
Loading summary
David Spark
Biggest mistake I ever made in security. Go.
Dima Sokolovsky
Not putting enough time into maintaining relationships. Every time I run into a problem inevitably comes back to either me or my team. Not putting enough time into a relationship.
David Spark
You're listening to CISO Series podcast recorded in front of a live audience in Boston.
Welcome to the CISO Series podcast. My name is David Spark. I am the host and producer of the CISO series. And on my far left over there, that is Andy Ellis, who is my co host. He's the principal of duha. Let's hear it for Andy. Say hello to the audience and please feel free to plug your book.
Andy Ellis
Good afternoon, folks. I was just having fun pulling up my book and pointing out the book 1% leadership, 1% leadership and just pointing out that I have a chapter for Demetri's bad event, which is celebrating victories builds relationships. Always help people celebrate their victories because other people aren't doing that. It's a cheap and easy way to make friends. Yes.
David Spark
Not just happy birthday, by the way. I find that the weakest way to celebrate.
Andy Ellis
That's a weak way. But I used to do cake with the CEO when somebody fixed a major problem that I had told the CEO existed. We would get cake, bring it to the meeting with the CEO and have the team show up. They would get cake and I would say, what a amazing things they do.
David Spark
So the more problems you solve, the fatter the team got.
Andy Ellis
Absolutely. But I would have people saying, what do I have to do to get cake with the CEO?
David Spark
Solve a problem.
Andy Ellis
Solve a problem. There you go. And they'd say, well, what's the list? And we would give them something to go do.
David Spark
Let me explain to the listening audience where we are. We have a nice, wonderful live audience in front of us right now. We are at Aqueduct Technologies offices. They're a var and they have a beautiful this atrium space, which is gorgeous that we're doing this show under. So let's hear it for our host, Aqueduct Technologies. And let's also hear it for our sponsors. And let me mention our two sponsors. For today's episode, we have Strike 48, the agentic operations platform without blind spots, and DropZone AI Hunt investigate and respond at machine scale. Let's hear for those sponsors as well. And we will hear more about them later in the show. Okay, so briefly, I always ask Andy before we do the show, like, what do we want to do a quick banter about for just about one minute. And you brought up something called red button, blue button. This is a sort of philosophical exercise. Explain.
Andy Ellis
Yes, it's this meme going around that everybody on the planet is given two buttons. If half of you press the blue button or more, everybody on the planet lives. But if fewer than half of the people press the blue button, then only the people who press the red button live. And what do you do? And, like, Mr. Beast did this on Twitter, and apparently he got, like, 54% of the people to pick the blue button. The correct answer is to push the red button. Because the right way to phrase this is if you push the red button, you live. If you push the blue button, you die. Unless you manage to emotionally blackmail 50% of the planet into dying with you, at which point the person who set up the trolley car problem decides not to kill you all. Push the red button.
David Spark
No, but here's the other thing. If you press the red button and not enough people press the blue button because you're one of the people who did not press the blue button, then you're gonna live a miserable existence with half of the planet gone.
Andy Ellis
It depends on which half. But look, no, the fact that you
David Spark
want to commit suicide, this half is gone.
Andy Ellis
Okay? If they were all foolish enough to press the blue button.
David Spark
Wait, stop. This half. This half is gone.
Andy Ellis
Well, there's a couple people I think should move over. But the correct phrasing, the blue button people are trying to commit suicide and trying to convince you to join them in hopes that that will cause them to not die. Push the red button first, because then you live. And everybody who pushes the red button lives. This is not that you live at the expense of someone else. They're trying to blackmail you into feeling like it's your fault they died. Doesn't work that way.
David Spark
No, it's true. It is. And so now we all know we can't trust Andy. All right?
Andy Ellis
You can absolutely trust me, because you know I will push the red button.
David Spark
Very predictable. And send us all to our demise.
Andy Ellis
No, you will send yourself to your demise by pushing the blue button.
David Spark
I am more supportive of the people around me.
Andy Ellis
I'm absolutely supportive, which is why I'm telling them not to rely on you pushing the blue button.
David Spark
Press the blue button to my immediate left, right here is our guest for today, and I'm thrilled that he's here. Repeat guest, we've had him on many times before. Senior Vice President of Information Security over at Semrush, which just recently got bought by Adobe. Let's hear it for Dima Sokolovsky.
Dima Sokolovsky
Thank you, Dave. Thanks.
David Spark
Is AI going to help us or hurt us?
Quote Every repository of code you rely upon just became a liability with a clock on it, end quote. That's Rob Joyce, who spent 35 years in an NSA leadership but watching offense defense dynamics shift, he's now saying mythos. You know, Claude, Mythos is different. Not an incremental change, a structural break. Now agentic vulnerability. Discovery operates at a scale that makes the entire concept of patch and defend feel like bailing out a ship with a cup. I'm going to start with you, Andy, on this. Does this move technical debt from a budget problem to an existential one? And is this a transition point we've never managed before? And just right now, I'm boiling it down to what are the questions we need to ask ourselves to determine first steps.
