
All links and images can be found on This week’s episode is hosted by , producer of CISO Series and , principal of Duha. Joining us is , CISO, . In this episode: Making organizations take their security medicine Building CISO support systems...
Loading summary
David Spark
Before I begin this show, I do want to let you know about two great episodes that have just dropped on cisoseries.com for our show Security youy Should Know. Check out the episode entitled Harnessing AI Native Pam. That's privileged access management with formal. And we also have a great episode of Defense in Depth entitled how are you managing the flow of AI data? You can find Security youy Should Know and Defense in Depth on your favorite podcast app or over on cisoseries.com best.
Podcast Announcer
Advice I ever got in Security.
David Spark
Go.
Jason Loomis
Probably the best advice I ever got was from my old CTO and it's overused. I've seen it on T shirts, it's fake it till you make it. But it's really about always saying yes to when you're faced with a new challenge or a new opportunity or something you've never done before. They go, hey, do you want to take over privacy operations? I can't spell privacy. I'll take it. Yes. Always say yes.
Podcast Announcer
It's time to begin the CISO Series Podcast Foreign.
David Spark
Welcome to the CISO Series Podcast. My name is David Spark. I'm the producer of the CISO series. Joining me is Andy Ellis. He's the principal at duha. Andy, say hello to everybody.
Andy Ellis
Good afternoon folks. Or depending on when you are in the world, good morning, good evening, or good night.
David Spark
By the way, Andy was pointing to a graphic over his left shoulder. I have explained to him many times that this is a audio only program. He still doesn't get it, but I'm.
Andy Ellis
Really excited that I have a monitor behind me so I can like do videos with my slides here. But I've got to work on the contrast here.
David Spark
I don't know. We really have to. We all need to help Andy understand the difference between video and and audio. Audio you can only hear.
Andy Ellis
You can't see things unless you have synesthesia. Please, let's not be normist.
David Spark
Good point, Andy. You know we're available@cisoseries.com where all your senses but touch and smell can be used.
Andy Ellis
Ooh, smell.
David Spark
O browsers on taste, touch, smell and taste. I take that seeing and hearing. You could do it.
Andy Ellis
Yeah, we should get scratch and sniff stickers to give away at the next conference.
David Spark
That's not a bad idea. We do have stickers though. By the way, if you ever see me, I usually have stickers on me. Approach me and I'm happy to give you a packet of stickers of all logos of all our programs. You can put on your laptop. Let everyone know you listen I do that. I hope you're doing that, Andy as well. Sometimes, sometimes you take them on and off your laptop.
Andy Ellis
I have different devices and so some devices have stickers on them and some don't.
David Spark
My son went to a skateboard camp and he gave a sticker to a professional skateboarder who put it on his helmet. So CISO series is on the helmet. I don't even know who it is of a professional skateboarder.
Andy Ellis
Very cool.
David Spark
Our sponsor for today's episode is Safe Security, World's first self driving third party risk management platform. We're going to learn more about this very cool third party risk management management platform later in the show. So stay tuned for it. We'll be talking about it now. Andy, this is something I've said on the show multiple times before, but it bears repeating because I do enjoy it and that is compliments. I'm a big fan. Are you a big fan of compliments, Andy?
Andy Ellis
I love compliments. Anybody who wants to give me a compliment, always. Welcome to David. By the way, you're looking remarkably lovely this morning.
David Spark
Thank you.
Andy Ellis
And I see that you are observing the fast of Tammuz and not getting your hair cut for these three weeks before. Atisha Baav.
David Spark
I did not know that was a thing to do. But I have not gotten my hair cut for quite some time. But my hair is not growing at the rapid rate it used to as well. But the thing is, honestly, we've been getting practically daily compliments about our programming. I just want to say, and I've.
Andy Ellis
Said this, just which intern keeps doing them so we can pay them more.
David Spark
It is not an intern. It is. It's multiple different people. I know you want to knock me down a peg. And I just also want to say that the compliments, while they come through me as a conduit, that I know that I am not the one who should be absorbing all the benefit of these compliments, that they should be going to you, to the other co host, to my entire team. So I reiterate it to everybody again and again that we're all benefiting from these wonderful compliments. But we're hearing, although they're often coming directly to me. So by the way, feel free to send compliments directly to Andy as well and to Mike.
Andy Ellis
Actually send them to the audio editors who make us sound good.
