It’s Not That We Don’t Value Your Experience, We Just Don’t Want to Pay for It

The market for a slightly used CISO has never been harder. On the one hand, more CISOs seem to be leaving the profession due to a mismatch of responsibility and authority. At the same time, organizations seem quick to prefer first-time CISOs rather than paying for dearly earned experience. Is this market dynamic ever going to turn around?

This week’s episode is hosted by David Spark, producer of CISO Series, and Andy Ellis, principal of Duha. Joining them is Megan Samford, VP of Product and Supply Chain Security, Schneider Electric.

Join the conversation on LinkedIn.

Huge thanks to our sponsor, Native

Native makes secure-by-design inherent to how the cloud operates. It’s the control plane for built-in cloud security, unifying and governing native controls, so security intent is defined once and applied consistently across providers.

Full Transcript

Intro 

0:00.000 

[Voiceover] Best advice for a CISO, go! 

[Megan Samford] Get a third-party independent report. If you’re coming into a company, new to a program, new to a role, you want to make a big splash in the first six months, get a third-party report to baseline where your program’s at, and that’s something that you can immediately hand off and present to your board, and that’s going to add a lot of credibility to whatever strategy you’re trying to form. 

[Voiceover] It’s time to begin the CISO Series Podcast. 

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of said CISO Series. And joining me as my cohost for this very episode, it’s one of your favorites. You tell me it’s one of your favorites. It’s Andy Ellis, principal for Duha.

Andy, say hello to the audience. 

[Andy Ellis] [Foreign language 00:00:54]. That would be Slovak in honor of we are recording during the Olympics and tomorrow, the US team will be playing Slovakia in hockey. 

[David Spark] Well, by the time everyone hears this, it’ll be months past.

[Andy Ellis] I know. 

[David Spark] And we will know who won that. [Laughter] 

[Andy Ellis] But my mother-in-law was born in, at the time was Czechoslovakia, but on the Slovak side. So, we’re going to be doing a watch party together with them, I think, tomorrow or three months ago, depending on how you think about it. 

[David Spark] Audience, we are available also at CISOseries.com, where you can find all of our other wonderful programming. So you should spend, I would say, one to two hours. That’s what most…

[Andy Ellis] A day.

[David Spark] …professional doctors order, one to two hours of CISOseries a day. I would strongly recommend it. Our sponsor for today’s episode is Native Security. Unify, manage, and maximize built-in cloud security controls and achieve secure-by-design consistency across cloud environments.

That is Native Security, and we’re going to talk more about that later in the show. But first, Andy, I want to talk about actually a quote that I saw, that I posted, that there was a certain phrase in this quote that both hit us. And this comes from Igor Tomičić who is an associate professor at the Faculty of Organization and Informatics, and he said, “CISO Series is my go-to choice during my solo car trips.

You and Andy have a certain addictive chemistry and above-average mindsets and themes that are engaging, educative, and enjoyable for me. This is basically the only podcast I am listening to.” So the phrase “above-average mindsets.” 

[Andy Ellis] I loved it. I loved it. That was fantastic. 

[David Spark] I don’t think I’ve ever heard that phrase before at all. And you definitely doubled down. Why? What is it? First of all, I’m a big fan of compliments in general, as I’ve said.

[Andy Ellis] Yep.

[David Spark] I’m the Floyd Mayweather of compliments. You can hit me with them constantly and I can take every single one of them. So, what did you like about that “above-average mindsets”? 

[Andy Ellis] First of all, I like it because it’s an unusual phrasing, so it stands out. Like if you just said, “You both are brilliant.” Everybody says stuff like that, and you sort of take it with a grain of salt. I mean, he’d be lying too, but you know.

[David Spark] Well, [Laughter] I’m not brilliant. Let me also qualify anybody who says that of me. That is far from me. 

[Andy Ellis] Yeah, and it’s possible someone might look at this and assume negative intent and be like, “Oh,” like damning with faint praise. I don’t think that’s the case. I’m never going to go there. I liked it because it’s like, huh, it made me think.

And I’m like, hmm. If you think about the average mindset, I think people are so used to thinking about it like bell curves. Like, well, average is 50%, but sometimes actually average is this whole range in the middle. It’s like 60% of the people are average.

[David Spark] To each standard deviation. 

[Andy Ellis] Right. And so above average, I’ll totally take that because it’s about your mindset. I don’t need somebody to say like, “You have the most amazing mindset out there,” because I don’t think I do. It just hit me because I had to stop and think about it.