Andy Ellis
So first, I just want to disagree with some of his language, even though I mostly agree with him on this one, which is rare. I usually don't agree with Rob Joyce, but he's clearly never been an accountant with double entry bookkeeping. Because every liability you have is matched by assets. You want more liabilities, so you have more assets. Like literally these are going to balance out. If you only look at code as a liability, then you're not looking at the fact that code is also an asset that brings you value. And so even the language we use is broken. Technical debt. Most companies are debt fueled. Most homes are debt fueled. Debt is just part of our economy. The language feels fraught with risk, but it's not really. And it doesn't help to have conversations there. But let's come down to really what the challenge here is. How many people in the audience have a car? Everybody's gonna raise their hand. Cause we're in Boston. It's not really safe to ask this question, like in Tel Aviv or San Francisco, where half the people don't. Imagine if some random person in your family could be your kid or someone else says, I found out about a security flaw in your car. I'm going to go fix it. And you're probably gonna look at them and be like, no, you don't touch my car. I have a dealer or I have a mechanic or whomever that deals with my car. This is how security professionals interact with code. Today, we are not the people who maintain software. And yet somehow we think we get to decide and go patch things. This is the biggest sin of software engineers is they have convinced the rest of the business that that is in fact how it works, that the security team is responsible for fixes, yet the software teams aren't going to bother doing them. It is the responsibility of the software engineering organizations to patch software, preferably before it ever goes out. And until we as organizations hold them accountable to it, we are, oh, wait, we're not an explicit podcast, so we're foxtrotted at that point. It's not our problem to fix, but we should be pointing out not the problem of what vulnerabilities are there, but the problem that engineers aren't fixing them. That's the problem.
David Spark
Dima, jump in on this someone. Sue likes what you had to say.
Dima Sokolovsky
I do agree, and I think that's the existential problem that we're dealing with. The fact that we have crappy software. We've been making crappy software for the last 20, 30 years, and we continue to do so now at faster speed because we can and no one is going to stop us. That's what Products is saying right now in many cases. Now, is this a transition point that we've never managed before? That's not true. I think in many places. I've seen this in fidelity, let's say 10 years ago, where their infrastructure is ephemeral. It doesn't live long enough to cause damage because they're continuously redoing it. Now, that's a change in everything about how you release your product, how you run things. Now, instead of trying to build infrastructure to run a product, we should all change the mindset into we got to build infrastructure that can survive this and then build a product to run in that infrastructure. And that's the existential problem we've got to fix.
David Spark
Surprising research just in
quote, most boards are simply completely incapable of overseeing cyber risk. It's just so far outside of their experience and their expertise that all they can do is assess the credibility of the executives that are put in front of them, end quote. Now, a field study of 38 directors, CISOs and consultants in the journal Management Science confirmed what most security leaders already suspected. Non expert boards go through the motions, like asking questions they don't fully understand, receiving reports they can't critically evaluate, and unknowingly letting CISOs set the very terms of their own oversight. Cybersecurity expertise sits on fewer than 15% of public company boards. The more interesting question isn't how to shame boards for this gap. It's how do you extract maximum value from directors who hold governance authority? So I'm going to start with you, Dima, on this. How do you get more value out of those who don't have expertise?
Dima Sokolovsky
I don't think they need to have the expertise in their majority but they do need to maintain the fiduciary responsibility. It's not just making sure that we don't lie to them. It's not just about specifically me. It's about going a little bit further. Some of them that don't know technology don't understand the things do still understand the things in their terms. Business, finance, et cetera.
David Spark
And that's why we always talk about this. It's important that you translate to business risk.
Dima Sokolovsky
But I think they don't do enough about driving us to those conversations. We're being asked to tell them how things are, and we are not giving any guidance. And if the situation is. Look, tell us how it is, but please account for the fact that we don't understand. We need you to tell it to us in the following terms. Here is a finance consultant that can work with you to quantify cyber risk in your company.
David Spark
I'm assuming this took you a while to figure out yourself.
Andy Ellis
Yes.
Dima Sokolovsky
The last two, almost 10 years worth of board conversations is where this kind of landed. But I gotta give credit to the boards I was dealing with. They understood. And some of this was happening in the conversations we had. So it is happening somewhere, but maybe not enough.
Andy Ellis
Andy, I just first want to disagree with Dimitri. If you're trying to quantify cyber risk, you're doing something very badly wrong.
David Spark
By the way, Andy has a lot of opinions on this. Go for it.
Andy Ellis
And I Recommend going to howtocso.com and getting volume 2 on risk, and it will teach you a little bit more there. Sorry, I just had to do that one. Look, I want to agree with this, with the question. It's not even asking, simply because, hey, if you're a company out there that needs cyber expertise on your board, I'm an experienced board member and an experienced cybersecurity professional. It's in my interest to say, you should get more of me.
David Spark
All right, so also get Andy's book, one percent Leadership.
Andy Ellis
Let's just be very clear, other than the CRO and the cfo, boards do not have the expertise to engage with most of the executives. A CMO walks into the room and boards just go blank. They see someone talking about a pipeline number. That's a joke, because the size of the pipeline is usually 30 to 40 times the size of their revenue. And they're like, what is this? But that's okay. We'll get you in, we'll get you out. So this is not a problem unique to CISOs. This is every executive has this problem. The best executives talk to their board outside of board meetings. If you would like to engage with your board, most directors will happily take a meeting with you and dig in on your data and have the conversation. When I was a CISO, I had a 17 page report ready to go all the time. Whenever a new board member showed up that I sent them that explained to them what the company did because nobody else had done that. I said, here's all of our product lines. Here's the sorts of risk they bring us, here's what we do to mitigate it. So that when you hear about a thing and you're surprised, you can refer to my guide. They were using my language before the product people's language because product wasn't briefing them. I got to get a step ahead. So this is the real answer. And Dimitri did hint at that one as well. Talk to your board outside of a board meeting, because a board meeting is kabuki theater. What you say the CEO has already blessed. You're not setting the terms of your own oversight. The CEO is doing that. And you're just working around the edges.
