
David Spark
Best advice I ever got in security. Go.
Jacob Combs
The best advice I ever got was from a fellow CISO. And it was the old improvisational trope of instead of saying no, you say yes. And so you take the request from the business, you help them figure out a way to solve the problem, and you work together with them. And so instead of becoming the gatekeeper, you become an enabler.
David Spark
It's time to begin the CISO Series Podcast.
Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. My co-host for this episode, it is none other than Andy Ellis, who does not want to be known as a cockroach, which is something we did in a previous recording, which is the title I bestowed upon him. He would like to be seen and known as the Principal of Duha or legendary CISO.
Andy Ellis
I'll take that.
David Spark
Yes. Correct. You do not want to be known as a cockroach.
Andy Ellis
That is correct. Unless you're going to sing La Cucaracha.
David Spark
Yes. He wrote this. It says his name on our recording platform right now: Cucaracha. Squish it. Nobody wants to squish you, Andy.
Andy Ellis
Oh, no, that's definitely not true.
David Spark
We're available at cisoseries.com where you can find all of our wonderful programming. Spend some more time there, why don't you? We also have videos up there that are also a lot of fun to watch. Our sponsor for today's episode is ThreatLocker, the world's leading Zero Trust platform. Allow what you need, block everything else by default, including ransomware and rogue code. And guess what? We, CISO Series, will be at Zero Trust World, hosted by ThreatLocker in March. More information about that later in the show. But first, Andy, I want to talk about something I was discussing in our meetup. I run the San Diego Cyber Group Meetup. If there are any listeners who live in San Diego, you should please attend. Go to meetup.com and look up San Diego Cyber Group. But this is the discussion I had. When I was in college, I interned at an advertising agency, and I watched one of the people who worked there, one of the salespeople that worked at the agency. And I learned a lot about sales purely by watching how he operated. And I was like, wow, that guy's good. He never taught me anything. I learned purely through observation. So my question is, when you were in college, maybe an internship you had, what did you learn purely through observation?
Andy Ellis
Oh, I think I learned almost everything purely through observation. Now, that's not fair. I had a lot of great people do mentoring, but I'll say some of the best observations were just watching how somebody operated. We had a sales rep. We bundled all of our packages, product marketing did all of this thing. They're like, we don't want to do the Chinese food menu thing with a million things on it. There's just four packages to buy. And this sales rep basically just ignored them. He didn't pick fights, he just went. And he would go to a customer and he'd find out what their problem was and he would sell them one feature because he's like, why should I have them buy a bundle that has 30 features that they only want one of? And now, like, my next 29 attempts to upsell them, they'll be like, well, I already have that, so I'll just turn it on. So instead, like, I'll sell them each feature at like half the cost of the bundle. And at some point we'll be like, oh, look what I can do for you. I'll bundle some stuff together. And this guy was an amazing sales rep because he basically went and found out what somebody's problem was, found the technology that they needed and only sold them that. He didn't try to sell them things they didn't need.
David Spark
He wasn't trying to upsell out of the gate, which you often see.
Andy Ellis
He was upselling, but he wasn't trying to over-upsell. So he would come in and be like, oh, you are a customer who has X. You still have a problem that's not solved. Let me sell you Y for that one problem. Not, let me sell you the platinum package that solves a million problems. And he got way better commissions off of it. We had much better revenue as a result of it. His deal cycles were really tight. And what it taught me from the security side is when you're selling projects internally, only sell what is needed to solve the problem. If you want to go solve other things, great. But do not waste your political capital on pie-in-the-sky fairy tales. Solve the problem that your business stakeholder believes.
David Spark
So this guy, and again, it wasn't technology he was selling, he was selling advertising.
Andy Ellis
Oh, your guy was selling advertising?
David Spark
Yeah, yeah, yeah. But he falls under the category, when we talk about people buying from people. He was just this guy. You just want to be around this guy. He's a lot of fun. He really cares about the people. He always engages. He just oozed affability, if you will. Why wouldn't I want to talk to this guy and be around him?
Jacob Combs
Right?
Andy Ellis
Because he's not selling to you most of the time until you're like, oh, by the way, I hear that you do advertising. Can you. And then he's like, boom, I'll sell that to you.
David Spark
Great.
Andy Ellis
And then let's go golfing. But I'm going golfing with my buddy, not with the guy who just sold to me.
David Spark
Exactly. And that's definitely the feeling he gave. And I realized there's a lot to just being a nice guy.
Andy Ellis
Yes, absolutely.
David Spark
All right.
Andy Ellis
We could learn from that. Definitely.
David Spark
By the way, a great lead in to our guest who is a nice guy who lives in San Diego. So we still like him very much.
Jacob Combs
So.
David Spark
He is the CISO over at Tandem Diabetes Care, none other than Jacob Combs. Jacob, thank you so much for joining us.
Jacob Combs
Yeah, thank you so much for having me.
David Spark
There's got to be a better way to handle this.
