CISO Series Podcast
Episode: If We Can't Do Better, at Least Do It Faster
Hosts: David Spark, Andy Ellis
Guest: Vikas Mahajan (VP and CISO, American Red Cross)
Date: February 24, 2026
Episode Overview
This episode explores the tension between compliance and real security outcomes, especially around third-party risk management, the reliability (or theater) of security policies, and the realities of security operations. The hosts and guest candidly discuss how the industry often prioritizes speed and box-checking over lasting improvements, and debate when it makes sense to build security functions in-house vs. outsourcing. The conversations are lively, honest, and peppered with memorable analogies and frank career advice for CISOs.
Key Discussion Points & Insights
1. Top Advice for CISOs: Build Relationships
[00:02]
- Vikas Mahajan: "My best advice for a CISO is make friends, not enemies. You must learn to get along with your peers… and with key executives. They are the ones who manage risk and need to understand cyber risk."
2. Dealing with Basic Privacy & Security Failures
[01:24-04:26]
- Discussion on encountering casual mishandling of sensitive data (e.g., publishing birthdates in public fields).
- The hosts highlight how many organizations lack in-house security talent, leading to "ew" moments for practitioners.
- Andy Ellis: "They didn't even name the field. Come on. At least name the field 'birth date.'" ([02:29])
- The issue is often not malice but ignorance or carelessness.
- A core point: distinguishing between accidental exposure to a community vs. outright public posting — and the importance of understanding the audience and purpose of data sharing.
- David Spark: "Exposing them will make a problem for me... I just want to fix the problem." ([04:16])
3. Third-Party Risk Management: Compliance Theater or Real Security?
[04:53-10:43]
- Ross Young's Quote: "Being busy is the new stupid. No one cares how many hours you logged... they care about outcomes." ([04:53])
- Discussion on how most organizations treat third-party risk management (TPRM) as compliance theater, focusing on forms and reports (e.g., SOC 2, CAIQ) rather than risk reduction.
- Andy Ellis:
- Critiques the proposal of outcome-driven vendor contracts (e.g., paying bonuses for meeting patching SLAs) as unworkable.
- "Absolutely not… This proposal doesn't reduce what you pay me, it's going to increase what you pay me." ([05:57], [08:50])
- Vendor-side reality: filling out questionnaires is cheap and automated; meeting custom SLAs is costly and complex.
- Vikas Mahajan:
- Also disagrees with incentivizing SLA compliance.
- "We do not manage our third party vendors' environments. We will never know the truth of what's in there… I care more about them being able to get back online… than anything else." ([09:02])
- Suggests a better path is focusing on vendor resiliency, and actively involving critical suppliers in tabletop exercises to build joint response plans for incidents.
4. Are We Just Pretending Security Is Better?
[10:49-17:43]
- Joshua Copeland's Unpopular Opinion: "Cybersecurity didn't get better. We just got better at pretending… We built an industry around looking secure instead of being secure."
- Vikas Mahajan:
- Agrees that focusing on fundamentals is crucial (patching, vulnerability management) but defends progress: "A lot of security these days is things that our users don't see… I think overall it is [making things better]."
- Andy Ellis:
- Strongly disagrees with Copeland:
- "Security has gotten way better since 1999… our environments are functionally secure and we have built a trillion dollar economy… and it's mostly fine." ([14:17]/[16:57])
- Provides a historical perspective, describing how much more primitive and insecure everything was in the 1990s. Routine secure updates and encryption were rare.
- Vikas Mahajan: "My EV gets its updates from Tesla automatically. My car, right, I'm driving on this thing… how different a world it is today." ([17:34])
5. Policy vs. Control: What's Worse: Toothless Policy or Minimal Control?
[19:11-28:41]
- Game: What's Worse?
- Two scenarios debated:
- No enterprise AI strategy; only a basic, likely-ignored acceptable use policy (AUP); organic, uncontrolled shadow AI usage.
- No broad AI strategy or AUP, but strong technical controls for a single AI tool (Claude); users can enter anything, but usage is monitored.
- Andy Ellis:
- Scenario 1 is worse: "All you have is a policy nobody reads. That's the wild west."
- Legal protection is less than people think: "If the person who signed the policy violates it, he didn't mean anybody to follow it…"
- Advocates for implementing controls and practices first, writing policy last: “Too many security practitioners think [writing policy] is the first thing you should do. It’s actually the last.” ([25:38])
- Vikas Mahajan:
- Agrees: "From a risk perspective… you have a controllable environment [in scenario 2]… you know where it all is."
- Shares that showing users responsible use of tools is more effective than blocking everything.
6. Policy Writing Philosophy
[26:32-27:16]
- Policies should be the last layer, reflecting already-established good practices, not aspirational or academic standards nobody follows.