Dima Sokolovsky
So you're saying teach them.
Andy Ellis
Yes. But don't teach them in a way that sounds like you're teaching them. You're just being open and transparent and recognizing that their time is valuable in a board meeting and not wasting it there and giving them the opportunity to ask questions in front of you that they might not ask in the board meeting because they're afraid of looking stupid, but they'll ask you a question one on one.
David Spark
Yeah.
Dima Sokolovsky
And I can concur. This is what happens, is when you engage one on one with the board members that have some connection. This is what happens.
David Spark
Who's our sponsor this week?
We have two wonderful sponsors and I want to tell you about both of them, but we're just going to do it one at a time here. So let me ask you something. What does your SOC do at three in the morning on a Tuesday? New Threat intel drops an attack pattern targeting your industry. Your team is four people, all on day shift and already behind by the time someone gets to it. The window for early detection has closed. DropZone AI is built for exactly this problem. AI agents that investigate alerts, hunt threats, and respond to attacks across your full security stack while your team sleeps or eats lunch or focuses on the work that actually requires a human brain. These aren't chatbots or copilots. They are autonomous AI agents that query your tools, follow the evidence, and deliver completed investigations with every reasoning step visible. No black box, no hidden humans. Your analysts direct the strategy. The AI agents handle the volume. DropZone is deployed at over 300 organizations and and recognized by Gartner as a cool vendor for the modern soc. You want to learn more, you got to go to their site. DropZone AI. It is spelled just the way it sounds. DropZone AI. And when you go, let them know you heard about them from the CISO series.
It's time to play what's Worse.
All right, I'm assuming you are all aware of the game what's Worse. Yes. You've listened to the show, you've heard this. We've been doing this game since the beginning. These are two awful scenarios. Andy's already scribbling down. He's going to write notes down. By the way, this, I would say variations of this I think are playing out right now. Okay, this comes from Jeremy Trammell of Check Point Software. Thrilled that he sent this in. Andy's going to answer the scenario first, then Dima, you can agree or disagree, and then I will throw it to the audience by applause. We'll see which of the two scenarios you like. All right, scenario number one. I'll just title it Taking the AI lead for competitiveness, security be damned. We're moving fast. Who knows what risks are coming on? We're going to win. The goal is to beat competition to the market. Security implications of AI agents running wild are completely unknown. The business's attitude has always been we're business first, security second. I would say all businesses are like that, but the risks are so completely unknown because we have no idea what these agents will do. You'll get to implement security, but you won't know until after the agents are deployed. That is scenario number one. Scenario number two, company is very risk averse. They're playing it very safe with AI adoption moving very slowly and getting the security team involved at every step. Sounds great, but they're in a very active space and their biggest direct competitors have made it clear that they're pushing forward fast and aggressively with AI adoption. So it sounds like they got competitors in scenario number one. So lack of AI adoption could set your business and company back years. But if your competition missteps, you could step ahead. Andy, which one's worse?
Andy Ellis
Okay, so this one's an interesting one. Can I specify the size of the company? Because I think that actually does matter.
David Spark
Sure.
Andy Ellis
Okay, so you said active, competitive, aggressive space. So we're not talking really large, multibillion dollar, established companies.
David Spark
Probably not.
Andy Ellis
Great, because that definitely will change things.
David Spark
Those guys are in general more Risk averse.
Andy Ellis
So there's this great article about the Redmond versus the Cambridge approach to delivering software. This was probably written 25, 30 years ago, which basically, there's two ways that you can build software companies. One way, the Redmond way, a la Microsoft, is take something that's barely minimally functional and put it in the hands of users so that you grab all the market share. The other, the Cambridge way, yes, Cambridge, Massachusetts, named after mit, is to wait until you have a perfect thing and then try to get in the hands of users. One of these builds large companies, one of them does not. And that's basically what we're facing here, which is, do you want to have a company at the end of this? Because if so, then you're going to adopt option one. You might not have a company. Just to be clear, you still might fail. Bad things can happen. But chasing option two is the way to not have a company because you have a run rate, you have so much time until you're out of business.
David Spark
And if you're big, you're assuming scenarios two is a startup, these two are startups.
Andy Ellis
With that attitude, if you are relying on the fact that you're gonna get to keep whatever revenue you have and maintain profitability in an aggressive and changing space while you are not innovating, you might as well function like a startup.
David Spark
This is not saying they're not innovating, just means they're moving slowly. The first one is if you have security and breaking.
Andy Ellis
David, I've been in these meetings. If you have security involved at every single step and you don't make any progress until the security team says yes, that is a very polite code word for saying you are not making any progress at all and you are death by committee. We've all read the KGB manifesto about how to destroy American corporations, and it's that. So I'm gonna say that scenario two is much, much worse.
David Spark
All right, Dima, agree or disagree?
Dima Sokolovsky
I agree there's higher risk, much higher risk in not adopting this technology everywhere possible than anything else.
David Spark
Okay, all right, I'm throwing this to the audience. So scenario number one is taking the AI lead for competitive, moving fast and breaking stuff by applause. How many people agree with the two of them? By applause? All right, you can applaud. It's the audience. All right, by applause. How many people think, you know, you got to be a little risk averse here. You got to be a little safer here. Buy applause. How many people think that's the right strategy? One person. Little louder. Come on, Clap loudly.
