CISO Series Podcast: "Time to Choose a Security Vendor: Dart Board or Spin the Wheel?"
Hosts: David Spark, Mike Johnson, and Andy Ellis
Guest: Pavi Ramamurthy, Global CISO & CIO, Blackhawk Network
Date: September 30, 2025
Episode Overview
This episode dives into the perennial challenges CISOs face when selecting security vendors in an overcrowded and confusing marketplace. The hosts and guest explore how to navigate vendor selection, communicate ambiguity in cybersecurity risk to boards and executives, handle the rapid rise of AI-driven threats, and recognize why so many CISOs are leaving the profession. The discussion is candid and practical, focusing on real-world experience, decision-making frameworks, and the criticality of trusted peer networks.
Key Discussion Points & Insights
1. The Curse of Knowledge: Meeting People Where They Are
- Opening Thoughts:
  - Pavi likens cybersecurity to playing chess "with the pieces on fire, the board upside down, and business yelling 'move faster'" ([00:03]).
  - The group discusses how experts sometimes lose touch with how to explain concepts to non-experts, a phenomenon known as the "curse of knowledge".
- Practical Takeaways:
  - Security professionals must learn to "explain it like I'm five" ([03:28]).
  - If you get the same questions repeatedly, that’s feedback: update your communication!
- Notable Quote:
  - “You need to meet people where they are, not where you are.” – Mike Johnson ([03:14])
2. Communicating Ambiguity & Building Trust with the Board
- The "Are We Safe?" Board Question:
  - Boards often want clear answers; a CISO's job is to express readiness, not safety.
  - Tools like heat maps aren't perfect, but they help frame nuanced conversations ([07:10]).
- Key Insight:
  - The real leadership skill is being “confident about ambiguity.”
- Pavi’s Metaphor:
  - “Asking ‘are we safe?’ is like asking, ‘Is a submarine 100% dry? Is a piñata safe at a toddler's party?’ It’s unreasonable.” ([08:48])
  - Focus on showing the organization is “ready” (prepared to evolve and respond), not absolutely safe ([09:59]).
- Notable Quote:
  - "We can't promise safe, but I can promise ready." – Pavi Ramamurthy ([09:59])
3. AI, LLMs, and the "Trifecta of Doom"
- Emergent Risks:
  - The MCP (Model Context Protocol) can expose sensitive systems via LLMs at unprecedented speed ([11:45]).
  - Developers spin up tool integrations faster than security can keep pace.
- Actionable Security Practices:
  - Practice ongoing visibility, governance, and guardrails, especially in data flows and endpoint controls.
  - DLP (Data Loss Prevention) and specific policies are critical but not all-encompassing.
- Notable Quote:
  - “AI tools with no guardrails are very convincing chaos engines.” – Pavi Ramamurthy ([12:54])
4. What's Worse? The Impossible Demand for "Perfect Security"
- Game Segment:
  - Who is it worst to hear “I want perfect security” from: CIO, CEO, or CFO? ([18:25])
  - Mike picks CIO (least power to enact organizational change); Pavi picks CFO (hardest to get full buy-in and budget alignment).
- Key Takeaway:
  - There is no winning with this demand; the trick is identifying where the ask is most strategically dangerous.
5. Why CISOs Walk Away: Burnout and Misaligned Environments
- Root Cause:
  - The real reason for CISO churn is being accountable for things outside their control: lack of budget, trust, and alignment ([25:12]).
- Advice:
  - Vet companies carefully during the interview. Ask tough questions about why the previous CISO left, budget, authority, and expectations.
  - If the fit is wrong, it's better for both sides for the CISO to exit early.
- Trends:
  - More early-stage companies are hiring CISOs, often before they’re ready or truly need one, leading to mismatched expectations and short tenures.
- Top Advice (Mike):
  - "Put yourself first. Take care of yourself. If you're in an environment that is over-stressing you, go do something else." ([30:25])
6. Vetting Security Vendors in a Sea of Sameness
- Market Problem:
  - Thousands of vendors, similar offerings, and “the same playbook” ([31:24]).
  - Demos and case studies are common, but few genuinely differentiate.
