CISO Series Podcast Live in NYC:
"Managing Risk Has Been a Priority Ever Since You Asked About It"
Date: January 13, 2026
Hosts: David Spark, Matt Southworth (CISO, Priceline), Saket Modi (CEO, Safe Security)
Location: Live at FAIRCON 25, New York City
Episode Overview
The episode centers on the evolving landscape of risk management and the need to treat security as both a technical and a business problem. David, Matt, and Saket – with contributions from a live audience – dissect traditional and modern approaches to GRC (governance, risk, compliance), the challenges introduced by AI and agentic systems, and the practical aspects of fostering risk culture and quantification in organizations. Lively games, debates, and audience Q&A add to the depth and energy of the discussion.
Key Discussion Points & Insights
1. Shifting Perspectives: From Technical to Business-Led Security
- Biggest Security Mistake
- "Thinking security is a technical problem and not a business problem." — Saket Modi [00:03]
- The panel underscores the necessity of aligning security practice with business objectives and communicating security priorities in language that resonates with organizational leadership.
2. Modernizing GRC: Moving Beyond Compliance
- Outdated Practices
- Matt: "We can stop doing questionnaires... because the truth is those are going to be filled out by an LLM whether we tell our vendors that or not... We need a better job documenting incidents and controls." [03:07]
- Saket: "GRC has three letters—Governance, Risk, Compliance. Let's start focusing on all three... you're not saying don’t do compliance, but that’s the floor, not the ceiling." [03:56]
- Insight: Compliance is necessary but not sufficient for security. True risk management involves real-time data, telemetry, and understanding how controls impact business risk.
- "99.9% of financial services companies which have been hacked in the last 10 years have been compliant." — Saket Modi [05:35]
3. Responsibility and Accountability in AI Systems
- Who’s Liable When AI Fails?
- Saket: "If you start thinking of GenAI agents as autonomous human beings and treat them like identities... you're talking about the guardrails, identity and access controls..." [07:20]
- Matt: "You can't use an agent where you can never accept a wrong result... you need a human to review and take action upon what the results look to be." [08:55]
- Governance: Treat AI agents akin to new (very capable, potentially hazardous) employees: they require guardrails, oversight, and ongoing review.
4. AI in Security Operations: Adoption vs. Value
- Game: "What’s Worse?" — Black Box AI vs. No AI
- Both guests and the audience agreed: not investing in AI is worse than spending on an imperfect AI tool, because with evolution and iteration, AI tools will improve, while not starting leaves organizations behind. [14:33–16:45]
- "The first two years, iPhone did not have cut, copy, paste... every single product, even if today it has 90% false positives, is bound to be better." — Saket Modi [15:59]
- AI’s Risks
- Saket: "The known unknown ways that AI can act." [09:57]
- Drawing from the AlphaGo example, the risk isn’t just in predictable threats but in novel, unforeseeable AI behavior.
5. Building a Risk Management Program
- Starting from Scratch
- Matt: "Process over tools... finding the people who understand the business and grilling them on what’s important." [23:21]
- Saket: "People, process, then technology... you start with people... There are companies which are very risk driven, and then there are companies who don’t care about the risk at all." [24:05]
- Who Owns the Risk?