Like, I like this compliment. Plus, if he’s on a solo car ride and listening to the two of us, that’s amazing. 

[David Spark] It’s great. It cracked me up too because also, if you say someone’s above average, it’s a mild compliment in general too. 

[Andy Ellis] It is. 

[David Spark] It’s a mild compliment. Oh, he’s above average. 

[Andy Ellis] And look, he’s going to put it on LinkedIn and let lots of people see it. I’m totally good with that. 

[David Spark] All right. We, by the way, only invite above-average guests. Did you know that? That’s our policy. We don’t invite average guests or subpar guests. 

[Andy Ellis] Subpar guests, yeah, no, definitely not.

[David Spark] No, no, we don’t do that. We only invite above average. And in fact, guess what? I have another above-average guest. It’ll be up to our audience to decide how far above average our guest is today. Not too much pressure on our guest right now.

All right. It is the VP of Product and Supply Chain Security over at Schneider Electric, Megan Samford. Megan, thank you so much for joining us. 

[Megan Samford] Thank you so much. It’s awesome to be here with you all. 

Walk a mile in this CISO’s shoes. 

5:08.359 

[David Spark] “The CISO’s craft is about striking a delicate balance, building a security program that is both meticulously engineered and organically resilient.” That was Phil Venables, host of the Google Cloud podcast, who framed these as two different modes.

Are you a watchmaker obsessing over every control and policy document or a gardener cultivating culture and trusting your teams to make good choices? The watchmaker gets you audit ready and predictable, but risks rigidity when threats evolve. And the gardener builds resilience by distributing ownership, but good luck explaining to your board why you can’t produce a neat control matrix.

So, I’ll start with you, Andy, here. Are we all operating as hybrids of these two approaches? And when do we need to shift further to one side, the gardener versus the watchmaker? And by the way, I love these metaphors here. 

[Andy Ellis] So, I get the metaphors, but for me, I grew up in a maybe slightly different era, and watchmaker has a very specific connotation from The Mote in God’s Eye by Larry Niven. Very different culture than what is being posited here by Phil, where the watchmakers absolutely did not obsess over policy and controls, [Laughter] and they were the ones who went out and just built random stuff until it worked and then abandoned it.

[David Spark] Well, you have to be meticulous to make a watch. 

[Andy Ellis] But there was a very specific speech. If you haven’t read the series by Larry Niven, you really ought to. The Gripping Hand, this is I think the second book. Anyway, sorry, divergent there, but sometimes important thing to learn, which is sometimes your analogies run into somebody else’s mental model and just don’t land correctly because they have something else sitting there.

I actually think that you’re in both of these modes all of the time, but it’s mostly the gardener mode. Like if you’re going to say the watchmaker’s obsessing over policy, policy’s a reflection of culture, and the problem that most people have is they think it goes the other direction.

People who write policy think you can change culture by policy. You can’t. You change culture by having tools that work and then you write policy to match your tools that work. And so if you’re going to make me pick one, I’m going to say I want to be the gardener because I’m obsessing over how my policy is a reflection of culture, but I change culture before I change policy.

[David Spark] All right, very good. I take this one to you, Megan. Yes, I would agree that most CISOs are gardeners cultivating a team, but you have to kind of lean into the watchmaker. What do you think, Megan? 

[Megan Samford] Yeah, I think it’s really more about achieving the balance between high alignment and high autonomy, right? And for large organizations, what I’ve seen work successfully is this concept of a three lines of defense strategy. So, the first line of defense needs to be where the risk actually originates.

So, if you’re a company like mine that develops products and sells them to global markets, our first line of defense is typically considered developers and divisions and individual P&Ls unto themselves. And so that’s really where the risk originates.

It’s the best opportunity you have to mitigate that risk directly. The key thing with the first line of defense is that anyone in the first line of defense, just like a factory floor from the 1970s, they should be empowered to have what’s called stop-the-line capability.

If anyone observes behavior that is out of bounds for the company’s values, for their policies, what it clearly says we’re going to do with our secure development lifecycle and the way that we make products, anyone should be empowered to raise their hand and say, “I don’t agree with this behavior and this needs to be looked at more thoroughly.” 

That being said, there’s also the second line of defense. That’s really where the CISO sits, as the second line of defense. We are risk overseers. And so our job is to set policies, set successful governance structures, empower that first line of defense, make their lives easier, create clear escalation paths when we’re not seeing behavior that we want to see, how do the right folks get eyes on it, and how is that risk dispositioned properly with escalations that hopefully don’t need to have a motion about them, right?

