
Loading summary
Announcer
Best advice I ever got in security. Go.
Tim Callahan
Best advice is really knowing the difference between what has to be an A plus and where a C is perfectly acceptable. And the reason for that is one of just energy and effort. There's some things that you just can't fail at, and you got to know those things. And there's some things where you just have to pass. And I learned this at a bank that compliance, you have to comply to stay in business. But you don't get extra credit for over complying. So measure that.
Announcer
It's time to begin the CISO Series podcast.
David Spark
Welcome to the CISO Series Podcast. My name is David Spark. I'm the producer of the CISO series. And joining me as my co host for this episode, the principal of duha, none other than Andy Ellis. Andy, say hello to the audience.
Andy Ellis
Hello to the audience.
David Spark
There you go. It's an old gag in movies and television shows.
Andy Ellis
Yeah, it's the Goodnight Gracie gag. But every time I do it, it gets you, David. So like, every once in a while I wanna slip it in.
David Spark
It's similar to the Walk this way joke where you literally mimic the way the other person walks. They've been doing it since the Marx Brothers. It's an old gag. We're available, by the way, @cisoseries.com where we have lots of other wonderful programming. In fact, four other shows on our sponsor for today's episode is Vanta. Trust Is Everything. Earn and Prove it with Vanta. We'll be explaining just how they're doing that with Agentic AI a little bit later in the show. Let me bring in our guest now because the two of you, our guest and you, Andy, have something in common. Our guest for today's episode is a CIO and ciso. They didn't think he was doing enough, so they gave him two jobs. And I believe they double your pay when they do that, right, Tim?
Tim Callahan
I would love to believe that.
David Spark
But anyway, he's the CIO and CISO for aflac, Tim Callahan. Tim, thank you so much for joining us.
Tim Callahan
It's a pleasure to be here.
David Spark
All right, so the thing that I want to mention is the two of you are both hall of fame CISOs. First one of you explained what the heck that means. And where does this hall of Fame exist? And is it in Canton, Ohio?
Andy Ellis
It is not in Canton, Ohio. I think it's in Framingham, Massachusetts. CSO Magazine.
David Spark
Okay.
Andy Ellis
Yeah, this was. They started the CSO hall of Fame. I think 2020 was your class, Tim, which is the first class. And So I think there was, like, six to eight people in that class. Six to eight in mine. I think the first couple classes, they basically just handpicked people. They were like, okay, who are the obvious folks to put in now? There's this weird application and voting system.
David Spark
Yeah. But isn't the whole point of being in the hall of Fame is that you have to be retired and neither of you are retired
Andy Ellis
now? Not for this one. For other hall of Fames. Totally. Is the case for other hall of Fames. Yes. But when you're gonna stay in the industry.
Tim Callahan
Yeah. And I'm pretty sure this one is actually in the physical location in Bob Bragdon's garage.
David Spark
Oh, really? And if I go to Bob Bragdon's garage, could I see a highlight clip of your life as a ciso? And, in fact, I'll ask both of you. Let's close on this. If I were to go to the hall of fame CISOs and there was a highlight clip of just one moment of you as a ciso, what would that highlight clip be? I'll start with you, Andy.
Andy Ellis
Oh, my goodness. One clip for one moment.
David Spark
Yeah. Well, it's just one clip. The one that it goes. This defines it. Like, for example, Larry Bird. There's a famous finals game where he steals the ball and throws it to Dennis Johnson, who gets the basket. That is the highlight clip I see over and over again. What's yours?
Andy Ellis
So I'm just gonna go with. Even though sort of lame was RSA keynoting that probably was it 2013, where I literally. And that's what I used when I was inducted in the hall of Fame, I created a little hype video that had me walking across with hall of Fame playing. And then, like all of my patents and accolades and everything I'd done in my career.
David Spark
What is the hall of Fame music? Is it like the 2001 opening that Elvis used to.
Andy Ellis
No, like the Will I am. You can be standing in the hall of Fame. You don't know this song? My goodness, I don't.
David Spark
I think you should come on with the 2001, the music that Elvis used to come on stage with.
Andy Ellis
You could do that. Tim, what's yours?
Tim Callahan
Yeah. So I'm really interested. Being the first class of the hall of Fame, they were still figuring out what that meant and what it was. So it wasn't quite. Quite as elaborate as yours.
