CISO Series Podcast - Episode Summary
Episode: How Much Risk Would a CISO Risk if a CISO Could Risk Risk? (LIVE in Boca Raton)
Date: December 16, 2025
Hosts: David Spark, Brett Conlon (CISO, American Century Investments), Ryan Barras (CISO, Mount Sinai Medical Center)
Sponsor: Dropzone AI
Location: Boca Raton Innovation Center, recorded in front of a live audience at the South Florida ISSA Chili Cookoff 25th Anniversary Event
Episode Overview
This live episode gathers seasoned CISOs and security professionals to candidly discuss the misunderstood role of the CISO, business versus industry risk, bridging communication gaps between security and leadership, real-world decision-making, best (and worst) practices for panels, relationships with vendors, and strategies for talent and security challenges in an evolving landscape. Engaging segments include scenario games, practical advice, and lively audience participation.
Main Discussion Themes and Key Insights
1. What It Means to Be a CISO
The CISO's Job Is Broad and Often Misunderstood
- Quote (Andy Ellis via David Spark, 03:11):
“A CISO does everything related to cybersecurity that nobody else in the company wants to do.”
- The CISO is in the C-suite but frequently lacks actual power, and their responsibilities differ drastically between organizations.
- Both Brett and Ryan emphasize the importance of translating technical risk into business impact and being seen as business partners, not just compliance enforcers or “cyber police”.
Building Relationships Is Critical
- Brett Conlon (05:12):
“The higher you go up, your job is to develop those relationships, create those relationships, create that network and, and have them understand why what you're doing is important to the organization.”
- CISOs need to deeply understand the business, its culture, vendors, and risks, often more broadly than operational staff.
- Ryan Barras (05:19):
“We're facilitators... we're basically security as a service, right, to the organization.”
2. Communicating Security: Business Language Over Jargon
- Leaders often don’t reciprocate efforts to “speak security”, so CISOs must always frame issues in business terms.
- Brett (07:01):
“If you do understand what you're protecting and what drives revenue... they start listening.”
- Ryan (07:50): CISOs shouldn’t necessarily insert themselves into every risk conversation, but they must always tie security posture back to business continuity, revenue, and risk in terms the executive team grasps.
- Concrete Example (Starbucks analogy, 08:41):
“...let them know there’s a high probability your point of sale systems are going to go out... Now he wants to know, well, how would that happen? And that's what the conversation needs to lead with.”
3. Distinguishing and Tackling Industry vs. Business Problems
- Panelists discuss whether pervasive issues (like vulnerabilities and protocol bugs) are individual business risks or industry-wide problems.
- Ryan (11:05):
“We're about to relive Y2K all over again in the year 2038... I would say this is probably an industry problem.”
Forums, professional associations, and collaboration, not overregulation, are vital for industry-wide risk.
- Brett (12:32):
“Heavily regulated industry. Look at how many breaches they have. Right. And so now you have an industry problem...”
- Criticizes the misalignment between vendor solutions and actual industry needs, hoping for more listening from vendors.
4. Scenario-Based Risk Decision Making ("What's Worse?" Game)
- Scenario: E-commerce platform on Black Friday: Patch immediately (lose millions, disrupt business), or delay and allow attackers limited ongoing data exfiltration.
- Brett (17:31): Hypothetically, losing revenue and taking the site offline is worse due to business continuity.
- Ryan (18:26): Allowing an ongoing, uncontrolled attack is worse, given legal, financial, and reputational unknowns.
- Audience (19:41): Majority agreed with Ryan: an ongoing attack with data loss is the bigger risk.
5. Engaging the Community and the Panel ("Brand New Game" with RSA Interviews)
- Fun segment where panelists and the audience guess the security question answered in anonymous RSA clips.
- Themes included: key cybersecurity traits, misconceptions of the field, how to explain security to a kindergartner, and worst vendor swag.
6. Effective and Terrible Panel Moderation
Red Flags:
- Asking panelists to introduce themselves (“It’s not that professional”, 24:58)
- Moderators answering their own questions before the panel does.
What Works:
- Deep engagement with the audience, impromptu Q&A, real-time questions (27:53)
- Comfortable, collegial panelists who interact naturally (26:29)
- Ryan (27:53): “The true engagement and participation of the audience is generally... the most successful formula for a panel discussion.”