When things are going wrong, everyone should be free to say that this is something that we need to take a closer look at. But you’re really running more like air traffic control. 

And then your third line of defense, perhaps my favorite line, is that third party internal audit, making sure that the risk overseers and that first line of defense are doing what they said that they were going to do and they’re not accepting more risk than is appropriate at their level.

And that risk is being surfaced up to the board and all of that. And then of course, I’m also a fan, as I mentioned earlier, of third-party independent reports. So, that could come in the form of like a 62443 certification or an independent consulting firm helping you out, just to get an external view on what you’re doing and making sure that everything is coming to light.

How would you handle this situation? 

10:13.770 

[David Spark] “If a third party can handle your process faster than your own engineers during a crisis, then you’re leasing your control system. This is why OT security is such a different beast. In most plants, vendors hold more system authority than internal teams,” noted Muhammad Ali Khan of Toyota Tsusho Systems.

Continuous uptime demands, decades-old equipment, and safety constraints mean vendors get persistent remote access, shared credentials, and privilege control because “that’s how it works.” OT assumes you can’t touch anything without risking millions in downtime.

Good luck getting business buy-in to take equipment offline to patch. So, Megan, this is your world with Schneider Electric. I actually did some work with Schneider Electric well, well before CISO Series days. This sounds like some “best practices” simply aren’t going to work in OT.

What has to change? What do you think? 

[Megan Samford] Sure, this is a topic if you had eight hours, I could talk to you about this. But I think the first thing is you’re going into the problem set viewing it correctly in that, yes, OT is different. We say this every single day. But there’s a term that’s emerging called industrial realism, okay?

[David Spark] All right, that’s new for me. 

[Andy Ellis] That’s new to me too, I’m very excited. 

[Laughter] 

[Megan Samford] Yes, and what this is, is recognizing that yes, the controls are going to look very different within OT environments. We have been adopting a lot of the good security practices from our friends on the IT side, and this IT/OT convergence has been happening, I think, for the past 5, 10, 15 years, depending on who you ask.

But where we really need to start is actually looking at the data and what has been proven to be effective controls in OT environments versus ones that we’re kind of porting over from the IT side of the house and saying, “Yeah, you absolutely need to do this because if you don’t, it’s security heresy,” or something.

So, on the topic of patching, most attacks that happen in OT environments have nothing to do with a vulnerability in a product whatsoever. They deal more with the porous nature of the networks. And so if we walk back from the place of, yes, patching is important.

Megan Samford is not on this show today telling you not to patch. That’s not what I’m saying at all. 

[Andy Ellis] Oh, I was so hoping we had that quote. 

[Laughter] 

[Megan Samford] But if the data tells us that there are other things that should be addressed first in security and hardening of the networks and network segmentation and visibility in OT and use of all these different technologies that are proven and are very effective or quite simply just getting devices that are directly exposed on the internet today.

If you go to Shodan or Censys or any of these websites, you will see very apparent attack surface that is existing in global critical infrastructures every single day. 

But when it comes to patching, again, back to the point of the attacks aren’t coming from lack of patching, folks. We’re not seeing that, but within patching, and back into the conversation of downtime that you need to take factory floors and assembly lines down for patching, there are ways to do this.

You can prioritize the patches and really understand what’s going to give you the most bang for your buck. I would definitely prioritize patching HMIs and engineering workstations and things. But for other products, I think that OEMs are considering partnerships with cybersecurity vendors where if we know that the customer can apply the patch immediately or we know that it could come in the next quarter or we know that they have limited patch windows, we should be directly deploying patch signatures to firewall companies so that the customer is protected even if they’re not able to patch yet.

So, I think we can achieve the same outcome and result. It just may not look the same in OT as it traditionally does in IT, if that makes sense. 

[David Spark] You have run into this as well. I mean, I think you explained pretty clearly, Megan. What would you add to this, Andy? 

[Andy Ellis] So, I think one of the nuances in what Megan just said, and I love the framing of it, is OT systems historically are very bespoke, narrowly built systems. They’re not general purpose computers. They have a task that they do, which is one of the things that limits their vulnerability profile is they don’t have a billion pieces of software that are just running a general purpose computer.

And IT systems aren’t general purpose computers that do a lot of stuff. And 90% of your patching has nothing to do with what you bought the computer for. It’s just you have to deal with patching Windows. If you’re not running Windows on a machine, like you’re not patching Windows or Linux, I’m not trying to pick on Microsoft here.