Andy Ellis
Well, mine was also during COVID so we had to create our own hype videos and everything. So we didn't even get invited to get Our stuff, they just mailed it to us.
Tim Callahan
Yeah, I think I had to do some kind of interview kind of thing.
David Spark
Like you said of your career as a ciso, what would your highlight clip look like, Tim?
Tim Callahan
Yeah, it was probably when the deer in the headlights look when I first figured out I was hired into my first CISO role and I figured out what that meant.
Andy Ellis
Yeah, I think we all have that one.
Announcer
First 90 days of a CISO.
David Spark
Percy Rodeville of Rodeville Consultancy laid out the three mistakes that derail new CISOs. Ah, alluding to what Tim just said. Trying to boil the ocean, becoming the quote office of no and burning out by running at 110% indefinitely. The pressure to prove value fast pushes people towards sweeping restructures and tripled budget requests in week two. He recommends instead pick three to five priorities for year one and execute them. Well, I'm going to start with you, Andy, on this. Each one of these mistakes seems obvious and sounds obvious in hindsight, but are these mistakes still common? What early on mistakes did you make as a ciso and how did you correct course when you made those mistakes?
Andy Ellis
Oh, I made. I made lots of mistakes as a ciso. One of the things that I found fascinating is I wanted to drop into the show notes the how to CISO first 91 day guide that I wrote so that we could point folks at it. And the funniest thing was when I googled CISO 91 days, the sponsored hit was the Splunk report that Percy had used to then go write his assessment off of. So fascinating that Splunk's out Sitting on my own content advertising for this one. I think that Percy actually doesn't go far enough here, which is you shouldn't even be worrying about your first year. When you get on the ground, you have 91 days for people to take you seriously. One quarter. That's it. If at the end of one quarter, what you have is a plan for the year you've already messed up, you need to walk in and be like, what am I getting done right now? And there's two simple questions you can ask. It's really the same question with two different flavors. Everybody you talk to, you're going to say after you introduce yourself, meet them, whatever you're going to, you say, hey, what is one stupid security thing we're doing that doesn't provide value but gets in your way? And then the flip side is, what's one obvious security improvement we ought to be doing but we never implemented right? They will hand you the Roadmap to success. Do those things, like, reevaluate them. They might be wrong, but go do those things because they're almost always gonna be really quick, fast wins that everybody loves.
David Spark
By the way, you've mentioned this before, and by the way, I have quoted you multiple times on that tip. I think it's a phenomenal tip. All right, Tim, I'm throwing this to you. You had that deer in the headlights look of, oh, my God. My feeling is probably shortly after that, you started making your first mistakes. What are some classic mistakes you made, and how did you write the ship?
Tim Callahan
Well, probably the biggest mistake was thinking that I could, within that time, create a security roadmap that was going to take us five years down the road. What I learned is the most important thing in any company is building the relationships. I'm a student of John Maxwell, and he's got a couple of relevant or salient points here. One is people don't care what you know until they know you care. And I've really patterned my life after that. I mean, people have to understand who you are and that you really care about them, and then you care about the company or the organization you're working for. The other one, he writes, in five levels of leadership, is the principle that you will have positional authority for about 90 days. It ties back into what Andy is saying. You will have positional authority in 90 days. If you don't make the impact, if you don't convince people of who you are in that 90 days, you've got a fight on your hands. Because after that, they said, you've been here long enough. You need to now kind of perform. And so it's very important to realize that if you don't build that relationship, if you don't establish who you are and your character in that 90 days, you're probably not going to be successful.
Andy Ellis
You know what I really like about that framing Tim and I pivoted just a little bit is remember that your boss only has your back as long as you're going to produce some value.
Tim Callahan
Yeah, right.
Andy Ellis
And that's what that 90 days is. For 90 days, your boss has your back, but then you need to have your boss's back and produce something that makes you worth defending, because otherwise they're going to sabotage you, too.
Tim Callahan
Yeah. I was taught a principle, and I talked to y' all earlier about the different principles I've taken time to write down. But I think there's a salient principle. There is. One of the generals that I happened to had the privilege to be on his staff in the Air Force was a gentleman named Eugene Lupia. And you can actually look him up. There's some articles about some of the great firsts that he's did, but he practiced and taught us. Work the boss's agenda, not your own. And basically the principle behind that is you have to trust that your boss has the broader landscape and that you have to fold into that. So if the CEO of your company has a vision, it's our responsibility to mold our program into that vision. It's not our responsibility to try to reshape the vision. And I think that's a fundamental principle again, in how we can be successful. Because if we're not working the business agenda, we're never gonna be successful. We're gonna have bolt on security. We're gonna have security that does not resonate with people. Definitely not your business leaders. So I think it is a very good principle that goes along with that. First 90 days,
Announcer
got a better answer than we're.
