David Spark
Best advice for a CISO: go get
Megan Samford
a third party independent report. If you're coming into a company new to a program, new to a role, you want to make a big splash in the first six months, get a third party report to baseline where your program's at. And that's something that you can immediately hand off and present to your board. And that's going to add a lot of credibility to whatever strategy you're trying to form.
David Spark
It's time to begin the CISO Series Podcast.
Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of said CISO Series, and joining me as my co-host for this very episode, it's one of your favorites. You tell me it's one of your favorites. It's Andy Ellis, principal for Duha. Andy, say hello to the audience.
Andy Ellis
Good afternoon, or, depending on where you are, good morning, good evening or good night. That would be Slovak, in honor of: we are recording during the Olympics, and tomorrow the US team will be playing Slovakia in hockey.
David Spark
Well, by the time everyone hears this, it'll be months past, I know, and we will know who won that.
Andy Ellis
But my mother-in-law was born in, at the time it was Czechoslovakia, but on the Slovak side. So we're going to be doing a watch party together with them, I think, tomorrow or three months ago, depending on how you think about it.
David Spark
Audience, we are available also at cisoseries.com, where you can find all of our other wonderful programming. So you should spend, I would say, one to two hours. That's what most professional doctors order. One to two hours of CISO Series a day. I would strongly recommend it. Our sponsor for today's episode is Native Security. Unify, manage and maximize built-in cloud security controls and achieve secure-by-design consistency across cloud environments. That is Native Security, and we're going to talk more about that later in the show. But first, Andy, I want to talk about actually a quote that I saw, that I posted, that there was a certain phrase in this quote that both hit us. And this comes from Igor Tomasic, who is an associate professor at the Faculty of Organization and Informatics, and he said, quote, CISO Series is my go-to choice during my solo car trips. You and Andy have a certain addictive chemistry and above average mindsets, and themes that are engaging and educative and enjoyable for me. This is basically the only podcast I am listening to. So the phrase "above average mindsets."
Andy Ellis
I loved it. I loved it. That was fantastic.
David Spark
I don't think I've ever heard that phrase before at all. And you definitely doubled down. What is it? First of all, I'm a big fan of compliments in general. As I've said, I'm the Floyd Mayweather of compliments. You can hit me with them constantly, and I can take every single one of them. So what did you like about that above average mindset?
Andy Ellis
First of all, I like it because it's an unusual phrasing, so it stands out. If he just said, "you both are brilliant," everybody says stuff like that, and you sort of take it with a grain of salt. I mean, he'd be lying, too, but, you know, well, I'm not brilliant.
David Spark
Let me qualify anybody who said that. Let me also qualify anybody who says that of me. That is far from me.
Andy Ellis
Yeah. And it's possible, like, someone might look at this and assume negative intent and be like, oh, like, damning with praise. I don't think that's the case. I'm never going to go there. I liked it because it's like, huh, it made me think. And I'm like, if you think about the average mindset, I think people are so used to thinking about bell curves, like, well, average is 50%, but sometimes you actually think average is this whole range in the middle. It's like 60% of the people are
David Spark
average to each standard deviation.
Andy Ellis
Right. And so above average. I'll totally take that because it's about your mindset. Like, I don't need somebody to say, like, you have the most amazing mindset out there, because I don't think I do. It just hit me because I had to stop and think about it. I like this compliment. Plus, if he's on a solo car ride and listening to the two of us, that's amazing.
David Spark
It's great. It cracked me up, too, because also, if you say someone's above average, it's a mild compliment in general, too.
Andy Ellis
It is.
David Spark
It's a mild compliment. He's above average.
Andy Ellis
And look, he's gonna put it on LinkedIn and let lots of people see it. I'm totally good with that.
David Spark
All right. We, by the way, only invite above average guests. Did you know that? That's our. That's our policy. We don't invite average guests or subpar guests.
Andy Ellis
Subpar guests? Yeah. No, definitely not.
David Spark
No, no, we don't. We don't do that. We only invite above average. And in fact, guess what? I have another above average guest. It'll be up to our audience to decide how far above average our guest is today. Not too much pressure on our guest right now. All right. It is the VP of Product and Supply Chain Security over at Schneider Electric, Megan Samford. Megan, thank you so much for joining us.
