Podcast Summary

CISO Series Podcast

Episode: Every Failed Startup Starts as a Dream for a Single Pane of Glass
Hosts: David Spark, Andy Ellis
Guest: Sean Marion, VP and Chief Security Officer at Xcel Energy
Release Date: February 25, 2025

Overview

This episode explores the enduring challenges and wishful thinking in cybersecurity vendors and practitioners, with a focus on why certain persistent solutions—like the mythical “single pane of glass”—remain out of reach. The discussion dives deep on organizational culture, effective policy-making, soft skills across cyber roles, evaluating crisis leadership, and the allure (and folly) of cybersecurity startup “tar pits.” The hosts are joined by Sean Marion, who brings both physical and digital security expertise from his new role at Xcel Energy.

Key Discussion Points & Insights

1. Policy vs. Practice: When Does Policy Matter?

[03:55–08:51]

• Reality vs. Written Word: Policies without implementation don’t just fail—they degrade overall compliance and introduce liability.
  • Andy Ellis: “Policies that don’t match the real world are harmful to your business because they degrade every other policy.” [04:36]
  • Sean Marion: “You can introduce a tremendous amount of legal liability. If you say, we’re doing one thing and you don’t actually do that one thing, that’s liability.” [05:56]
• Practical Implementation: Start with practices that work, then codify as policy rather than imposing “one-size-fits-all” directives.
  • Both agree: It's better to have a simple, fully-adopted policy than a complex, ignored one.
• Change Management: People adapt over time, but context (“the why”) and communication are usually neglected.
  • Sean Marion: “I don’t think that people come to work and say, I don’t want to do the right thing. I think sometimes they just don’t fully understand how to do the right thing.” [07:25]
• Eye-Roll Policies: Example: Badging in and out for physical security is often ignored unless tied directly to an action (like opening a door).

2. Cybersecurity Soft Skills: Speaking the Language of the Business

[08:57–12:38]

• Storytelling as a CISO Superpower: Sean emphasizes that communicating risk or security priorities often hinges on storytelling—not just to boards, but also to architects and other teams.
  • Sean Marion: “A lot of what I do is storytelling… not dumbing it down… just trying to make sure I can communicate that story effectively.” [09:40]
• Peer Support and Coaching: Leveraging a network of CISO peers helps improve narratives and presentations, especially for high-stakes board interactions.
  • Sean Marion: “There have been many times when I’ve reached out… Give me feedback. Am I relaying this appropriately?” [10:24]
• “Hard” and “Soft” Skills: Andy flips the terminology—soft skills are often harder and less measurable.
  • Andy Ellis: “Soft skills are actually much harder than what we call hard skills. The reason we call hard skills hard skills is because we can measure them directly.” [11:15]
  • Adapting the narrative to the audience is critical—risk for a product manager needs to be discussed in business impact, not technical exploit lingo.

3. What’s Worse? (Game Segment)

Scenario: Known Breach with Missing Logs vs. Unknown Breach with Missing Logs

[14:05–19:30]

• Scenario 1: Breach occurs, but logs are sporadically missing during the incident.
• Scenario 2: Weeks of logs are missing with anecdotal evidence of suspicious activity, but no confirmed breach.
• Panel Verdict: The known breach with missing logs is worse; partial information can mislead, while ongoing visibility (even when incomplete) in the second scenario offers more opportunity for real-time remediation.
  • Andy Ellis: “…the breach is what matters. So, given my choices, I’ve got a breach that I know about, or I’ve got a potential breach I don’t know about. … I’m just gonna go with the breach is worse.” [16:46]
  • Sean Marion: “Partial information can be a red herring too. It can lead you down the wrong path. … Either one is rough.” [18:33]

4. Hiring for Crisis Experience

[19:35–26:35]

• The Dilemma: Is it worse to hire a CISO who’s had five major crises (some handled poorly) or one who has never faced a crisis?
• Experience Diversity: Both agree context is key—industry, company size, and potential risk profile matter more than incident count alone.
  • Andy Ellis: “The real question I want to ask… are you putting your team in the roles of being able to run maybe not your worst cyber incidents, but the ones that are one step down? Because that’s where they’re going to learn the skills…” [26:35]
  • Sean Marion: “If you haven’t had a single incident, I’m more curious where you’re looking… I really want to understand the failures. Like, what did they learn from that?” [23:12]
• Success Isn’t Always a Lack of Incidents: CISOs who build resilient, preventative programs can have spotless records for the right reasons.

