Podcast Summary
CISO Series Podcast
Episode: Dear Abby: Why Should I Trust a Vendor Selling Me Zero Trust?
Air Date: October 21, 2025
Host(s): David Spark, Mike Johnson, Andy Ellis (not present in this episode)
Guest Co-Host: Dan Walsh (CISO, DataEvent)
Special Guest: Rob Allen (Chief Product Officer, ThreatLocker)
Main Theme
This episode centers on the challenges CISOs face when evaluating security vendors—especially those offering "Zero Trust" solutions. The conversation explores what security leaders should demand from vendors, the pitfalls of vendor over-promises, building layered security defenses, configuration management best practices, and the ongoing tension between business needs and security imperatives.
Key Discussion Points & Insights
1. Budgeting Season and Vendor Approaches
- Context: Many CISOs are entering budgeting season while vendors are pushing for end-of-year sales.
- Dan Walsh emphasizes:
- Evaluate current vendors and their ongoing value.
- Beware of feature creep—ensure new features don't overlap with other tools.
- "Lead with value, not price. If the value's there, then the CISOs will pay the price." (Dan Walsh, 01:38)
2. Ransomware Crews Bypassing EDRs
- Problem: Ransomware players using techniques (e.g., abusing drivers) to disable EDR protection.
- Key Question: What's your backup if the main detection layer (EDR) is taken out?
- Dan Walsh’s response:
- Defense in depth is not just a slogan.
- Layer technical controls—so no single failure is catastrophic.
- Network telemetry is critical but not sufficient by itself.
- Focus on identity security, resilience controls (like immutable backups), and hardening EDR configurations.
- "With security, it's never set it and forget it." (Dan Walsh, 05:18)
- Rob Allen’s take:
- Multiple, different security layers—don’t just stack similar controls.
- Combine detection with controls (e.g., allow listing).
- Detection can't block what it doesn't know—layers help cover blind spots.
- "Layers should be different. They shouldn’t be the same type of layers." (Rob Allen, 05:53)
3. The Credibility of Zero Trust Vendor Pitches
- Prompted by: Raghav Dinesh’s observation that too-perfect vendor pitches are a red flag.
- Discussion:
- Vendors must be transparent about their product’s limitations.
- Admitting limitations builds trust with CISOs.
- Rob Allen:
- Pen test feedback is valuable, especially where it reveals real gaps.
- "If the vendor doesn't understand their own limitations, that's a problem. The bad guys are going to figure out your limitations and exploit those." (Rob Allen, 09:34)
- Dan Walsh:
- "Admitting to your limitations is the thing that actually builds trust, not the fact that you can do it all." (Dan Walsh, 11:07)
4. Game: What's Worse? (Cloud Security Snafu)
- Scenario: Business units have spun up ungoverned cloud resources—some are already compromised.
- The two options posed:
- Pause all new cloud provisioning, demand security compliance, and face business friction.
- Let teams continue but require mitigation plans (which they ignore).
- Dan Walsh: Prefers friction over ignored security; business anger is less damaging than real data loss, especially with sensitive or regulated data.
- "Data is trust. If customers are putting their data with you... that's really the mission of the company." (Dan Walsh, 15:23)
- Rob Allen: Agrees—ignoring security emails is unacceptable. "Screw those guys... apply security." (Rob Allen, 16:11)
- Takeaway: Sometimes security friction is necessary, especially when noncompliance risks sensitive data or regulatory consequences.
5. Configuration Management: What Needs to Change?
- Dan Walsh:
- Tired of "you configured the tool wrong" excuses.
- Wants better, more contextual vendor guidance; hopes AI can help tailor configurations.
- Rob Allen:
- Misconfiguration is a massive, common cause of breaches.
- ThreatLocker’s new tool, Defense Against Configurations, does automated checks against frameworks (NIST, HIPAA, etc.) and offers actionable guidance.
- "61% of security leaders have suffered a breach because of failed or misconfigured controls in the last 12 months." (Rob Allen, 19:05 from Gartner data)
- Community/AI-driven improvement is possible—solutions will increasingly learn from customer environments and shared intelligence.
6. Are “Window Stickers” for Software Just Compliance Theater?
- Prompted by: Adam Iles’s idea for “stickers” (crash-test-like ratings for software).
- Dan Walsh:
- Car analogies fall short; software ages differently and faces constant, evolving threats.
- Stickers might have the same limitations as software bills of materials (SBOMs)—point-in-time, not dynamic.
- Rob Allen:
- Agrees—constant questionnaires and compliance documentation are already overwhelming for vendors and buyers.
- "Compliance theater is tremendous." (Rob Allen, 26:12)
Memorable Quotes & Notable Moments
- Dan Walsh:
- "Lead with value, not price." (01:38)
- "Security is never set it and forget it." (05:18)
- "Admitting to your limitations is the thing that actually builds trust..." (11:07)
- "Data is trust." (15:23)
- "Brakes on a car cause friction as well, and we all like brakes." (17:15, on necessary security friction)
- Rob Allen:
- "Layers should be different. They shouldn’t be the same type of layers." (05:53)
- "If the vendor doesn't understand their own limitations, that's a problem." (09:34)
- "Screw those guys... apply security." (16:11, jokingly on unresponsive business units)
- "61% of security leaders have suffered a breach because of failed or misconfigured controls in the last 12 months." (19:05)
- "Compliance theater is tremendous." (26:12, on overblown compliance requirements)
Important Segment Timestamps
| Topic / Segment | Speaker(s) | Timestamp |
|---|---|---|
| Budgeting season, vendor advice | Dan Walsh | 01:38 |
| Ransomware disables EDR: defense-in-depth | Dan Walsh, Rob Allen | 03:49–07:30 |
| Red flags in Zero Trust vendor pitches | Rob Allen | 08:49 |
| Building trust by admitting tool limitations | Dan Walsh | 11:07 |
| What's Worse? Game (Cloud Security Chaos) | Dan Walsh, Rob Allen | 13:49–17:22 |
| Configuration management—what needs to change | Dan Walsh, Rob Allen | 17:43–23:36 |
| Window stickers/"compliance theater" for software | Dan Walsh, Rob Allen | 23:42–27:59 |
Tone and Style
- Candid and Practical: The hosts and guests speak directly and pragmatically, often with humor (e.g., “Screw those guys,” “We all like brakes.”)
- Constructive Critique: Willing to discuss industry weaknesses (like “compliance theater”).
- Educational: Frequent references to real-world examples and failures, not just theory.
- Encouraging Vendor Transparency: Vendors are challenged to be upfront about product gaps.
Final Thoughts
This episode delivers practical insights for CISOs and security leaders—especially about holding vendors accountable, building real defense in depth, and fostering honest dialogue about limitations and configuration. The panel underscores that real security requires ongoing diligence, not just slogans or checklists, and that sometimes necessary friction with the business is a sign security is being taken seriously. Vendors who align with this reality are the ones CISOs will trust.
For further information, visit cisoseries.com.