David Spark
Admitting. I'm still figuring this out builds more trust than pretending you have figured it all out. This is Miko Paulikowski of Quadrature, who was recently reminded that the false certainty of AI doesn't work for leadership. In leadership, there is no destination, only the next thing. You don't understand yet. But that's a hard posture to hold when your team is looking to you for direction. Saying, I don't know once is honest. Saying it every week starts to look like drift. So how do we project direction when we don't have answers yet? I'm going to turn to you, Tim, on this one. I'm sure this is happening a lot right now with AI Everyone goes to the next session on AI hoping that that's going to have all the answers. Let me just tell you, the next session you go to on AI is not going to have all the answers.
Andy Ellis
It will not.
David Spark
I have fallen into that trap myself. So I'm going to ask you, Tim, what does the quote, we're figuring this out together look like in practice? And I think AI is a perfect example.
Tim Callahan
I do. So one of the principles, again, that I learned in the Air Force, that's carried me through life. So what I did in the Air Force, I was bomb disposal, explosive ordnance disposal.
Andy Ellis
The most important person in the Air Force. Just be very clear, EOD at a dead run outranks everybody.
Tim Callahan
Yeah. Yes. People generally follow. But anyway, I will tell you that it taught me that every problem is a team problem, that there's no one that knows there, you can't rely on someone's rank that especially when you're considering, let's say, a terrorist bomb, there's no textbook on that. Right. So you have to figure it out. And so the principle there is that we gather together and we figure it out. And also, you don't rely on someone's rank. You know, most things in the military, there is a rank order, and there should be. But in these kind of situations, the most junior member may be the best studied up on the latest technique in terrorist bombs. So you're going to listen to them. So I've taken that lesson to heart. And in my practice in the civilian world, and generally I do, I gather my core team together and say, look, we got this problem. How are we going to figure this out? And it is a we team sport. Because if I try to purport that I have the answer, especially if I don't, I think that that builds distrust. It's interesting. I was on a panel a couple of weeks ago with my deputy global chief information security officer, and we were having a conversation and this particular topic came up, and one of the things I'm. I'm sure you've heard the saying, fake it till you make it. That's not true.
David Spark
I don't agree with that phrase either.
Andy Ellis
Yeah, I've got nuance on that one. But let's not distract.
Tim Callahan
But it is. First of all, people see right through that. I mean, if I try to put on that I know the answer, when I don't, people are going to see right through that. So it does not build trust. When you come to your team and say, look, this is something we all got to figure out together, that does build trust because you're relying on the expertise that each of them bring to the table. And then you solve it together, you lock arms, and you go to the solution.
Andy Ellis
I agree with almost everything Tim said, except for the fake it till you make it thing. I think he took that one a little too strongly as an absolute. Like, if you have no skill, fake it. No, like, what you don't want to do is say, well, I don't know the answer, so I'm not going to try. That's the advice of fake it till you make it. But I want to look at a different piece of the problem because the advice Tim gave you is really good for where there is a known solution that you can get to. And I think the spirit of this question is about the unknown, which is there is no actual known good solution. And that's where people often get into trouble, which is you have to go forward and you cannot actually defend any answer as being right because there isn't a right solution. And one of my favorite quotes, and there's like 18 different generals who said a variant of this one. And I think General Krulak of the Marines said it best for me, which is the 70% plan violently executed beats the 100% plan every time.
Tim Callahan
Yeah, yeah.
Andy Ellis
And that's the really important thing to acknowledge is I don't have all the answers. This isn't perfectly defensible, but it's the best plan we've got. And motion is required, and we have to go do something, even if it's only 70% good. Let's take a recent thing that happened, right? Cloudflare laid off 20% of its staff to basically go all in on AI. They said, look, if you're not core to building product or selling product, we're gonna replace you with AI. And lots of people are all over them. This is a 70% plan being violently executed. They're ahead of the market because rather than nickel and diming and playing around, they're like, oh, we don't need a brand department anymore. We'll have AI do it. I don't think they're right on that specific call, but that's okay, because in a year, maybe they'll come back and be like, oh, we need a brand new manager who will then run an AI team and they'll come back from it, but because they moved fast, and that's what really you have to get across to your team is you have to look, I don't know the ultimate answer, but this is the best answer we've got. Do you have a better one? Do you have input?
