CISO Series Podcast
Episode: I'm Worried That We're Not Worried About the Right Worries With AI
Date: December 9, 2025
Hosts: David Spark, Mike Johnson, Andy Ellis
Guest: Danny Jenkins (CEO, ThreatLocker)
Brief Overview
This episode centers on the nuanced worries security leaders should – and shouldn't – have about AI in the enterprise. The panel dissects common misconceptions, influencer-driven panic, and the AI “solution in search of a problem” phenomenon permeating boards and security teams. Along the way, the hosts and guest Danny Jenkins from ThreatLocker drill into broader topics like complexity versus simplicity in security, the meaning (or lack thereof) of Zero Trust, and perennial challenges like proving ROI in security.
Key Discussion Points and Insights
1. The Illusion of “Downtime” in December
- Timestamps: [01:20]–[03:12]
- December is often treated like a "dead month," but cyberattacks don't pause for the holidays (case in point: Log4Shell, the Log4j vulnerability, was disclosed in December 2021 and its response ran straight through Christmas).
- Mike Johnson: Emphasizes the need for robust holiday/on-call rotations, not just within security teams but also across all dependent support teams.
- "If there is an incident over the holidays, quite often the teams that we depend on might be off on vacation. Make sure you've got your pager rotations set up for those teams you depend on." [02:41]
2. AI Security: Are We Missing the “Real” Worries?
- Timestamps: [03:51]–[08:45]
- The panel responds to CISO Yasser Abusulam’s contention that much AI security discourse is misplaced, obsessing over rare “lab threats” like data poisoning instead of practical issues like supply chain compromise and over-privileged agents.
- Mike Johnson: Encourages security leaders not to follow headlines but to understand their real threat landscape.
- "Don't just read everything you see on the headlines and assume that's your risk. Not everybody actually needs to be worried about prompt injections—even though it's on his list." [04:47]
- Danny Jenkins: Warns against solution-first thinking – too many organizations are told to “implement AI for security” without understanding what problem it’s solving.
- "There's no way in the world you should go into a problem with a solution. It's crazy... The biggest concern is the obsession with building AI security tools." [06:00]
- On boardroom pressure: "The board are so scared about falling behind, they're putting pressure on CISOs and C-suite: 'What are we doing to drive AI forward?' When they should be asking, 'What problems do we have and could AI help us solve them?'" [06:49]
- Key Theme: Avoid AI-for-AI’s-sake; start with clear problem definition.
3. Security ROI: The Wrong Way to Measure Success?
- Timestamps: [09:25]–[14:32]
- The panel explores the futility of traditional ROI metrics for cybersecurity and why risk reduction is the more honest (and useful) framework.
- Danny Jenkins:
- "We shouldn't be talking about ROI, we should be talking about risk… Security isn't optional in a business. If you don't do it, you will eventually have massive financial consequences where you don't exist anymore." [13:19]
- "I think CISOs sometimes want to make this an ROI play to make themselves feel more valuable… Security is a cost center, but it's a risk reduction and potentially a business saving cost center." [13:55]
- Mike Johnson:
- "We need to stop talking about ROI. We're kind of shooting ourselves in the foot. We are a cost center. That's okay. There are plenty of cost centers that are absolutely needed for the company." [12:02]
4. What’s Worse Game: Skills vs. Communication in Security Teams
- Timestamps: [16:18]–[21:49]
- Scenario: Is it worse to inherit a team of highly skilled security nerds who lack communication skills, or a team that communicates well but lacks technical depth?
- Mike Johnson and Danny Jenkins: Both opt for the "nerds who can't talk" over non-technical communicators.
- Danny Jenkins: "I'd always take the nerds. People who can talk but can't do often make people feel falsely confident. That's much worse." [19:40]
- David Spark: Notes that technical skills are foundational—communications can be brokered or layered in as needed, especially at the CISO level.
5. Complaint Corner: Complexity vs. Simplicity in Security
- Timestamps: [22:00]–[29:01]
- Mike Johnson:
- "Complexity is the enemy of security" is overused. We need to embrace complexity where it exists, but make security simple for others—golden paths, paved roads. [22:30]
- Danny Jenkins:
- Most breaches are caused by basic missteps, not “sophisticated” attacks.
- "When you hear about large-scale attacks, it's often fundamental flaws in basic configurations, not sophisticated, John Travolta-in-Swordfish attacks. It's basic things—VPNs poorly configured, RDP left open, remote software exploited." [23:33]
- Calls for focusing on fundamental controls (blocking untrusted software, restricting access to ports, practical use of MFA, etc.).
- On controls: "This user—500 users in my company are sales, they run Zoom, Office, Chrome. Only allow those to run." [25:25]
- On balancing detection and rapid response: "If an indicator is triggered—maybe it's just an IT guy—but we can disable admin tools until the SOC clears it. These are real things you can do, to stop and slow attackers." [27:22]
6. Zero Trust: Buzzword or Mindset?
- Timestamps: [31:51]–[37:29]
- David Spark: Reads some pointed commentary about Zero Trust being like “dating in high school…everyone’s talking about it, not many are doing it, and almost no one’s doing it right.”
- Danny Jenkins:
- On zero trust marketing overkill: "We didn't even say it on our website when everyone else did. I'd rather say 'block untrusted software' and 'limit what applications can do.' If we use Zero Trust, we tie it to something real." [32:59]
- On achieving zero trust: "Can we achieve it? I don't think we achieve it, yes or no, but we do achieve a zero trust mindset in certain areas. It's least privilege—just expanded business-wide." [34:36]
- On branding: "Zero Trust is just the new word for least privilege." [35:47]
- Core mission: "Change the paradigm of security from default allow to default deny." [36:59]
- Mike Johnson:
- "Zero Trust means so many things to different people—it’s noise. I’d like to see the term go away. The philosophy of least privilege, not persistent access—these have been around forever." [35:00]
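The two controls Jenkins describes in sections 5 and 6 (a per-role application allowlist where anything unlisted is denied by default, and temporarily disabling admin tools when an indicator fires until the SOC clears it) can be sketched as a small policy engine. The block below is an added Python illustration written for this summary; it is not ThreatLocker code and does not mirror any product's API. The role allowlists, the admin-tool set, the "launched from a user-writable folder" indicator, and the sample process-launch events are all constructed assumptions.

```python
"""Default-deny application control with an indicator-driven admin-tool
lockdown. Added illustration, not ThreatLocker code; every list below is a
constructed assumption."""
import ntpath
from dataclasses import dataclass, field

# Assumed per-role allowlists. Anything not listed for the role is denied,
# and an unknown role resolves to the empty set, i.e. deny everything.
ROLE_ALLOWLIST = {
    "sales": {"zoom.exe", "outlook.exe", "winword.exe", "excel.exe", "chrome.exe"},
    "it": {"chrome.exe", "cmd.exe", "powershell.exe", "mmc.exe", "psexec.exe"},
}

# Assumed set of tools disabled for everyone while an indicator is unresolved,
# even for roles that are normally allowed to run them.
ADMIN_TOOLS = {"cmd.exe", "powershell.exe", "mmc.exe", "psexec.exe"}

# Constructed indicator: any launch attempt from a user-writable scratch folder.
SUSPICIOUS_DIRS = ("\\downloads\\", "\\temp\\")


@dataclass
class DefaultDenyEngine:
    lockdown: bool = False                      # set by an indicator, cleared by the SOC
    events: list = field(default_factory=list)  # (role, path, verdict) audit trail

    def decide(self, role: str, image_path: str) -> str:
        """Return 'allow' or a 'deny:<reason>' string for one process launch."""
        exe = ntpath.basename(image_path).lower()
        folder = ntpath.dirname(image_path).lower() + "\\"
        allowed = ROLE_ALLOWLIST.get(role, set())

        if exe not in allowed:
            verdict = "deny:not-allowlisted"
        elif self.lockdown and exe in ADMIN_TOOLS:
            verdict = "deny:admin-tools-locked"
        else:
            verdict = "allow"

        # The indicator is checked regardless of verdict: a blocked launch from
        # a scratch directory is still worth escalating and locking down on.
        if any(d in folder for d in SUSPICIOUS_DIRS):
            self.lockdown = True

        self.events.append((role, image_path, verdict))
        return verdict

    def soc_clear(self) -> None:
        """The SOC has reviewed the indicator; restore admin tools."""
        self.lockdown = False


# Constructed sample of process-launch events, in order.
SAMPLE_EVENTS = [
    ("sales", r"C:\Program Files\Zoom\bin\Zoom.exe"),    # allowed for sales
    ("sales", r"C:\Windows\System32\cmd.exe"),          # not on the sales list
    ("it",    r"C:\Windows\System32\cmd.exe"),          # fine for IT
    ("sales", r"C:\Users\bob\Downloads\invoice.exe"),   # denied, and trips the indicator
    ("it",    r"C:\Windows\System32\cmd.exe"),          # now locked until the SOC clears
]


def run_sample() -> list:
    """Feed the sample events through a fresh engine and return the verdicts."""
    engine = DefaultDenyEngine()
    return [engine.decide(role, path) for role, path in SAMPLE_EVENTS]


if __name__ == "__main__":
    for (role, path), verdict in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{role:5} {verdict:26} {path}")
```

Note the order of the checks: the allowlist decision comes first and does not depend on indicator state, so a binary that is trusted for a role keeps running during lockdown unless it is an admin tool. The indicator is evaluated even for denied launches, since a blocked executable appearing in a scratch directory is exactly the signal a SOC wants to see, and the cost of the lockdown is that an IT user loses cmd.exe until someone clears it, which is the "slow the business until we're sure" trade-off Johnson describes.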
Notable Quotes & Memorable Moments
- On board pressure to “do AI”:
- Danny Jenkins: "People are actually not looking at the things they should be looking at in their business...The solution is being made and they're trying to find problems to match." [07:36]
- On the risk of non-technical communicators:
- Danny Jenkins: "I'd rather people who make me feel scared than people who make me feel really confident and go home every night thinking, 'We're great.'" [19:40]
- On “sophisticated” attacks:
- Danny Jenkins: "Most of the time it is not a sophisticated attack. It's a fundamental flaw in configurations." [23:33]
- On vendor buzzwords:
- Danny Jenkins: "Zero trust is the new word for least privilege... Marketeers come up with new buzzwords to reinvent it and make it sexier." [35:47]
- On controls versus detection:
- Mike Johnson: "There's focus on prevention, but also rapid response. There might be things we can't block, but we can take automated action to slow the business until we're sure." [28:03]
Key Timestamps for Important Segments
- [00:02] – Security tip: block RDP from the Internet
- [02:41] – Pager rotations for dependent teams during holidays
- [04:47] – Sensible approach to AI security risk (Mike)
- [06:00] – "AI solution in search of a problem" warning (Danny)
- [09:25] – The ROI “dark art” and why it’s a red herring
- [16:18] – “What’s Worse” scenario: skilled nerds vs. communicators
- [22:23] – Complexity vs. simplicity (“complex systems are reality”)
- [23:33] – Most breaches are "not sophisticated attacks"
- [25:25] – Fundamental controls: allow only what’s needed
- [31:51] – Zero Trust: mindset, not a product; overused and vague
- [35:00] – Where Zero Trust fits for practitioners, and the real meaning
- [36:59] – Default deny: ThreatLocker’s guiding principle
Flow and Tone
The conversation is lively, direct, and laced with wry humor about overhyped buzzwords and the realities of working under pressure in security. Both Jenkins and the hosts are frank about challenges, keen to pull back from hype, and push for clarity and first-principles thinking over marketing or fear-based narratives.
Summary Table (Quick Reference)
| Topic | Key Takeaways | Notable Quote / Timestamp |
|---|---|---|
| December Security Risks | Cyberattacks don't pause for holidays; plan on-call rotations | Mike: "Make sure you've got your pager rotations..." [02:41] |
| AI Security Worries | Ignore lab-theory panic; focus on real threats and business context | Mike: "Don't just read everything you see on the headlines..." [04:47] |
| ROI vs. Risk | Security is about risk reduction, not profit-generating ROI | Danny: "We shouldn't be talking about ROI..." [13:19] |
| Skills vs. Communication | Technical skills matter more; CISOs can bridge communication gaps | Danny: "I'd always take the nerds..." [19:40] |
| Simplicity vs. Complexity | Embrace complexity internally, make security simple for users | Mike: "'Complexity is the enemy of security' is overused" [22:30] |
| Sophisticated Attacks Myth | Most breaches are due to basic missteps, not advanced attackers | Danny: "Most of the time it is not a sophisticated attack..." [23:33] |
| Zero Trust Philosophy | It's a mindset/least privilege, not a product; marketers have muddied the term | Danny: "Zero Trust is just the new word for least privilege" [35:47] |
Final Thoughts
- Clarity and problem-first thinking are desperately needed, especially with AI hype and vendor overpromises around Zero Trust.
- Focus energy on tangible, practical controls and strong fundamentals, not just detection or “new shiny things.”
- Security is a cost center—embrace the risk narrative, don’t chase ROI ghosts.
- Simple configurations and “default deny” philosophies are more effective than buzzword-laden products.
- As always, there’s no substitute for experienced, technically skilled staff—“nerds”—even if you need to be the translator for management.
For further insights, visit the CISO Series Podcast page and explore additional episodes for ongoing debates, tips, and real-world stories from practitioners and vendors alike.