And the convergence challenge is, as OT systems are embedding general purpose computers on board, that’s where we run into the challenge. 

And so as Megan said, you always patch your HMI, your human-machine interfaces, your engineer workstations, those are general purpose. If your OT system also is general purpose, now you sort of run into that challenge. Especially if you’re also exposing it out onto either the open internet, big problem, or even on your private intranet, but it’s not actually that private or well-protected.

So that’s maybe a mental framework that would help people is IT and OT are also different beasts under the covers, but that difference, I think, is starting to go away more and more. 

[David Spark] It is industrial realism, as they say.

[Andy Ellis] I love industrial realism. I’ve got to now wrap my brain around that one for a while. 

[Megan Samford] Yeah, and the last point I’d add there, and it’s a good quip, is in many cases, the OT products, the relays, the sensors, things that are operating down at like level one, level two, butting into level three of the traditional OT model, they’re not the murder weapon, folks.

They’re the dead body. 

[Andy Ellis] Oh, I love that. 

[David Spark] [Laughter] 

Sponsor – Native 

16:14.732 

Before I go on any further, let me tell you about our spectacular sponsor, and that would be Native Security, brand-new sponsor with the CISO Series. So, let’s talk about cloud providers. They ship powerful built-in controls, but most teams struggle to turn security intent into consistent enforcement across AWS, Azure, Google Cloud, and OCI.

Different policy models force security teams into manual translation and one-off exceptions, which get brittle fast as accounts, services, APIs, and AI workloads change. 

Native is the secure-by-design control plane for cloud security. It helps teams operationalize provider-native enforcement, manage intent centrally, and roll out changes safely at scale. Native works through the cloud’s own mechanisms, so guardrails are enforced natively while teams can preview impact before deployment and reduce drift over time.

Now with Native, security isn’t bolted on after the fact. It becomes part of how you operate the cloud. Go to their website, check out what they’re doing. It’s native.security. That’s it, and when you go, let them know that you heard about them from the CISO Series.

It’s time to play “What’s Worse?” 

17:33.882 

[David Spark] Megan, do you know how this game is played? 

[Megan Samford] I know that you’re going to give me a horrible scenario and I’m going to have to choose between the lesser of two evils. 

[David Spark] You know exactly how it’s played. Perfect.

[Andy Ellis] He makes me go first, so you at least have time to think about it. 

[David Spark] And you can agree or disagree with Andy.

[Andy Ellis] And the one rule that we have is you don’t get to immediately pivot and say, “Well, I’ll accept situation A because I’m immediately going to then do something totally different.” You’re stuck in the situation. 

[David Spark] And you can agree or disagree with Andy. I always prefer it when you disagree with Andy. 

[Andy Ellis] I, of course, prefer the opposite. 

[David Spark] So decide who you want to be nicer to. All right. This comes from Dave Ratner over at Silent Push, and here are your two scenarios, Andy. Knowing all the security gaps in your program and not being able to close them. So you’re just staring at it and it’s like, “Okay, I can’t deal with this.”

[Andy Ellis] But at least I know what they all are. 

[David Spark] That’s the positive of it.

[Andy Ellis] Okay.

[David Spark] But it’s happening. Or… 

[Andy Ellis] It’s half of a CISO’s life already, so. 

[David Spark] There you go. Your staff keeps responding to random texts on their corporate mobile devices. 

[Andy Ellis] [Laughter] Okay, I know sometimes they give us things that aren’t even related, but like… 

[David Spark] Yeah, well, it’s interesting. Just so you know, Dave gave me two different sets, and I literally picked one from one and one from the other and I put them together. So, this is me literally Frankensteining two different “What’s Worse?” scenarios, yeah.

[Andy Ellis] What does responding mean in this case, David? Because like… 

[David Spark] They could be clicking on links. They could be having conversations. Who the heck knows what they’re doing? Essentially, they could be being pig butchered and God knows what’s going on right now. 

[Andy Ellis] I mean, this one’s weird. 

[David Spark] Yeah. Yeah, it’s going to make your brain go in a few directions here. 

[Andy Ellis] I don’t know. I’m trying to even figure out how do I compare these two? Sorry, Megan, normally I have like a coherent thought process, but… 

[David Spark] Right, because it’s usually the flip side of the other thing, but… 

[Andy Ellis] Right. 