David Spark
But. Okay, let me throw something back at you, because the variation I've heard of that is perfection is the enemy of good enough kind of a thing.
Andy Ellis
Yeah, the Voltaire, the best is the enemy of the better.
David Spark
But, but so, so here's my question to both of you is how do you show that you're doing great work by chronically doing good enough fast, I guess, is my question.
Tim Callahan
Well, yeah, and I. Again, it gets back to the premise. There's some things I got to have an A plus in, and there's some things Cs are good, you know, and I'm not disagreeing with Andy, because I do think, first of all, if you're sticking to the basics, you've got principles. And I could go into how we implemented AI at aflac we started off with a set of principles, right? We didn't know the, we didn't, nobody knew this stuff and anybody that said they knew it was wrong. But if you get a set of principles and you stick by those kind of principles, you're going to be more right than wrong. So directionally you're going to be heading in the right direction. And I think that's the approach you have to take is you directionally using the military illustration. We know the enemy's over that hill, so we ought to be pursuing it in that direction, right? Or at least acknowledging that they're there as we figure it out. So directionally is not the same as fake it and make it right. We know in general ways what we need to do. We have a set of principles, we have a policy construct, we have a governance construction. Let's remain within that as we figure it out and you're going to wind up more right than wrong.
David Spark
What's the one thing in business that's spreading as fast as AI? It's AI risk. Every new tool your team signs up for. Every vendor that turns on AI features, every new integration, each one is an opportunity for something to go wrong. And most security programs weren't built for AI's pace of growth. Enter Vanta. Vanta is the number one agentic trust platform used by over 16,000 fast moving companies like Ramp, Cursor and Harvey to ensure they're always audit ready. And now Vanta is helping companies like yours watch for the risks that show up between audits across your vendors, your AI tools and your whole environment. How the Vanta agent works like a 24,7 GRC engineer in the background, finding issues, drafting fixes for you and cutting vendor assessment time by up to 50%. Whether you're a fast growing startup or a global enterprise, Vanta is here to help you automate your security and compliance and earn improved trust. Get started today@vanta.com CISO that's V-A-N T A.com CISO do me a favor, add that CISO. Easiest way to let Vanta know that you heard about them from the CISO series.
Announcer
It's time to play what's Worse.
David Spark
Tama. Have you heard the show before and have you heard this what's Worse segment?
Tim Callahan
I have not.
David Spark
All right, well it sounds just like I described it, which is you're going to get two fictional scenarios, you can't edit them and you have to decide from a risk management perspective which one is worse. I will make Andy answer first and you can agree or disagree with Andy, and sometimes you can agree, but for completely different reasons. All right, and these always come in from one of our wonderful listeners. And this one comes in from Zach Campbell, who's the CISO over Gills Point S Tire. And this is what Zach has. All right? You find out, Andy, in your first day on the job that HR has been independently feeding information from a SAS human resources information system to a public LLM and the company has thousands of employees. All right?
Andy Ellis
Okay.
David Spark
That's what's going on. Or you're taking a CISO role only to find out that HR takes no ownership in their temporary contract workers. And you have hundreds of accounts that have been active for years with these temp and contract work and nothing to check against for it. The users are still current or not. Which one is worse?
Tim Callahan
This is totally fictional, right?