Quote. It's a fundamental misalignment between vendor categories and real security needs at organizations today. We've built an entire ecosystem around theoretical security models that simply don't match how modern software organizations actually operate. End quote. Now that's Nielet Demelo of Datadog calling out what many of us feel about the AppSec vendor landscape. Vendors should want to solve your problems, right? But there's a gap between what the group of industry categories are and what's presented at conferences, those two, with the reality of dealing with security issues, mostly their context gaps and integration issues. So I'll start with you, Andy. Why is this gap still a persistent problem? You would think vendors don't want that. They want to fill the gap. They want to sell.
Andy Ellis
So the biggest challenge is the gap in AppSec or code security is not the one everybody thinks it is. Black Hat, which had, I think about 360 vendors, over 100 of them were in this space in one fashion or another. That's almost a third of every vendor who was at Black Hat is trying to sell in here. Which tells you that there's a problem, right? Either it's such a massive space with easy commodification that everybody can compete with each other, or it's a space where there is product market mismatch. And here's the real challenge. Let's take software organizations and you have a software leader, right? What is the software leader responsible for? Writing software, solving people's problems with software, maintaining software, deploying software, operating software.
Jacob Combs
Right.
Andy Ellis
Maybe they have DevOps teams that work for them. But everything related to software is owned by the software leader. Who's responsible for software security? The CISO. That is not sustainable. Right. The CISO is who we hold accountable. But they don't get to push code, they don't get to choose software functionality. And so we have this gap where the software leaders have basically gotten away with convincing the world that security is responsible for code security instead of them. And they just get away without fixing things. And many of them are honestly people of very good will, who just have a lot of things that they're focused on like revenue, getting new features out. And so vendors keep trying to solve this problem when the CISO does not actually have the power to implement the solutions that we need. That has to be done by the software leaders. And that's the gap that we have that can't actually just be addressed by the vendors or by the CISOs themselves. It really is going to have to be addressed at the CEO and board level: no longer hold security accountable for the security outcomes, hold security accountable for governance, so that we know that we're not meeting our security outcomes out of our software organizations.
David Spark
Very good point. Your take on the gap, Jacob?
Jacob Combs
Yeah, that's exactly, I think, one of the causes of this mess of an environment we have to deal with in that space. But thinking about it even further, I think what you're getting at is that it is hard to do this. Even all the findings, all the, you know, it used to be throwing PDFs over the wall and getting those resolved. Now it's much more integrated, much more, even they've gotten rid of false positives and all this, but it's still not good enough. And the challenge I think that we all face with these different vendors in this environment is that we can't take some scalable vanilla system and put it into our environment. Right. So where I work at Tandem, we work with many different platforms because we make a medical device. We have firmware, we have mobile applications, we have cloud, we have other platforms like Salesforce and whatnot. We have to deal with the code and all of that. And it's very customizable. And think about orgs that are different than mine that not only have this different tech stack, but also different kinds of technical debt, different compliance regimes, M&A histories. Whatever the legacy is they have to deal with, it all creates all this noise, and finding a system that can easily be modified and customized to fit into that business context and work for you, and then, what Andy was just saying, make a paved road that's very easy for the development team to do the security part of their job, is very challenging. And so the way I've taken it as a leader is to, one, make sure the model is shared responsibility, but two, make sure that solutions we bring in are the easiest to use and can drive the most compliance.
David Spark
Understanding security sales.
Quote. I see too many vendors exaggerate features, promise roadmaps that don't exist, or try to confuse with jargon. The irony: it always backfires. Every CISO I know respects honesty more than bravado. End quote. Now that's Rinki Sethi, who's the CSO over at Upwind Security, calling out one of the fastest ways vendors lose trust with security teams. We've heard it many times from CISOs that during a pitch they want to know what the company does and what it does not do. It's become actually so popular, this trope, that we make it a required question to answer on every episode of our other show, Security You Should Know. So if you listen to that show, you'll hear it from every one of our vendors who are the sponsors on these episodes. So all the CISOs want this honesty, but vendors aren't getting the message. Could the "we can do it all" mentality be an effort for a vendor to try to sell themselves as a platform when they're not? That's just one idea. Or I think it's also very scared young salespeople. Jacob, what's your take?
Jacob Combs
Yeah, I think we're in the phase where it seems like a lot of security companies and a lot of my peers are moving towards the platform phase. Right. We want it integrated. We want all kind of one pane of glass. We're going back to that one again. But really, I'm really trying to think about the most effective solution for the business itself. And so I hear this a lot, and I hear I can solve all your problems. But I always do two things in my organization to try to get to the bottom of this and solve the problem. The first one is every single tool, especially the big ones we bring in, requires a really effective POC. Right? We want to evaluate it as much as we can, and we'll even pay for it if we have to, to make sure that it can work in our context-driven environment we have. So that's the first one. And then the second is that a part of the requirements that I have for tools coming into my group is that we require this easy ability to integrate and decommission. So I don't want to have this six-to-eight-month integration cycle we have to go through and then the same on the back end. I want it to be as easy and simple as possible. And I found those two mechanisms force the honesty. They can't hide anything. The second one especially is going to be pushing the vendor to, like, continue to create features and continue to create value for us that delights us. Right. So we want to renew with them. It's not this forced lock-in.
