those stalwarts that are just at the top of the game.”

Steve, in true Steve fashion, brought in a metaphor:

“If I were to ask you ‘how often do you clean out your closet to sell the clothes that are out of fashion and throw away the worn out clothes to do more with less clothes?’, what would you do?”


Measurement and maturity: what’s changed?

Dan, Nick, and Steve all weighed in on how to make security measurement matter. Dan pointed to attacker sophistication metrics and loss expectancy, while Nick emphasized risk quantification over control audits.

Steve cut to the heart of the matter:

“This has been successful in the past, but corporate boards are now demanding that security show a business use, since they cannot just keep pouring money into security as a continuous improvement exercise.”

Translation: It’s no longer enough to say “we’re better than last year.” You have to say, “we’re protecting this business outcome.”


Final takeaways

Security messes don’t just require logs and firewalls—they require leaders who can prioritize, communicate, and clean up with clarity. This month’s AMA reminded us that the real test isn’t just stopping the breach. It’s how you steer the company through the fog of fallout.

The advice from our panel? Connect your work to the business. Be able to explain what you’re doing and why. And when in doubt, don’t forget that sometimes, the hardest things to remediate… are people.

Join us for our next Reddit AMA starting Sunday, October 26, “I’m a CISO who worked on many mergers and acquisitions (MNA). Ask me Anything.”