Andy Ellis
It's completely fictional. Sorry, I'm laughing because I lived that second scenario. So here's the funny thing. Do you know how I actually solved that second scenario? Because this was like a huge battle because you had things like contractors who were students and so they worked for the summer, and then the hiring manager was like, well, I want to bring them back over the winter break or maybe next summer, but they'll do like an hour a week, maybe during the school year, so I don't want to deprovision them. And then they never actually used them. And so we'd end up with these accounts, and HR didn't want to deal with it, the contracting agency didn't want to deal with it, whatever. Here's the stupidest way to solve this problem, which was our security awareness training program, which. This goes back to the. Sometimes you just need to see in. This was literally a cron job with a database that every employee with the date that they last clicked on the security awareness training program. And it would just email them and say, hey, you need to come back and redo this. It's been 11 months. Read the training, which fit onto one screen and click Accept. And if you didn't do it by the end of one year, it cc'd your manager. Yeah, and here's what started to be funny is we'd get. These managers would email us and would be like, why are you sending this person security awareness training? They don't work for us anymore. I'm like, well, apparently you never told hr. And that's how he went and hunted down, really, these folks. Originally. Then we started to. We got to finance, and we said, we want to pull for everybody in a contractor status did they get paid in the last month and if they didn't get paid. So we just, we worked completely around HR until HR finally stepped up. Now I know that's outside the scenario of the what's worse. But I want to give this advice that if you're stuck here, there are other ways around the second problem than hr. The first one is kind of an interesting because they're feeding HR data to an LLM and I'm not allowed to change this because that's part of the what's worse scenarios.
David Spark
Yeah, that's part of the game. You can't change things here, Tim.
Andy Ellis
So honestly this is weird because either I'm dealing with data breach about my employees or potentially access breach based on these contractors that aren't still here anymore.
David Spark
Everything I would just say in both cases here, these are both insane wild cards, like anything could happen.
Andy Ellis
They're really wild cards and I like this because they actually both start from basically the same problem, which is hr. So it's an apples to oranges, but it's on the same tree.
David Spark
You like blaming hr, right?
Andy Ellis
Right. Well I love blaming HR actually. HR can be your best friend, but they also can be a nightmare. So I think that I am going to go with, I'd prefer the second scenario and partly that's familiarity because I've dealt with it and I know how to work around it. I can't fix it, I can't get HR to deal, but I can at least solve the access management problem out of the other end of it.
David Spark
So you think the first scenario is worse?
Andy Ellis
So I think the first scenario is worse because it is so unbounded and the fines that are come out of the EU because I'm assuming I'm a global company for dumping the data of EU citizens into some publicly accessible LLM where I going to assume there will be a breach at some point just strikes me as a ticking time bomb.
Tim Callahan
So.
Andy Ellis
But I could, I could argue myself either direction here. So if Tim disagrees with me.
David Spark
All right, so this might be an easy one for you to disagree with Tim. If you want to disagree with Andy, which by the way, I'm just going to tease you and say I love it when people disagree with Andy.
Tim Callahan
Well in this case I can't because I agree, I agree that the worst, the second scenario I actually fix that because we deactivate after 45 days of non use. So if we see no activity it goes into a deactivate camp and then there's another time that we just totally Eliminate.
Andy Ellis
So how do you deal with people on parental leave, Tim? I'm just really curious because that's more than 45 days.
Tim Callahan
Well, there's an acceptance. There's an acceptance.
Andy Ellis
So if they've been registered, you pull their leave data and.
Tim Callahan
Yeah, exactly, we can do that. But having the systemic control is very helpful because no ID ought to be orphaned for 45 days. I mean, but anyway. But the first one is really a mess because depending on your jurisdiction, depending on, and the truth is once any data, personal information comes under any form of unauthorized access, it cues a notification of some sort in most jurisdictions, again, you're navigating globally, it's even worse. So that's definitely the worst scenario.
Andy Ellis
And before any listeners are like, oh but that's good because now that we're notifying, people have to do something about it. I will tell you that trying to convince your organization that you have just triggered the notification rules because it's only in an LLM, it hasn't yet been disclosed, you're going to have every executive lined up saying this isn't actually a data breach yet.
Tim Callahan
Yeah, yeah. And depending on the content, I mean, you know, again, it triggers different regulations that have different interpretations. But it's bad.
David Spark
Well, we will agree with you on that.
Announcer
Is AI going to help us or hurt us?
David Spark
Quote, AI tools are not creating new vulnerabilities, they are revealing legacy debt that was previously invisible, end quote. Now that's Ross Young of CISO tradecraft who frames the arrival of agents like Anthropic's Mythos as an MRI effect diagnostic visibility into rot that's been sitting in our code bases for years. But collapsing time to exploitation from months to now minutes, that breaks every assumption. In the vulnerability management category, Young argues for vulnops, a machine speed replacement for manual remediation. How is that different than current vulnerability management tools? I ask? And how should we expect vulnerability management tools to reinvent themselves? And Tim, I'm going to ask you how quickly before we start ripping them out? And this is also a question I was asking at a meetup last night. Does vulnerability management in its current state survive? Tim?
