Podcast Summary: CISO Series Podcast
Episode: All Cybersecurity Problems Are Easy to Fix… With Unlimited Time and Budget
Date: March 4, 2025
Hosts: David Spark, Andy Ellis
Guest: Adam Holland (CISO, The Wendy’s Company)
Episode Overview
This episode explores the practical realities of the CISO role—how security leaders must transcend mere risk communication to become true business partners. It delves into mentorship’s changing landscape, how bridge mentoring fosters stronger, more diverse teams, and the utility vs. complexity problem. The group draws from real-world stories and challenges, particularly from the fast-service restaurant sector, to illuminate the trade-offs and strategies that define modern security leadership.
Key Discussion Points & Insights
1. The Evolving CISO: From Translator to Business Partner
- Framing Cybersecurity as Competitive Advantage:
- CISOs shouldn’t stop at “translating” security for nontechnical executives. Instead, as Andy Ellis notes, they should embody authentic business enablement, making clear how security advances operational goals.
- Quote:
“You cannot just say, ‘I'm going to be the strategic business enabler.’ And now you are one. That's like putting on the trappings of an adult while you're still a kid.”—Andy Ellis [05:59]
- Security can still drive business value—but not always as a “differentiator” anymore; almost everyone is now doing baseline security.
- Moving Beyond Fear-Driven Conversations:
- Fear as a motivator—like “twisting the screws”—is outdated. Instead, security should stay focused on enabling people to do their jobs safely and efficiently.
- Quote:
“My job is not to keep you from doing unsafe things. It's to help you do things safely. Very subtle difference. But once you have that in your brain, you'll never say that I want to twist the screws on someone.”—Andy Ellis [09:03]
2. Mentorship, Bridge Mentoring, and Changing Career Paths
- Bridge Mentoring:
- Success often comes through exposure to mentors from different backgrounds (bridge mentoring), not just those who look like the mentee.
- Advice for Mentees:
- Focus on curiosity and a commitment to learning, not simply seeking a “secret sauce” for fast promotion.
- Mentorship Types:
- Andy breaks down mentorship into transactional mentors, long-term sponsors (“rabbis”), and the importance of having a “bench” of recommended names for opportunities.
- Quote:
“There's another one...often called a rabbi...who is deeply invested in your career and they're going to follow you and watch you for a decade or more and they're going to find opportunities for you—way better than being a mentor... I've had this where I've had a major company call me up and say, ‘Hey, we want you to consider taking this job.’ And I'll be like, ‘No, but I know somebody who's not on your radar that you should go hire.’”—Andy Ellis [13:42]
3. Budgeting for Cyber Risks: What’s Worse Game Segment
- The Budget Dilemma:
Two options discussed:
- Teams get funding only after highly publicized risks in the news.
- Teams get funding only after an incident in their own domain.
- Panel agrees: The second scenario (needing your own incident to secure budget) is “worse.”
- Memorable Moment:
Playful riffing on “burger bucks” and “fry franks” as internal security budget currencies at Wendy’s.
- Quote:
“In either scenario, I'm going to fall back on, never waste a crisis. It's going to be I have the money to move or I'm going to get that incremental cost in that second one.”—Adam Holland [23:45]
4. Utilitarian Approach to Securing at Scale
- Focus on Most Impactful Actions:
- Should CISOs strive for “the greatest good for the greatest number” (utilitarianism)? Both Adam and Andy advocate balance—solve major issues that benefit the majority, but don’t neglect outliers with unique risks.
- “Solve, life support, or live with” framework: triage which problems to fix outright, which to “contain,” and which to accept.
- Quote:
“If you're going to say, ‘I have to go take John Stuart Mill's definition of utilitarianism and build my security program on it’—I want to treat you like the trolley operator in every trolley problem. The correct answer...is shoot the trolley operator...”—Andy Ellis [28:54]
5. Gamification and Neuroscience in Security Awareness
- Beyond "Checkbox" Training:
- Gamification succeeds only if it’s grounded in meaningful goals and tailored to user needs. Recognition (e.g., challenge coins at Wendy’s) can drive positive behaviors more than repetitive, generic modules.
- Fill-in-the-blank gamification (badges, points) can misalign objectives if not tied to real skills.
- Quote:
“Gamification is a tool. It's a thing. What is the point of your security awareness program? If you don't know what you're trying to teach people, then it does not matter how well you gamify it to suck people in.”—Andy Ellis [33:07]
- Peer recognition and rewards (“cake with the CEO”), or in Wendy’s case, “challenge coins,” are memorable and valued.
Notable Quotes & Memorable Moments
- On Ego in Business Relationships:
“Your goal is rarely to be right. It is to get something done.”—Andy Ellis [04:23]
- On Cybersecurity’s Business Value:
“How does this help me sell more jeans?”—Steve Zaluski (quoted by David Spark) [07:47]
- On Budget Jargon:
“I use that phrase cause it adds humor to a tough topic. So when I put up my budget stuff. Yeah, it's burger bucks.”—Adam Holland [25:07]
- On Recognizing Teamwork:
“I did cake with the CEO... I got more work done out of teams because I would feed them cake in front of a CEO and laud them and be like, here's all the great things they did.”—Andy Ellis [36:35]
“Maybe like, burgers with the boss, right?”—Adam Holland [36:40]
Timestamps for Key Segments
- [05:00] – How the CISO role as business partner is evolving
- [11:39] – Bridge mentoring: Approaching mentorship from different backgrounds
- [19:16] – "What's Worse" game segment: Budgeting for risk
- [27:00] – Operationalizing a utilitarian approach in security
- [31:56] – Advances in neuroscience, gamification, and security awareness training
Final Thoughts & Closing
- Adam Holland emphasizes the value of community in security:
“Smart people are uniquely vulnerable to mistaking complexity for insight. And I love tools like this and communities like this that are helping us find that insight in complicated topics…” [37:19]
- Adam also confirms Wendy’s is hiring and invites listeners to connect via LinkedIn.
Summary Takeaways
- Security leaders must do more than “translate”—they must proactively partner with the business, using security as a driver (not friction).
- Mentorship’s real value comes from relationships and long-term advocacy, especially from diverse perspectives.
- Gamification is not a panacea; the heart of training is meaningful skills, recognition, and relevance to the learner’s work.
- Budget battles are perennial; savvy CISOs know how to align funding arguments to what the business and its leaders value most.
- The cybersecurity community grows and improves by openly sharing pain, humor, and insight—together.