David Spark
By the way, we've all heard this line. You can be up in a week, an hour, a day, whatever. Has anyone ever actually had the speed that was sort of touted like that?
Andy Ellis
Yeah.
David Spark
You have?
Jacob Combs
Yeah, they have. Yeah, I've seen a POC. We had a call and we had a POC in an hour. It was pretty incredible. Well, it's the cloud, and containerization makes it much easier these days.
David Spark
Sure, sure, sure. I would assume so. But I always think that they over promise in that area as well. All right, Andy, you've seen this behavior.
Andy Ellis
Oh, absolutely. And I talk to a lot of vendors, and by the way, do you...
David Spark
I think I see it happening with very young salespeople, just eager to, like, if I ever say no, then I'm going to lose the sale, which is again the opposite. Or I'm starting to think now that they just want to be seen as a platform. So they start saying this.
Andy Ellis
So I think that there's a big piece of the challenge here, which is a lot of people whose job is technically sales are really doing field marketing and they don't realize it. And the challenge is they're so fixated on closing deals, but 98% of their conversations are with people who are not in market. And so they're trying to sell to somebody who's already told them no or who has signaled no. And so they get into this habit of basically trying to oversell, and it's not working there. And then when they have a real prospect, they're still in that oversell mode. And here's a question I love to just ask sales reps. I say, look, is your product good enough that if somebody knew exactly how it worked, they would still be willing to buy it, and what would be true in their world? That's what you should be selling. It may be that your product is not actually better than anybody else's, in which case, sure, you're going to have to go and lie about what you do. But if there's a use case for your product where somebody who knew exactly how it worked would want to buy it, you should be selling to that person and identifying them and talking about why. Because you should acknowledge that a CISO will do their diligence. They're not going to buy from you just because you sounded really cool. The first thing they're going to go do is ask a dozen CISOs, hey, have you heard of this company? Have you heard of this space? Who are your vendors? And so they're going to do the competitive analysis. So you'd better walk in and say, here is what all of my competitors are better than me at, and here's what I am better than them at, because that gives you instant credibility. I am not perfect. You go with this vendor, their UI is a little bit easier than mine. This vendor, they have slightly better upwards reporting, but I'm going to block 20% more than either of them will. Right.
First of all, if they know your UI isn't that great, when they show up, they're like, oh, wait, your UI isn't as bad as you said it was. I can work with this. They want to disagree with you, so always have them disagree in the favorable direction.
David Spark
Yeah. And I can't stress enough how much making it clear this is what we do and what we don't do matters. I hear it again and again from CISOs. I'm going to go back to you, Jacob, on this. It just imbues trust, doesn't it?
Jacob Combs
Yeah. The honesty, the transparency. I actually prefer that over anything. Tell me: we're working on this, we have a roadmap, we're going to get there, and I'll come back to you then. I really prefer that. But I think, like what Andy said, I get oversold to constantly when I've already said I don't need this or I just signed with your competitor or whatever. I still get sold to. And I think it may not be the young person's problem. Maybe their leadership is pushing them to do such things.
Andy Ellis
Oh, the metrics and KPIs are awful in this space.
David Spark
For sure. For sure. By the way, when I say the young person, it is because they're being pushed to do something and so they're taking desperate moves in hopes to do it. Yes. With all of this stuff, there is the pressure from the VC to see numbers, the pressure from the CEO, the pressure to see things quarter by quarter. The pressure. There's just pressure, pressure, pressure. And that trickles all the way down.
Andy Ellis
And on the platform conversation. Everybody wants to be a platform. Here's my simple definition of a platform. I have two different ones, but one is very practical. If you have more than three different sales motions, where the first product a customer buys can be different. Right? I sell antivirus and I sell an intrusion protection system and I sell email filtering. I have a platform now. I have a whole bunch of things. If they're always going to buy the same first product, one product at the same time, that almost always means you're not yet a platform, and that's okay. You can grow into being one, but that's your simple model. Don't try to sell yourself as a platform if everybody's just buying the same thing.
David Spark
Now, CISOs hear Zero Trust, like, everywhere, but very few conferences actually teach you how to implement it. And guess what? Now you're in luck. Zero Trust World 2026 will do exactly that. So join us. Yeah, that means CISO Series too, because we're going to be there March 4th to the 6th, 2026 in Orlando, Florida for a fully immersive experience with hands-on hacking labs, ransomware analysis sessions and practical workshops that show you how to roll out Zero Trust in the environments you actually manage. Hybrid, remote and, well, just good old-fashioned messy environments. You'll leave with practical playbooks for reducing attack surface, locking down privileges and maintaining Zero Trust without overwhelming your team. And if that wasn't enough, here is the icing on the cake. I will be there doing a live episode of the CISO Series Podcast at Zero Trust World yet again. We did it last year. It was a ton of fun. It'll be on the morning of March 6, 2026, right there on the main stage. Now here's even another bonus: CISO Series listeners get $200 off with the code ZTWCISO26. Now you might want to write that down. Or you know what, if you just go to the blog post for this very episode, we have it there as well. The code is ZTWCISO26 and you go to the website ztw.com, standing for Zero Trust World. So ztw.com, register today and I will see you at Zero Trust World 2026.