Tim Callahan
It definitely survives. So I do think that we have been automating vulnerability management for some time, so certainly AI is going to enable that to be faster. Some vulnerabilities don't have a patch though, and again that's an area. If you have an application coding that introduces a vulnerability, the only fix to it is to fix the code and especially if it's a homegrown app. There's nothing for that. So AI exposes that we have been using automation to some extent, and it doesn't sound as sexy as AI, but we've been using automation to discover vulnerabilities for quite some time, non human intervention automation. So I don't see a big shift in that. I think again, everybody kind of freaked out over the Mythos thing. The truth is, if you have a solid vulnerability management program, you're probably ahead of the game anyway because it's still a classification of risk, a classification of how fast do I need to patch it? Face on risk, a classification that includes is it outward facing, inward facing, what is the attack path to get there? And all of this has to be taken into account in your vulnerability management program. But I think AI can help bring that together faster.
David Spark
All right, Andy, what do you think?
Andy Ellis
Well, I just wrote an op ed on this one and except for Tim, who foolishly also took the title of cio, if you're a ciso, the vulnpocalypse is not your problem.
Tim Callahan
Yeah.
Andy Ellis
And in fact, the worst mistake we have made as entire industry is letting the CISO be accountable for vulnerability management. That never should have been the case. If you deploy it, you fix it, period. That's your job. Prioritization is your job. This is all your job. The CISO's role always should have been governance. This engineering team is not patching their systems in the same way that you might point at a maintenance vehicle fleet and say, this vehicle fleet is not putting oil in their trucks or they're letting oil leak all over the place. You're then not the one who remediates it. You're just pointing it out for the business. But instead we got a seat at the table by saying, oh, we'll try to fix these problems, we'll manage it. People would listen to us. And then they nerd sniped us by saying, can you please prioritize this? And we created an entire industry about risk quantification on the premise that we could actually prioritize a whole bunch of vulnerabilities instead of saying fix them all. There is no reason not to fix all of the vulnerabilities unless there's one that is fundamentally will break your system. The flat assumption always should have been fix them all. And it's not.
Tim Callahan
I agree, and so what I do what we do. And it is a little bit odd having both positions right now. However, we've created a very clean line of accountability and that kind of stuff. But we've always owned the responsibility to metric and I do think CISOs should own the risk ranking now. I do agree we should say fix them all. The reality is that's not going to happen. So there has to be some methodology
Andy Ellis
and I think that right now we're in the fixed 10% by default and we should be in the fixed 90% by default.
Tim Callahan
And so yeah, yeah. And the fact that I metric it every quarter, it goes to the board every quarter. One of our board members says hey, this has improved from last but we're still not hitting our target every quarter. I will say one segment has knocked it out of the park. They for over a year hit their target every quarter but
Andy Ellis
you should bring some of them to the next board meeting and bring cake.
Tim Callahan
We did well we didn't bring cake.
Andy Ellis
Oh no. Bring cake because then it's memorable.
Tim Callahan
That's right. But it is. And we have one particular board member who is pretty much our designated, although we have more than one designated technology member. But she is very good about rewarding and praising when we hit those kind of metrics. But I do think that getting back to the basic question, we are leveraging AI to get us the information faster.
David Spark
Coming up next, if every AI use case goes through the same committee, your governance is both too slow and too weak.
Announcer
This AI governance and AI security tip is sponsored by Speakeasy.
David Spark
Here's a pattern that stalls AI programs. Every AI idea, from internal models used by HR to customer facing chatbot agents get funneled into one committee that reviews them all the same way. The trivial cases wait months. The genuinely dangerous ones get the same rubber stamp as the rest. As the way you handle oversight is the same no matter the AI use case, you're in for a world of hurt. Mature programs tier their AI by risk and match the level of scrutiny to the tier. The EU AI act uses this as a basis for its core logic. Some uses are prohibited outright. High risk uses carry heavy obligation like human oversight and documentation, and low risk uses carry almost none. NIST AI RMF says the same on the accountability side that governance needs clear roles and named owners, not diffuse committee consensus. So classify your use cases before you review them and route the high risk ones to real scrutiny while letting the low risk ones move. And for each AI system, name a single accountable owner, one person who answers for its risks. Shared accountability is just another way of saying nobody is accountable.
