Podcast Summary
Podcast: CISO Series Podcast
Episode Title: They're Less "Best Practices" and More "Sounds Good on LinkedIn"
Date: March 17, 2026
Hosts: David Spark, Andy Ellis
Guest: Becca Harness, CISO at Deltec
Main Theme: Real-world insights and debates on the evolving role of the CISO, the realities of AI adoption, navigating risky controls vs. best practices, and the perils of questionable security vendor outreach.
Episode Overview
This episode explores how so-called "best practices" in security often sound good on LinkedIn but become complicated in practice. The hosts and guest dive into the challenges of implementing AI, shifting the CISO’s responsibilities, experimenting with controls, and recognizing vendor marketing tactics that cross the line into scammery. Through candid discussion and humor, they highlight the difference between what looks good on paper and what genuinely improves security in today’s dynamic environments.
Key Discussion Points & Insights
1. Advice & Trust in Security
- [00:03] Becca Harness opens with Alan Paller’s advice:
“The most important thing is that people trust you. So job number one when you start a new job is just establish that trust with the board, the executive team, your peers, anyone and everyone.”
- Insight: In security roles, trust is foundational. Building credibility early is essential for long-term success.
2. The AI Hype Cycle and Failure Rates
- [05:13] Is AI going to help or hurt us?
- David Spark cites a stat: 95% of AI pilot projects fail to make it to production (MIT via Enrico Signoretti).
- Andy Ellis reframes the stat [06:19]:
“95% of your pilot programs failing is a great statistic ... The whole point of a pilot is to figure things out in live production ... Learning is success.”
- Becca’s experience [08:54]:
“[We said] get AI in the hands of all of our people. Let's not have a culture of have and have-nots ... figure out where the logical use cases are. That’s been successful for us.”
- Key Insight: Organizations need rapid experimentation with AI but must be realistic about failure rates: success is learning what doesn’t work, not pushing every pilot into production.
3. The CISO & CIO Role Shift
- [10:18] Discussion of Andy Ellis’s article on the “Death of the CIO”
- Becca’s Real-World Experiment [11:37]:
She successfully pitched moving IT under the CISO at Deltec, merging IT and security teams for greater agility.
“I wrote a 15 page Amazon 6 pager ... including Andy's article ... made that point of, let's think about this a different way ... Bringing IT into the security organization allowed me to merge the teams together ... there’s really great synergies across the stack.”
- Andy’s observation [15:17]:
This shift is increasingly common, particularly among women leaders: “The first 10 people I could come up with were all women ... I could not find any men who had done this several years ago. So to me, that's just fascinating.”
- Friction Points: Transitioning to Agile methods over project-based management, and mitigating headcount boom/bust cycles.
- Becca’s mitigation tip [17:30]:
“Every team tells a very tight story of what they're delivering ... that’s one way we avoid [budget cuts], is we make sure that we tell our story very, very well upline.”
- Key Insight: When security and IT converge under one leader, streamlined operations and clear communication are essential, with an emphasis on metrics, storytelling, and trust.
4. Game Segment: What’s Worse?
- [19:36] Scenario:
- Option 1: Huge breach with fines, SEC scrutiny, material weakness, and a wildfire is heading toward you.
- Option 2: Insider threat steals IP, mistress pregnant, spouse just found out.
- Andy’s take [21:26]:
“My professional hat says the first one is worse. The wildfire impacts your ability to deal ... the amount of effect on your life, your company's life, everyone’s is much more massive.”
- Becca’s take [24:11]:
“Selfishly, the second one is actually worse because that's going to follow you for the rest of your life ... first example is temporary pain ... that’s a resume building activity.”
- Memorable moment: The hosts agree this was the closest split yet, a toss-up between professional disaster and personal catastrophe.
- Key Insight: Security leaders face both professional and personal risks, but the impact and duration vary wildly.
5. Security Controls: Paper vs. Reality
- [25:25] Operational friction from “solid” controls
- Common friction points:
- USB lockdowns (trust issues)
- Removing local admin privileges
- DLP policies interfering with workflows
- HTTPS inspection misconfigurations
- Becca’s view [26:32]:
“Migration to zero trust network access ... you’re unwinding decades of stratified goo when it comes to network rules ... but if I have a great networking team ... it’s a day or two of pain.”
- Andy disagrees [27:42]:
“What went smoothly was ZTNA, what failed was removing local admin access ... Which place did you truly understand what your users were doing in advance?”
- Andy’s core advice [31:30]:
“We work for the user. If the user needs a thing, the answer is not, let's run that through the process. The answer is yes in real time ... Don't get in the user's way.”
- Becca echoes [32:35]:
“Championing employee enablement will build a lot of trust quickly.”
- Key Insight: Success with controls comes from understanding users, anticipating pain points, and fostering an enablement culture, not from rigidly enforcing controls.
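Andy’s question above (“Which place did you truly understand what your users were doing in advance?”) is the practical difference between the two rollouts. As an added example that is not from the episode or its guests, the following Python script inventories, from a constructed CSV export of Windows Security event 4688 (process creation) records, which users launch which programs with an administrative token, so that a local-admin removal can be sequenced: users with no elevated launches lose admin first, and applications that many users run elevated get an elevation path before their users are affected. The CSV column names, the sample records, and the mapping of TokenElevationType values are assumptions made for the example; verify the value mapping against your own log source.

```python
"""Inventory elevated process launches before removing local admin rights.

Added example for this summary; not code from the podcast or its guests.
Assumes a CSV export of Windows event 4688 with the four columns below.
"""
from collections import Counter, defaultdict
import csv
import io

# TokenElevationType values as written into event 4688 (assumed mapping;
# check against your log source before relying on it).
ELEVATION = {
    "%%1936": "default",  # full token, no UAC split (built-in admin / UAC off)
    "%%1937": "full",     # elevated through a UAC prompt
    "%%1938": "limited",  # standard-user token
}
ADMIN_TOKENS = {"default", "full"}

# Constructed sample export; not real data. Raw string so the backslashes
# in Windows paths are not treated as escapes.
SAMPLE_CSV = r"""TimeCreated,SubjectUserName,NewProcessName,TokenElevationType
2026-03-02T09:12:01,alice,C:\Program Files\VendorApp\vendorapp.exe,%%1937
2026-03-02T09:15:44,alice,C:\Windows\System32\notepad.exe,%%1938
2026-03-02T10:01:10,bob,C:\Program Files\VendorApp\vendorapp.exe,%%1937
2026-03-02T10:02:33,bob,C:\Users\bob\AppData\Local\Temp\installer.exe,%%1937
2026-03-02T11:20:00,carol,C:\Windows\System32\cmd.exe,%%1938
2026-03-02T11:21:10,carol,C:\Program Files\VendorApp\vendorapp.exe,%%1938
2026-03-02T12:00:00,dave,C:\Windows\System32\mmc.exe,%%1936
"""


def parse_events(csv_text):
    """Parse the CSV export into a list of dicts, one per 4688 event."""
    reader = csv.DictReader(io.StringIO(csv_text.strip()))
    return [dict(row) for row in reader]


def elevated_launches(events):
    """Map user -> Counter of process paths that user launched with an admin token."""
    by_user = defaultdict(Counter)
    for event in events:
        if ELEVATION.get(event["TokenElevationType"]) in ADMIN_TOKENS:
            by_user[event["SubjectUserName"]][event["NewProcessName"]] += 1
    return by_user


def removal_plan(events):
    """Split users into those safe to de-admin now and those who need an
    elevation path first, and rank elevated apps by distinct dependent users."""
    all_users = {event["SubjectUserName"] for event in events}
    by_user = elevated_launches(events)
    app_users = Counter()
    for apps in by_user.values():
        for app in apps:
            app_users[app] += 1  # one vote per user, not per launch
    return {
        "safe_now": sorted(all_users - set(by_user)),
        "needs_elevation_path": {user: sorted(apps) for user, apps in by_user.items()},
        "apps_by_user_count": app_users.most_common(),
    }


if __name__ == "__main__":
    plan = removal_plan(parse_events(SAMPLE_CSV))
    print("Safe to remove local admin now:", plan["safe_now"])
    for user, apps in plan["needs_elevation_path"].items():
        print(f"{user}: needs elevation path for {apps}")
    print("Apps ranked by users who run them elevated:", plan["apps_by_user_count"])
```

Run it against a real export and the ranking at the bottom is the list of applications to package, sign, or put behind a privilege-management rule before the rollout; the "safe_now" set is the first wave that can lose local admin without a help-desk ticket.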
6. Who Owns Remediation? Exposure Management
- [33:00] David explains the pitfall:
Security teams are left accountable for remediations when they lack the authority to make the change, resulting in delays and breaches.
- Best Approach:
“Push ownership to the teams that can actually control the risk ... Security becomes the orchestrator, not the bottleneck.”
- Key Insight: Sustainable exposure management assigns risk ownership to those who control the relevant infrastructure, with Security acting as facilitator.
7. Shady Vendor Marketing Tactics
- [34:40] Incident:
Vendor emails CISO claiming to have found 1,223 “issues” and demands $15,000 to reveal them.
- Andy’s view [35:31]:
“I see this from legitimate vendors ... If what you have is I discovered some things, give the things you have discovered. Turn this from shady to now I’m doing good work.”
“Anything that involves going over my head ... is even worse ... Your CISO is ignoring this. That's honestly even worse.”
- Becca’s approach [37:30]:
“It's important to have a responsible disclosure program. If [the report] looks quasi legitimate, I'll respond back ... If they don't want to submit, they don't.”
“Vendors will absolutely climb up that ladder, but they'll also go downstream, too ... they get [analysts] spun up and distracted.”
- Andy’s worst experiences [38:49]:
- Academic researcher bills them after using their data for research without prior agreement.
- Vendor threatens to disparage the company unless they pay (“pay us money for us to stop saying that”).
- Key Insight: Clear boundaries, strong disclosure policies, and internal trust among executives are vital to fend off predatory vendor tactics.
Notable Quotes & Moments
- Becca Harness [00:03]:
“The most important thing is that people trust you. So job number one ... is just establish that trust.”
- Andy Ellis [06:19]:
“95% of your pilot programs failing is a great statistic ... Learning is success.”
- Becca Harness [11:37]:
“I wrote the paper, I sent it to all of our executive team ... then met one on one with them and ... they poked and prodded. ... They trusted me.”
- Andy Ellis [31:30]:
“We work for the user ... Don't get in the user's way.”
- Becca Harness [32:35]:
“Championing employee enablement will build a lot of trust quickly.”
Timestamps for Important Segments
- 00:03 — “Best advice I ever got in security” (Trust)
- 05:13 — AI pilot projects: hype, stats, and reality
- 10:18 — The evolving CISO/CIO leadership model
- 19:36 — Game: What’s Worse? (Breaches, wildfires, and personal scandal)
- 25:25 — “Solid on paper” controls that break in the real world
- 33:00 — Exposure management: ownership and remediation
- 34:40 — Scammy vendor outreach: red flags and war stories
Closing Thoughts
- Becca Harness [40:24]:
“This is a delightful industry to be in ... These type of stories are the things you’ll think about for your whole career ... Highly advise paying attention to the voices that come before you.”
- Open Invitation:
Becca is available on LinkedIn for those interested in breaking into cybersecurity.
Summary Takeaways
- Real “best practices” require empathy, trust, and adaptability—not just process.
- Learning fast and iterating is more valuable than fixating on flawless deployments, especially in AI and tech innovation.
- Modern CISO roles are becoming more operational and cross-functional, reflecting industry shifts and new success metrics.
- Success hinges not on saying “no,” but on championing users safely through change.
- Vendor relationships demand strong boundaries and skepticism; transparency and trust within the organization are critical.
- The stories and lessons shared by experienced practitioners are crucial development tools for early-career professionals.
This summary distills the episode’s candid insights and memorable debates, providing listeners and non-listeners with a full sense of both the complex topics discussed and the personalities shaping the conversation.