Megan Samford
Thank you so much. It's awesome to be here with you all.
David Spark
Walk a mile in this CISO's shoes.
Quote: The CISO's craft is about striking a delicate balance, building a security program that is both meticulously engineered and organically resilient. So as Phil Venables, host of the Google Cloud podcast, framed these as two different modes: are you a watchmaker obsessing over every control and policy document, or a gardener cultivating culture and trusting your teams to make good choices? The watchmaker gets you audit-ready and predictable, but risks rigidity when threats evolve. And the gardener builds resilience in distributing ownership, but good luck explaining to your board why you can't produce a neat control matrix. So I'll start with you, Andy, here. Are we all operating as hybrids of these two approaches? And when do we need to shift further to one side? The gardener versus the watchmaker. And by the way, I love these
Andy Ellis
metaphors here, so I get the metaphors. But for me, I grew up in maybe a slightly different era, and watchmaker has a very specific connotation from The Mote in God's Eye by Larry Niven. Very different culture than what's being posited here by Phil Venables, where the watchmakers absolutely did not obsess over policy and controls, and they were the ones who, like, went out and just built random stuff until it worked and then abandoned it.
David Spark
Well, you have to be meticulous to make a watch.
Andy Ellis
But there's a very specific speech, like, if you haven't read the series by Larry Niven, you really ought to. It's The Gripping Hand. This is, I think, the second book. Anyway, sorry, divergent there. But sometimes, an important thing to learn, which is sometimes your analogies run into somebody else's mental model and just don't land correctly because they have something else sitting there. I actually think that you're in both of these modes all of the time. But it's mostly the gardener mode. Like, if you're gonna say the watchmaker's obsessing over policy, like, policy is a reflection of culture. And the problem that most people have is they think it goes the other direction. People who write policy think you can change culture by policy. You can't. You change culture by having tools that work, and then you write policy to match your tools that work. And so if you're going to make me pick one, I'm going to say I want to be the gardener, because I'm obsessing over how my policy is a reflection of culture. But I change culture before I change policy.
David Spark
All right, very good. I take this one to you, Megan. Yes, I would agree that most CISOs are gardeners cultivating a team, but you have to kind of lean into the watchmaker. What do you think, Megan?
Megan Samford
Yeah, I think it's really more about achieving the balance between high alignment and high autonomy. And for large organizations, what I've seen work successfully is this concept of a three lines of defense strategy. So the first line of defense needs to be where the risk actually originates. So if you're a company like mine that develops products and sells them to global markets, our first line of defense is typically considered developers and divisions and individual P&Ls unto themselves. And so that's really where the risk originates. It's the best opportunity you have to mitigate that risk directly. The key thing with the first line of defense is that anyone in the first line of defense, just like a factory floor from the 1970s, they should be empowered to have what's called stop-the-line capability. If anyone observes behavior that is out of bounds for the company's values, for their policies, what it clearly says we're going to do with our secure development life cycle and the way that we make products, anyone should be empowered to raise their hand and say, I don't agree with this behavior and this needs to be looked at more thoroughly. That being said, there's also the second line of defense. That's really where CISOs sit, as the second line of defense. We are risk overseers. And so our job is to set policies, set successful governance structures, empower that first line of defense, make their lives easier, create clear escalation paths when we're not seeing behavior that we want to see. How do the right folks get eyes on it? And how is that risk dispositioned properly, with escalations that hopefully don't need to have emotion about them. Right. When things are going wrong, everyone should be free to say that this is something that we need to take a closer look at.
But you're really running more like air traffic control. And then your third line of defense, perhaps my favorite line, is that third-party internal audit, making sure that the risk overseers and that first line of defense are doing what they said that they were going to do, and they're not accepting more risk than is appropriate at their level. And that risk is being surfaced up to the board and all of that. And then of course, I'm also a fan, as I mentioned earlier, of third-party independent reports. So that could come in the form of, like, a 62443 certification or an independent consulting firm helping you out, just to get an external view on what you're doing and making sure that everything is coming to light.
David Spark
How would you handle the situation?