5. Tar Pit Startups: The Doomed Quests of Cybersecurity

[26:41–34:40]

• Classic Tar Pits:
  • Single Pane of Glass/Dashboards: Universally sought after, universally elusive.
  • Real-time Third Party Risk Management: Vendors resist real-time transparency; demand will never align with supplier willingness.
    • Andy Ellis: “Technically, you could go solve this. Practically, you can’t.” [27:44]
  • AI-powered SoC: Aspirational, but unclear if true value is achieved—often leadership doesn’t understand their SoC’s value, making “AI replacements” a false promise.
  • Perfect DLP: Sells well, delivers poorly—executives believe the pitch, but “Data Loss Prevention” is really just “Data Loss Notification.”
    • Sean Marion: “…they pitch it as what it is and they come back… This is going to keep all… It’s data loss prevention. It’s in the name. […] But it’s data loss notification.” [30:09]
• Hope for Improvement: Both Andy and Sean express cautious optimism that AI could eventually improve DLP and data categorization—the main barrier in past attempts.
  • Andy Ellis: “…the use of AI to do categorization. Because categorization has been the thing that has killed every DLP project… people are creating content faster than I can do anything to categorize it.” [30:35]
• Other “Escapable” Tar Pits: Non-human identity management and self-service security marketplaces may see progress with appropriate innovation.

Notable Quotes & Memorable Moments

• On Policy:
  • Andy Ellis (04:36): “Policies that don’t match the real world are harmful to your business because they degrade every other policy.”
• On Legal Liability:
  • Sean Marion (05:56): “If you say, we’re doing one thing and you don’t actually do that one thing, that’s liability.”
• On Storytelling & Feedback:
  • Sean Marion (10:30): “Can I share this with you? Give me feedback. Am I relaying this appropriately? It’s things like that that make me better.”
• On DLP False Promises:
  • Sean Marion (30:09): “It’s data loss notification. It’s like, oh, there it went, there it went.”
• On Startups Chasing Tar Pits:
  • Andy Ellis (27:44): “Technically you could go solve this. Practically, you can’t.”

Other Highlights

• Andy’s Writing: Andy runs howtocso.com, an evergreen content site focused on practical CISO guidance based on real-world scenarios. Many show topics are reflected and expanded on there.
• Networking Importance
  • Sean Marion (35:39): “It just shows how these times go around. So lean on your friends. Make friends more than just colleagues.”
• Personal Milestone: Sean celebrates his 28th anniversary during the episode. “Today is 28 years. I celebrate my anniversary today. So super happy about that.” [36:19]
• Hiring at Xcel Energy: Sean notes they’re “wrapping up pretty heavily”—interested candidates should watch his LinkedIn for job postings and appeals to attitude and aptitude over resumes.

Key Timestamps

• 03:55: Introduction to real policy effectiveness and liability
• 08:57: Soft skills and storytelling at the CISO level
• 14:05: “What’s Worse” Security Scenarios Game
• 19:35: Crisis experience vs. no crisis experience in hiring
• 26:41: “Tar Pit” security startup ideas (single pane of glass, DLP, TPRM, etc.)
• 35:17: Closing words, networking significance, and recruitment plug

Takeaways

• Culture & Context Matter: The best policies grow from the ground up—make sure policy reflects established, real practice and communicate why changes happen.
• Networking is Power: Seasoned CISOs rely on each other for practical advice, emotional support, and honest feedback; building this network is invaluable.
• Beware the Dream Solutions: The industry is replete with “just one more dashboard” or “AI will fix it all!” dreams; skepticism, realism, and understanding the actual problem remain crucial.
• Evolving Optimism: While everyone dreams of perfect DLP and real-time everything, incremental improvement is possible as tech like AI matures—if anchored in clear outcomes.

Further Reading

• HowToCISO.com – Andy Ellis’ practical resource for CISOs
• Venture in Security: Tar Pit Ideas – Source for the “tar pit” blog post discussed