It's time to play What's Worse.
Jacob, I know you are aware of how this game is played. Two horrible scenarios. It is up to you to guess which is the worst of the two. This comes from Jonathan Waldrop, who as of this recording I know has a new job, but I don't know what it is. He was formerly the CISO over at The Weather Company. But here is this scenario. Andy is answering first. Your company has recently leaned into using AI and is trying to use it efficiently. But here are the scenarios. Scenario number one: a security team who does not embrace modern AI, LLMs, generative AI, et cetera, as a means to work more effectively or efficiently. So in this scenario, they're not actually doing it at all. So they are letting the attackers use the AI against them and they're going to have to deal with it all with humans. Or you have an HR team that relies too heavily on AI and plans to fill all future positions with very early career individuals, maybe right out of college, because they can use AI to help do their job. So you get the security team who does not embrace it as a means to work more efficiently, or the HR team that's going to just fill every position with juniors. And they're going to say, you know what, they're going to get to senior by just using AI. Andy, which one is worse?
Andy Ellis
So this one's interesting. I always love the things that aren't really comparable. Like it's not.
David Spark
Right. Right. One would say this with that, or the same thing without it.
Andy Ellis
Or I thought, yeah, I thought he was gonna go the opposite of like the security team that only uses AI.
David Spark
So it's kind of like an apples and oranges comparison, which happens all the time in security.
Andy Ellis
Yeah. I do just want to quibble slightly. Like the HR team is not who actually does hiring in most companies. They facilitate.
David Spark
Right. But yes, yes, yes, that's a good point. It's.
Andy Ellis
But let's imagine you have a corporate policy that says going forward, but just like...
David Spark
Corporate hiring policies should say, that is.
Andy Ellis
That, you know, I'll say it would be sort of fascinating to actually see a company embrace that philosophy.
David Spark
Embrace. It'd be a good experiment.
Andy Ellis
Like, it'd be a great experiment because I think we're actually headed in the opposite direction that we're going to have companies that will not hire junior people because their expectation is that you're only having senior people who can validate AI outputs, but you don't need junior people to do that job that AI is now replacing. So I think we're going to have to be in a different world of only hiring relatively senior people who have AI skills. And maybe you'll have AI wranglers. Like, I think marketing teams will be heavily AI wrangler dependent, but that's different than other parts of your organization. So that said, I actually don't know that either of these is really bad. Like, so I do want to sort of challenge the premise. Hold on.
David Spark
So the first one, not using AI.
Andy Ellis
For your security program right now, honestly, if you have.
David Spark
Well, with the attackers using AI and beating you at scale.
Andy Ellis
But the challenge is it's an asymmetric battle. Like, you can't compare, oh, the adversary is using AI. But, like, if my defenses work, like, I don't need AI to do adaptive defenses. If I actually have reasonably strong defense, like, if I have authentication that is phish-proof, I don't care that the adversary is using AI to phish my people, because you still can't steal authentication credentials. Like, that doesn't require me to use AI. So in a sense, like, I know where this is headed, but I just want to say neither of these is a priori just awful. So it doesn't quite come up to our normal standards.
David Spark
It's a little disconcerting though, I would say.
Andy Ellis
I mean, but every team has, like, weird persona quirks. But that said, I'm just gonna go with the first team, the security team, not using anything AI related and being very averse to it. I think that's just problematic simply because your whole organization is doing this. And so if you have no expertise in it, whether or not you could do your job without it, if you don't have expertise in AI and in LLMs and in MCP and in RAG, you can't have a conversation with anybody else in the business about how they're going to solve their problems. And that's what the security team needs to do. So I'm going to go with, that's actually the worst outcome for you, because it means your security team is going to end up being perceived as a bunch of curmudgeons that sit in their ivory tower and just say AI bad, don't use AI, and so you're not getting anything done.
David Spark
All right, I throw this to you, Jacob. Agree or disagree here?
Jacob Combs
I tend to agree, but I'm going to disagree just for the conversation part of it.
David Spark
Thank you, Jacob. It's about time.
Andy Ellis
I mean, it's okay because this one's like two not bad things. So I don't mind to be disagreed with.
Jacob Combs
So I think it is worse that you don't have. Pretty bad that the security team doesn't embrace security. But that's a changeable thing, right?
Andy Ellis
Nope. No, we're not allowed to change. That's. That's one of the constraints of what's worse. You are stuck with that team for eternity.
David Spark
Yes, yes.