- Saket: "The owners of the risk are the owners of businesses... The GRC team, the CISO does not own the risk. The job of the CISO is to show the mirror to each business." [28:22]
6. Reducing Help Desk-Related Security Risks
- Self-Service vs. Human Agents
- Matt: "As much as we can give guardrails to a bot to do things automatically, that reduces the attack surface... humans are always going to want to escalate, ask a question, have a follow up." [30:18]
- Saket: "I actually think periodic phishing tests are now more expensive than just giving a simple AI bot." [32:18]
7. Lightning Audience Q&A
- Making Data Actionable:
- Saket: "You’re asking a simple question of so what? and who cares?" [34:30]
- Matt: "Am I going to do anything different with this data? If the answer is no, I’m going to stop looking at it." [34:41]
- Incentivizing Supplier Data Sharing:
- Saket: "Two dimensions—time or money... give back time by making it easy, or discounts." [35:17]
- Effective Storytelling for Boards:
- Matt: "I statements... what did I do? What did I feel?" [35:48]
- Saket: "Use SAFE." [35:56]
- Pitfalls of Cyber Risk Quantification:
- Matt: "Garbage in, garbage out... completeness of data." [37:39]
- Saket: "The biggest problem with CRQ is the name itself... everybody wants to know value, not just CRQ." [37:51]
Notable Quotes & Memorable Moments
- Saket Modi on Compliance vs. Security: "Compliance is a subset. Nobody's saying don't do compliance, but that's the floor, not the ceiling." [05:35]
- Saket Modi on AI Risk: "What scares me is not that, oh, there’ll be new ransomware attacks... The unknown ways by which AI can reason and almost say this is the way to infiltrate systems." [10:05–11:16]
- Matt Southworth on AI as Interns: "New employee and intern's a good perspective... you can't use an agent where you can never accept a wrong result." [08:55]
- Matt Southworth on Data Overload: "Am I going to do anything different with this data? And if the answer is no, I'm going to stop looking at it." [34:41]
- Saket Modi on Human Owners of Risk: "The GRC team, the CISO does not own the risk... The job of the CISO is to show the mirror to each business of how well, slash, not well are they doing." [28:22]
Game & Interactive Segments (with Timestamps)
"What's Worse?" Risk Scenario [13:14–16:45]
- Debated whether it’s worse to spend a million annually on a black-box AI that no one trusts or to invest nothing in AI, resulting in high onboarding costs.
- Consensus: Not starting on the AI journey is worse than starting with an immature product.
"Guess the Security Question" Game [17:37–22:14]
- Audio answers to questions like "What is the cybersecurity equivalent of a home run?" and "What are your pet peeves?" — requiring panelists (and audience) to guess the original question.
Audience Q&A Speed Round [33:57–38:54]
- Rapid-fire questions from the audience on dashboards, supplier incentives, board storytelling, building for "snowflake" organizations, CRQ pitfalls, and more.
- Humorous and candid responses, maintaining an informal and energetic tone.
Actionable Advice & Takeaways
- Build risk culture before investing in tools: Start with people and process. Tools only help scale good practices, not create them.
- Treat AI as you would a powerful intern: Supervise, set guardrails, and don’t expect flawless results, especially early on.
- AI in responses isn't perfect — but not investing is worse: Evolving with AI, even amid mistakes, positions organizations to improve and adapt faster than those who wait.
- CISOs are facilitators, not risk owners: Their role is to make business leaders aware of the risks and options, not to take ultimate responsibility themselves.
- Storytelling matters when talking to the board: Use personal experiences and simple frameworks to drive home impact.
- Data must drive action: If a metric doesn’t change behavior or decisions, it’s not worth tracking.
- Vendor and supplier transparency: Make data sharing easy or worthwhile, either by giving suppliers back time (making the process simple) or by offering financial incentives.
Timestamps for Key Segments
- [00:03] Biggest Security Mistake
- [01:09] What CISOs ask each other at conferences
- [03:07] Antiquated GRC Practices
- [05:22] Can You Shift from Compliance-Driven to Risk-Driven?
- [07:07] AI Accountability: Governance and Mistakes
- [08:55] AI Agents as Interns
- [09:57] Top AI Concerns: "Known Unknowns"
- [13:14] "What's Worse?" AI vs. No AI
- [17:37] Guess the Question Game
- [23:21] Starting Risk Mgmt Programs from Scratch
- [28:22] Who Owns Risk in Organizations?
- [30:18] Help Desk Security: Self-Service vs. Human
- [33:57] Audience Question Speed Round (dashboards, incentives, storytelling, pitfalls of CRQ)
- [39:05] Episode wrap and closing thanks
Overall Tone
The tone is lively, insightful, candid, and often humorous—grounded by the real-world challenges of CISOs and risk owners. Panelists give actionable advice, openly admit uncertainties, and encourage experimentation and adaptation (especially relating to AI and risk quantification).
For Listeners Who Missed the Episode
This episode is rich in practical advice for those responsible for managing security and risk within organizations. From building foundational risk culture, evolving GRC to be more data- and risk-driven, grappling with the new realities of AI, to practical tips on communicating effectively with boards and incentivizing transparency from vendors, the discussion covers an up-to-the-minute sample of the hardest questions facing security leaders today. The combination of expertise, audience interaction, and humor makes this episode an essential listen for risk leaders, CISOs, and any practitioners looking to improve security strategy and business alignment in 2026.
