CISO Series Podcast – Episode Summary
Episode: Don’t Worry, We’ll Get to Solving Your Problem on Slide 87
Date: October 7, 2025
Hosts: David Spark, Andy Ellis
Special Guest: Daniel Lieber, CISO at Monday.com
Overview
This episode explores core communication challenges between cybersecurity vendors and practitioners, the evolving security landscape in the age of AI, and strategies for effective risk management. Through dynamic debates, practical anecdotes, and playful exchanges, the hosts and guest dissect why vendor communication is failing, the complexity of AI threats, how to measure real risk, and how much presentation versus substance matters in the world of cybersecurity tools.
Key Discussion Points & Insights
1. The Best Security Advice (00:45)
- Daniel Lieber's best advice: Adapt to the culture in a new CISO role, but have clear boundaries.
- "You need to be aware of where your boundaries are and to assure that they're not being crossed. Even if it means you need to pull the organizations a bit towards you." – Daniel (00:49)
2. Memorable Swag & Vendor Marketing (02:06–04:27)
- Reflections on best swag (laptop monitor wipe, power banks, screwdrivers).
- Brief humor on how conference swag often outshines vendor booth substance.
3. AI Security Challenges (04:49–09:44)
Prompted by a quote from Brian Fox (Sonatype):
- AI and Security “Blind Spots”:
  - AI models as black boxes; security tools unable to scan them effectively.
  - “Prompt-sharing platforms are being weaponized to steal API keys.”
Andy’s Take:
- Compares the challenge to the shift from purpose-built electronics to general-purpose computers.
- New design paradigms needed to tightly control access (e.g., LLMs shouldn’t necessarily control API keys).
- "We've gone from APIs that were very tightly defined...to now we've replaced the APIs with General Purpose LLMs, and you have to sort of apply the same principles." – Andy (07:10)
Daniel’s Framework:
- Break down AI security into three categories:
  - Traditional issues extended to AI tools (easier)
  - Highly specialized domains (e.g., model poisoning)
  - The messy middle—new AI-related domains, vendor boom, unclear lines of responsibility.
- "It's becoming very difficult to define the roles and responsibilities about who should protect what, because code is now with infrastructure and agents and cloud. So it's becoming a mess." – Daniel (09:01)
4. How to Improve Security Vendor Pitches (09:44–15:37)
The Problem:
- Swamped by buzzwords; booths focus on design or swag, not substance.
- "Customers don’t care if you’re first, autonomous, automated...they care about what problem you solve and whether you solve it well." – David (09:52)
Daniel’s Advice:
- Vendors must understand the customer's problem first.
- Technical knowledge is crucial; pitch should be tailored, not generic.
- "They usually come in and say what the solution is without understanding the problem." – Daniel (10:40)
Andy’s “Nine Truths Model”:
- Vendors must hit key truths: location fit, urgent problem, ownership clarity, stakeholder interest, technical fit, etc.
- "If they don't have those nine truths in their head and you don't resonate with them, they're just going to walk past 359 booths." – Andy (14:16)
- Some booths are more successful by directly naming the specific pain point (e.g., “Vibe coding” booths).
5. What’s Worse? – Leadership Perceptions (17:30–22:04)
Scenario 1:
CISO gets undue credit thanks to a competent deputy but is insulated (and no constructive feedback reaches them).
Scenario 2:
CISO is highly competent, but the executive team sees them as an overpaid manager due to poor communication.
Panel Verdict:
Scenario 2 is worse.
- “Perception is reality... If the executives do not respect you and do not trust you...the business is gonna do the wrong thing.” – Andy (19:29)
- "If the CISO delivers but fails to communicate, the executive team might...cut budget and eventually they're going to cut into things which really make difference without them knowing." – Daniel (21:12)
6. The Cycle of Vendor Hype vs. Real Innovation (22:18–29:18)
- Marketing outpaces real innovation:
  - "We live in a model where marketing outpaces innovation. The top vendors spend millions telling you they're number one." – Dr. Chase Cunningham (22:18, quoted by David)
  - Emphasis on empty promises, indistinguishable value propositions.
- AI security: All vendors are evolving at the same pace—differentiators are unclear.
Andy's Critique:
- Just tell buyers what you do, plainly and upfront!
- The “Ice Cream Vendor” analogy: vendors cluster around buzzwords instead of serving distinct customer needs.
- Recommends a demo deck explaining exactly what attack is mitigated, how, and why.
Daniel’s Buyer Playbook:
- If a POC (Proof of Concept) is required to tell competitors apart, marketing has failed.
- Favors vendors who are honest about where their strengths and weaknesses are.
- "If I need to use your product to understand how it differentiates from others, your marketing failed." – Daniel (28:03)
- Trust starts with candor in differentiation.
7. Risk Assessment in Practice (29:23–34:32)
Carrick Stanwyck’s Challenge:
- The most dangerous CISO is one who confuses being right about risk with effective management. If leadership accepts a risk, that’s actually functioning risk management—not failure.
Daniel’s Method:
- Before presenting risk registers, he actively “senses” the executive team’s risk appetite through informal exercises and scenarios.
- “I try to get at least a few meetings during my onboarding with the executive team...a small game of adjusting the skills...This is where I kind of start to understand where I came into.” – Daniel (30:23)
Andy’s Perspective:
- Security leadership is about evangelizing risk, not merely calculating it.
- The real goal: Make sure non-security leaders believe in and own the risks.
- "We are evangelists evangelizing about risk...You have to make them believe in the risk. You have to make the risk part of their model." – Andy (32:07)
Notable Quotes & Moments
- “Perception is reality.” – Andy Ellis (19:29)
- “If I need to use your product to understand how it differentiates from others, your marketing failed.” – Daniel Lieber (28:03)
- “We are evangelists evangelizing about risk.” – Andy Ellis (32:07)
Timestamps for Key Segments
- Best security advice: 00:45
- Swag segment: 02:06–04:27
- AI security blind spots: 04:49–09:44
- Improving vendor pitches: 09:44–15:37
- What’s Worse? game: 17:30–22:04
- Vendor hype vs. innovation: 22:18–29:18
- Validating risk assessments: 29:23–34:32
Tone & Style
- Conversational, candid, lightly humorous
- Mix of practical advice and big-picture thinking
- Willing to critique peers and vendors honestly but constructively
Conclusion
This episode provides a reality check for security practitioners and vendors alike. From the tangled world of AI security to the pitfalls of formulaic vendor marketing, the panel advocates for clarity, authenticity, and genuine engagement—both in boardrooms and on the crowded expo floor.
The final takeaway: Security leadership isn’t just about being right—it’s about ensuring the business understands, believes in, and right-sizes its risks.