Jacob Combs
But then on the other end, if you're hiring just junior people who don't really understand your business, don't really understand security and are relying on AI all the time to make all these calls and decisions, it's going to have a potentially worse result in the future. Because like you said, I think if you have a solid security team, and we will probably talk about it later, they're very good at managing all the vulnerabilities and all the defenses. Even without AI, they can still survive, where if eventually you have a very young organization that has no business context or history, you likely could see other kinds of problems, not just security issues. That's the way I think about it. Although it depends on the timeframe, because if these young people have grown up and were born into the AI, they may be like ninjas and wizards that can manage this way better than some old person with a typewriter.
David Spark
Right.
Jacob Combs
So.
Andy Ellis
Right. So even Jacob's not convinced. He really wants to disagree with me here.
David Spark
Jacob, are you sticking with the second one is worse?
Jacob Combs
I'm sticking with the second one's worse.
David Spark
Yeah. I appreciate that. I like your confidence.
Andy Ellis
This one was, like, sort of off the wall. Like.
David Spark
Yeah, I liked it. Well, again, we like the asymmetric What's Worse.
Andy Ellis
I love the asymmetry, though. That's fantastic, because it requires the brain.
David Spark
To go in, like, two to three different directions.
Jacob Combs
Yeah.
Andy Ellis
But I think for listeners, an important thing is, like, when you first hear these, they sound really bad. But if you tease them out, these two are not actually that bad, obviously. Except in the extreme case, like, if you have a new corporate rule that says, we will hire no one with any work experience, probably that's gonna be a really bad outcome in the future.
Jacob Combs
Yeah. Minimum wage only, right?
Andy Ellis
Yeah, minimum wage only. No college. I don't think everything should require college degrees. But imagine a no college degrees, minimum wage only, entry level. Can't have even worked at McDonald's before. Like, that's a fascinatingly odd outcome.
Jacob Combs
And here's your LLM. Go do marketing. Right.
David Spark
Hold. Wait. Have either of you worked at McDonald's before?
Andy Ellis
No, I have not.
David Spark
Have you worked in any kind of service industry?
Andy Ellis
Me? Yeah.
David Spark
What'd you do?
Andy Ellis
Let's see. I've been a bartender, wine steward. I've done costume issue at Disneyland. Huge service industry.
David Spark
What is the shortest job you ever held?
Andy Ellis
Shortest job. One day.
David Spark
Same here. One day. And where was that?
Andy Ellis
Two different ones. One was a telemarketing firm that my grandmother, who was looking for something to do, convinced me to come interview with. They wanted to hire me right off the bat. Like, I did one day of it. And I'm like, I will never do this again. Made myself a promise I would never do that again. And the second one was I did PC assembly and repair and got to the end of the day and I'm like, okay, let's talk about when I get paid. And he said, what do you mean, get paid? He said, you're doing this for the knowledge. And I'm like, oh, no, I'm not. Like, I know how to build PCs.
David Spark
And they didn't show. Wait, wait, wait. We can pay you.
Andy Ellis
Yeah. No, he was, he was all about the free labor.
David Spark
Jacob, what's the shortest period of time you've held a job?
Jacob Combs
Three months, and it was at a pizza place, a pizza chain restaurant. And I only did it at the end of high school for a short period of time until I left.
David Spark
Similarly, I lasted one day delivering Domino's pizzas. And here was the kicker. I was delivering a pizza and the guy gave me the money, and I was handing him his change, which was 5 cents, and he said to me, gallantly, keep the change.
Andy Ellis
Well, demonstrating the value you provided.
David Spark
That's it. I'm out of here.
Andy Ellis
Yeah.
David Spark
What about this AI security challenge.
Quote. It's no longer just about protecting infrastructure. It's about enabling innovation safely, building trust, and helping the business move faster with confidence. End quote. It turns out that AI is changing the relationships of CISOs with the rest of the C suite. According to Deneen DeFiore, CISO at United Airlines and former guest, this seems like a perfect moment for cybersecurity to be seen as a business enabler. Jacob, like your opening tip, how is this happening? Well, not the aspirational vision, but the messy reality. Speak for yourself, Jacob. And actually, when I saw you last, you were speaking on an AI panel. I want to know what you or some others you know have done within the security division or the business that has actually enabled AI to help the business, to move the business forward, to be innovative. I'm interested to know what's worked and what has not worked with AI. What's been your experience, and also speak to what you've seen too.
Jacob Combs
Yeah, yeah. And what I've seen, and what really, at least in this short period we've had it, at least be somewhat functional and more trustworthy, I would say, as days go by. But what I would say is, number one, is ultimate productivity. So I'm seeing myself and even the C suite, and then the same in other companies, just up-level their productivity. And so what that has allowed us to do as a collective executive group is to be able to actually have more time together to talk more about risk management. And what I've seen it do from my perspective is I'm able to talk more about the business with the broader risk management, enterprise-level risks. Right. Not just security risks. And that's helped not only them function and manage the business better, because I have a very conservative, transparent way I manage security. But then also it helps me understand a lot more about the business and then I can drive that back into my security team and we are only focused on really important projects. So it has this sort of flywheel, I hate saying that, but it has this flywheel of productivity that it creates, at least at a management level. What I've seen not working is just when you try to solve some problem that's not really solvable, or at least the way I've seen it put is you try to put AI into an existing process. It seems to not function as well. And the kind of advice I've been given and what I've seen in other organizations is that when you bring AI in to help completely revamp a process or, you know, only hire young people or whatever it is you want to do, you start from the beginning and you kind of rebuild it from scratch, learning all the lessons you've learned, know what you're doing, and build it for AI and not for the human that used to be there in the past. So that's at least what I've seen that works and what kind of doesn't work, but with somewhat of a solution.