Andy Ellis
What's your name?
David Spark
Jermaine.
Andy Ellis
Jermaine, with a J, A I, N E at the end.
David Spark
All right. What. What's. Oh, is he. He's giving you a copy of his book is what he's doing. Good job.
What are they talking?
All right, we have a new game. Well, we've played it a few times, so I'm going to play a series of sound clips of people answering a question for which you do not know what the question is. Your goal in this game is to figure out what question were they answering. And I'll give you a hint. All of these are what a CISA would say if. Okay, all four of these are that. All right, so going to go to the first one. We're going to let you two try. You can keep guessing.
Andy Ellis
I'm always bad at these games.
David Spark
After you do them, we're throwing it to the audience, see if they can get it. Okay, here we go. First clip you'll hear. You're going to hear multiple people answering. They're all answering the same question. All right, so it's what a CISO would say if at least it wasn't an insider threat. That went worse than I expected. Hopefully, you will still have a CISO tomorrow. How many lawyers am I going to have to be speaking with for the next six months?
Andy Ellis
They got breached.
Dima Sokolovsky
Got to be something like that.
Andy Ellis
Yeah.
Dima Sokolovsky
Incident with a breach.
David Spark
That is correct. That. You got that right. Good job. All right.
Andy Ellis
Okay. It's the first time I think I've ever gotten one of these. Right on the first try.
Dima Sokolovsky
It's because I'm sitting next to you.
Andy Ellis
Yeah.
David Spark
There we go. Here's the second one. Got some budget. You want to share with me for that? We'll do our best, but no promises. Do you want us to award prizes? Sorry, we can't. It's something everybody hates. All right, I will just say I'll play. I'll play. Sorry, we can't. It's something everybody hates. I'll play it again. This one is a lot tougher than that first one. I'll play it again. Got some budget you want to share with me for that? We'll do our best, but no promises. Do you want us to award prizes? Sorry, we can't. It's something everybody hates.
Andy Ellis
So you're being asked to implement something, but I'm trying to figure out what the thing. Because the last one implies it's a specific thing instead of just like you're being asked to, like, go deploy something new. What does everybody hate? Security awareness training?
Dima Sokolovsky
Yeah, awareness training.
Andy Ellis
And it's probably like. Hold on.
David Spark
Okay, you're right. I'm giving you a half a point for that. But there's something specific that brings that about, so I'll play one more time. Got some budget you want to share with me for that? We'll do our best, but no promises. Do you want us to award prizes so we can't. It's something everybody hates. So listen, you got the right part on the security awareness training, but there's something specific about that, that the first few sort of give you clues on prizes.
Dima Sokolovsky
Something about money, like, you know, like a bug.
Andy Ellis
And that can be a bug bounty. Oh, incentivize. Like paying people for like doing good. Security awareness awareness competition reported the boast.
David Spark
You're dancing around and I'm throwing this to the audience. It's what a CISA would say if. What do you think?
Dima Sokolovsky
Phishing simulation.
David Spark
No, what it has to do about security awareness training. What does CISO would say if. Something about security awareness training. When you want to try. Throw it out. New clients. This is a super tough one. I'm gonna. I'll be honest. I'll let one more try.
Andy Ellis
Val time Performance for businesses for successful completion of training.
David Spark
I'm going to give you the answer here.
Andy Ellis
Or maybe people do personalized training whenever they screw up.
David Spark
It's what a CISO would say if HR told them to make security awareness training more fun. So here, listen to it again. Got some budget you want to share with me for that? We'll do our best, but no promises. Do you want us to award prizes, sir?
Dima Sokolovsky
We can't.
David Spark
It's something everybody hates.
Andy Ellis
Oh, I see. The person is declaring that something everybody hates is a necessity, which is wrong. Easy to do. Security awareness training that people like. Make it short and fast.
David Spark
All right, we got two more. Here we go. Thank God it's only taken me 10 years. We're going to implement this immediately before you change your mind. I will spend it wisely. Now I can finally get something done. So what does CISO says when they get more money? Yes, that is correct. Good job.
Andy Ellis
Dimitri was on that on the very first one.
David Spark
Yes, yes, yes. All right, last one. Good job.
Andy Ellis
I don't know that CISOs ever have said that. Because that would impress flight getting more money.
David Spark
Well, it just. It just means what a CISO says when they get budget. All right, last one. We've talked about this. I warned you. Hopefully you haven't ran somewhere at the company. This is why training is so important.
Andy Ellis
Thank you for showing everybody that you're human too. When the CEO clicks on a phishing link.
David Spark
Yes, very good. I was gonna say, good, good job, Ed. And you were saying, you're no good at this game.
Andy Ellis
Well, so this one, this one actually, entertainingly, I had a CEO who instead would get up and instead of me going and doing the various security awareness trainings at an all hands, he would do it and he would go up and be like, I clicked on this link and you shouldn't. To sort of normalize it. He had never clicked on those links, but he would totally pretend that he had gotten fished and had fallen for things that were wrong.
David Spark
That's a damn good CEO.