David Spark
Yes. And to the audio editors. You can also say that for the audio we have multiple audio editors who work on all our programming and video editor too as well. And just in the entire team. That's just making everything awesome. So just want to say that we appreciate the compliments. As I've said before, the line I use, I have a very high tolerance for compliments. I've yet to find my limit. So if you want to keep hitting me with them, maybe one day I'll find it. Probably not. Let's begin with the show. What do you say, Andy?
Andy Ellis
Yes, that sounds like a great idea.
David Spark
Our guest, first time on a CISO series show. Thrilled to have him on board. He is the CISO over at freshworks. They are not a delivery mechanism for your supermarket, which is no food.
Andy Ellis
They don't deliver talcum powder for your baby's bottom. My understanding is ITSM and customer experience and security stuff. Ish.
David Spark
Exactly. But I bet you if they if someone makes a really big deal with you, I bet you you'd throw that in as an add on. Like you need a bottle of talcum powder. All right, we'll throw it in.
Jason Loomis
I don't know if we're that startupy anymore. Pretty established. Everything but the so we have a great security program, but it's not part of our product.
David Spark
Let me say this, the man who's speaking right there, he's the CISO of freshworks. It's Jason Loomis. Jason, thank you so much for joining us.
Jason Loomis
Thank you, thank you. Thank you so much for having me on. Longtime listener, first time guest.
Podcast Announcer
Well, that didn't work out the way we expected.
David Spark
When it comes to preventative cybersecurity, industry definitely suffers from physician heal thyself syndrome. Now, Ross Hallelujk of Venture Insecurity recently called out what many CISOs know but don't like to admit. Everyone talks about prevention, but very few actually implement it. Now, of course, if it was easy, everyone would do it. Prevention requires organizations to know exactly what they're trying to stop. And unlike detection tools that work silently in the background, preventative controls introduce productivity friction. So you might be succeeding with prevention, but at the cost of political capital in the business. Suddenly, every preventative measure becomes a negotiation with frustrated users or impatient executives. So, Andy, I'm starting with you. If we're going to actually make the organization take our prevention medicine, do we need to start with a cultural shift and buy in before implementing controls? How do you start this process of actually doing prevention, which kind of everyone's on board with?
Andy Ellis
So I think the most important thing here is this is not your medicine to give. It's the organization's medicine to choose to take. Right? You go to a doctor and a doctor Says, I'm going to put you on statins. It's your call whether you're going to take the statins or not. Like, the doctor is not forcing them down your throat. And too many security folks think, oh, I get to force it down the company's throat. And shoes.
David Spark
You have to sell these, by the way. A good point, by the way. My dad, who was a doctor, talked about this all the time. He goes, I don't know what it is. Sometimes patients just don't want to take their medicine.
Andy Ellis
Yep. Yeah. I was working with a company actually, just a couple days ago, and I'm sitting in on an executive team meeting. The CISO is presenting, and they've got like 12 slides. And I cannot understand the priorities of the CISO. Like, I'm sorry, I'm a professional here, and I'm like, trying to tease this apart. And I'm finally, like, found one. One slide. And I'm like, is this. Are you trying to do this work? Because. And I described a scenario which is the real scenario. Like, oh, we have this specific problem in our business. Here's this thing. And I said it. And every executive's like, wait, what we're doing what? What is happening? Stop that. And the CISO is looking at gas. He's like, for months I've been trying to sell you on this project, this set of preventative measures, and nobody has cared. And I said, that's cuz you didn't tell them why. You tell them why, and now they're bought in and they're gonna demand preventative measures from you. That's how you roll them out.
David Spark
All right, very good point. I throw this one to Jason. Have you had this same struggle yourself?
Jason Loomis
No, never. I've never heard of this problem ever. This is. I don't know who you're meeting with. Who are these CISOs and who can't story wait. I really want to hit on Andy's thing about storytelling. It's absolutely one of the most critical skills of a ciso. He's absolutely right. You can go show spreadsheets, but until you're telling a story about it, you're not going to get anywhere. So totally agree with that. And yes, absolutely. Preventative controls are the strongest. It's like having a lock on the door versus an alarm system. Alarm system. They break in, they get out. Oh, hey, look, we detected and they reacted. Fantastic. Too bad my jewelry's gone. So, yeah, preventive controls are the hard, but they're also the most impactful. Because when I put the Lock in the door. Now I got to make sure my wife has a key. I make sure she understands how to work that door lock and make sure that it doesn't. You know, she can get in easier and out, but it's going to increase time. As she's carrying groceries, she's going to have to let one hand go. So there's always an impact to something with a preventative control. So the way I like doing them, and I really think everybody should focus on this, meaning almost drop the preventive controls that are left, right, shifting left or far to the right, the ones that are really further down to the right of something, Meaning you're doing it after you built the system or you're doing it after the system was up and after people are using it. Focus on drop that. Don't even do it. Worry about the next system you're deploying and make sure you have the controls either before you deploy it or further left in the stack if you're coding.