Quote: If a third party can handle your process faster than your own engineers during a crisis, then you are leasing your control system. This is why OT security is such a different beast. In most plants, vendors hold more system authority than internal teams. Noted Muhammad Ali Khan of Toyota Tsusho Systems. Continuous uptime demands, decades-old equipment and safety constraints mean vendors get persistent remote access, shared credentials and privilege control because, quote, that's how it works. OT assumes you can't touch anything without risking millions in downtime. Good luck getting business buy-in to take equipment offline to patch. So, Megan, this is your world with Schneider Electric. I actually did some work with Schneider Electric, well, well before CISO Series days. This sounds like some, quote, best practices simply aren't going to work in OT. What has to change? What do you think?
Megan Samford
Sure, this is a topic. If you had eight hours, I could talk to you about this. But I think the first thing is you're going into the problem set viewing it correctly, and that yes, OT is different. We say this every single day, but there's a term that's emerging called industrial realism.
David Spark
Okay, all right. That's new for me.
Andy Ellis
That's new to me too. I'm very excited.
Megan Samford
Yes. And what this is, is recognizing that, yes, the controls are going to look very different within OT environments. We have been adopting a lot of the good security practices from our friends on the IT side. And this IT/OT convergence has been happening, I think, for the past 5, 10, 15 years, depending on who you ask. But where we really need to start is actually looking at the data and what have been proven to be effective controls in OT environments, versus ones that we're kind of porting over from the IT side of the house and saying, yeah, you absolutely need to do this, because if you don't, it's security heresy or something. So on the topic of patching, most attacks that happen in OT environments have nothing to do with a vulnerability in a product whatsoever. They deal more with the porous nature of the networks. And so if we walk back from the place of, yes, patching is important. Megan Samford is not on this show today telling you not to patch. That's not what I'm saying at all.
Andy Ellis
Oh, I was so hoping we had that quote.
Megan Samford
But if the data tells us that there are other things that should be addressed first in security, and hardening of the networks and network segmentation and visibility in OT and use of all these different technologies that are proven and are very effective, or quite simply just getting devices that are directly exposed on the Internet. Today, if you go to Shodan or Censys or any of these websites, you will see very apparent attack surface that is existing in global critical infrastructure every single day. But when it comes to patching, again, back to the point of the attacks aren't coming from lack of patching, folks. We're not seeing that. But within patching, and we back into the conversation of downtime, that you need to take factory floors and assembly lines down for patching. There are ways to do this. You can prioritize the patches and really understand what's going to give you the most bang for your buck. I would definitely prioritize patching HMIs and engineering workstations and things. But for other products, I think that OEMs are considering partnerships with cybersecurity vendors where, if we know that the customer can apply the patch immediately, or we know that it could come in the next quarter, or we know that they have limited patch windows, we should be directly deploying patch signatures to firewall companies so that the customer is protected even if they're not able to patch yet. So I think we can achieve the same outcome and result. It just may not look the same in OT as it traditionally does in IT, if that makes sense.
David Spark
You have run into this as well. I mean, I think you explained pretty clearly, Megan. What would you add to this?
Andy Ellis
So I think one of the nuances in what Megan just said, and I love the framing of it, is OT systems historically are very bespoke, narrowly built systems. They're not general purpose computers. They have a task that they do, which is one of the things that limits their vulnerability profile: they don't have a billion pieces of software that are just running a computer, a general purpose computer. And IT systems are general purpose computers that do a lot of stuff. And 90% of your patching has nothing to do with what you bought the computer for. It's just you have to deal with patching Windows. If you're not running Windows on a machine, like, you're not patching Windows, or Linux. I'm not trying to pick on Microsoft here. And the convergence challenge is, as OT systems are embedding general purpose computers on board, that's where we run into the challenge. And so as Megan said, like, you always patch your HMI, your human machine interfaces, your engineer workstations, those are general purpose. If your OT system also is general purpose, now you sort of run into that challenge, especially if you're also exposing it out onto either the open Internet, big problem, or even on your private intranet, but it's not actually that private or well protected. So that's maybe a mental framework that would help people, is IT and OT are also different beasts under the covers. But that difference I think is starting to go away more and more.
David Spark
It is industrial realism.
Andy Ellis
I love, I love industrial realism. I've got to now wrap my brain around that one for a while.
Megan Samford
Yeah, and the last point I'd add there, and it's a good quip, is, you know, in many cases the OT products, the relays, the sensors, things that are operating down at, like, level one, level two, butting into level three of the traditional OT model, they're not the murder weapon, folks, they're the dead body.
