CISO Series Podcast
Episode: We All Agree That Prevention Is the Best Advice We're Never Going to Follow
Date: September 9, 2025
Host(s): David Spark, Andy Ellis
Guest: Jason Loomis (CISO, Freshworks)
Episode Overview
This episode tackles the persistent gap between the advice to implement preventive cybersecurity controls and actual organizational behavior. Security leaders discuss why prevention is often neglected, strategies for changing the culture, the experience of burnout in security roles, the nuanced value of human intuition compared to AI, and choosing between legal and operational risks. The conversation is rich with storytelling, practical leadership insights, and candid debate over what's really feasible on the ground.
Key Discussion Points & Insights
1. The Myth vs. Reality of Preventive Security Controls
- Theme: While prevention is widely espoused as the best approach, it’s rarely prioritized in real-world organizations.
- Insight: Cultural buy-in and storytelling are more crucial than technical controls alone for organizational change and adoption.
- Andy Ellis (07:26): “This is not your medicine to give. It's the organization's medicine to choose to take... Too many security folks think, oh, I get to force it down the company's throat.”
- Jason Loomis (09:01): “You can go show spreadsheets, but until you're telling a story about it, you're not going to get anywhere.”
- Actionable Point: Focus preventive measures on new systems (“shift left”) rather than retrofitting existing processes. Use success metrics and storytelling to build momentum and organizational understanding.
- Jason Loomis (10:34): “That's a storytelling that I use... I just saved 100 hours of development time because we know it takes this long to do a critical bug in production. Because I stopped it at the developer workstation...”
- Leadership Tip: Take team credit and elevate contributors outside security for broader buy-in.
- Andy Ellis (11:15): “The security team doesn't take credit. The team that actually got it implemented is the one you give credit to...”
2. Burnout & Peer Support for CISOs/Security Leaders
- Theme: Stress and burnout are pervasive among CISOs, yet dedicated support structures are limited and often virtual.
- Insight: Peer groups can provide unique relief through shared experience. In-person, smaller groups are more effective than large forums or conferences.
- Jason Loomis (13:12): “CISOs are extremely stressed out. I don't like the virtual nature of the Slack and the LinkedIn groups. I think we need in person.”
- Jason Loomis (14:26): “If I've met you twice at this dinner... we're going to start talking about sharing the stress.”
- Controversial View:
- Andy Ellis (16:04): “Get over it. Our community is actually not that special, but everybody pretends we are... At some point you actually have to say, this is a job. You're not a superhero.”
- David Spark (17:18): “But there are mechanisms to get over it. There are techniques to manage and that's why you need your groups.”
- Support Structure Best Practices:
- Seek groups led by peers with experience in overcoming stress—not just echo chambers.
- Broaden support below the CISO level and into role-specific communities (incident responders, new entrants, etc.).
3. What's Worse Game: Privacy Law vs. Security Risk
Scenario:
You’re CISO of a public company. After acquiring a German manufacturing plant, it's hit by ransomware. Legal requirements demand a privacy assessment before deploying new EDR solutions, but the plant is vulnerable in the meantime.
Options:
- A. Deploy EDR immediately, risking a violation of privacy laws and damage to internal trust
- B. Wait for privacy approvals, risking another security incident
- Andy Ellis (25:11): Firmly picked Option B (waiting) as “worse,” arguing you can manage the legal risk with paperwork while acting swiftly to protect against operational harm.
- Quote (26:39): “You have an emergency. You're doing an emergency cleanup. You will do the privacy impact assessment in parallel…”
- Jason Loomis (27:16): Disagreed, preferring to respect legal and privacy obligations and prioritizing the rights of individuals over operational expediency.
- Quote (30:00): “I respect the personal right of individuals over my company.”
- Memorable Exchange:
- David Spark (27:27): “Andy was, like, so confident. It's like, of course number two is what's worse. Everyone sort of read that between the lines.”
- Jason Loomis (27:55): “I could see him. He was dancing.”