David Spark
But is it okay if you successfully do that with the next control? Is there any way to create success? Like people gain, quote, get it, and then you can sort of go back and start dealing with old controls or. No, that's not doable.
Jason Loomis
That's a storytelling that I use. So. Great to get metrics. Great to get a story behind those metrics to say, look, you know, we put in this new control that we're blocking at the dev workstation for a critical. So preventing a critical security bug from going into staging or production, if you do it there, then you got to tell the story after. Like, look, I just saved 100 hours of development time because we know it takes this long to do a critical bug in production. Because I stopped it at the developer workstation when I deployed this new preventative tool, I stopped 100 of them, which is equated to about a thousand hours worth of dev time. So there's absolute ways with that story. Everything comes back to storytelling. Storytelling. You gotta have the metrics for it and then the storytelling behind it to show the value.
Andy Ellis
And even better, if instead of saying, I saved, you're like, this team saved the company by implementing this control.
Jason Loomis
Yeah, I never do. I actually, except on my podcasts. I only talk about me, me, me. Yeah, I always use. You bring up another great point. Always use we. It's we. It's a team effort. It's always we as a leader. That's the number one thing. You never take credit for anything. I never say, I did this and I'll call out Individuals who did the work, like, oh, this is my head of product security Ran. This was awesome job. Naga. That's his name?
Andy Ellis
Yeah. Oh, I go one step further. The security team doesn't take credit. The, the team that actually got it implemented is the one you give credit to. So other teams are like, get out.
Jason Loomis
Of my head, man.
Andy Ellis
You said nice things about me in front of the ciso or you said nice things about them. How do I do work for you so that you'll compliment me?
Jason Loomis
Pays benefits. When you say, oh, product engineering developed this. This was their baby. And thank you so much product and engineering. You did great work here. Oh yeah, dividend.
David Spark
I will also say while receiving compliments is great, so is giving them.
Jason Loomis
Yeah, giving is better than receiving.
Podcast Announcer
As a ciso, what do you think about this?
David Spark
If you go on the cybersecurity subreddit, there's almost a constant drumbeat of posts talking about burnout and the day to day pressures of cybersecurity. These posts are usually met with frank advice, helpful anecdotes, and more than a little snark. You know, it's still Reddit overall, but one recent Post asked if CISOs and other security leaders need a quote, space to support cybersecurity leaders and teams more intentionally. Now this essentially seems like a CISO support group to me and we have some spaces for this on Slack and LinkedIn, but is that enough? I mean, what would these kinds of spaces need to include in resilience and leadership training to be worth your time? And starting with you, Jason, is it too limiting for individual CISOs? Don't we need this kind of support for the whole team? Basically does what we have. Is that enough?
Jason Loomis
No, but it's so up to the individual, the organization and the team. So many things drive CISO stress from who you're reporting into. What's your executive leadership team like? Do you have the budget and support you're given? How good is your team? Were you handed the team? Were you able to pick the team? Are you a good leader yourself? Because that's going to cause problems if you're not a good leader. There's so many different variables with that, but overall the theme about are CISO stressed out? Absolutely. We have one of the hardest jobs because we don't really ever get wins. Revenue sales get wins. Oh, you busted it out the quarter. Nice work. And you're mentioned at the town halls. Marketing. Wow, what a great marketing effort. Did you see everybody driving by and see that billboard? Everything else is sales product. We nailed these features that our customers are so happy. CISOs never get it. You're always doing something wrong. It's like the power company. Right. You only get complaints when the power goes out. And that tends to be so. CISOs are extremely stressed out. I don't like the virtual nature of the slack and the LinkedIn groups. I think we need in person.