[David Spark] I purposely am doing these as two very divergent things, so you have to figure out the risk environment of each. 

[Andy Ellis] I mean, so here’s the entertaining thing about this, which is the first state is actually the ultimate goal of every CISO. You actually want to be in a world where you know all of your gaps, and you can no longer fix them because you fixed all the fixable things, and what’s left is the stuff you can’t fix.

[David Spark] And then you buy insurance at that point. 

[Andy Ellis] Right. Basically, you’re like, “Okay, here’s the hazards that we just accept.” Simply because we have consumers, we can’t fire our consumers, and they present a bunch of problems because of account takeover, etc., blah, blah, blah. So, in one sense, you can argue one is an ideal world, but I don’t think that’s what’s intended here.

But you should always remember that that is your end state. You will always have vulnerabilities and risks you can’t deal with.

[David Spark] Mm-hmm.

[Andy Ellis] People are responding to texts on their mobile devices? That one’s just kind of weird. 

[David Spark] Well, then think about all the spam texts you get. All of a sudden, your staff is just responding to all of them. So, they’re engaging with someone who’s looking forward to do harm to them. 

[Andy Ellis] Yeah. [Sigh] I think I’m going to go with, I’m going to take the first one in the spirit it’s intended of you have a lot of gaps that you should fix, but you can’t. 

[David Spark] And that being the worst scenario. 

[Andy Ellis] And I think that is actually the worst scenario. 

[David Spark] Even though you said very positively about it at the beginning. 

[Andy Ellis] Right, because I think the way it’s intended is you have a lot of gaps that are fixable, but you’re not able to fix them. And so I want to take it in the spirit it is and not define it into something that’s not bad. And so I’m going to say that’s the worst one because if people are just responding to texts, look, if I’ve got great phish-proof authentication, then I’m not worried about them clicking on links as much.

So, yeah, no, that’s a problem, mostly it’s a problem for them. 

[David Spark] Wait, a lot of this like pig-butchering techniques is to get them offline to do other things kind of thing, like, “Download this app, start doing this,” that kind of stuff. 

[Andy Ellis] Yeah. I’ll rely on the fact that I’ve fixed my security problems because I’m not in situation one. So, if they download an app, we’ll catch it with our EDR, we’ll block the app, we’ll be fine. 

[David Spark] You think those are the gaps you’re going to be able to fix unlike all the ones you do know? [Laughter] 

[Andy Ellis] Yeah, I think I’ll be able to fix those because I’m not stuck in situation one.

[David Spark] All right.

[Andy Ellis] So, I’m going to go, situation one is worse because this would be included in the gaps that I have is, “Oh, look, people respond to things on their devices and I can’t control it.” 

[David Spark] All right, Andy, that was an above-average answer. Okay. [Laughter] 

[Andy Ellis] Barely. 

[David Spark] Megan, give us your above-average response, please. 

[Megan Samford] Sure. So, I will also address point number one. So, what I heard there, the Reader’s Digest notes was we uncovered a lot of risk and we’re aware of the gaps. Great. That’s every day on the CISO job. Like, this is great that we actually know what the gaps are.

I mean, this almost felt like a softball question because we do this every single day. So, if you’ve identified all of your gaps, a CISO should never be owning risk, number one, they are a risk overseer. So there should be other executives within the company that need to be aware of the risk, and they would be responsible for either dispositioning that risk and coming up with a timeline for when remediation and everything else needs to happen, or they need to formally sign their name on the document that they are accepting the risk for a period of time, and that needs to be time bound, right?

Like we can’t perpetually accept risks that are a danger to the company or increasing risk to the board or anything like that. 

I think question number one is pretty softball. We disposition, assign, have people review, sign off on risk, escalate the risk, or otherwise come up with a roadmap for how they’re going to deal with it every single day. No one should be stumped by that question whatsoever.

On question number two, with the thing you have going on there with the potential phishing and the mobile apps team, number one, I’m impressed that the CISO was notified quickly. I’m impressed that people have come to you with this. 

[Laughter] 

[Andy Ellis] Oh, no, you don’t necessarily know it’s happening. You just are aware that this is the reality. 

[David Spark] Yes. 

[Megan Samford] Okay. So we’re sitting in this reality again. Then I would say you need to, number one, determine potential initial impact in that golden hour. Figure out if you need to formally declare an incident that would need to be investigated, the level of that incident.

[David Spark] Hold it. So which scenario are we talking about here? 

[Megan Samford] For the mobile app. 