4. The “Doorman Effect”: What Humans Bring That AI Can't (Yet)
- Theme: AI can automate visible tasks, but humans contribute context, intuition, and storytelling, which are crucial in security analysis and incident response.
- Jason Loomis (32:39): “Automating tasks is easy. Automating trust, intuition, cultural fluency... The doorman effect isn’t just about finding threats. It's about knowing why, who to tell, and how to say it.”
- Andy Ellis (33:35): “Let's just start with things like Outlook and calendaring and how much of a disaster meeting scheduling has become since we took humans out of the loop... AI has the potential to start to do some of that correlation... But I do agree... It's the context that the human brings.”
- Example: Human analysts correlate alerts with knowledge of company context (“that's the CEO in Ibiza”), while AI may lack the integrations needed to get the full picture.
5. Underappreciated and Unsexy Risks in Security
- Theme: Flashy risks (APTs, ransomware) often overshadow basic, underappreciated ones, such as:
- Script-based malvertising on 'trusted' websites
- Insider threats (malicious and negligent)
- Over-privileged users
- Business continuity basics (weather, HVAC failures)
- Andy Ellis (36:01): “The single biggest risk is that most companies don't make good choices. They don't have the right information to make choices.”
- Focus should be on unacceptable losses, not just the risk scenario.
- Overlapping single points of failure (e.g., only Jason has a permission) are more critical than just excess permissions.
- Jason Loomis (38:15): Advocated a controls-based mindset.
- Emphasized that 85% of cyber risk can be mitigated by getting the basics right (CIS18 controls).
- “It's about inventory. It's about know where your data is going and who has access to that data... It's the same basic security controls that I think all of us CISOs have known for... over 20 years.”
- On AI Hype & Quantum Risk:
- Jason Loomis (40:12): Raised quantum encryption as a potential looming risk.
- Andy Ellis (40:16): Dismissed concern for now: “Right now the only functional algorithm we have is Shor's, which breaks public key crypto... breaking AES is not an NP-hard problem...”
Notable Quotes & Memorable Moments
- Jason Loomis (09:01): “Preventative controls are the strongest. It's like having a lock on the door versus an alarm system... Too bad my jewelry's gone.”
- Andy Ellis (20:01): “Too many people think that they're paladins out to go save the world. Nope, nope. We are the sidekicks to the business. My best advice to you is recognize that you are Alfred. You are not Batman.”
- Jason Loomis (20:21): “Just like alcoholics... you talk to other alcoholics. What have you been through? How did you experience this?... It's a shared experience of therapy to get better.”
Segment Timestamps
- [07:26] – Culture and storytelling in prevention
- [13:12] – CISO/team burnout and peer groups
- [23:31] – “What’s Worse” scenario: privacy law vs. operational urgency
- [32:39] – “Doorman effect”: What’s lost in automating human security roles
- [36:01] – Overlooked risks and controls-first risk management
Episode Tone
Candid, irreverent, yet practical. The hosts and guest blend serious leadership and technical insights with playful back-and-forth, especially in the “What’s Worse” debate. They balance skepticism of hype (AI, quantum risks) with actionable advice rooted in team dynamics, empathy, and the realpolitik of organizational change.
Takeaways for Listeners
- Prevention is ideal—but stories, metrics, and early integration are essential for adoption.
- True peer support for CISOs needs to be local and personal; online chatter often isn’t enough.
- Choosing between legal and operational risks is rarely clear-cut; know your context, and document intentions.
- AI automates tasks, not wisdom; keep humans in control of context, communication, and judgment.
- Never ignore the basics—most breaches still derive from gaps in foundational controls.
- Stay humble: security teams enable, not dictate, organizational goals. Be Alfred, not Batman.
Contact & Careers
- Freshworks Security Careers: Hiring in Bangalore and Chennai; U.S. positions coming soon. Mention the CISO Series Podcast when applying.
- Sponsor: Safe Security – for autonomous Third Party Risk Management (TPRM).
For more episodes and to participate in the CISO Series community, visit cisoseries.com.