7. CEO-CISO Relationships & Reporting Up
- Ideal CEOs:
- Ask, “Tell me what I don't know and should be doing,” and, “Make me look good.” (29:32)
- Want concise, actionable soundbites and business context, not technical jargon or a litany of “problems”.
- Brett (30:17):
- Don’t weaponize CEO questions to promote your own issues. Build trust and focus on what’s crucial for their success.
- Ryan (32:17):
- Always frame answers in the broader organizational context, e.g., third-party risk is part of a central procurement process.
- On 'Are We Secure?'
- There’s no “yes/no” answer—be transparent but reassuring:
Brett (34:02): “You have to be honest with them...here's where we're doing really well, and here's where we're focused on in the areas that we're improving...”
8. Audience Speed-Round Q&A (35:17 onward)
Notable Practical Questions & Answers:
- First step for a coding hobbyist worried about app security?
  - Ryan (36:28): Use a consultant or outside party for a code/security review.
  - Brett (36:59): If it’s just for experimentation, “use AI, see what happens,” but for anything public-facing, involve a professional.
- Most effective marketing from cybersecurity vendors?
  - Brett (37:19): Relationship-building, not just a quick sales pitch or generic solution.
  - Ryan (37:43): Values learning about the person and having genuine conversations; multiple points stress that timing, fit, and relationship make the difference.
- Impact of AI on cyber staff?
  - Brett (38:41): “I think it will augment my staff,” automating tedious, repetitive tasks.
  - Ryan (38:55): “It’s going to level up the skill set.”
- Keeping up with regulations in health/finance/IoT:
  - Ryan (39:17): Depends on partners, industry associations, and colleagues.
  - Brett (40:14): Lean on outside counsel and ISACs; solving for compliance is separate from just keeping up.
- Best strategy for recruiting top cyber talent?
  - Brett (40:44): Strong college partnerships and fostering an enjoyable, valued work environment.
  - Ryan (41:17): “Being vested in your staff,” maintaining and leveraging relationships, making the job enjoyable (“Monday: teach me the Gen Z word of the week!” 42:13).
  - Gen Z word example: “Slay” = doing a great job or being cool (42:18).
Notable Quotes & Moments
On assumptions and mistakes:
- Ryan Barras, cold open (00:03):
“That might have started with taking the job... assuming that people actually understood the distinction between cybersecurity, the role, and IT in general.”
On the CISO role’s breadth:
- Ryan (05:19):
“...you need to better understand the organization often than the folks that are actually doing the work.”
On vendor relationships:
- Brett (37:19):
“I would just appreciate someone coming in if they want to introduce themselves to me as a person, not a vendor... You’re just developing that relationship.”
On humor and team retention:
- Ryan (42:13):
“Monday mornings... the first order of business is asking the Gen Z guys on my team, ‘What's the Gen Z word of the week?’”
Memorable Segments (Timestamps)
- [03:11] The CISO role defined (“does everything nobody else wants”)
- [11:05] The Y2038 bug as a looming “industry problem”
- [17:31] What’s Worse game: Security vs. Business tradeoffs
- [24:58] Moderation pet peeves: “Introduce yourself” and audience-insulting panels
- [29:32] The two questions every CISO should answer for their CEO
- [35:17] Speed round: Audience Q&A—vendor relationships, AI’s impact, recruiting, and survival tips for “vibe-coded” apps
- [42:13] Gen Z word of the week: “Slay”
Tone and Style
- Informal, direct, punctuated by humor and real-world anecdotes.
- Panelists offer honest, sometimes self-deprecating takes on their roles.
- Lively crowd involvement and quick banter throughout.
- Intentionally avoids over-technical explanations, modeling the desired executive-to-security communication style.
Takeaways for Listeners
- CISO success comes from relationship-building, business literacy, and empathetic communication—not technical acumen alone.
- The value of security must be translated into business risk and continuity terms.
- Industry-wide security dilemmas need collaborative communities and vendor listening, not just regulation.
- Panel/meeting impact is determined as much by audience engagement as by expert content.
- AI and automation are seen as augmenting—not eliminating—security roles.
- Vendor outreach that builds genuine relationships stands out; timing and empathy matter.
- Retention is all about creating a place people enjoy working and are able to learn and grow.
This episode provides both pragmatic advice and a “peek behind the curtain” at real-life decisions, challenges, and lighter moments in the security leadership world.