David Spark
All right, Andy, I want to know real world examples. What have you seen work and not work in sort of any aspect of AI?
Andy Ellis
So I think what I've seen really work well is you say, here's what AI will be great at and then here's what the human still needs to do. And that's the conversation. Because I see a lot of security vendors especially that embrace AI for marketing. But what they think is they can just say, well, I need to write 70 blog posts in the next month. I'm going to have AI create a list of 70 posts and then have AI create 70 posts and then have AI post them and nobody ever read them. There was no editing, and AI writes fine. It's not like you need an editor to go in and do copy editing. You need somebody to go in and say, does this match our narrative? What were our prompts? And so once you have conversations around that with a business partner, now you can talk about ways AI goes wrong and now you can get to talk about security. If you first come in and start to talk about security, it's heard as an implicit no. So instead talk about how to just implement AI right, for the business and then you can talk about the security components of that. Like one of my favorite uses of AI, especially for executives, because executives are fantastic human beings who are great at context shifting, but they sometimes make decisions before they finish their context shift. Right. They just came out of a meeting about one thing. They walk in and you start talking about a project that you've talked to them every week about for six months. But since the last time you talked to them, they have worked on 75 different problems. They don't remember your project. Right. I think every executive should have AI right next to them. So when you walk in and say, hey, we're here to talk about MFA, they can be like, hey, Grok, explain MFA to me like I'm five years old. Right. Or give me the quick summary of this. The ability for us to like use AI in this, in the risk decision making conversations, to make sure everybody actually has the whole knowledge in their head.
Because if you walk in and say, we need you to spend $5 million to. Doesn't matter how you finish that sentence. All they heard is, you want $5 million. F you right, it should instead be, remember, we have this problem we're working on. Here's how we're going to approach it. Everybody's already bought in. And even though you had that conversation a week ago, you have to remind them. And I'm like really excited about the use of AI for that. I know that wasn't quite necessary to the question, but I think that we need to embrace AI for productivity. More like Jacob talked about. But a big piece of executive productivity is being able to put your head into the right frame for the conversation that you're about to have.
Jacob Combs
Yeah. And to that point I'm looking at that kind of thing for my team as well. And documentation, threat intelligence, all of the heavy lifting, kind of pulling out the context. That's exactly it.
David Spark
Best of breed tool sprawl and a lot of redundancy. There's gotta be a better way to handle all this. We got some suggestions coming up next.
This week's security tip is brought to you by Tenable, the exposure management company.
Over the past decade, rapid technology adoption has pushed many organizations toward a best of breed security strategy. Multi cloud environments, IT and OT convergence containers, Kubernetes, and now AI all evolved at breakneck speed. In many cases, security for these technologies was led by innovative startups that solved very specific problems and solved them well. But specialization came at a cost. Tool sprawl increased, procurement became more complex, and security teams were left juggling disconnected views of risk. More tools often meant more data without necessarily more clarity. Without shared context, alerts stayed siloed and attackers exploited the gaps between tools. Consider your exposure management as an asset to provide visibility into your security program. What are those best in class solutions doing and how are they talking to each other? Are the tools performing as intended? Are they actually working together? Initiate an internal discussion with your team around what your exposure management program can or should do for you. You want to correlate signals, map relationships, and add the cross domain context needed to understand how attackers actually gain access, move laterally, and reach critical systems. When you have greater clarity, CISOs can maximize return on existing investments, reduce noise, and make smarter decisions about where consolidation truly makes sense over time.
This has been your weekly security tip. To learn more about exposure management, go to tenable.com. Here's some surprising research.
"Are you better off than you were four years ago?" End quote. It's a classic question in presidential politics, but Wade Baker from the Cyentia Institute tried to apply it to cybersecurity. Turns out it depends how big you are. Their 2025 IRIS study shows that over the past decade, firms under a hundred million dollars in revenue have seen their incident probability more than double, while those over $100 billion in revenue have cut their risk by a third. Now, as Baker puts it, this quote "hammers home Wendy Nather's concept of the security poverty line." Giant corporations with giant budgets are winning while the pace of change is moving faster than SMBs' ability to defend themselves. So I will start with you, Andy. So what are large enterprises doing right that's actually working, and is there anything we can apply from that to close the gap for these smaller organizations?
Andy Ellis
So one thing that we should just always take studies with a grain of salt is it is quite possible that the thing that they're doing right is being careful about talking in public about their costs and their breaches.