Andy Ellis
I love that.
David Spark
Before I go any further, let me tell you about our spectacular sponsor, and that would be Native Security. Brand new sponsor with the CISO Series. So let's talk about cloud providers. They ship powerful built-in controls, but most teams struggle to turn security intent into consistent enforcement across AWS, Azure, Google Cloud and OCI. Different policy models force security teams into manual translation and one-off exceptions, which get brittle fast as accounts, services, APIs and AI workloads change. Native is the secure-by-design control plane for cloud security. It helps teams operationalize provider-native enforcement, manage intent centrally and roll out changes safely at scale. Native works through the cloud's own mechanisms, so guardrails are enforced natively, while teams can preview impact before deployment and reduce drift over time. Now with Native, security isn't bolted on after the fact, it becomes part of how you operate the cloud. Go to their website, check out what they're doing. It's Native Security. That's it, just Native Security, spelled exactly the way it sounds. And when you go, let them know that you heard about them from the CISO Series.
It's time to play What's Worse.
Megan, do you know how this game is played?
Megan Samford
I know that you're going to give me a horrible scenario and I'm going to have to choose between the lesser of two evils.
David Spark
You know exactly how it's played. Perfect.
Andy Ellis
He makes me go first, so you at least have time to think about it.
David Spark
And you can agree or disagree with him.
Andy Ellis
And the one rule that we have is you don't get to immediately pivot and say, well, I'll accept situation A because I'm immediately going to then do something totally different. Like, you're stuck in the situation, and
David Spark
you can agree or disagree with Andy. I always prefer it when you disagree with Andy.
Andy Ellis
I, of course, prefer the opposite.
David Spark
So decide who you want to be nicer to. All right, this comes from Dave Ratner over at Silent Push, and here are your two scenarios. Andy, knowing all the security gaps in your program and not being able to close them. So you're just staring at it and it's like, okay, I can't deal with
Andy Ellis
this, but at least I know what they all are.
David Spark
That's the positive of it, but it's happening.
Andy Ellis
Or there's half of a CISO's life already.
David Spark
So there you go. Your staff keeps responding to random texts on their corporate mobile devices.
Andy Ellis
Okay, I know I sometimes say, give us things that aren't even related, but,
David Spark
like, well, it's interesting. Just so you know, Dave gave me two different sets, and I literally picked one from one and one from the other, and I put them together. So this was me literally Frankensteining two different What's Worse scenarios.
Andy Ellis
What does responding mean in this case, David?
David Spark
They could be clicking on links, they could be having conversations. Who the heck knows what they're doing? They could be, essentially, they could be, you know, being pig butchered, and God knows what's going on right now.
Andy Ellis
I mean, this one's weird.
David Spark
Yeah. Yeah. Well, it's going to make your brain go in a few directions here.
Andy Ellis
Like, I don't know, I'm trying to even figure out, how do I compare these two? Sorry, Megan. Normally I have, like, a coherent thought process, but.
David Spark
Right. Because it's usually the flip side of the other thing. But I purposely am doing these as two very divergent things. So you have to figure out the risk environment of each.
Andy Ellis
I mean, so here's the entertaining thing about this, which is the first state is actually the ultimate goal of every CISO. You actually want to be in a world where you know all of your gaps and you can no longer fix them, because you fixed all the fixable things, and what's left is the stuff you can't fix.
David Spark
And then you buy insurance at that point.
Andy Ellis
Right. You're like, okay, here's the hazards that we just accept, simply because, like, we have consumers. We can't fire our consumers, and they present a bunch of problems because of account takeover, et cetera, blah, blah, blah. So in one sense, you can argue one is an ideal world, but I don't think that's what's intended here. But you should always remember that that is your end state. You will always have vulnerabilities and risks you can't deal with. People are responding to texts on their mobile devices. Like, that one's just kind of weird.
David Spark
Well, then think about all the spam texts you get. All of a sudden your staff is just responding to all of them. So they're engaging with someone who's, yeah, looking forward to doing harm to them.
Andy Ellis
I think I'm gonna go with, I'm gonna take the first one, in the spirit it's intended, of you have a lot of gaps that you should fix, but you can't.