David Spark
Well, and. And we have that to a degree. Like there are conferences and the two big events like Black Hat and RSA are huge. But also, I mean, and I also started a security group in the San Diego area, which has been great for that as well.
Jason Loomis
But like, no, David, in my opinion, those groups are. What are the best solution when you can get. I don't want to be at a conference and talk to somebody I don't know. But if I've met you twice at this dinner and we talked about our kids or about softball, I'm going to get to know you more and then we're going to start talking about how sharing the stress of. The idea is the same storm, different ship. The idea that a CISO can. Oh, we're all facing the same problem and that makes us actually feel better. So that we don't think it's unique to us or that we have these stressors that if we know that other CISOs are facing these same problems, that helps. And you can't do that at Black Hat. Some things you can't say. I mean, we might over a beer once I found out and I start to trust you as another ciso. So I'm really a fan of those smaller. I belong to two of them, one in LA and one here in Colorado, that I absolutely make the dinners every two months. And it's just such a great small ten of us. And that's where I get that support and be like, okay, I feel better. My board just yelled at me. They don't yell.
David Spark
And wherever you are, you could be doing this in your space. There's nothing limiting you to do this in your own space. I can't stress it enough. I moved here knowing nobody or knowing, excuse me, one person. And then he was the one who helped me start the group.
Andy Ellis
Yeah.
Jason Loomis
And it doesn't have to be at the CISO level like you mentioned. Like, it can be at the director level, the manager level. It could be at a specific vertical within security. Hey, we're incident responders. Anonymous.
David Spark
It could be a bunch of people looking for their first job, too.
Jason Loomis
Those are great. Yeah. For the networking, for the. Just to get to know somebody, to get your foot in the door. Absolutely.
David Spark
All right, Andy, I throw this to you. Is what we have satisfactory enough? Both Jason and I agree that it's. If you can do regular in person meetups wherever you are, that's ideal.
Andy Ellis
So first of all, I want to start by saying that if you're worried about burnout, hanging out on Reddit is probably not helping you.
David Spark
Well, people like to shout.
Andy Ellis
Think about your selection bias of what community you're hanging out with, all caps. But let me actually say, I know this is a huge problem in our industry and I'm going to try saying something radical. Get over it. Like, our community is actually not that special, but everybody pretends we are. Like, we do not have more stressful jobs than the CRO who if they don't make the number, get fired. They've got one year to make a number, they're fired and go.
David Spark
But don't you think there's a little bit of a Rodney Dangerfield sort of sentiment in the security industry?
Andy Ellis
Oh, there's a lot of people who are like, oh my God, we got to blow it all out of proportion. We take onto ourselves stressors that are not ours. We panic when people around us aren't stressing and so we stress more. And so at some point you actually have to say, this is a job. This is not. You're not a superhero. Your job is not to save the planet. You have a job to do, which is to enable your business to make wiser risk choices. And I'm not saying that burnout is not ever going to be a problem and that it's all self induced, but there is a component of it that is self induced.
David Spark
But hold on, I'm gonna push back on this because this is a lot of sort of Dr. Phil style response in just get over it kind of a thing. But there are mechanisms to get over it. There are techniques to get, there are techniques to manage and that's why you need your groups.
Andy Ellis
But if your groups are all the people who don't know how to get.
David Spark
Over it, then you got an echo chamber.
Andy Ellis
And that's part of the problem here is that we talk to each other and we talk to people who say, oh my God, it's awful. And so we believe it's more awful. Go find your support group of level headed people or people who work outside of cybersecurity who have very stressful jobs and listen to how they manage stress. I know CROs, you know how they manage a lot of the manage stress. They go golfing, they go fishing, they do things that have nothing to do with their day job.
David Spark
So I'll tell you a perfect example of very this. And I think it has to do with the people who. The security people who like to blame the, quote, stupid users and the people who realize know they're doing their job. And years ago, you know, this Ashley Madison case where people got caught and.
Andy Ellis
What was Ashley Madison? I don't know anything about it. Were you one of the users of it? Is that how come you know about it?
David Spark
I read the news, Andy.
Andy Ellis
Can't believe you walked into that one, David.