David Spark
So this may not be legitimately accurate.
Andy Ellis
It may or may not be. I'm a huge fan of Cyentia IRIS work, but sampling is a huge problem and the bias of what you actually can observe. Right. And we've seen this with a bunch of other studies as well. That said, there's economies of scale here, right? If you have less than $10 million in revenue, you probably don't actually have a security team at the end of the day that's going to be your biggest challenge. And so you're more likely to get hit. Now, the other thing worth noticing if you looked at their data is that while organizations over that was that number, $100 billion have gotten safer. They are still less safe than the $10 million companies we're working off of. A like you are the biggest targets and you're getting hit all the time. Right. You went from 70% chance 20 years ago of having critical incidents or 17 years ago to now it's only 18%, whereas those less than $10 million businesses went from like 2% to 6%. So I'd be very cautious about saying this is a security poverty line problem and more just I think everybody is online, it is easier to get attacked and everybody is getting hit. That's kind of where I think we are. I think the democratization of having tools that work for everybody is helping everybody, while at the same time everybody being online is making everybody more risky.
David Spark
All right, what do you think, Jacob, in regarding, do you think there is a security poverty gap? Because I'm thinking if you're bigger, you got a lot more things to protect. So maybe you got bigger problems even though you got more money. What do you think?
Jacob Combs
Yeah, I tend to agree with Andy, but I think there's two things that may make that difference and may have fed the information to this study. One is I'm in a medium sized company. We're more than the poverty line, but we're still not that large. And when I look at these massive companies who are hiring a senior manager for the center of excellence for Identity Access Management, I have no thought that I'm ever going to have that kind of role in my organization. And so they're able to build this focus and these centers of excellence that can do this thing well and do it from top to bottom in a whole vertical. Right. And so that's, that's one area I think that they may have an advantage. And the other is because of that, because of these resources, they're able to sustain better. Right. And that's the issue with smaller companies. You'll go and you'll buy a product and you'll plop it in place. But then in six months, you haven't looked at it in three. Right. So what's that mean? It's really can do you have the resources and the capability and the maturity to sustain it over time. But again, like Andy said, I think there are tools coming out there that are democratizing this a little bit. Right. The MDRs that are coming out in place and giving you a full SOC that you can pay, you know, not too much more than you would pay for just a SIEM product. Right. And things like that that are making it much easier. And then like we were talking about AI here to help you duplicate your staff and increase their productivity without having to have all the overhead and maybe all the process that a large company. But then, then by virtue you're more agile, you can actually respond and behave better. So I think the poverty line is still present, but I think it is like you said, there's a scale and a scope that then make it almost the equivalent. I would say.
Andy Ellis
Yeah, I actually think the poverty line is worse in foster care. I mean really strain this analogy, which is in the very large companies, they're very clearly the unloved children. And just to be clear, foster children should be greatly loved. And anybody who's willing to foster, amazing. So I don't want to overstrain this, but there are sub organizations in these large companies that are using dated ancient technology. They're not the flagship, nobody cares about them and as a result they often have really poor investment in IT and security. And it would not shock me if we see a disproportionate number of breaches in those larger companies are coming out of the not flagship units.
David Spark
Very good point. Well, that brings us to the very end of the show. I want to thank our guest, Jacob Combs, CISO over at Tandem Diabetes Care. Are you guys based in San Diego, by the way?
Jacob Combs
We are headquartered in San Diego.
David Spark
Awesome. Huge thanks to our sponsor ThreatLocker and the fact that they are bringing us and we want to see you there at Zero Trust World 2026. Remember it's happening in early March and you get $200 off with the code ZTWCShow26. You gotta go to ztw.com, which stands for Zero Trust World. But if you forget all of that, just go to the blog post for this episode and you'll find it right there. Thank you again. And as I say to our audience at all times when they listen to the show, and I truly mean it, we greatly appreciate your contributions. And for listening to the CISO Series Podcast.
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website cisoseries.com. Please join us on Fridays for our live shows Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines: Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series Podcast.
Date: January 20, 2026
Hosts: David Spark, Andy Ellis
Guest: Jacob Combs (CISO, Tandem Diabetes Care)
In this episode, the panel explores how artificial intelligence (AI) is reshaping the relationship between cybersecurity, business operations, and human talent. Amid ongoing challenges between security practitioners and vendors, the discussion delves into persistent gaps in security tooling, sales transparency, the realities of "best of breed" tool sprawl, and the shifting dynamics AI introduces—both as a force for productivity and a new risk vector. The conversation emphasizes the importance of cooperation between technical leaders and business teams, warns against over-reliance on platforms and AI, and ultimately argues for a blend of human expertise and technological advancement.
Best Advice in Security:
Jacob Combs shares the improv-inspired advice to say "yes" instead of "no" to business requests, becoming an enabler versus a gatekeeper.
"Instead of becoming the gatekeeper, you become an enabler." (Jacob Combs, 00:03)
Lessons from Observing Effective Salespeople:
Andy Ellis describes how an observant approach to selling—identifying customer needs and offering only relevant features, not overselling—applies equally inside organizations.
