CISO Series Podcast: "Our Theoretical Controls Work Great Against Hypothetical Attacks"
Date: April 14, 2026
Hosts: David Spark, Andy Ellis
Guest: David Nolan (former CISO, Asurion)
Episode Overview
This episode spotlights security leadership’s everyday realities: the gap between theoretical security frameworks and what organizations actually achieve, the evolution of the CISO role, the practicalities of cybersecurity hiring, and the latest dynamics in AI-driven development. More than just policy and process, the show brims with practical advice, candid debates, and witty banter, giving listeners authentic insights from seasoned CISOs.
Main Discussion Themes
1. The Evolving Role of the CISO: Less Polished, More Decisive
(Starts ~06:05)
- Key Insight: The modern CISO must move from merely reporting risk to actively shaping and driving decisions for the business.
- Quote [06:11], David Spark: “I'm not here to brief risk. I'm here to get a decision so we can move.”
- CISOs’ executive presence involves controlling the narrative, tempo, and the decision process—but not necessarily the decision itself.
- Andy Ellis [07:10]: The CISO alternates between advisor, translator, and decision architect, applying different roles depending on the corporate situation.
- You don’t want to present choices where one is obviously terrible; instead, offer measured, realistic options and earn trust by never crying wolf.
Notable Moments:
- Andy Ellis [09:27]: “They should trust you’d never play Chicken Little … he would always answer the phone when I called … because if I called him on his cell phone, it was always important and always urgent, and he always valued that conversation.”
- David Nolan [10:53]: “We can't control the decision ... but you can control the environment. Influence is the word I would use, but you can shape the narrative and shape the conversation.”
2. The Business of Risk: Tolerances, Hard Choices, and Failure
- Organizations differ widely in risk appetite; CISOs need to calibrate their posture accordingly.
- Successful companies, especially large ones, often got ahead by taking plenty of calculated risks, failing quickly, and recovering.
- David Nolan [12:41]: “You have to have the framework where you can fail quickly ... It's not big bang risk, it's small risk that's tolerable.”
- When executives ask for certainty (“Can you tell me we won’t get hacked?”), CISOs must candidly explain that total guarantees are impossible while demonstrating measured, risk-driven security plans.
3. Hiring in Cybersecurity: A Broken System
(Starts ~13:34)
- The Complaint: The real hiring problem is a shortage of mid-level talent, not entry-level—the industry wants experienced candidates at starter salaries.
- David Nolan [14:56]: “Hosting an entry level role with 10 years of AI experience … that's a thing that happens and it's the running joke.”
- Initiative matters most: demonstrated continual learning (home labs, open-source contributions, CTFs) outweighs formal credentials.
- Entry-level SOC roles may be vanishing: automation and AI will eradicate tier-one jobs, leaving only “mid-level” roles.
- Andy Ellis [17:24]: “What entry level actually means is, an alert fires and there’s a procedure to follow. That’s all going to get replaced by AI … you need context for that decision.”
- Best advice: get hands-on experience via nonprofit volunteering or small-business IT support—learn by doing, not just through formal education.
- Andy Ellis [18:32]: “Go find those roles. Get practical, hands-on experience. Because once you’re doing it … you can do it as well.”
4. “What’s Worse?” Game: Stale Accounts vs. Unrecognized Active Account
(Game starts ~22:27)
- Scenario 1: Thousands of stale accounts.
- Scenario 2: One very active account that nobody recognizes.
- Andy Ellis [25:17]: After much deliberation, initially leans toward focusing on the one unknown active account (“I would rather have that one service account … focus my effort in one place”), seeing it as more manageable than countless stale accounts.
- David Nolan [26:15]: Disagrees: “1,000 stale … I’m going to take the old school approach and turn them off in batches.” He worries more about an active, mysterious account, which “just worries me because it screams malicious.”
Host verdict: The best “What’s Worse?” scenario yet—both are potentially benign or disastrous, sparking genuine debate.
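To make the two scenarios concrete from a defender's side, here is an added example (not code from the episode or from either guest) that triages an account inventory the way the debate suggests: stale accounts are queued for disablement in recoverable batches, while active accounts that nobody claims are surfaced for investigation before anything is changed. The inventory fields, the 90-day staleness threshold, the batch size and the sample data are all assumptions.

```python
"""Account-inventory triage: batch stale accounts for disablement, flag
unowned active accounts for investigation first. Added example; field
names, threshold, batch size and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

STALE_AFTER_DAYS = 90   # assumed: no login in 90 days counts as stale
BATCH_SIZE = 250        # assumed: disable in batches so a mistake is recoverable
SAMPLE_TODAY = date(2026, 4, 14)   # constructed reference date for the sample


@dataclass
class Account:
    name: str
    last_login: Optional[date]   # None means the account has never logged in
    owner: Optional[str]         # None means nobody in the org claims it


def is_stale(acct: Account, today: date) -> bool:
    """An account is stale if it never logged in or has not done so recently."""
    if acct.last_login is None:
        return True
    return (today - acct.last_login) > timedelta(days=STALE_AFTER_DAYS)


def triage(accounts: List[Account], today: date):
    """Split the inventory into (stale batches, unowned active accounts).

    Unowned *active* accounts are returned separately because a human must
    establish who or what is behind them before any change: disabling them
    blindly could break production or tip off an intruder."""
    stale = [a for a in accounts if is_stale(a, today)]
    unowned_active = [a for a in accounts
                      if not is_stale(a, today) and a.owner is None]
    batches = [stale[i:i + BATCH_SIZE] for i in range(0, len(stale), BATCH_SIZE)]
    return batches, unowned_active


def disable_plan(batches: List[List[Account]]) -> List[dict]:
    """One change record per batch, so each can be applied, verified and
    rolled back on its own ('turn them off in batches')."""
    return [{"batch": i + 1, "accounts": [a.name for a in batch]}
            for i, batch in enumerate(batches)]


def build_sample_inventory(today: date) -> List[Account]:
    """Constructed sample data: 1,000 stale accounts, three owned active
    accounts and one active service account with no owner."""
    inventory = [Account(f"user{i:04d}", today - timedelta(days=200), "hr")
                 for i in range(1000)]
    inventory += [
        Account("alice", today - timedelta(days=1), "engineering"),
        Account("bob", today - timedelta(days=3), "finance"),
        Account("svc-backup", today, "platform"),
        Account("svc-unknown-01", today, None),   # the one that "screams malicious"
    ]
    return inventory


if __name__ == "__main__":
    batches, unowned = triage(build_sample_inventory(SAMPLE_TODAY), SAMPLE_TODAY)
    print(f"{sum(len(b) for b in batches)} stale accounts in {len(batches)} batches")
    for a in unowned:
        print(f"INVESTIGATE FIRST: {a.name} is active but has no owner")
```

The split matters in practice: the stale list is a bulk hygiene job where batching limits blast radius, whereas the single unowned active account is an investigation, not a cleanup, so it is never placed in a disable batch.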
5. Security Frameworks vs. Reality: Are We Chasing the Wrong Things?
(Starts ~29:17)
- Ross Haleliuk argues security leadership is distracted by idealized frameworks but fails at implementing basic measures.
- David Nolan [30:49]: “Best practice assumes a level of maturity most organizations will never get to … you have to obsess over the table stakes.”
- Patching, identity hygiene, and legacy remediation remain pervasive issues—real risk rarely comes from cutting-edge threats but from overlooked basics.
- Getting IT budget to reduce technical debt (legacy/unsupported systems) is “the best security budget you can spend”: it buys risk reduction without a direct security cost.
- Andy Ellis [33:29]: “When people talk about frameworks, they’re trying to create a perfect model rather than tackling parts of the problem. Until you have tackled enough that you can’t just glance around and go, ‘oh, I should fix that,’ you shouldn’t be bothering with some perfect framework.”
6. Trust and Accountability in AI-Generated Code
(Starts ~34:27)
- Despite their eloquence, LLMs lack true accountability—“AI does not own outcomes … only how to simulate confidence.”
- AI is more an “accelerator” than a replacement for developers, democratizing basic coding and integration skills.
- Andy Ellis [35:28]: “The person behind the AI has never had to manage code before, and now they're a software development manager who's got an AI that wrote the code, but they themselves do not know what software development management looks like.”
- This mirrors the cloud revolution: new responsibilities land on users without traditional training or oversight.
- Maintain a solid SDLC, code scanning, secret detection, and provenance tracking for AI-generated code—don’t invent “special” rules for AI output alone, but tag and govern its use.
- David Nolan [40:21]: “There’s a lot of basic controls that should be applied whether it’s AI or human generated … but we do need to consider where it's different. AI-generated meta-tagging may be a thing … tie it back to the product—make the product owner accountable for that code regardless of whether it’s AI or not.”
- Use AI not just to create but to check and secure: “why not have a trained AI security bot that's going to check all the AI work and use it against itself?” (David Nolan, [41:25])
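The governance point above (same baseline controls for all code, plus tagging and an accountable product owner for AI-assisted changes) can be shown as a small pre-merge gate. This is an added example, not code from the episode, the hosts, or any real tool; the commit-trailer names (`AI-Assisted`, `AI-Tool`, `Product-Owner`), the CODEOWNERS-style owner mapping and the two secret patterns are assumptions.

```python
"""Pre-merge gate: secret detection and owner accountability run on every
change; AI-assisted changes additionally get a provenance record and must
name their product owner. Added example; trailer names, owner mapping and
secret patterns are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed CODEOWNERS-style mapping: path prefix -> accountable product owner.
PRODUCT_OWNERS = {
    "services/billing/": "billing-product-owner",
    "services/auth/": "identity-product-owner",
}

# Minimal secret-detection patterns (assumed; real scanners carry many more).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_api_key": re.compile(
        r"(?i)(api[_-]?key|secret)\s*[:=]\s*['\"][A-Za-z0-9/+=_-]{16,}['\"]"),
}


@dataclass
class Change:
    message: str              # full commit message; trailers in the last paragraph
    files: Dict[str, str]     # path -> new file content


def parse_trailers(message: str) -> Dict[str, str]:
    """Read 'Key: value' trailers from the final paragraph of a commit message."""
    last_paragraph = message.strip().split("\n\n")[-1]
    trailers: Dict[str, str] = {}
    for line in last_paragraph.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z-]*):\s*(.+)$", line)
        if m:
            trailers[m.group(1).lower()] = m.group(2).strip()
    return trailers


def owner_for(path: str) -> Optional[str]:
    """Map a changed path to its accountable product owner, if any."""
    for prefix, owner in PRODUCT_OWNERS.items():
        if path.startswith(prefix):
            return owner
    return None


def review(change: Change) -> Tuple[List[str], dict]:
    """Return (blocking findings, provenance record).

    The owner and secret checks run regardless of who or what wrote the
    code; the AI-assisted flag only adds provenance and the requirement
    that the product owner be named explicitly in the trailers."""
    findings: List[str] = []
    trailers = parse_trailers(change.message)
    ai_assisted = trailers.get("ai-assisted", "no").lower() == "yes"

    for path, content in change.files.items():
        if owner_for(path) is None:
            findings.append(f"{path}: no accountable product owner mapped")
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(content):
                findings.append(f"{path}: possible {name} committed")

    if ai_assisted and "product-owner" not in trailers:
        findings.append("AI-assisted change must carry a Product-Owner trailer")

    provenance = {
        "ai_assisted": ai_assisted,
        "tool": trailers.get("ai-tool"),
        "owners": sorted({o for o in map(owner_for, change.files) if o}),
    }
    return findings, provenance


def sample_change() -> Change:
    """Constructed example: an AI-assisted change that commits a key-shaped
    string and also touches a path with no mapped owner."""
    return Change(
        message=("Add invoice retry logic\n\n"
                 "Retries the upstream call three times.\n\n"
                 "AI-Assisted: yes\n"
                 "AI-Tool: example-assistant\n"
                 "Product-Owner: billing-product-owner\n"),
        files={
            "services/billing/invoice.py":
                'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"  # constructed, not a real key\n',
            "scripts/helper.py": "print('hello')\n",
        },
    )


if __name__ == "__main__":
    findings, provenance = review(sample_change())
    print("provenance:", provenance)
    for f in findings:
        print("BLOCK:", f)
```

Both findings in the sample would block a human-written change just the same; the only AI-specific behaviour is the recorded provenance and the insistence on a named owner, which is what "tag and govern, but don't invent special rules" looks like in a pipeline.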
Memorable Quotes & Moments
- David Nolan [02:12]: “Life goals achieved right there, right behind my kid’s birth.” (On his high pinball score)
- Andy Ellis [08:31]: “You want to get to a point where there are no bad decisions … because the awful choice might be what the company goes with.”
- David Nolan [11:29]: “The reality is we're a partner and we're going to work together to find what that right decision is.”
- Andy Ellis [33:29]: “The answer is: it can be sexy.” (On making MFA the centerpiece of a security keynote.)
Key Timestamps for Major Segments
- 00:02: CISO advice on obsessing over business outcomes (David Nolan)
- 06:05: The CISO’s changing executive role—narrative, tempo, decision
- 13:34: What’s broken in cybersecurity hiring and “SOC ready” requirements
- 22:27: “What’s Worse?” Game: Stale vs. unknown accounts
- 29:17: The difference between best practices and reality, practical security basics
- 34:27: Can we trust AI-generated code? Governance and risk
- 41:25: Using AI to check AI-generated code
Final Takeaways
- Theoretical controls protect against hypothetical attacks: In practice, CISOs must bridge gaps between policy and execution, risk reporting and business translation, and hype and real harm.
- Basics come first: No amount of sophistication substitutes for disciplined patching, account hygiene, and legacy reduction.
- AI is accelerating and democratizing tech skills: It isn’t replacing security thinkers or developers but challenges governance and accountability.
- Candid, creative, and sometimes comedic debate makes for actionable advice: This episode shines as much for its wit and personal stories as its risk wisdom.
Listen to the full episode for deeper context and more insights directly from security’s front lines.
