CISO Series Podcast
Episode: "I'll Show You Our Resilience Plan Once Our Cloud Storage Is Back Online"
Date: January 27, 2026
Hosts: David Spark, Mike Johnson (CISO of Rivian)
Guest: Johan Balaguer (Global CISO, Hard Rock Hotels & Casinos)
Episode Overview
This episode dives deep into the evolving landscape of cybersecurity leadership, the real-life challenges of AI identity risks, managing career development in security teams, and the daunting task of building resilience amid increasing reliance on third-party cloud providers. Through candid discussions and practical advice, hosts David Spark and Mike Johnson, joined by guest CISO Johan Balaguer, explore what it means to lead in cybersecurity today—balancing technical know-how, organizational risk, and people management.
Key Discussion Points & Insights
1. Building a Strong Cybersecurity Foundation
- 10-second security tip (00:02):
Johan Balaguer likens a cybersecurity program to a house’s foundation: “A poor foundation makes your whole house susceptible to breaking and falling apart. Always ensure your cybersecurity program is built with a strong foundation that bakes in effective basic cybersecurity controls. I always say go back to the basics.”
- Emphasizes the importance of fundamentals over chasing every cutting-edge threat.
2. What It Really Takes to Become a CISO
- The real pivot: Speak Risk, Not Ransomware (04:34):
David Spark introduces a forum quote: “The real pivot is learning to speak risk, not ransomware. Once you can tie patch delay to revenue, risk execs actually listen.”
- Both Mike Johnson and Johan Balaguer stress starting by understanding why someone wants to become a CISO.
- Mike Johnson (05:29):
"Sometimes it’s just, I want to make more money. ... There are senior individual contributor roles that pay as well or better. ... You have to start with the why."
- Johan Balaguer (07:33):
“…You have to understand, are they just trying to become an authority figure or are they trying to do something that’s good? … I think this is a very exciting and fulfilling position, but it comes with a lot of stress, a lot of anxiety.”
- Both agree: Effective CISOs are business enablers, not just authority figures or technical experts.
- Johan’s career origin (08:26): Started in helpdesk, rose up through IT, and found purpose in cybersecurity’s “cat and mouse game” of defending organizations.
3. AI Identity Risk: Deepfakes, Voice Clones & Employment Rights
- Real-world deepfake experience (09:47):
The crew discusses a story about an AI voice clone so convincing it fooled the creator’s own family.
- Key considerations:
- Should companies have contractual clauses about using an employee’s AI-generated likeness after they leave?
- Johan Balaguer (10:48, 12:24):
“…I think there should be policies in place, governance over this. … [But] if we write that into an employment contract, I would expect royalties.”
- Mike Johnson (13:09):
“I don’t see this as a security problem … it falls under HR and legal … but it is novel that it’s something new.”
- Takeaway: Organizations must start thinking about digital identity rights in employment contracts—even if it falls outside the CISO mandate.
4. "What's Worse?" Game: Logs vs. Money in a Ransomware Crisis (16:30)
- Scenario #1: Cloud logs are good, but no budget remains after ransomware recovery.
- Scenario #2: On-premise with poor logs, but a small post-incident budget.
- Mike Johnson (18:19):
“…from my experience, I always want to know what happened. … If I know exactly what didn’t work as expected, I can now go fix that. The solution for ransomware isn’t buying a new tool.”
- Johan Balaguer agrees (19:50):
“You can’t protect what you don’t know. … Having the logs, fully understanding what happened … helps you rebuild.”
- (20:26): More budget is useless if you’re “spending it blindly on the wrong things.”
5. Building Healthy Security Teams & Career Journeys
- The "Sport Contract" vs. "Marriage" Metaphor (20:43):
- Encouragement for managers to see jobs as growth opportunities, not personal betrayals.
- Mike Johnson (21:58):
“Growth means different things for different people. … I’ve had boomerangs, and those are amazing.”
- Johan Balaguer (23:38):
“…if you end up leaving the organization or my team, I welcome that. … You want to start thinking about succession planning, right? Because at the end of the day, who’s going to replace me eventually?”
- Handling departures with grace:
- David Spark (24:56): Shares a story about a CEO making a talented employee feel guilty for leaving.
- Mike Johnson (26:11):
“How you handle an employee departure says potentially a lot more than the work that you do to try and keep someone … You have to support it and you have to have the mechanisms to support it.”
6. Exposure Management: Visibility Alone Isn’t Security (27:20)
- Sponsored Security Tip (Tenable):
- Dashboards may show what’s exposed, but not what’s exploitable.
- Importance of breach and attack simulation (BAS) and continuous threat exposure management.
7. Cloud Resilience: Critical Infrastructure in the SaaS Era
- Redefining "Critical Infrastructure" (29:18):
- Modern businesses rely on cloud/SaaS services that are as foundational as utilities.
- David Spark (29:18):
"Critical infrastructure isn’t just the power grid and water supply anymore."
- Resilience planning challenges:
- Johan Balaguer (30:24, 31:18):
“…unfortunately our hands are kind of tied … you have to go back to basics. … If you understand those dependencies … you can start to bake in what happens if they go down.”
“Always thinking about, like you said, I live here in South Florida. We're very prone to hurricanes… So, going back to accounting for all that, making sure that you even have paper copies of playbooks...”
- Mike Johnson (31:39):
“There is a shared responsibility. … Your application needs to be architected to take advantage of [cloud] resiliency… Maybe a lot of companies learned their risk tolerance that day.”
- Dependency mapping and stakeholder engagement:
- Johan Balaguer (35:34):
“…it's asking different people because sometimes you don't understand the dependencies … making sure that you're relying on multiple stakeholders…”
Notable Quotes & Memorable Moments
- On career motivation:
- “If your focus is just the paycheck, you're missing the real impact—and the stress.” – Mike Johnson (05:29)
- On handling team departures:
- “I've had boomerangs, and those are amazing.” – Mike Johnson (21:58)
- “I welcome people leaving for growth. I hope our paths cross again.” – Johan Balaguer (23:38)
- On AI identity rights:
- “If we write that into an employment contract, I would expect royalties.” – Johan Balaguer (12:30)
- On incident response priorities:
- “The solution for ransomware isn't buying a new tool. The answer is always understanding what happened.” – Mike Johnson (18:34)
Timestamps for Important Segments
- Strong Foundations in Security: 00:02–00:19
- Becoming a CISO: Mindset & Motivation: 04:34–09:41
- AI Identity Risks (Deepfakes in the Workplace): 09:41–14:28
- "What's Worse?" Game (Logs vs. Budget): 16:30–20:37
- Healthy Career Development: 20:43–27:05
- Security Tip: Exposure Management & BAS: 27:20–29:01
- Cloud as Critical Infrastructure & Resiliency: 29:18–36:02
Episode Tone & Style
The conversation is practical, open, and laced with dry humor and camaraderie. Johan brings firsthand insight from leading security at globally recognized enterprises. Mike balances technical depth with leadership wisdom, and David drives discussion with curiosity and frequent references to real industry scenarios.
For Further Engagement
- Johan Balaguer is open to connections via LinkedIn and notes Hard Rock is always looking for new talent (36:33).
- More episodes and resources available at cisoseries.com.
This summary delivers the key themes, practical advice, and real voices from the episode—perfect for CISOs, aspiring security leaders, and anyone navigating today’s cyber risk landscape.