"Only sell what is needed to solve the problem... Do not waste your political capital on pie in the sky fairy tales." (Andy Ellis, 03:39)
Being Personable Matters:
Interpersonal skills and genuine engagement are highlighted as central to building trust and closing deals.
Mismatch Between Vendor Offerings and Real-World Needs:
Vendors often develop products based on theoretical models, failing to integrate with the actual workflows of modern organizations, where security responsibilities straddle both software and security teams.
Governance vs. Operational Ownership:
Andy points out that while security teams are held accountable for code security, only software teams can implement changes—leaving a persistent gap only solvable at the CEO/board level.
One-size-fits-all Solutions Don't Work:
Jacob emphasizes the complexity and variability of tech stacks in organizations (especially those with legacy components), making integration and customization of security tools a major challenge.
Honesty Over Hype:
CISOs value transparency about what a vendor's product can and can't do, as overselling erodes trust.
"Every CISO I know respects honesty more than bravado." (Rinki Sethi, quoted by David Spark, 10:05)
POCs and Easy Integration:
Jacob requires proof-of-concept (POC) trials and flexible integration/decommissioning for all major tools to force vendor honesty and value creation.
Overselling—A Problem from Top Down:
Andy identifies that aggressive KPIs and field marketing masquerading as sales drive overselling and create a bad experience for buyers.
What Makes a True Platform?:
Andy offers a practical definition that a platform should have more than three separate, interchangeable entry points for products; otherwise, vendors shouldn't claim they are platforms.
Scenario 1: Security team refuses to use AI tools, lagging behind attackers.
Scenario 2: HR hires only juniors, assuming AI will do the heavy lifting.
Debate & Insights:
Andy argues that a security team's refusal to learn and adapt with AI would be worse, as they become disconnected from business needs and innovation.
Jacob contends over-relying on junior staff guided by AI could have unintended long-term consequences, including loss of expertise and context.
AI as a Productivity Multiplier:
Both Jacob and Andy observe significant productivity gains from using AI, freeing decision-makers to focus on risk conversations and enabling deeper collaboration.
Pitfalls of Bolt-on AI:
Attempts to "AI-wash" existing workflows typically don't work; success comes from redesigning processes around AI from the ground up.
Human Context Remains Essential:
Andy stresses that AI should enhance, not replace, human judgment. For example, executives can use AI to rapidly regain context for decision-making, but ultimate direction must remain with people.
"AI writes fine... You need somebody to go in and say, does this match our narrative?" (Andy Ellis, 29:46)
Concrete Use Cases:
Documentation, threat intelligence, context gathering, and executive briefings are cited as areas where AI can "pull the heavy lifting".
Best-of-breed Tool Proliferation:
Rapid technology evolution has led to specialized tools, but at the cost of complexity, visibility gaps, and disjointed risk management.
Solution Approach:
Internal discussions about exposure management—visibility, correlation of signals, cross-domain context—are recommended to maximize investment return and promote effective tool consolidation.
Study Findings:
Latest Cyentia IRIS research shows large firms statistically have less risk, while smaller firms' risk has doubled.
Caveat on Data:
Andy warns that reporting bias may skew these results—large enterprises are more guarded in public disclosures.
Structural Advantages of Scale:
Large organizations can form specialized teams (e.g., "center of excellence for Identity Access Management") and maintain solutions over time, while SMBs struggle with sustaining resources.
Democratization Through Tools:
MDR (managed detection and response) and AI are seen as leveling the playing field, helping smaller orgs increase efficacy and maturity.
“Security Poverty Line” as a Nuanced Issue:
The gap is real but may also exist within large organizations themselves, especially among neglected business units.
The Value of Observation
"We had a sales rep...He would go to a customer and you'd find out what their problem was and he would sell them one feature...What it taught me from the security side is when you're selling projects internally, only sell what is needed to solve the problem."
— Andy Ellis, [02:33–03:39]
Transparency in Sales
"Is your product good enough that if somebody knew exactly how it worked, they would still be willing to buy it...that's what you should be selling."
— Andy Ellis, [13:14]
AI and Human Value
"It turns out that AI is changing the relationships of CISOs with the rest of the C suite...AI is changing the relationships...for cybersecurity to be seen as a business enabler."
— David Spark, [27:00]
Pitfalls of Over-Reliance on AI
"If you're hiring just junior people...relying on AI all the time...It's going to have a potentially worse result in the future."
— Jacob Combs, [23:24]
The conversation is lively, honest, and pragmatic—with good-natured joking (often about job titles and industry clichés), a candid look at uncomfortable truths in vendor relations, and a nuanced appreciation for the human side of tech and security. Panelists share personal stories, debate with good humor (especially during the "What's Worse?" game), and consistently circle back to the importance of trust, clarity, and valuing human expertise alongside technology.
For listeners new or familiar, this episode brings practical wisdom on integrating AI into security functions, navigating the vendor landscape, and maintaining a human edge in an increasingly automated industry.