- Pavi’s Approach:
  - Favors in-network peer referrals and real-world feedback from other CISOs ([34:47]).
  - Most decisions to “rip and replace” require a 10x improvement and a compelling reason, due to migration pain and “bubble costs” ([36:37]).
- Mike’s Criteria:
  - Evaluates vendors via standardized must-have/nice-to-have checklists for apples-to-apples comparisons.
  - Looks for strong reference customers and evaluates the vendor’s partnership potential and innovation.
- Safe Spaces & Vendor Discovery:
  - CISOs rely on trusted communities because they’re wary of getting trapped in sales funnels.
  - Video demos on vendor sites are encouraged for initial evaluation without aggressive sales tactics.
- Notable Quotes:
  - “There’s always bubble costs involved because you can’t just rip something out and replace it.” – Pavi Ramamurthy ([37:02])
  - "Vendors have three meta competitors: do nothing, build it yourself, and other vendors." – Mike Johnson ([39:35])
  - "It's exhausting to replace an existing solution... unless your differentiator is 10x, there is absolutely no reason to." – Pavi Ramamurthy ([36:37])
7. Community and Support in the CISO Role
- Support Systems:
  - The value of CISO peer communities in sharing unvarnished advice and support, especially during burnout ([42:11]).
  - These safe havens are often the greatest resource during tough professional periods.
Notable Quotes & Memorable Moments
- [00:03] Pavi Ramamurthy: "When you play chess in cybersecurity, it's like the pieces are on fire, the board is upside down and business is yelling, move faster."
- [07:54] David Spark: "The ability to speak confidently about ambiguity is a core leadership competency."
- [09:59] Pavi Ramamurthy: "We can't promise safe, but I can promise ready."
- [12:54] Pavi Ramamurthy: "AI tools with no guardrails are very convincing. Chaos engines."
- [30:25] Mike Johnson: "Put yourself first. Take care of yourself. If you're in an environment that is overstressing you, go do something else."
- [37:02] Pavi Ramamurthy: "It's exhausting to replace an existing solution with a new solution. Unless your differentiator is 10x, there is absolutely no reason to."
- [39:35] Mike Johnson: "Vendors should recognize that there's essentially three meta competitors: do nothing, build it yourself, or other vendors."
- [42:11] Pavi Ramamurthy: "This is a thankless job...but I wouldn't do this if not for the security community. They've been there to not just offer guidance about vendors or best practices, but they've been there when CISOs get burnt out."
Timestamps for Major Segments
- [00:03] – Chess in cybersecurity: the impossible game
- [03:28] – Explain it like I’m five: communicating security
- [06:36] – Ambiguity & building board trust ("ready" vs. "safe")
- [11:45] – The “trifecta of doom” in LLM/AI integration risk
- [18:25] – What’s Worse Game: "I want perfect security" from CIO, CEO, or CFO?
- [25:12] – Why CISOs quit: powerless accountability and burnout
- [31:24] – Choosing security vendors in a sea of sameness
- [34:47] – Peer referral networks vs. scheduled demos
- [36:37] – The high cost and challenge of "rip and replace"
- [39:35] – Vendors’ real competition: do nothing, build yourself, other vendors
- [42:11] – Closing thoughts: community, burnout, and hiring
Conclusion & Closing Remarks
- Resilience and Readiness:
  - The recurring theme is that CISOs can’t guarantee “safety” but can cultivate organizational readiness and adaptability.
- Community as Essential Infrastructure:
  - Peer networks offer a lifeline for not just advice, but also emotional support and vendor intelligence.
- Vendor Selection Realities:
  - Checklist-based evaluation, reliable referrals, and careful scrutiny of migration complexity are critical.
  - Vendors breaking in must solve the “do nothing” problem, not just compete against other products.
- Final Call to Action:
  - Pavi is hiring at Blackhawk Network, but warns applicants: “You have to have heard every single minute” of the podcast!
This episode offers candid, actionable insight for CISOs and aspiring security leaders facing today's complex vendor ecosystem and organizational challenges. The frank talk between peers provides both tactical advice and empathetic support for those holding the line in enterprise cybersecurity.