[David Spark] Oh, for the mobile app. 

[Megan Samford] Where people are responding to text messages, could be phishing, not quite sure, not sure how many people, all of that. That’s why you stand up incidents to kind of get the full scope of what’s going on and you begin to tackle it, and I would say, depending on the nature of the phish or how sophisticated you think the phishing attack was, just start an incident.

When you’re in doubt, just declare an incident and begin to investigate it, and you can always de-escalate the incident and say, “Okay, well, this wasn’t as big of a deal as we thought it was going to be.” But you can huddle all the teams together that would be responsible for providing some immediate stopgaps and then longer term things like more education and things like that for your employees.

So, that’s how I think about that. 

[David Spark] So, hold it. I’m getting the sense that you think both of these are great scenarios. [Laughter] 

[Megan Samford] Yeah.

[Andy Ellis] They’re both manageable. 

[David Spark] Both manageable. Okay, well, which one is the worst, then, do you think, from the risk perspective? 

[Megan Samford] Probably the mobile one in the immediate until you get your arms around the scenario because the first scenario, the way you described it to me, I mean, if people aren’t doing this stuff every day, what are they doing? 

[David Spark] They aren’t doing what stuff every day? Hold on, I’m not following. 

[Megan Samford] Identifying risk and dispositioning risk, right? 

[Andy Ellis] Right. Yeah.

[Megan Samford] Because the whole scenario is, hey, we’ve uncovered some risk. We’re aware of it. We’re not sure what we’re going to do about it. 

[David Spark] Yeah, I mean, it could be a whole host of reasons. You don’t have enough staff. You don’t have the tooling. Who knows what the heck it is that you can’t? But you just can’t deal with it. 

[Andy Ellis] Right, where Megan is, and Megan is in my sort of ideal state on that, first one, which is ultimately the job of the CISO is not to fix risk. There are small places where we own fixing risks, but most of what we do is incentivize the rest of the business to do so.

If the rest of the business chooses not to do so, but the CEO and the board is aware of that and is fine with that, you have done your job. The single biggest stressor in the CISO world is the belief that you get to decide what risks get closed. And you don’t.

That’s the business’s job. And Megan’s saying, “I’m good with that.” 

[Megan Samford] Yes. 

[David Spark] All right, Megan, which one are you choosing? Which one’s the worst scenario then? 

[Andy Ellis] She took number two. She took… 

[Megan Samford] Yeah. I took number two, but I mean, I don’t… 

[David Spark] So you disagree with Andy. So that’s great. 

[Andy Ellis] Yeah, David’s happy. You disagreed with me. But I want to pull something out that Megan said because I think a lot of people need to hear this one, which is it’s okay to declare an incident to get focus and attention and then de-escalate.

You can say, “Ooh, we just heard about this thing. We’re declaring an incident,” and we discover it’s culture wide, shouldn’t be managed at incident tempo, so we’ll just go de-escalate. But you can use that as a way to sort of gather focus, figure out what’s going on, and then move into normal project management.

[Megan Samford] That’s exactly right. 

[Andy Ellis] And I think too many people don’t know that they can de-escalate incidents. 

[Megan Samford] And with things like NIS2 and CRA and global regulation, you better build some muscle memory in to where if you know that there is a potential for greater risk in your company and you know that a select population has been spear-phished on the mobile and there’s a good potential that there could be something on your network or that risk is moving laterally.

Yeah, absolutely. You need to declare an incident to huddle around that so that you can understand if you have any reporting obligations. 

Remember, data protection, data privacy. There are about a million things that can come into play there. DFARS, I mean, the point of declaring an incident sometimes is to make sure that you are gathering the right people, gathering the right data, and you are running everything down so that a small incident doesn’t end up cascading into a larger catastrophe because you tried to sweep it underneath the rug.

Managing security changes for business optimization.

27:40.333 

[David Spark] “The core issue is economic, not technological.” Jen Easterly’s post-CISA piece in Foreign Affairs leans into a core tension in cybersecurity we don’t talk enough about. Software vendors know buyers can’t measure security directly. Why go to the expense on building it in when it doesn’t move the needle on revenue?

The cybersecurity industry exists entirely to compensate for insecure software that should never have shipped. It’s 2026, which means the answer is AI. Easterly argues AI can finally make secure code economically viable at scale through prevention and secure by default, framing it as an end to cybersecurity as we know it.

Kind of a bold statement there. So, let’s say Easterly’s cyber nirvana actually happens, Andy. What does the security vendor landscape look like now? 