Announcer
Go to Speakeasy.com to see how leading enterprises are scaling AI securely with the Speakeasy AI control plane. How have you actually pulled this off?
David Spark
Quote Humans are, are not your weakest link. They are your most predictable component. End quote. Security awareness training is a blame shifting exercise for Joshua Copeland of Crescendo. When phishing works at scale, we need to think of that as a design failure, not a user failure. He claims the fix is engineering controls that don't rely on perfect behavior. Is that too high of a bar? I mean, how far up the severity curve does that approach extend before we run out of controls, budget or business tolerance? So, Andy, I'll ask you, what does designing for predictable human failure look like in practice? And there has to be kind of a limit where we can't essentially put everyone in sort of a digital padded room.
Andy Ellis
I don't know that I agree with that. First, I just want to note that Joshua Copeland is amazing because he has this capability of writing a sentence that I completely agree with and then following it up with a sentence that I completely disagree with. Like, it's amazing.
David Spark
Well, Keith, let me give a pitch for Josh Copeland. He writes these unpopular opinion posts, right? So they're designed, they are designed to do essentially to make you love them and hate them all at the same time.
Andy Ellis
But there are people who can't do this of get it exactly right. He's exactly right. Humans are not our weakest link. They're not actually very predictable. But that's okay. And you're not planning for their failure. Here's the scenario. Let's talk about phishing. Very simple. I get email from HR that says you need to click this link and enter your financial payment details to get paid. Right? That is a legitimate email that everybody gets on their first day of work at almost every corporation on the planet. Okay, good luck going from that to saying, oh, you should figure out when a link is legitimate. When our mail clients hire hide who really sent it. When the user interface hides where that link is going to where our operating system will allow me to click something and go execute it. What does perfect behavior look like here? Because I think you're setting us up for a disaster. Here's the problem, which is the command and control infrastructure of our business is fundamentally broken and it's not hard to fix. Like if you have phishable authentication, that's your problem. Every user. When I was at Akamai, you clicked to go to a website and it would prompt you to authenticate. Guess what it did? It checked that you had the X509 certificate on your device and then it did a push off automatically to your phone. The phone of the human associated with the device to say, hey, is this really you? I don't care if you click a phishing link because you don't have a password for the adversary to steal. If you don't have EDR protecting you from downloads, that's your problem. Not that the user clicks on a download. So this is a fundamental design and most users are not actually going to object to, oh, I don't have to type in my password all the time. All I have to do is come from my computer and push a button on my phone to just say, hey, yeah, that really was me as I'm doing a thing. This is easy.
David Spark
All right. Andy has his take. Tim, I'd like to know your take in terms of what is sort of creating security for humans. Look like essentially architecting, engineering it so we don't have to rely on them always being perfect.
Tim Callahan
Well, I think you have to go in assuming that humans are going to make arrows, because we're humans and we do make arrows. So you build a layered defense. What Andy described as the authentication pattern is one. And we know that sometimes that fails because of authentication fatigue or MFA fatigue, but that is. It's a good pattern. Right. I do think you do education, it's very important. It's one of those things that I don't necessarily believe that the annual security training certification actually fixes things because you can go to anyone that's taken the test two weeks later and ask them questions and they're not, you know, they're not going to remember. But I do think it's effective to constantly remind people. I do think, you know, again, building in a phishing, resilient, systemic approach is very important. The days of username and password have been behind us for a long time. It took some of us longer than others to realize that and fix it. But definitely having the whole components of the authentication begin with, is this even a trusted machine? Or is this a trusted URL, or is this even trusted? Right. I think many companies, and us included, have been very good at black holing. Things that just can't be good so the user never sees them. If it cannot produce a good outcome, why are you even letting it in your environment? Those are keys. So again, I don't like blaming the employee. One thing we do, however, do that I think is very important. I actually minted a coin. I got that idea from someplace in my past, but I minted a coin, a cyber hero type coin, Cyber ambassador, cyber champion. And when someone. We had a situation not long ago where there was a very aggressive social Engineering attack. Some people fell for it. One hero did not. Not only stopped, it called it out and alerted us. I recognize that person very publicly. They got a feature on our Aflac website because I want people to realize what good behavior looks like more so than what bad behavior looks like.
Andy Ellis
Yes.
