CISO Series Podcast
Episode: "Our Security Team's Love Language is Buying New Tools"
Date: March 3, 2026
Hosts: David Spark, Andy Ellis
Guest: Tim Lahee, VP of Corporate Strategy & Operations, Strike 48
Episode Overview
This episode focuses on how security and business teams can better collaborate, the challenges of implementing security in fast-moving organizations, and the realities of managing security tools and practices. The hosts and guest debate cultural fit, legal risk, forensics, and the evolving role of AI in security log management, punctuated with real-world stories, expert tips, and a classic "What's Worse?" scenario segment.
Key Discussion Points & Insights
1. Defining the CISO’s Role
- Quote: “The best definition I ever heard of a CISO is someone who can tell you why the protection architecture he had in place yesterday didn’t work.”
— Tim Lahee [00:02]
- CISOs must continuously adapt as attackers evolve their methods to bypass yesterday’s defenses. Half the job is explaining what failed and why.
2. Banter on Audience Relevance & Micro-Inclusion
- Behind the Scenes: David and Andy reveal they often debate what opening banter should be about and whether it should tie to holidays, events, or universally relevant topics.
- Quote: “You’re not going to find anything the majority cares about. The goal is to create micro-inclusions, lots of little places that as long as somebody cares about one of them, then they feel included.”
— Andy Ellis [02:54]
3. Forensics and Legal Perfection
- Forensics requires a different level of rigor when incidents move to litigation.
- Andy: For most incident responses, perfection means being “defensible” — making arguments that can be proven in court, not knowing every detail.
- Tim: Legal scrutiny tends to target procedures and documentation, not technical minutiae. Practitioners must anticipate counsel’s favored lines of attack.
- Quote: “Opposing counsel is attacking your credibility, not your conclusion. Because they don’t have the credibility to defeat your conclusion until they defeat your credibility first.”
— Andy Ellis [10:13]
4. Security Culture vs. Business Culture
- Main Debate: Are security exceptions a failure of training or a misfit with business needs?
- Tim: Security must be a business enabler; strict, inflexible controls often clash with fast-paced environments. Organizations should expect exceptions and proactively design for them.
- Quote: “If you come into an organization that has to run fast to survive, then you have to understand that exceptions are going to be a part of the security profile and how do you work around them?”
— Tim Lahee [11:49]
- Andy: Don't impose controls from entirely different environments (e.g., military) onto startups. Know your business and its risk appetite.
- Tim shares a real story: A former military security pro wanted to physically disable USB ports, which wasn’t practical for a startup [14:06].
5. "What's Worse" Game: Risks of Domain Admin Access
- Scenario 1: Temp worker with domain admin.
- Scenario 2: No one has domain admin when production is down.
- Andy’s Take: The second scenario (no admin access during crisis) is demonstrably worse, stalling recovery and directly harming the business.
- Tim’s Experience: He’s lived both. While lacking access is painful, giving admin rights carelessly to a random temp can spell catastrophic, irreversible loss (company-ending breach).
- Quote: “If you are truly as casual as to give domain access to some random person…that’s worse because you will eventually get completely owned.”
— Tim Lahee [24:12]
- Timestamps: Game introduction [16:27], Deep dive [20:11–25:49]
6. SIMs, AI, and the Future of Log Management
- Andy: Tired of “AI for everything” marketing. Wants to know how AI fundamentally changes, not just accelerates, SIM use.
- Tim: Agrees. Most AI enhancements are superficial. Strike 48’s approach reimagines the SIM not as a siloed alert tool but as a hub for broader business value (fraud management, compliance, NOC workflows, etc.).
- Quote: “If you stop thinking of [the SIM] as a siloed tool within security and you do AI and agents correctly…the SIM can become a whole lot more than just the place you go to throw alerts.”
— Tim Lahee [27:23]
- Hard Example: A financial services client started with agentic SOC use, but quickly shifted to automating fraud detection & management with Strike 48’s platform [29:43].
7. Exposure Management as Business Continuity
- Focus not just on technical vulnerability severity but on mapping risk to business outcomes: “What stops working if this is exploited?”
- Prioritizing remediation by business impact (revenue, customer trust, operations).
8. Insider Threats: The Temporary Pack Phenomenon
- Black Hat 2025 research: Nearly a third of insider cases are “temporary heist crews”—employees collaborating just for a single incident, then dispersing.
- Andy: Lone wolf narrative is misleading. He shares a story where a perk-turned-scam spread from two insiders to many over time.
- Tim: In forensics, he nearly always expects to uncover more than one perpetrator, except in finance fraud, which tends to be solo.
- Quote: “If you think you’ve got an insider threat problem, you’ve got a multiple insider threat problem.”
— David Spark [39:06]
Notable Quotes & Memorable Moments
- On CISO Roles: “Half of your job is explaining why what you had in place didn’t work. It’s a tough life to lead in some ways.”
— Tim Lahee [00:02]
- On Security Culture: “You have the opposite, which is you have an anti-business security culture.”
— Andy Ellis [12:52]
- On Forensics Pressure: “Their work must be 100% correct because opposing experts will retest everything and small mistakes cascade into major legal consequences.”
— David Spark [06:25]
- On Practical Security Trade-offs: “Get your glue gun at home. We have to sort of adjust your brilliance to the way we need to do business.”
— Tim Lahee [14:06]
Segment Timestamps
- CISO Definition & Banter: 00:02–05:14
- Forensics & Legal Perfection: 06:19–10:28
- Security Culture vs. Business Speed: 10:33–14:45
- Strike 48 Sponsor Segment: 14:45–16:27
- What's Worse Game: 16:27–25:49
- SIMs, AI, & Strike 48 Deep Dive: 26:09–31:21
- Exposure Management Tip (Qualys): 31:31–33:03
- Insider Threats Research & Forensics: 33:25–39:06
- Outro, Plugs, and Hiring: 39:38–40:26
Final Thoughts & Takeaways
- Security is not “one size fits all”: Effective CISOs adapt their approach to business realities.
- Expect exceptions and design for them: Security that impedes business is often circumvented.
- SIMs and AI need real innovation, not just automation: Seek platforms that turn logs into strategic assets, not just alert machines.
- The biggest threat may be internal — and rarely solo: Watch for cooperative but temporary insider schemes, not just lone actors.
- Tooling alone doesn’t solve cultural issues: If your team’s love language is “buying new tools,” ask what underlying problems you’re not addressing.
Try Strike 48: Sign up for a free, fully-featured account at strike48.com/security
Strike 48 is hiring! — AI/agent-focused talent encouraged to apply.