Andy Ellis
That was really amazing, like, fantastic. But he would get up and do it and he would show people, like, I shouldn't have clicked it, but it was just going so fast. And I had to call Andy and I'm like, we never had. The first time he did it, I'm like, what is he talking about? We didn't have this conversation. Nobody told me about this. I'm like texting the head of it, being like, when did this happen to him? And later he's like, oh, yeah, it's never happened.
Dima Sokolovsky
I'm like, is this what he does instead of budget?
Andy Ellis
Yeah. Hey, it worked. I got to tell you, like, I have to say, the biggest challenge of security awareness training since we had hit it here is that we have actually normalized. Hiding your failures and being embarrassed by them. We should normalize the opposite. You are going to get phished. And it's not your fault. It's the fault of our computer systems. And we appreciate that you tell us when it happens and so you should report it very publicly. In fact, our mailing list for people who were socially engineered was public. Anybody in the company could be on it and you could get to say, I just got a phone call that claimed to be from the CEO asking for somebody's phone number.
David Spark
And.
Andy Ellis
And whether or not you fell for it, you would still send mail because the CEO would reply and say, thank you for not falling for that or thanks for telling us so that we can deal with the damage. Normalize it.
Dima Sokolovsky
I'm going to write this down. Thanks, Henry.
David Spark
Is this really the right strategy?
Quote all these solutions are trying to massage existing security techniques and apply them to LLMs. End quote. This was said by Gigaom's Andrew Green. Now the hope is LLMs will build completely new approaches we never thought of before. We traditionally had humans running security. Now, that's not necessarily the constraint. How can we think of security differently? It's possible the large players are purchasing startups as an aqua hire for talent, hoping these smart cyber soldiers will build the solutions that will be relevant in the future. I'll start with you, Dima. What are the ways we need to be thinking differently about security if we're not constrained by the capabilities of humans?
Dima Sokolovsky
I think we can dig deeper into the humans now that we have the capability that is above that. And I think we can get to things like intent and try and understand what people want to do versus just try and match some technological factors. It's kind of like the next level in behavior analytics, the super weird high level behavior analytics. Again, it would probably be weird, but all of this is where AI could understand what you want to do based on what it knows about things that are happening around you and the project. So I think we can get there. It is a little creepy, but we could.
Andy Ellis
A little creepy. It's a lot creepy. It's AI. It's AI. So I'm going to go in a different direction, which is, I hate to use a Navy analogy, since since I'm an Air Force veteran, but we should think of humans as becoming aircraft carriers. And I capitalize the A and the I in that one, which is it used to be if the human had to do work and if they wanted some more work done, they got another human to do some work. And instead this is about power projection. AI is how you project power, but you still need a human at the center of it. I'll be honest, if you want to know how to do this, go talk to a marketing professional and if you're here, I'll point at one that's doing it really well. How do you take AIs and do the work that humans actually aren't great at, but needs to be done at scale? Because you still value human decision making and human intent, but you can have AI execute on pieces of it. Where I think people get it wrong as they think about how do I replace a human with AI? Rather than saying, how do I augment a human with AI so that they can get more done, so that when they're reviewing the press release, they have an adversarial AI that goes in and looks from a product perspective and says, oh, here's words you shouldn't say because they'll reveal future capabilities. And one that's looking at it from a legal perspective saying, oh, this will get us in liability trouble. And one who's looking at it from a security and all of these different perspectives and all of a sudden this thing that takes groups of humans insane amounts of time. If you've never been part of drafting a press release, you will be stunned and amazed at how much human time goes into it. That could be mostly replaced by AI.
David Spark
But don't let me throw this out because this is what I've been thinking about with regards to AI and that is it is so powerful and can do so much. Won't there be some things that someone will think of? Like, we've never thought to do this before because no human or groups of human could handle it. So let's now try it with a machine.
Dima Sokolovsky
A ton of things Andy's hitting. That's exactly it. There's so many things we already know. Like, if I could only do this at scale. But unfortunately we. Oh, we can now.
Andy Ellis
We can now.
Dima Sokolovsky
We can do a lot of those different things at scale. At massive scale. Conveyor. But you had. You just repeated my conversation from this morning with my team. We're not. We're not looking to replace people. We're trying to give people, put them in the right places and give AI freedom to be as expansive with power as it can be in the rest of it. The things that you do repetitively.
David Spark
Right.
Andy Ellis
What AI is going to give us is the ability to do things at scale individually. We've already had the ability to do things at scale. We have software. It does stuff at scale and has for a very long time. What AI will allow us to is take a human and scale the human so that they're only spending the time on the things that humans are great at and the things that they don't need to do.
David Spark
Or also humans are bad at because we make mistakes with repetitive actions. Right.
Andy Ellis
Read the press release how many times. And as I've got a PR person in the room that I know how many times you have to read the same press release over and over again. Because every time somebody edits it, you have to check to make sure that they didn't eff it up in a way that you're going to have to deal with. An AI can say, here's the changes that were made. This is what you should about Care. Care about. And yeah, somebody happened to accept a track change since the last time you saw it. So you didn't get to see it. But the AI can catch it. There's so much in that. Leave the human doing the thing that's important. Right. Help coordinate this, make sure it's on message, get it out let the AIs do the things that humans aren't great at.
Dima Sokolovsky
Do you need a hug? Feels like you've suffered here.
Andy Ellis
I have suffered through this press release challenge many, many times. But fortunately I have the person who who suffered more right over there and so he needs some alcohol.
David Spark
Who's our sponsor this week?