Tim Callahan
It's like the old adage. And I don't. I was told this years ago by a Secret Service person. One of my joys in the Air Force was getting to do presidential protection along with the Secret Service as an augmentee. But in the service, the Secret Service, as you know, one of their big things is anti counterfeiting, if that's the right word. They told me that they're trained on real dollar bills, not fake dollar bills. Because if you're really trained hard on what something should look like, you will detect quickly when it doesn't look like that. And so I really do think we should spend a lot of time on what good behavior looks like. And that generally is more favorable an outcome than the other.
Andy Ellis
And it happens more often as well.
Tim Callahan
Yes, it does.
Andy Ellis
If 99% of the time you're dealing with the good things, train on those things so that you can be like, oh, this is trying to look like a good thing. But it's. It's not, actually.
Tim Callahan
It's not. Yeah.
David Spark
All right. Well, that brings us to the tail end of the show. Thank you both, gentlemen. That was excellent. I want to thank our sponsor and that would be Vanta. Remember, trust is everything. Earn and prove it with Vanta. Go ahead, get that vantage. And working for you 24. Seven, a GRC engineer that's always working, looking out for you. Go to vanta.com CISO and add the CISO. Easiest way to let Van to know that you heard about them from the CISO series. Tim, I'm going to let you have the very last word here. I will first though, ask you, are you hiring over there at Aflac?
Tim Callahan
We do have a few positions. Obviously you can go to aflac.com/careers and see those. We're very emphatic that we want to hire from within. And so that's our first avenue all.
David Spark
So get in any way you can. Is that the idea? Yeah, yeah, that's. That sounds like a good philosophy. And by the way, and I'm glad you're saying that because I must say, every job that I ever took, they said that. And then when I was at the job, it was clear they did not do that.
Tim Callahan
Well, we. We do. I will tell you at Aflac, we. We have the seven principles that we follow that that cut to our culture and who we want to be. But one of the things that we do is because culture is such a big part of our company and our business, we find we can train people on skills. You can't always institute culture, and so we look heavily to that. So if you have a proven employee that's adapted to the culture, certainly we want to continue to invest in that person.
David Spark
Good. Good philosophy. Thank you again, Tim. Thank you again, Andy. And as I always say to our audience, and mean it, we greatly appreciate your contributions. In fact, send me a lot more. What's worse scenarios, send me ones that make Andy and Mike and all of our co hosts and guests struggle. That's what we want. And also disagree with Andy, which is what I always look forward to. Thank you everyone, everybody. Keep sending in your contributions. And for listening to the CISO Series
Announcer
podcast that wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup and cybersecurity Headlines. Week in Review. This show thrives on your input. Go to the Part Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. thank you for listening to the CISO Series podcast.
Episode Title: The Only Thing Worse Than Technical Debt is Newly Discovered Technical Debt
Date: July 14, 2026
Hosts: David Spark, Andy Ellis
Guest: Tim Callahan (CIO & CISO, Aflac)
This episode dives deep into security leadership—what it really means to be a CISO, how to navigate the critical early days, and the evolving challenges of technical debt, especially with the rise of AI. Hosts David Spark and Andy Ellis join guest Tim Callahan to unpack common leadership missteps, AI-driven risk, vulnerability management, and how to design for inevitable human error.
[02:09–05:01]
Notable Quotes:
[05:30–11:03]
Notable Quotes:
[11:09–18:20]
Notable Quotes:
[19:42–25:40]
Notable Quotes:
[26:21–31:58]
Notable Quotes:
[32:09–33:38]
[33:59–41:04]
Notable Quotes:
| Topic | Timestamp (MM:SS) | |------------------------------------------------------|--------------------------| | Hall of Fame CISO reflections | 02:09–05:01 | | First 90 days: mistakes & relationship-building | 05:30–11:03 | | AI leadership: honest “I don’t know” and team solving| 11:09–18:20 | | What’s Worse? Scenarios | 19:42–25:40 | | AI/vulnerability management debate | 26:21–31:58 | | AI governance: moving past committee slowdowns | 32:09–33:38 | | Securing for “inevitable” human error | 33:59–41:04 |
Tone: The episode balances humor and candor, blending war stories with actionable advice—always with a clear, practical lens on security leadership.
For new and veteran CISOs, this episode is a must-listen, distilling not only what can go wrong, but how to steer toward what works, especially in an AI-infused landscape full of both legacy headaches and fresh unknowns.