CISO Series Podcast – Episode Summary
Podcast Title: I Can’t Choose. I Love All My Assets Equally.
Hosts: David Spark, Andy Ellis, Mike Johnson (absent in this episode)
Guest: Tim Jacobs, CISO of Commonwealth Care Alliance
Air Date: May 27, 2025
Sponsor: ThreatLocker
Episode Overview
This episode tackles the complexity of starting or maturing a security program, particularly in environments with minimal existing controls. The trio also dives into best practices for crisis decisiveness, asset valuation, and the unexpected business benefits security efforts can uncover. The hosts and guest use practical anecdotes, active debate, and candid insights to highlight how security must align with business realities and priorities.
Key Discussion Points & Insights
1. Getting Started When Security Is "Rock Bottom"
- Context: Responding to an online post: “How screwed is my company if we only use Windows Defender and have shared cloud logins?”
- Andy Ellis:
  - Sees opportunity: “There’s nothing wrong to undo except potentially that shared password.” (04:36)
  - Advises against leading with fear or fines: “It comes across as a threat.” (05:11)
  - Suggests getting an outside perspective, such as from a Microsoft-focused MSP, for pragmatic recommendations.
- David Spark:
  - Pushes the panel: “What’s the way to bring up something scary that doesn’t come off as a threat or FUD?” (05:23)
- Tim Jacobs:
  - Emphasizes business impact: “You’re basically operating where the likelihood of a ransomware attack…is very high. You need to take actions to defend against that because that breaks your business.” (06:35)
  - Advises using practical demonstrations (“unplug the computer, now do your job”) to illustrate the impact, rather than just referencing fines.
  - Endorses consensus: “You’re crowdsourcing… to gain consensus and ultimately force a business decision.” (08:47)
2. CISO Decision-Making in a Crisis: Decisiveness vs. Caution
- Setup: Decisiveness is seen as a key leadership trait, but how should a CISO approach tough calls under pressure?
- Tim Jacobs:
  - “I first start by asking myself what is known versus unknown. Do we have the right people working on the right issue?” (10:12)
  - Emphasizes the need for practiced communication: “You have to have practiced that in advance… that helps to make it easier for other people to be decisive.” (10:49)
  - Stresses predefined breach response plans and making sure execs understand the consequences of radical actions (like disconnecting from the internet): “If we do have to go offline… trust me. I’ll let you know when it’s time to break glass.” (13:16)
- Andy Ellis:
  - “You have to understand the cost of your decisions. When I was at Akamai… what size credit card do you have? And your credit card is measured in incidents.” (11:42)
  - Weighs trade-offs: “If it cost me 30 SEV3s, that’s okay, we’ll go clean that up later.”
  - Advocates anticipating “side effects” and knowing which bad outcomes to monitor.
3. What’s Worse: Weak Authentication vs. Poor Segmentation
- Game Segment: “What’s Worse” [16:21–20:08]
  Which is worse for Zero Trust: weak authentication or poorly deployed segmentation with excessive exceptions?
- Andy Ellis:
  - “Root of Zero Trust is identity… If you don’t have identity, you don’t have Zero Trust.” (17:25)
  - Dismisses microsegmentation as the foundation of Zero Trust: “Microsegmentation is the least important thing in Zero Trust. Identity over everything.” (17:57)
  - Notable quote: “Weak authentication— that’s weak identity— is functionally no identity.” (18:46)
- Tim Jacobs:
  - Agrees: “The authentication is key...if you don’t authenticate properly up front, you’ve sort of missed the whole point.” (19:45)
  - Notes that hospital/healthcare devices are often legacy and can only be protected with microsegmentation as a fallback.
- Memorable Exchange:
  - Andy on legacy healthcare devices: “As long as we feed the gerbil that’s running in the back of the computer to keep the operating system going, everything’s good.” (20:52)
  - David: “Doesn’t the gerbil have a longer lifespan than a Microsoft operating system?” (20:57)
4. Asset Value: It’s All About Business Risk
- Main Question: How do you value assets for effective threat modeling?