It is no secret that AI is only as good as the data available to it. That's where most AI security solutions fall short. Strike 48 takes a different approach. The platform unifies agentic AI with unmatched log visibility, querying your data wherever it lives, including cold storage logs. Now that means no blind spots, no data gaps, and no rip and replace. This gives Strike 48's purpose built agents the full picture. They need to actually do the work, not summarize it, not suggest next steps, but actually do it. And with a full audit trail, use the no Code agent builder to create and deploy agents for phishing, detection, alert, triage, threat, correlation and more, or get started immediately. With pre built agent clusters, your agents run investigations, complete incident reports, and hand off findings to each other around the clock, compressing what used to take hours into minutes. You can Learn more at strike48.com
unexpected outcomes or failures
quote if we know about it, we have to report it. End quote. Now that sentence offered as justification for walking away from a working tool is the whole problem. Joshua Copeland of Crescendo argues that alert fatigue is a misdiagnosis. What organizations actually have is a low tolerance for the obligations and that visibility creates. Investigate, prioritize, communicate upward and fix it. That's a lot. So the alerts aren't the problem. The accountability they trigger is. So I'm going to start with you Andy. So how do you build a security program that can absorb the truth its own tools are telling it? And when ownership of an alert and capacity to deal with it are misaligned, whose job is it to say so?
Andy Ellis
Okay, so there's two different problems here. And this is sort of a magician's trick. He's sort of blending two problems in to give you sort of a Mott and Bailey attack. And one of the problems we already talked about earlier in the show, which is if you are not the team that can fix it, then there is a piece of alert fatigue, which is I get lots of stuff and I can't really do anything with it. I can investigate, I can prioritize, but if I'm not fixing it, my priority prioritization is kind of meaningless and the rest of the organization is weaponizing that against me. Let's ignore that for the moment and let's just point out that most security tools suck.
David Spark
Oh, there are many vendors in this room, Andy. Sorry, you're insulting our audience.
Andy Ellis
Your tools suck.
David Spark
Wait, wait.
Andy Ellis
The UIs are all false.
David Spark
The vendors are actually applauding right now.
Andy Ellis
Even vendors are applauding here. Right? Why? Here's the reason why. And I point back at one of my favorite security standards, which is the PCI Data security standard. And in that security standard, I'm going to put Dmitri on the spot here, right? It requires that you ensure the integrity of System Level objects. What is a System level object, Dimitri?
Dima Sokolovsky
Don't I have to define it?
Andy Ellis
Shouldn't it be defined by the PCI DSS would be good. Guess what? It isn't. Why isn't it? It isn't so that Visa and all the other members now of the PCI Council can always say, you failed. There has to be an unpleasant truth here, which is you cannot possibly comply with the PCI Data security standard. And in fact, every company that has been breached while in compliance was retroactively found to have not been in compliance because there are impossible things to do. This is the same challenge a vendor has. Imagine I get breached, and you were my security vendor, responsible for something around where the breach was, and you had not fired a single alert indicating anything that that breach might possibly happen. I'm going to say to you, you failed. Give me all my money back. So what do you do? You make sure that your system alerts on everything that might possibly ever lead to a breach so that you. Look, we told you, it's buried there among a million other alerts. If you'd only noticed it six years ago, then you would not have suffered the breach. This is your fault. Just to be clear, you have the economic incentive to build the products that do this to us, and then we have the audacity to complain to you that you're building what we actually did ask you to build.
Dima Sokolovsky
I agree with you about the alert fatigue piece that I think is mixed here. But I think that simply saying vendors
Andy Ellis
suck, or I'm not saying the vendors suck, just to be clear, I do
David Spark
remember you saying that.
Andy Ellis
No, I said they're tools.
Dima Sokolovsky
The damn tools suck.
David Spark
So their children suck. Vendors are.
Andy Ellis
That's very different. Vendors are responding to the economic incentives that have been put in front of
Dima Sokolovsky
them, but no one is making me use it the way that they've set it up. I think there's also responsibility on me as a practitioner to understand What I'm going to get. The reality of these tools is that they suck, right? Okay. That's my reality. So if that's my reality, I can do something about it not to drown in this alert fatigue. But that's not, that's not the, that's not the problem we're facing. The problem that Joshua is talking about is that we see the thing, the reality of a thing.
David Spark
This is, this is why, by the way, this is why a lot of people do not take vendors up on their free scan that almost every single one offers, because they just don't to want, want to know.
Andy Ellis
I disagree 90% with this. There is a 10%, which is at some point, like when somebody says, oh, we can increase your pipeline of ingest problems, but you don't have the capacity to deal with more unless you actually are going to increase my pipeline with things that are more important than what I know about. Today, I'm interested in learning about things that are less important than what I'm
David Spark
actually able to do. Well, that's not. Usually these scans are showing like, you know, how Many, you know, SaaS tools you have in your environment that you didn't even know or something like that. Sure.
Andy Ellis
But if I'm, but if I have, if I know that I have more than 500 SaaS tools in my environment and you show me about seven more, but I'm not doing anything to the 500 I've got today.
David Spark
Yeah, but usually, usually they're wake up call type types of scans. They're not like that. They're like, oh, I already knew about 5,000. You show me 5,007. It's rarely that situation.
Dima Sokolovsky
Yeah, I think, I think the point here isn't, it's not about the tooling. It's about my decision, do I want another set of tooling because I now have more capacity.
Andy Ellis
Right, Right.