[Andy Ellis] So, I love that AI can finally make secure code economically viable. “Can” is a really important word in there. It reminds me of a sketch Yoram Bauman, who’s a standup economist, did a long time ago in which he riffs on the 10 principles of economics, one of which is trade can make people better off.

He says, “Well, the fact that you say can instead of will means that trade can also make people not better off.”

[David Spark] [Laughter] 

[Andy Ellis] And similarly, AI can also not make secure code happen. 

[David Spark] Yes, so we have also seen and what I’ve seen is that the internet and AI can be a race to the bottom too. [Laughter] 

[Andy Ellis] Right. And so the reality is what did AI get trained on, right? The LLMs are trained on the code written by humans, the code that we know is full of vulnerabilities and insecurities, and so that AI has learned how to write bad code. So, it is possible for us to train an LLM on secure coding practices and on secure architecture practices, which I think most people don’t think about.

It’s not just, “Oh, do I not have buffer overflows and format vulnerabilities?” No, have I also built an architecture that is resilient? And it is possible to do that, but I don’t actually see that happening right now. So, I suspect the answer is it’s going to get a lot worse before it gets better from a security perspective, and that’s okay from our industry’s model because, hey, it means we get to still be employed.

[David Spark] By the way, I’m all for Jen Easterly’s cyber nirvana. 

[Andy Ellis] But I don’t see the economic drivers currently pointed in that direction. 

[David Spark] No, and I’m 100% in agreement on that, too. All right, Megan, I’m sure you’d love a nice cyber nirvana like this, which fixes all cybersecurity problems in code. Do you see there’s a way we can push towards Easterly’s vision? 

[Megan Samford] Sure. So, I think and again, I’m speaking from the industrials, right? 

[David Spark] Mm-hmm.

[Megan Samford] We’re already adopting use of AI for secure coding. I think that most companies are. I think that most companies have been kind of anxiously looking at those percentages. You know, what percent of our code is being AI-assisted where it’s AI assisting the developer in that coding, which I believe can solve for a lot of the nuisance buggy code and things like that, code quality.

I think that that’s great. Within industrial environments, though, again, we have to start from a place of industrial realism. 

[David Spark] I love it. 

[Megan Samford] Where we should not at first assume that the issues in OT environments are coming from individual products necessarily or vulnerabilities there with them because that’s not what the data tells us. Instead, we would be looking for application and use of AI to support more of the hard work that still has to be done by human beings and cannot be automated to that extent with AI.

That’s good network security. That’s exposure management. That’s understanding if you have devices inadvertently directly exposed to the internet. It’s network hardening. It’s upgrading products from legacy comms to secure communications. This is not something that AI can do for us.

The OT environments are still going to require a lot of rolling up our sleeves and getting in there and just human beings are still going to have to go in there and manually do the hard work of securing these porous environments. That’s number one.

The second interesting conversation occurring in OT with use of AI is whether or not AI should be allowed to directly control products in an OT environment. And so if we’re following traditional NERC CIP strategies where you have an electronic security perimeter, right now, most thought leaders in OT are saying AI is great for analyzing data coming off of industrial products.

They can tell you when the products need to be serviced, how the product is performing, etc., etc. It’s good data that AI can analyze for the customer’s benefit. But AI should not directly instruct onto an OT environment and say, “Open up a valve by 20%,” because AI believes that it should do that.

There is this principle that we will maintain in OT called human-in-the-loop, where a human being has to review what the AI is recommending and then decide if it’s appropriate to allow those constructs in the OT environment. So, AI is coming to OT, but it’s going to look different.

So that would be my thought on that. 

I tell ya, CISOs get no respect! 

33:21.537 

[David Spark] If the math doesn’t add up anymore for a CISO, too much responsibility with no authority to execute, it might be time to hit the bricks. Now, a recent IANS Research and Artico security survey found that 69% of security executives are open to leaving the role within the year.

Many are exiting the enterprise entirely for consulting or compliance functions where accountability and authority align. But Megan, you’ve recently highlighted that roughly about 1,500 CISOs are currently out of work and the market isn’t exactly rolling out the welcome mat.

Organizations would rather hire a first-time CISO at a discount than pay for someone who’s actually done the job. So we’ve built a role that burns people out, exposes them to personal SEC liability, strips them of budget and procurement authority, and then devalues their experience the moment they leave.

Megan, that seems like a structure broken by design. How the heck did we get here? What do you think? 