David Spark
And that being the worst scenario.
Andy Ellis
And I think that is actually the worst scenario, even though you said very
David Spark
positively about it at the beginning.
Andy Ellis
Right. Because I think the way it's intended is you have a lot of gaps that are fixable, but you're not able to fix them. And so I want to take it in the spirit it is, and not define it into something that's not bad. And so I'm going to say that's the worst one, because I can. If people are just responding to texts, look, if I've got great phish-proof authentication, then I'm not worried about them clicking on links as much. So, yeah, no, that's a problem. Mostly it's a problem for them.
David Spark
But a lot of, wait, a lot of these, like, butchering techniques are to get them offline to do other things, kind of thing, like, download this app, start doing this, you know, that kind of stuff.
Megan Samford
Yeah.
Andy Ellis
So I'll rely on the fact that I fixed my security problems, because I'm not in situation one. So if they download an app, we'll catch it with our EDR, we'll block the app, we'll be fine.
David Spark
You think those are the gaps you're going to be able to fix, unlike all the ones you do know?
Andy Ellis
Yeah, I think I'll be able to fix those, because I'm not stuck in situation one. All right, so I'm going to go: situation one is worse, because this would be included in the gaps that I have. Oh, look, people respond to things on their devices, and I can't control it.
David Spark
All right, Andy, that was an above average answer.
Andy Ellis
Okay, barely.
David Spark
Megan, give us your above average response, please.
Megan Samford
Sure. So I will also address point number one. So what I heard there, the Reader's Digest notes, was we uncovered a lot of risk and we're aware of the gaps. Great. That's every day on the CISO job. Like, this is great that we actually know what the gaps are. I mean, this almost felt like a softball question, because we do this every single day. So if you've identified all of your gaps, a CISO should never be owning risk, number one. They are a risk overseer. So there should be other executives within the company that need to be aware of the risk, and they would be responsible for either dispositioning that risk and coming up with a timeline for when remediation and everything else needs to happen, or they need to formally sign their name on the document that they are accepting the risk for a period of time, and that needs to be time-bound. Right. Like, we can't perpetually accept risks that are a danger to the company, or increasing risk to the board, or anything like that. I think question number one is pretty softball. We disposition, assign, have people review, sign off on risk, escalate the risk, or otherwise come up with a roadmap for how they're going to deal with it every single day. No one should be stumped by that question whatsoever. On question number two, with the thing you have going on there with the potential phishing and the mobile apps, team, number one, I'm impressed that the CISO is notified quickly. I'm impressed that people have come to you with this.
Andy Ellis
Oh, no, you don't necessarily know it's happening. You just are aware that this is the reality.
David Spark
Yes.
Megan Samford
Okay, so we're sitting in this reality again. Then I would say you need to, number one, determine potential initial impact in that golden hour. Figure out if you need to formally declare an incident that would need to be investigated, the level of that incident.
David Spark
Hold it. So which scenario are we talking about here?
Megan Samford
For the mobile app. For the mobile app, where people are responding to text messages, could be phishing. Not quite sure, not sure how many people, all of that. That's why you stand up incidents, to kind of get the full scope of what's going on, and you begin to tackle it. And I would say, depending on the nature of the phish or how sophisticated you think the phishing attack was, just start an incident. When you're in doubt, just declare an incident and begin to investigate it. And you can always de-escalate the incident and say, okay, well, this wasn't as big of a deal as we thought it was going to be. But you can huddle all the teams together that would be responsible for providing some immediate stop gaps, and then longer-term things like more education and things like that for your employees. So that's how I think about that.
David Spark
So hold on, I'm getting the sense that you think both of these are great scenarios.
Andy Ellis
They're both manageable.
David Spark
Both manageable. Okay, well which one is the worst then, do you think? From the risk perspective?
Megan Samford
Probably the mobile one, in the immediate, until you get your arms around the scenario. Because the first scenario, the way you described it today to me, I mean, if people aren't doing this stuff every day, what are they doing?
David Spark
What they aren't doing? What stuff every day? Hold on, I'm sorry, not following.
Megan Samford
Identifying risk and dispositioning risk. Right. Because the whole scenario is, hey, we've uncovered some risk, we're aware of it. We're not sure what we're going to do about it.
