CISO Series Podcast: "Take Two-Factor Authentication and Call Me in the Morning"
Date: February 3, 2026
Hosts: David Spark, Andy Ellis
Guest: Janet Hines (CISO, ChenMed)
Episode Overview
This episode dives into the everyday challenges and deeper philosophical questions facing security practitioners and vendors. The panel debates the sales process for security products, leadership reporting structures, transparency versus actual risk in third-party vendors, risk quantification models, and the high-stakes tensions between security controls and business outcomes—especially in life-or-death scenarios like healthcare.
Key Discussion Points and Insights
1. The Dysfunctional State of Security Vendor Sales
(04:21–09:33)
- Andrew Beckerer's Vendor Experience: Filled out legitimate sales forms with four vendors. Results: only one professional response; others ranged from chaotic to non-existent.
  - “The irony that when you're ready to buy on your own terms, vendors can't seem to answer the door.” – David Spark (04:26)
- Why the Sales Experience Is Broken:
  - Marketing and sales are siloed; inbound intent often gets lost in a form queue.
  - CISOs prefer peer introductions to vendors over impersonal contact forms.
- How to Fix It:
  - Andy’s Take: “I would actually really love it if marketing teams were integrated more tightly into sales teams...when somebody says I have intent that needs to go right to sales.” (08:43)
  - Janet’s Take: “I want there to be an actual focus. Someone on the other end...This is actually the warmest call you could get.” (09:19)
2. CISO Independence and Reporting Structures
(09:42–16:14)
- Joshua Copeland's Controversial Assertion: “If your CISO reports to the same executive who creates a risk? That's not oversight, it's hostage negotiation.” (09:42)
- Panel Takes:
  - Janet: Strongly opposes CISOs reporting into functions they oversee. “You'd be stifled, you'd be muffled, you'd be silenced. I think it should be [independent] everywhere.” (10:51)
  - Andy: Disagrees, calling out a nuanced reality: in the end, all risk traces back to the CEO. “The CEO creates all risk. And none of us are advocating that the CISO doesn't work under the CEO.” (12:54)
  - Organizational dysfunction is inevitable; CISOs must pick their battles and find alternate advocates (legal, finance, enterprise risk) for critical issues.
- Big Picture:
  - Independence is ideal, but adaptability and alliances are essential in less-than-ideal structures.
  - “There is plenty of good work to do. Stop beating your head against the wall that you're not gonna break down.” – Andy Ellis (15:10)
3. What’s Worse: Security Transparency or Security Competence?
(18:04–23:19)
- Scenario:
  - Which is worse: a third party with strong security controls but zero transparency, or weak security with radical openness?
- Unanimous Answer:
  - Both Andy and Janet support strong security over transparency.
  - “The transparent but bad vendor is the worst scenario. Now I know you're a disaster, so I've got a whole bunch of new issues.” – Andy Ellis (19:00)
  - “Once you know, you know, and you can't unknow, and then you've got to deal with all of it.” – Janet Hines (20:15)
  - In many cases, trust is a practical necessity in security vendor relationships.
4. Risk Quantification: FAIR vs. Roll Your Own?
(23:24–28:39)
- Key Question:
  - Should organizations build their own risk model, or stick with industry standards like FAIR?
- Janet:
  - Favors standard models for cross-industry benchmarking and ease of communication.
  - “You would be constantly having to map your custom homegrown risk levels to a standard.” (24:37)
- Andy:
  - Argues FAIR is often impractical for most real-world organizations.
  - “There are too many people who have a religious fixation with FAIR...You cannot take the actuarial methodology that works in insurance, that deals across large populations, and apply it to singular individual risks.” (24:54)
  - Advocates for whatever model resonates with business decision-makers, even if that's a homegrown solution.
- On Benchmarking:
  - Janet: “How do we compare to our peers?” (28:17)
  - Andy: “You say, ‘I am better than average. I am worse than average.’ That's mostly what your executive peers want to hear.” (28:17)
5. Security Controls vs. Business/Life Outcomes in Healthcare
(28:45–35:58)
- Scenario:
  - A doctor needs urgent patient info at 3am; security controls block access (two-factor, password reset, etc.). Should rules be broken to save a life?
- Reality Check from Janet (Healthcare CISO):
  - “If I was given this scenario...it's the lives of the patients over everything else...there's just no reason anyone would choose security over the life of a human being.” (29:55)
  - Suggests these scenarios are rare and mostly fictional, but supports transparency and post-incident documentation.
- Andy’s “Incident Credit Card” Metaphor:
  - “The worse the incident is, the higher the limit on your credit card is...You have a credit card where you get to create any incident you want that does not affect another patient's life.” (32:10)
- Human Workarounds:
  - “The humans are going to work around your system.” – Andy (32:01)
  - “There's workarounds for everything.” – Janet (32:10)
- Design Guidance:
  - Understand front-line user needs, prioritize resiliency, and engage practitioners as experts.
  - “You've got to understand what the doctors need and when they need it... There's got to be resiliency.” – Janet Hines (35:14)
Notable Quotes & Memorable Moments
- “They're so focused on banging on my door that they're not looking at their own door.” – Janet Hines on security vendors (07:43)
- “The CEO creates all risk.” – Andy Ellis (12:54)
- “There is plenty of good work to do. Stop beating your head against the wall that you're not gonna break down.” – Andy Ellis (15:10)
- “Once you know, you know, and you can't unknow.” – Janet Hines (20:15)
- “If the scenario is doctor vs. security: ‘it's the lives of the patients over everything else.’” – Janet Hines (29:55)
- “Incidents give you a credit card… you get to create lesser incidents to solve the main one.” – Andy Ellis (32:10)
Timestamps for Key Segments
- Understanding Security Sales Dysfunction: 04:21–09:33
- CISO Reporting Structure Dilemma: 09:42–16:14
- What’s Worse? Security Transparency vs. Competence: 18:04–23:19
- Risk Models: Build vs. Buy: 23:24–28:39
- Security vs. Saving Lives (Healthcare): 28:45–35:58
Tone & Style
Conversational, occasionally irreverent and playful, with a strong undercurrent of practical, lived cybersecurity experience. The hosts and guest are unafraid to challenge industry orthodoxy or poke fun at themselves and their peers.
Additional Resources and Final Comments
- Janet Hines’ Book: "Go Ahead, Ask for It" (about career and personal advocacy)
- Andy Ellis’ Book: "1% Leadership"
- For more information and involvement, visit cisoseries.com
Summary prepared for listeners who want a concise, in-depth understanding of the episode’s lessons and debates without the banter and ads.