Dima Sokolovsky
That's where the conversation should start. Hey, CEO, can I get more? Oh, you gave me more capacity. Okay, what can I do with that now? At that moment, I could argue about using another scan on a tool. There's plenty of things to do with the tools we already have misaligned, misconfigure, whatever they are. But I think it's still on us. It's, it's not just tools suck. It's. We also have to be a part here.
Andy Ellis
I think there are too many tools that we chase that are cataloging tools. They will tell you about the things in your environment, how many there are, how many problems there are, and not enough that are Filtering tools that are going to go through and actually fix problems and remove issues. And so at some point, yes, you don't want another cataloging tool when you don't have more capacity to fill.
David Spark
It's time for the audience question speed round.
What I hold in my hands are index cards with questions from you, the wonderful audience. And we have some time left, so let's just get through as many of these we can. Here we go. You don't both have to answer, but you can if you want to. This comes from Sam Paris, who is with the company Fractional ciso. She herself has just become a ciso.
Andy Ellis
Congratulations.
David Spark
She asks as someone. Let's go. Let's give Brett Sam. Appropriate applause. All right, Sam has a very important question here. As someone who has just become a ciso, Sam, what's a tip to manage imposter syndrome?
Andy Ellis
So the first thing I'm doing, I'm going to. Rather than pimping the book I have in front of me, which does actually talk about imposter syndrome. So you should read my book.
David Spark
And by the way, almost every security professional I've spoken to admits to have. Have had it or currently.
Andy Ellis
Yes. And I also tell you, go read howtocso.com which is entirely free and advice for CISOs. But here is the reality. Imposter syndrome is part of what makes humans amazing, is you take on a thing that you are not perfect at. If you were perfect at it, you would be bored. So you always are stretching. That's how you grow. Imposter syndrome is what pushes you to get better because you don't want to keep feeling that. So this is how you manage it, is be willing to take risks, Recognize that you might fail. That's okay. Figure out what your failure budget is and move forward.
David Spark
What is a failure budget?
Andy Ellis
How often are you allowed to fail? I would tell my team, you have an apology budget, which is how often I'm going to apologize on your behalf, that I screwed up by letting you do a thing wrong. You have an apology budget. And only once have I ever said these words to somebody. Said, by the way, you've used up the apology budget for a little while, so can you stop?
David Spark
All right.
Dima Sokolovsky
The problem with imposter syndrome is that the failure is what we're afraid of. It's not the fact that we are going to fail. It's the fear of the failure. That's the syndrome. Right? So, Andy, just. You have to keep talking to yourself. Recognize it as. That's what is. That's part of the job, it's not going away. That's why you're good. That's why you are a ciso, because you have it. Without it, you won't be able to.
David Spark
All right, we're going to push this a little bit longer because I want to get through a few more questions here from Bill Brenner of Cybertech Media. There's Bill right there. What can. And by the way, I love this question. It's the opposite of what we normally hear. What can CISOs do to better communicate to vendors so we can all better solve our problems?
Andy Ellis
Stop. No.
David Spark
Come on. Come on.
Andy Ellis
No, no. So Bill's a plant. I gotta start with that one.
David Spark
He wasn't a plant.
Andy Ellis
No, he's a plant. Bill used to work for me so many, many years ago. And we work together still. The most important thing is be honest with them. If you are not going to buy from them and you don't want to talk to them, just say that. Don't lead them on. Don't say, come talk to me later next quarter, right? You get some SDR who's trying to get a meeting with you or you're going to be at a conference and they see you're there and they're like, hey, can you meet with my founder while we're there? Don't lead them on. Right? They need to. That is good advice.
David Spark
Nobody needs to waste your time, their time, nobody else.
Andy Ellis
Because here's the problem. Their incentives are not aligned correctly. This is a vendor problem. They're just willing to push and push and push in hopes of getting to a yes. If they don't have a shot at a yes, you just need to say no. Nope, sorry, I'm not interested. I'm not a lead for you. It's fine. If you want an email template for this Google vendor rebuff and the first non sponsored link you will get is a template. You can just make your signature file. So you hit reply signature, switch your signature and just send it.
Dima Sokolovsky
What if they just want to learn more about you?
Andy Ellis
They don't just want to learn more about you. Oh, my God. Please. We weren't asked for the vendor advice, but the vendor advice is just stop lying to us. We know that you don't want to get.
David Spark
I'm going to throw this question in this because this has to do with you talking about vendors from Hannah Kelly at strike 48. What has a vendor said about AI that makes you. You believe they get it? Because I know you've heard the opposite, man.
Dima Sokolovsky
That's a When they said it's hard to understand.
David Spark
Okay, I would agree on that one.
Andy Ellis
So actually, the interesting trend that I noticed, I walked all the vendor booths at RSA and at Black Hat so that none of you have how many hundreds? 607 booths at RSA and 360 something at Black Hat.
David Spark
Well, that's a lot.
Andy Ellis
And I will tell you, there were vendors who started to listen, because if you were at Black Hat, all of the vendors talked about replacing humans with AI. That was implicit in their messaging. And by rsa, more and more of the messaging was about how AI was going to augment humans in various ways. That's very clearly vendors who are listening to the fact that CISOs are not responsive to the message. I will take away the humans who work for. For you.
Dima Sokolovsky
See, this is why they want to talk to you.
