In March 2026, six security leaders gathered on r/cybersecurity to field questions about the human side of the job: hiring, culture, team structure, and what it looks like to build security organizations that function well inside a business.
Participants:
- Charles Blauner, u/OG_CISO, operating partner, Crosspoint Capital
- Joshua Scott, u/threatrelic, CISO, Hydrolix
- David B. Cross, u/MrPKI, CISO, Atlassian
- Shaun Marion, u/MarshaunMan, VP, CSO, Xcel Energy
- Derek Fisher, u/Electronic-Ad6523, director of the cyber defense and information assurance program, Temple University
- Caleb Sima, u/CalebOverride, builder, Whiterabbit

Stop being the ‘Department of No,’ and the ‘Department of Know’
How can security teams raise uncomfortable truths without becoming an obstacle? The answers converged on the same idea from different angles: the problem isn’t the message; it’s how security positions itself inside the organization.
“For me, this starts and ends with leadership. The culture within the security team and the security culture we create across the organization are my responsibility. If people don’t feel safe raising uncomfortable truths, that’s a signal I haven’t done enough work with stakeholders yet.” — Shaun Marion (u/MarshaunMan)
Marion offered a set of practical principles his team operates by: frame risk not rules, normalize dissent, no surprises at the board level, and default to “yes, if…” instead of “no, because.” The goal, he wrote, is for security to be the department of engagement, one that seeks to understand business objectives before shaping its message, controls, and investments around them.
Charles Blauner pushed the same point from a team design angle. The meaningful distinction isn’t between “yes” and “no” answers. It’s between teams that drop problems on the CIO’s desk and teams that bring answers.
“I always used to tell my BISOs that you never start a conversation with ‘no.’ You may get to say ‘let’s talk about the risk and how we can tweak things a bit.’” — Charles Blauner (u/OG_CISO)
Security’s job is to make the secure path the easy path
For an infosec team embedded in a technology department, how do you navigate the shift from risk and advisory to a platform-based model that rhymes with DevOps and Agile?
Joshua Scott’s answer reframed what security teams are actually there to do.
“The shift is mostly about changing how security delivers things. Instead of reviewing everyone else’s work, you start building security capabilities that teams can use directly. Stuff like paved-road CI/CD controls, identity guardrails, logging pipelines, secure defaults, and self-service tooling. The mindset moves from ‘security reviews your work’ to ‘security builds platforms that make the secure path the easy path.’” — Joshua Scott (u/threatrelic)
Derek Fisher zeroed in on the cultural prerequisite for making that shift stick. You should figure out a way to fit into the engineering world rather than standing apart from it.
“Understand how the technology teams work, their pain points, their tools, and their processes. Figure out how to work within those same confines. Model your behavior the same way a QA team would.” — Derek Fisher (u/Electronic-Ad6523)
Hire slow. Fire fast is the failure mode.
A community member with a newly doubled budget asked for advice on rapidly scaling a CISO team.
Caleb Sima kept it short.
“Hire slow and set an extremely high bar. During this time frame lean heavily if you need to on your engineering and IT partners to help.” — Caleb Sima (u/CalebOverride)
The “rapidly” in the question, he noted, was the trap. For teams that do need to scale, David Cross pointed toward a counterintuitive talent pool: skip the pure security hires.
“In a talent-starved market, hunting for someone with 15 years of specific cloud security experience is a slow game. Look for high-performing SysAdmins, DevOps Engineers, or Developers who have a ‘security mindset.’ They already know your tech stack; they just need the security overlay.” — David B. Cross (u/MrPKI)
Wins and failures tend to rhyme
Asked about their biggest wins and biggest failures, participants consistently said lessons almost always came back to people.
Charles Blauner’s biggest failure was straightforward. He hired senior people who didn’t fit the team culture, which poisoned the environment until he had to let them go. Joshua Scott described a harder-won version of the same realization.
“One realization I had early on is that security is often the team that creates work for everyone else. We show up pointing out problems in other teams’ tools, processes, or practices. What we changed was shifting from just identifying problems to helping solve them. In some cases, we would even bootstrap the first version of a solution and then hand it off to the team that owned the system. Security stopped being seen as an adversary with bad news and started being viewed more like a partner that helps teams move forward safely.” — Joshua Scott (u/threatrelic)
Guerrilla tactics for smaller teams and vendors trying to earn trust
Two threads touched on a less-discussed corner of the industry: what smaller security teams and MSSPs can do when they don’t have the brand recognition or budget of a larger firm.
On vendor tool accumulation, Derek Fisher cut to the heart of why shelfware persists. Most purchasing organizations don’t know what risk problems they’re trying to solve. His standing advice to vendors reflects that.
“I’ve always told vendors that ‘I can solve security problem X a dozen different ways, and it doesn’t have to include your tool.’” — Derek Fisher (u/Electronic-Ad6523)
For MSSPs trying to earn enterprise trust, David Cross pointed to SOPs (standard operating procedures) and incident playbooks as the fastest credibility signal. Enterprises fear the single point of failure, and documentation is proof you’ve thought past the rockstar. Joshua Scott agreed with Derek Fisher’s separate point about being customer zero. Showcase the maturity of your own environment before asking clients to trust you with theirs.
Takeaway
Security leaders who build durable teams aren’t the ones with the biggest budgets or the most aggressive posture. They’re the ones who figured out how to make security feel like a resource rather than a roadblock, and who hire slowly for the people who reinforce that culture, not undermine it.
The April 2026 CISO Series Reddit AMA is coming up. It starts this Sunday, April 26. We’ll be focusing on the unique challenges of security professionals in the healthcare industry. Follow r/cybersecurity to catch it live.