[Megan Samford] Well, I really hate to go back to COVID on this one. But to me, I started to notice that the market was changing during COVID times and a lot of people were nervous for all the reasons that they should have been in the world at that time.

But people really were like, “You know what? I’m pretty happy in my role. I’ve got a good team. I understand the company. I feel like we’re making progress,” where for most CISOs and other cybersecurity executives, it was like unless there is something horribly wrong here, I’m probably staying in my position.

Staying in my position feels safe. And so there have been other papers and news articles written about this, but people that are pretty happy in their roles, I think, are staying put. 

And when I’ve talked to other friends in the industry that may be looking or maybe they’re impacted by layoffs and horrible things like that, everyone is waiting for the game of musical chairs to begin in the industry, if you’ve ever heard of this construct, but essentially in CISO world, if one CISO was the CISO for a large Fortune 500 and they moved roles, then you would see another CISO from another Fortune 500 move laterally into that role or maybe get a little bit of a bump or a promotion, and this game of musical chairs would start.

And it only took like one or two people to move from these big roles, and then the game begins, and then we’re all moving jobs. 

And I have friends that are executive recruiters, and they’re saying, “Every six months, we’re saying that the game’s going to start in January, the game’s going to start in June, and the game just hasn’t started in two or three years.” So, again, I think for most people, if you’re an executive, if you feel good in your role, if you feel like you’re getting stuff done, you like your boss, you like your team, probably staying put.

And it is this attitude and I think this anxiety is why the game hasn’t started and no one’s moving chairs. 

[David Spark] I will also throw out, and we were going to do a segment on this instead, but Hitch Partners comes out with a CISO salary index, and the wide range of salaries, it’s like four to five X. It’s pretty humongous, Andy. 

[Andy Ellis] It’s bigger than that. Depends on who you’re looking at. 

[David Spark] Well, this was from their survey too. Yeah.

[Andy Ellis] It’s crazy numbers there. One of the things I see a lot of, because I talk to a lot of folks outside the Fortune 500 as well, and I’m seeing a lot of places where there are companies that basically want to have a throat to choke, right? They want to have a CISO.

They don’t always want to call it a CISO, but they want somebody first time who doesn’t have massive salary expectations, where maybe they’ll trade off, “Oh, we pay you a little bit less, but we give you the title CISO.” And you think that’s a steppingstone to another CISO role elsewhere, but the answer is no because after you’re done with that gig, you’ll look around and the gigs that you think you’re qualified for, you probably are, are all the ones who are hiring first-time people because they can get that discount at this point.

In a sense, we’ve done a good job of building up a workforce of people who are ready for these roles. So in one sense, maybe we’ve saturated the almost-CISO roles. And then at the same time, as Megan points out, there’s a lot of people who are basically comfortable in their role and they’re saying rather than move laterally and have to relearn a company, I’ll stick it out for another three to five years and then I’ll go be a consultant or a field CISO.

I see a lot of people who…

[David Spark] Yes, yes. 

[Andy Ellis] …I think, 10 years ago, you would have said there’s no way this person will ever accept the marketing job of being a field CISO who are having a blast going and doing that now. 

Closing 

38:08.343 

[David Spark] Excellent. Good button on today’s discussion. This was packed, absolutely packed today. Megan, thank you so much. Andy, thank you so much. And also, most importantly, as much as I love you, I have to thank our wonderful sponsor, and that’d be Native Security – unify, manage, and maximize built-in cloud security controls and achieve secure-by-design consistency across cloud environments.

You in more than one of them? You went into Azure, Google Cloud, AWS? I’m sure you are. You’re all over the place. Take a look what they’re doing over at Native Security, native.security. Megan, I’m going to let you have the very last thought for today.

Any last thoughts you have for our audience? 

[Megan Samford] I think it’s a great time to still be in the game with cybersecurity. We all love it. And thanks so much for having me on today. And thanks as well to my company Schneider Electric. We want to be your partner for technology and energy management.

[David Spark] As someone who’s worked with them before, they are a great, great group. And here’s the thing that I’ve found, and I find this also in the airline industry. When I met some people there, they would go, “Well, I haven’t been here this long, only about 15 years,” and that always cracked me up.

[Laughter] So, thank you again, Megan. Thank you very much, Andy. And thank you to our audience. As we always say, we greatly appreciate your contributions and listening to the CISO Series Podcast. 

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review.

This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com.

Thank you for listening to the CISO Series Podcast.