David Spark
I'm going to make you. Andy's nominating, so you're going to. Dima, you're taking these next two questions here. And Andy, you can throw in from William Toll of Elicity. How does pending legislation affect your decision making? So it could be anything that's pending in the government or it could be in the eu. Does that ever affect. Or you're like, I can't pay attention to it. I just got to get moved through.
Dima Sokolovsky
No, it does not. I don't. I don't. There are people on the legal team. Thank you. The people on the legal team that should. And if something really, really bad comes up, I hope they'll tell me. But I'm definitely not spending any of my mind time on that.
David Spark
Andy.
Andy Ellis
I paid attention to it. In fact, I hired a lawyer to pay attention to it so that I would know before our public policy team would get around to deciding what they wanted. Mostly so that I could decide how I wanted to weaponize the knowledge in my favor.
David Spark
All right, last question here from Amber Benwee of AI Security Alliance. What is one thing security culture has to adapt to? Given AI, that implies there's a security culture.
Andy Ellis
Like, I'm trying to deal with. I think Dimitri is struggling with, like, what does security culture actually look like today?
Dima Sokolovsky
It's coming and we can't stop it, so we got to do something about it. I don't know.
Andy Ellis
I think that the big change is everybody is a developer now. HR reps are developers, marketers are developers. Everybody in your business is now a developer. And see, earlier in the show when we talked about how the developers already aren't listening to you. Well, now that's not 20% or 40% of your organization. That's 100% of them.
Dima Sokolovsky
Everyone is not listening to you.
Andy Ellis
They're still not listening to you.
David Spark
Well, that brings us to the very end of the show. I want to thank my guests, Dima Sokolovsky. Let's hear from him some semrush. And my co host Andy Ellis of Duha, author of one percent Leadership as well. Keep it going. Let's hear for our sponsors, Strike 48, the agentic operations platform without blind spots and DropZone AI hunt, investigate and respond at machine scale. Go to strike48.com and DropZone AI. I want to thank again Aqueduct Technologies for hosting this event. Let's hear it for them. And we loved being here. We'd love to come back. Thank you everybody for being here and thank you to our audience. As we always say, we greatly appreciate your contributions. And for listening to the CISO Series podcast.
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup and cybersecurity Headlines. Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly@Davidisoseries.com thank you for listening to the CISO Series podcast.
Date: June 16, 2026
Hosts: David Spark, Andy Ellis
Guest: Dima Sokolovsky (SVP of InfoSec at Semrush/Adobe)
Location: Live at Aqueduct Technologies, Boston
This live episode dives deep into the shifting landscape of cybersecurity leadership and practice, particularly around how security leaders interact with boards, manage AI-driven risk, and navigate practical challenges like alert fatigue and vendor relationships. Through a combination of lively debate, games, and audience questions, hosts David Spark and Andy Ellis (with guest Dima Sokolovsky) provide candid insights into the current realities and future direction of cybersecurity—especially as AI transforms both opportunities and risks.
AI Changing Security Dynamics:
Referencing Rob Joyce, the hosts tackle AI’s overwhelming speed in vulnerability discovery and the inadequacy of traditional patch-and-defend strategies.
Rethinking Accountability:
Andy Ellis argues that tech debt isn’t just risk—it's paired with business value, and the language around it needs reframing. He stresses that software engineering teams—not security teams—must own patching.
Continuously Ephemeral Infrastructure:
Dima explains that forward-thinking companies are already managing risk by making infrastructure ephemeral—reducing long-term vulnerabilities.
Board Cyber Literacy Gap:
Most non-expert boards can only judge executives’ credibility rather than security substance. CISOs must translate risks into business terms.
Proactive Education:
Andy and Dima highlight one-on-one conversations outside board meetings as key for real understanding and influence.
Audience Game:
The panel enjoys a guessing game about what CISOs say in tough situations—like breaches or making training fun. Takeaway: Security training is universally disliked, and "fun" usually isn't on the menu.
“Thank you for showing everybody that you’re human too—when the CEO clicks on a phishing link.”
“That’s a damn good CEO.” (David Spark)
Normalize Reporting Mistakes:
Andy emphasizes the importance of destigmatizing errors to encourage openness and rapid response.
Humans as AI "Aircraft Carriers":
Dima and Andy discuss scaling human intent and judgment with AI, not replacing humans but making them more effective.
Massive Scaling of Security Effort:
With AI, repetitive or large-scale analytical tasks can be offloaded, reserving human attention for decision-making and context.
Alert Fatigue vs. Accountability Fatigue:
Joshua Copeland's observation reframes the debate: the issue isn't alerts, but organizations' unwillingness to own the amount of work created by visibility.
Vendor Economics:
Andy critiques the economic incentives for security vendors to produce overwhelming amounts of alerts so they can't be blamed for missed breaches.
Owning Capacity:
Dima notes practitioners must be honest about capacity—don’t deploy more tools or scans without resources to act.
CISO Imposter Syndrome:
How CISOs Can Help Vendors:
What Makes a “Good” AI Vendor:
Pending Legislation:
Adapting Security Culture to AI:
Lively, irreverent, honest—a mix of sharp professional insight and approachable humor (“The team gets fatter with every solved problem,” “Your tools suck”). The panel is candid about flaws in vendor products, board engagement, and even their own failures. The focus remains pragmatic: how do you actually move the needle in security leadership and risk management in the AI era?
In sum: This episode provides a candid and comprehensive look at the new (and perennial) challenges of cyber leadership, especially as AI disruption and organizational change force CISOs to rethink both technical and human strategies.