- Andy Ellis:
- "When most people write policies, it's an exercise in writing the dogma of where we believe we ought to be…"
7. Building a SOC: In-House or Outsourced?
[28:46-33:58]
- Starting a Security Operations Center (SOC): Most subreddit commenters say outsource unless you’re a very large enterprise.
- Vikas Mahajan:
- Agrees: "It's better to procure the service… They've already built all the rules."
- Recommends a hybrid approach: keep data and investigation access internal, outsource the monitoring function.
- Andy Ellis:
- Highlights the need for organizational maturity: "Who is your tier 4 engineer? If you don’t have one… you’re not ready.”
- Outsourcing works only if you have someone senior enough internally to manage the MSSP relationship.
- SOC and IT helpdesk should be tightly integrated; don't build an entirely parallel operation.
- Vikas Mahajan: "You do have to manage the relationship and that’s the key. If you want good service, you have to put in the time and effort."
8. Shift Left: Is It Still Valuable or Just Buzzword?
[34:04-39:01]
- Derek Fisher's Quote: "'Shift left' has become a cringe-inducing or eye-rolling phrase… but the goal is to be proactive."
- Fisher suggests using Adam Shostack’s lightweight four-question threat modeling at the user story level.
- Andy Ellis:
- Shift left is overused, but the core practice—engaging in dialogue early, understanding system goals and threats—remains powerful.
- "Instead [of coming in with demands], walk in and say: what are you doing? How could it go wrong?"
- Developers are more receptive when respected as owners and experts, not as policy targets.
- Vikas Mahajan:
- Agrees context is crucial: "Bring the water to the horse — bring capabilities to the people, embed security in their tools and train them."
- Security should be a partner, not "the OWASP top 10 thrown at you."
- Consensus: Lightweight, conversational threat modeling is better than box-checking or prescriptive policies.
Notable Quotes & Moments
- Vikas Mahajan, on CISOs:
- “Make friends, not enemies. You must learn to get along with your peers... They are critical for you to be able to get the security things you want done.” ([00:02])
- Andy Ellis, on TPRM:
- “Absolutely not... This proposal [pay-for-patching SLA] doesn't reduce what you pay me, it's going to increase what you pay me. That's why it's dead in the water.” ([05:57]/[08:50])
- Andy Ellis, on policy writing:
- “The last thing you should do is write a policy… the first thing that you do is you go and you secure a system… when you finally write a policy, it’s already being followed." ([25:38])
- Andy Ellis, on history:
- “Security has gotten way better since 1999. If I go back to where I was… nothing was encrypted… the amount of just insecure by default… software was through the roof.” ([14:17])
- Vikas Mahajan:
- “We will never know the truth of what’s in [vendors’] environments… I would rather focus on resiliency.” ([09:02])
- Andy Ellis, on shift left:
- “When a security team walks in and says, 'you need to do X'… and developers don't see the context, they’ll stop listening to you for everything.” ([36:25])
- Vikas Mahajan, on shift left:
- “Bring the water to the horse, bring the security capabilities to the people, embed it in the tools they’re working with… security as a trusted advisor.” ([37:55])
Timestamps for Important Segments
- [00:02] CISO advice: "Make friends, not enemies"
- [04:53] Compliance Theater in Third-Party Risk (Ross Young quote)
- [05:57]/[08:50] Andy Ellis: Why outcome-based vendor contracts won't work
- [09:02] Vikas Mahajan: Focus on resiliency, not patch-based incentives
- [10:49] Joshua Copeland: "We just got better at pretending"
- [14:17] Andy Ellis: IT security is vastly better than in 1999
- [19:11] Game: What's Worse? (AI policy vs control)
- [25:38] Policy writing philosophy: last not first
- [28:46] Building a SOC: in-house vs outsource
- [34:04] Shift left: Diluted buzzword or valuable practice?
- [36:25] Andy Ellis: Why developer-first threat modeling works
- [37:55] Vikas Mahajan: Embed security in dev workflows
Takeaways
- Real Security Demands Relationships and Context: Technology and policies provide little value unless grounded in organizational context and sustained by trusted relationships.
- TPRM and Compliance Are Ripe for Reform: Box-checking doesn’t protect anyone; focus on resilience and active collaboration with vendors.
- Security is Better, But Fundamentally Hard: The basics still matter, but core technologies and hygiene have improved, even as attack surfaces have grown.
- Don’t Lead With Policy: Build working practices first, write policies to codify, not mandate, them.
- When in Doubt, Outsource (But Don’t Abdicate): For SOCs and other key operations, buy expertise, but keep internal ownership and oversight.
- Security Engagement Should Be Developer-Centric: Avoid “checklist” security; embed guidance in developer tools, and respect their expertise.
Episode tone: Candid, practical, often irreverent and sprinkled with industry war stories. The conversation focuses on real-world experience, genuine skepticism, and constructive advice for security leaders.
For more CISO Series content, visit CISOseries.com
