CISO Series Podcast: "Our CISO Certainly Puts the Tool in Multi-Tool" (LIVE in LA)
Date: November 11, 2025
Host: David Spark
Co-hosts: Jeff Stedman (Deputy CISO, Corning Incorporated), Quincy Collins (CSO, Sheppard Mullin)
Overview
This live episode from Los Angeles delivers an engaging roundtable of CISOs and security practitioners. The panel dives into critical discussions around the practical impact of AI on cybersecurity careers, how leaders should balance technical and leadership skills, hiring philosophies, and the realities behind industry hype. With a live audience and interactive games, the conversation covers learning paths in security, leadership myths, creative approaches to problem-solving, dangers and debates around AI, and the ongoing quest to balance business needs with security risk.
Key Discussion Points & Insights
1. Biggest Security Mistake
- Quincy Collins admitted: "Not firing a managed security services provider fast enough." (00:03)
- Insight: It's important not to tolerate ineffective partners, especially when they're core to operations.
2. The Stress of Incident Response
- Jeff Stedman recalled early career advice: “You can’t outrun a packet.” (02:05)
- Insight: Stress disrupts incident response more than any technical shortcoming. Taking notes and following your playbook can be easily forgotten in the heat of the moment.
- Quote: “If you’re working too fast to take notes, you’re just working too fast.” — Jeff Stedman (02:05)
3. Will AI Undercut the Foundations of Cybersecurity?
- Prompt: How will the next generation learn core cyber skills as AI takes over entry-level work? (03:17)
- Jeff: AI can't replace the foundational understanding of confidentiality, integrity, and availability.
- Quincy: "Cybersecurity starts with information technology... you have to have the wherewithal to understand if the AI is potentially giving you some incorrect information." (06:06)
- Both Agree: No shortcuts—using AI as a crutch without fundamental knowledge creates a weaker workforce.
4. CISO Myth: The “Cyber Swiss Army Knife”
- Quoting Jerich Beason, WM CISO: “Build credibility by making your strengths your signature while hiring for your weaknesses.” (07:03)
- Quincy: CISOs must “be able to ask the right questions of the executives... the business... You have to tread water in order to be able to make it to shore.” (07:58)
- Jeff: “It's important to ask your team, your stakeholders, what is it from their perspective that they see.” (09:07)
- Both Discuss: Letting technical skills lapse with leadership growth. “As an executive, that’s not your role to tighten down the bolts.” — Quincy (10:08)
5. Game: What’s Worse? (Marvel Edition)
- Scenario: Which is worse—Ultron’s nanobots bypassing physical security, or breaking all encryption keys? (13:20 onward)
- Jeff: Initially picked nanobots, then switched to encryption as worse: “As soon as you can break that encryption... you’re done.” (15:09)
- Quincy: Chose nanobots: “It's actually a confidentiality, integrity and availability risk compared to the confidentiality risk of breaking the encryption.” (15:47)
- Audience vote split; lively debate ensues.
6. Game: What Is Dave’s Mom Talking About?
- Humorous guesses from hosts and audience as David’s mom attempts to define security concepts.
- Posture: “Stand up straight to stop someone from breaking in.” (Security posture) (18:10)
- Spyware: “Someone cheating and looking into your data.” (19:13)
- White Hat: “It’s hard to believe, but some people will be good when they get into your information.” (19:50)
- VPN: “An online streaming service that is so unusual, few people know about it.” (21:10)
7. Should You Hire Creative Minds for Cyber Teams?
- Prompt: Would you hire an artist or narrative architect over an analyst? (22:33)
- Jeff: Not a top priority, but “bringing in differing perspectives...creative or otherwise...provides that angle you may not think about.” (23:33)
- Quincy: "I'm a fan of the whole person concept...ask yourself, is this the right culture fit? How does their mind work?" (24:28)
8. Sobering Research: Is Cyber Truly Existential Risk?
- Prompt: Only 17 companies (over 10 years) have gone out of business due to cyberattacks.
- Quincy: Warns against FUD (fear, uncertainty, doubt), and emphasizes focusing on team training, avoiding “expensive paperweights,” and staying “right behind the bleeding edge.” (29:43)
- Jeff: “It’s not just those 17 [companies]; that impact has a ripple effect into a supply chain.” (32:28)
- Consensus: Security must be about risk mitigation, not drama.
9. Audience Speed Round: Top Questions
a) AI Recommends Raises
- CISO Story: Copilot told a user “you've been working a lot, you deserve a raise.” (35:05)
- Jeff: Dangerous if controls aren’t in place: “Copilot has unfettered access to information [like salary, workload]…” (35:49)
- Quincy: Risks touch all business units, not just security/IT; underscores need for cross-org risk awareness (36:14)
b) Fraudulent Job Candidates
- Quincy: Many forms exist (location, multiple roles, adversarial nation-states), and require “strong HR controls” and vigilance (37:12)
c) Defining Sensitive Data
- Jeff: “I actually don't get to define sensitive data. That's really up to the business.” (38:56)
- Quincy: Data owners and regulations set this, then security aligns controls and policies (39:38)
d) Security Strategies to Abandon
- Quincy: “Defense in depth” merely gets repackaged (as Zero Trust, for example); nothing is truly abandoned (40:20)
- Jeff: Layering and expanding strategies with data and identity focus (41:07)
e) Real AI Risks to the C-Suite
- Jeff: "It’s across the business... not a single technology... AI can assist or be a detriment if you’re not careful.” (42:00)
- Quincy: Focus on “security architecture”—where data goes, how it's used, shared, and logged are crucial questions (42:35)
Notable Quotes & Memorable Moments
- On technical skills fading in leadership:
“My technical capabilities have diminished. They haven't perished, but they have diminished.” — Quincy Collins (09:46)
- On learning with AI as a helper:
"I'm here to say that there are no shortcuts. AI is a tool that we can utilize, but you have to have the wherewithal to understand if the AI is potentially giving you some incorrect information..." — Quincy Collins (06:06)
- On FUD in the industry:
"We have to just be careful not to purchase expensive paperweights, but to really be right behind that bleeding edge just to keep pace with the attacks..." — Quincy Collins (29:57)
- On creative hiring:
“I think it's more important that we consider hiring for what I call the three As: attitude, aptitude, and appetite.” — Jeff Stedman (23:33)
- On defining sensitive data:
“I actually don't get to define sensitive data. That's really up to the business.” — Jeff Stedman (38:56)
Important Segment Timestamps
- [00:03] Quincy’s biggest security mistake
- [02:05] “You can’t outrun a packet”—Incident response and stress
- [03:17] AI’s role in learning cybersecurity
- [07:03] CISO as Swiss army knife: leadership & technical skills debate
- [12:42] "What's Worse?" audience game
- [18:10 - 22:04] “What Is Dave’s Mom Talking About?” game
- [22:33] Should you hire more creative minds?
- [28:32] Have cyberattacks put many companies out of business?
- [35:05] Audience speed round (AI raises, fraudulent candidates, defining sensitive data, outdated strategies, board-level AI risks)
Summary/Tone
This episode was lively and conversational, featuring playful games and practical, hard-earned insights. The atmosphere was welcoming but candid, often poking fun at industry cliches while imparting actionable leadership, hiring, and operational wisdom. The consensus: AI brings new tools and new risks, but foundational understanding and human context remain irreplaceable. CISOs can't (and shouldn’t) do everything, but asking the right questions—and hiring for attitude and adaptability—remains their superpower.
For more episodes or to participate, visit cisoseries.com.