David Spark
Yeah, I mean, it could be a whole host of reasons. You don't have enough staff, you don't have the tooling. You're like, who knows what the heck it is that you can't. But you just can't deal with it.
Andy Ellis
Right. But where Megan is, so this is, Megan is in my sort of ideal state on that first one, which is, ultimately the job of the CISO is not to fix risk. There are small places where we own fixing risks, but most of what we do is incentivize the rest of the business to do so. If the rest of the business chooses not to do so, but the CEO and the board are aware of that and are fine with that, you have done your job. Like, the single biggest stressor in the CISO world is the belief that you get to decide what risks get closed, and you don't. That's the business's job. And Megan's saying, I'm good with that.
Megan Samford
Yes.
David Spark
All right, Megan, which one are you choosing? Which one's the worst scenario then?
Andy Ellis
So she took number two. She took two.
Megan Samford
Yeah, I took number two. But I mean, I don't.
David Spark
So you disagree with Andy, so that's great.
Andy Ellis
Yeah. David's happy you disagreed with me. But I want to pull something out that Megan said, because I think a lot of people need to hear this one, which is it's okay to declare an incident to get focus and attention and then de-escalate. Like, you can say, oh, we just heard about this thing. We're going to declare an incident, and we're going to discover it's culture-wide, shouldn't be managed at incident tempo. So we'll just go de-escalate. But you can use that as a way to sort of gather focus, figure out what's going on, and then move into normal project management.
Megan Samford
That's exactly right.
Andy Ellis
And I think too many people don't know that they can de-escalate incidents.
Megan Samford
And with things like NIS2 and CRA and global regulation, you better build some muscle memory in, to where if you know that there is a potential for greater risk in your company, and you know that a select population has been spear-phished on the mobile, and there's a good potential that there could be something on your network or that risk is moving laterally, yeah, absolutely, you need to declare an incident to huddle around that, so that you can understand if you have any reporting obligations. Remember data protection, data privacy. There are about a million things that can come into play there, DFARS. I mean, the point of declaring an incident sometimes is to make sure that you are gathering the right people, gathering the right data, and you are running everything down so that a small incident doesn't end up cascading into a larger catastrophe because you tried to sweep it underneath the rug.
David Spark
Managing security changes for business optimization
Quote: The core issue is economic, not technological. Jen Easterly's post-CISA piece in Foreign Affairs leans into a core tension in cybersecurity we don't talk enough about: software vendors know buyers can't measure security directly. Why go to the expense of building it in when it doesn't move the needle on revenue? The cybersecurity industry exists entirely to compensate for insecure software that should never have shipped. It's 2026, which means the answer is AI. Easterly argues AI can finally make secure code economically viable at scale through prevention and secure by default, framing it as an end to cybersecurity as we know it. Kind of a bold statement there. So let's say Easterly's cyber nirvana actually happens. Andy, what does the security vendor landscape look like now?
Andy Ellis
So I love that AI can finally make secure code economically viable. "Can" is a really important word in there. It reminds me of a sketch Yoram Bauman, who's a standup economist, did a long time ago, in which he riffs on the 10 principles of economics, one of which is "trade can make people better off." He says, well, the fact that you say "can" instead of "will" means that trade can also make people not better off. And similarly, AI can also not make secure code happen.
David Spark
Yes, we have also seen, and what I've seen is, that the Internet and AI can be a race to the bottom, too.
Andy Ellis
Right. And so the reality is, what did AI get trained on? Right. The LLMs are trained on the code written by humans, the code that we know is full of vulnerabilities and insecurities, and so the AI has learned how to write bad code. So it is possible for us to train an LLM on secure coding practices and on secure architecture practices, which I think most people don't think about. It's not just, oh, do I not have buffer overflows and format vulnerabilities? No. Have I also built an architecture that is resilient? And it is possible to do that, but I don't actually see that happening right now. So I suspect the answer is it's going to get a lot worse before it gets better from a security perspective. And that's okay from our industry's model, because, hey, it means we get to still be employed.
David Spark
By the way, I'm all for Jen Easterly's cyber nirvana, but I don't see
Andy Ellis
the economic drivers currently pointed in that direction.