- Tim Jacobs:
  - Focus on business function: “It’s more the role of the asset in processing critical data that supports the company that’s key.” (22:38)
  - Identifying “crown jewels” is iterative and driven by business dialogue: “It’s difficult, it’s iterative, based on talking to your business stakeholders.” (23:08)
  - Regulatory drivers like new HIPAA rules may force more rigorous mapping of data flows.
- Andy Ellis:
  - Argues that asset valuation is an output, not an input, of risk modeling: “You don’t know what your assets are actually worth until you have done risk modeling.” (23:51)
  - Memorable moment: “What is the value of a patient’s life? …It has no value. You don’t value it. You don’t put a price tag on it… That’s my unacceptable loss. And I work backwards from it.” (25:38)
  - Practical advice: Start with unacceptable business losses; work backward to discover and value critical assets.
5. Unexpected Business Benefits from Security Initiatives
- Context: Security “side effects”: how security reveals broader business opportunities
- Andy Ellis:
  - “It’s usually getting rid of assets that are unused.” (28:08)
  - Anecdote: The security team at Akamai was the first to safely decommission unused networks, which had been ignored out of organizational caution.
  - “I see places in the cloud where people do cost optimization because they discover there’s a whole bunch of assets that just aren’t in use. Oh, let’s get rid of those rather than trying to secure them...” (28:52)
- Tim Jacobs:
  - On business email compromise: “By shining a light… you can identify things like, do we have employees who are communicating back and forth with an adversary in our accounts payable department, are they transferring money?... The business has no control within their accounts payable department to be able to validate... until through security you identify [it].” (29:13)
- Non-security Motivators:
  - Andy: “I’ve used the security reason to give the push to the other thing that was needed... Let’s get to fast software updates.”
  - Tim: “If we’re not looking for these [code validation] checks up front and we’re delivering bad code, bad products… you would never deliver a car through an assembly line that hadn’t had the right checks, why are we waiting until we’ve already delivered something to fix it after the fact?” (31:35)
Notable Quotes & Memorable Moments
- Andy Ellis on Zero Trust: “Weak authentication— that’s weak identity— is functionally no identity.” (18:46)
- Tim Jacobs on business risk: “The worst incident is that we can’t deliver care to our patients and people could die or suffer very serious health outcomes.” (24:50)
- Andy Ellis on asset value: “I have never seen anybody who started from a let me value all of my assets and then do risk modeling, end up with a usable risk model.” (25:40)
- Tim Jacobs on risk modeling: “You’re crowdsourcing… to gain consensus and ultimately force a business decision.” (08:47)
- Andy Ellis, humor: “As long as we feed the gerbil that’s running in the back of the computer to keep the operating system going, everything’s good.” (20:52)
Timestamps for Key Segments
- How to Approach Security “Rock Bottom”: 03:43–09:05
- Crisis Decisiveness for a CISO: 09:10–14:33
- What’s Worse: Authentication vs. Segmentation Game: 16:16–20:08
- Valuing Assets in Threat Modeling: 21:39–27:02
- Hidden Business Benefits of Security Initiatives: 27:08–32:05
Tone & Style
The episode is pragmatic and conversational, punctuated by humor and war stories from real security and business challenges. The style is direct: panelists don’t shy away from disagreeing or exposing the tough realities of security leadership, but they keep it approachable for listeners at all experience levels.
Closing Thoughts
The panel stresses that mature security requires aligning with business priorities—what truly matters and what can’t break. Asset value and risk decisions must be rooted in a deep, often painful understanding of unacceptable losses, not just compliance checklists or asset spreadsheets. Meanwhile, the “side benefits” of a security mindset—cost savings, process improvements—are often as valuable as the primary risk reduction itself.
Networking is highlighted as another core piece: keep building relationships before you need them. As Andy Ellis puts it, “Networking is about just connecting with somebody and giving to them so that when you need from them later, there's a connection.” (33:00)
For more insights and to join the community, check out cisoseries.com