David Spark
No, and I'm in 100% agreement on that, too. All right, Megan, I'm sure you'd love a nice cyber nirvana like this, which fixes all cybersecurity problems in code. Do you see there's a way we can push towards Easterly's vision?
Megan Samford
Sure. So I think, and again, I'm speaking from the industrials, right. We're already adopting use of AI for secure coding. I think that most companies are. I think that most companies have been kind of anxiously looking at those percentages. What percent of our code is being AI assisted, where it's AI assisting the developer in that coding, which I believe can solve for a lot of the nuisance, buggy code and things like that. Code quality, I think that that's great. Within industrial environments, though, again, we have to start from a place of industrial realism.
David Spark
Love it.
Megan Samford
Where we should not at first assume that the issues in OT environments are coming from individual products necessarily, or vulnerabilities there with them, because that's not what the data tells us. Instead, we would be looking for application and use of AI to support more of the hard work that still has to be done by human beings and cannot be automated to that extent with AI. That's good network security. That's exposure management. That's understanding if you have devices inadvertently directly exposed to the Internet. It's network hardening. It's upgrading products from legacy comms to secure communications. This is not something that AI can do for us. The OT environments are still going to require a lot of rolling up our sleeves and getting in there. Human beings are still going to have to go in there and manually do the hard work of securing these porous environments. That's number one. The second interesting conversation occurring in OT with use of AI is whether or not AI should be allowed to directly control products in an OT environment. And so if we're following traditional NERC CIP strategies where you have an electronic security perimeter, right now most thought leaders in OT are saying AI is great for analyzing data coming off of industrial products. It can tell you when the products need to be serviced, how the product is performing, et cetera, et cetera. It's good data the AI can analyze for the customer's benefit. But AI should not directly instruct onto an OT environment and say open up a valve by 20% because AI believes that it should do that. There is this principle that we will maintain in OT called human in the loop, where a human being has to review what the AI is recommending and then decide if it's appropriate to allow those constructs in the OT environment. So AI is coming to OT, but it's going to look different. So that would be my thought on that.
David Spark
I tell you, CISOs get no respect.
If the math doesn't add up anymore for a CISO, too much responsibility with no authority to execute, it might be time to hit the bricks. Now a recent IANS Research and Artico Security survey found that 69% of security executives are open to leaving the role within the year. Many are exiting the enterprise entirely for consulting or compliance functions where accountability and authority align. But Megan, you've recently highlighted that roughly 1,500 CISOs are currently out of work and the market isn't exactly rolling out the welcome mat. Organizations would rather hire a first-time CISO at a discount than pay for someone who's actually done the job. So we've built a role that burns people out, exposes them to personal SEC liability, strips them of budget and procurement authority, and then devalues their experience the moment they leave. Megan, that seems like a structure broken by design. How the heck did we get here? What do you think?
Megan Samford
Well, I really hate to go back to Covid on this one, but to me I started to notice that the market was changing during COVID times and a lot of people were nervous for all the reasons that they should have been in the world at that time. But people really were like, you know what? I'm pretty happy in my role. I've got a good team. I understand the company. I feel like we're making progress. Where for most CISOs and other cybersecurity executives, it was like, unless there is something horribly wrong here, I'm probably staying in my position. Staying in my position feels safe. And so there have been other papers and news articles written about this, but people that are pretty happy in their roles I think are staying put. And when I've talked to other friends in the industry that may be looking or maybe they're impacted by layoffs and horrible things like that, everyone is waiting for the game of musical chairs to begin in the industry, if you've ever heard of this construct. But essentially in CISO world, if one CISO was the CISO for a large Fortune 500 and they moved roles, then you would see another CISO from another Fortune 500 move laterally into that role or maybe get a little bit of a bump or a promotion, and this game of musical chairs would start. And it only took like one or two people to move from these big roles. And then the game begins and then we're all moving jobs. And I have friends that are executive recruiters and they're saying every six months, we're saying that the game's going to start in January, the game's going to start in June, and the game just hasn't started in two or three years. So again, I think for most people, if you're an executive, if you feel good in your role, if you feel like you're getting stuff done, you like your boss, you like your team, you're probably staying put. And it is this attitude, and I think this anxiety, that is why the game hasn't started and no one's moving chairs.
David Spark
I will also throw out. And we were going to do a segment on this instead, but Hitch Partners comes out with a CISO salary index and the wide range of salaries, it's like 4 to 5x. It's pretty humongous.
Andy Ellis
Andy, it's bigger than that. Depends on who you're looking at.
David Spark
Well, this was from their survey too.
Andy Ellis
It's crazy numbers there. One of the things I see a lot of, because I talk to a lot of folks outside the Fortune 500 as well, is that there are companies that basically want to have a throat to choke, right? They want to have a CISO. They don't always want to call it a CISO, but they want somebody first time who doesn't have massive salary expectations, where maybe they'll trade off. Oh, we pay a little bit less, but we give you the title CISO and you think that's a stepping stone to another CISO role elsewhere. But the answer is no, because after you're done with that gig, you'll look around and the gigs that you think you're qualified for, and you probably are, are all the ones who are hiring first-time people because they can get that discount at this point. In a sense, we've done a good job of building up a workforce of people who are ready for these roles. So in one sense maybe we've saturated the almost-CISO roles. And then at the same time, as Megan points out, there's a lot of people who are basically comfortable in their role and they're saying rather than move laterally and have to relearn a company, I'll stick it out for another three to five years and then I'll go be a consultant or a field CISO. I see a lot of people who, yes, I think 10 years ago you would have said there's no way this person will ever accept the marketing job of being a field CISO, who are having a blast going and doing that now.
David Spark
Excellent. Good button on today's discussion. This was packed, absolutely packed today. Megan, thank you so much. Andy, thank you so much. And also, most importantly, as much as I love you, I have to thank our wonderful sponsor, and that'd be Native Security: Unify, manage and maximize built-in cloud security controls and achieve secure by design consistency across cloud environments. Are you in more than one of them? Azure, Google Cloud, AWS? I'm sure you are. You're all over the place. Take a look at what they're doing over at Native Security. Native Security. Megan, I'm going to let you have the very last thought for today. Any last thoughts you have for our audience?
Megan Samford
I think it's a great time to still be in the game of cybersecurity. We all love it. And thanks so much for having me on today. And thanks as well to my company, Schneider Electric. We want to be your partner for technology and energy management.
David Spark
I see someone who has worked with them before. They are a great, great group. And here's the thing that I've found, and I find this also in the airline industry. When I met some people there, they would go, well, I haven't been here this long, only about 15 years, and that always cracked me up. So thank you again, Megan. Thank you very much, Andy. And thank you to our audience. As we always say, we greatly appreciate your contributions and listening to the CISO
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at davidsoseries.com. Thank you for listening to the CISO Series Podcast.
Date: June 23, 2026
Host(s): David Spark, Andy Ellis
Guest: Megan Samford, VP of Product and Supply Chain Security, Schneider Electric
This episode delves into the complex dynamics between CISOs, vendors, and organizations, addressing the changing role of the CISO, the realities of OT security, the practicalities of risk management, and the evolving job market for security executives. The hosts and guest exchange both industry wisdom and first-hand experience, highlighting the tension between structured security frameworks and the need for adaptability, the myth versus reality of patching in industrial environments, and why so many seasoned CISOs find themselves undervalued—or on the move.
Prompt: When third-party vendors have more system authority than internal teams in OT (Operational Technology) environments. ([10:16])
Scenarios:
Andy's Take: Prefers scenario 2 as "less bad."
Megan’s Take: Disagrees; says scenario 1 is routine CISO territory.
Consensus: Both are manageable scenarios if approached with proper processes, but differ on which is worse.
Prompt: If AI can make secure code economically viable, will it end the traditional security vendor industry?
Topic: Many CISOs are open to leaving, but the market is flooded and increasingly values first-timers over veterans.
Tone:
Conversational but practical; a mix of humor, realism, and encouragement. The hosts and guest are candid about both frustrations and opportunities, providing actionable advice without sugarcoating difficulties.
Final Takeaway:
The landscape for CISOs and cybersecurity is shifting underfoot, challenged by technical convergence, broken expectations, and economic pressures. While OT and AI add complexity, fundamentals—like balancing culture versus controls, managing risk clearly, and keeping human agency—remain paramount. The CISO role may be undervalued by many organizations, but practitioners who master both “watchmaker” and “gardener” modes, and who adapt to "industrial realism," will remain in demand.