David Spark
I read the news, the Ashley Madison case, and I did one of my man on the street videos where I asked people, now, the Ashley Madison. What's your advice for users who got snagged in the Ashley Madison case? All right, I would say half. Half of the people. And this goes back a number of years ago. This goes back maybe eight, nine years ago. Half of the people's advice, and because this is security professionals, their advice, again, I was asking for advice, was they shouldn't have been on there in the first place. And I'm like, that's not advice. That's I told you so. And I did get good advice. I talked to some lawyers, and they actually provided some good advice on how to deal with this kind of thing. And so this is often, I think the problem is when something hits the fan, they just want to show that they were right. And again, this. I don't see nearly as much of it today as I did back then, anecdotally. How do you feel, Andy?
Andy Ellis
Like, the challenge is, I agree with you that. That some of this is people who think that they're the center of the universe. They're not focused on the user. Like, you want to talk about Ashley Madison. Like, if I recall, there are several suicides related to that breach. And so if your advice to people who are having literally the last, worst day of their life is you shouldn't have done it. Which, sure, we all can agree on that one.
David Spark
But just so we can all define it, that is technically not advice.
Andy Ellis
Right. That is feeling holier than now. Too many people think that they're paladins out to go save the world. Nope, nope. We are the sidekicks to the business. My best advice to you is recognize that you are Alfred. You are not Batman.
Jason Loomis
All right, that's fair. But when you're stressed out and you need almost psychological support.
David Spark
Yes.
Jason Loomis
You just like alcoholics. So they put them with, hey, just go talk to people who aren't alcoholics. No, you talk to other alcoholics. What have you been through? How did you experience this? It's a shared experience of therapy to get better. And CSOs are the same.
Andy Ellis
Okay, but you don't just go talk to other alcoholics who've not been through therapy.
David Spark
Right, right. Someone who's not an alcoholic is not gonna provide good advice.
Jason Loomis
Well, actually, that's, you know, who's your sponsor is somebody who's been through it, who knows? And sometimes you. And you do find these. At these CISO groups of, hey, what did you do in this situation? You know what? I never thought of that. Dave, That's a great approach. I'm gonna try that next time.
Andy Ellis
Well, and Jason, you're onto something right there, which is. And I don't really like the alcoholic analogy, but I'm gonna run with it.
Jason Loomis
Bad analogy.
Andy Ellis
Which is you don't put alcoholics just with other alcoholics who have not been on the road to recovery. The key there is you want the people who know how to get to recovery, who've been there as part of that, and that's a key part of it. Like, absolutely. CISOs who know how to manage the stress is who you should be talking to. You should not get into a room with a bunch of CISOs who do not know how to manage the stress because you'll just burn each other out.
Jason Loomis
That's fair.
David Spark
It's not so much don't have a plan or don't want to deal with it. They're just living in it, swimming in it.
Andy Ellis
Right.
Jason Loomis
Or they don't know what to do. I think most of it is they don't know what to do. Hey, my board's coming down on me and I don't know what to do here. And that peer discussion helps so much.
David Spark
Before we go on any further, I do want to tell you about our spectacular sponsor, and that is safe. This episode is sponsored by safe, the cyber risk management company flipping the script on third party risk management with agentic AI. This was a hot topic at RSA this year. So let's face it, traditional tprm, it's broken manual questionnaires, static assessments and siloed tools can't keep up with the speed and complexity of today's vendor ecosystems. And this is where SAFE comes in. SAFE leads the way with agentic AI powering a zero effort TPRM platform that automates the entire third party risk lifecycle. From onboarding and due diligence to continuous monitoring, SAFE's growing fleet of specialized AI agents does the heavy lifting so your team can focus on what really matters. Making smart risk informed decisions. That means 100% automated vendor risk assessments in real time. Risk prioritized visibility without the manual grind. So it's no surprise Safe was recently named a leader in Liminal's 2025 TPRM report, topping the charts for product capability. Safe is also the fastest growing vendor in the tPRM space, hitting 10 million in annual recurring revenue from its TPRM platform alone in just 10 months. So if you're looking to scale your TPRM program without adding headcount to visit Safe Security. That's our website, just Safe Security and see why Autonomous TPRM is the future. With Safe leading the charge.
Podcast Announcer
It'S time to play what's Worse.
David Spark
All right, Jason, you know how this game is played, correct?
Jason Loomis
Yes, I do.
David Spark
All right, we got a brand new contributor. Just literally minutes before this recording, this what's Worse scenario came in. It comes from Azrin Bogavac of Generac. And here's the situation. You got the following situation. You are the CISO of a publicly traded company that acquires a manufacturing plant in Germany. Shortly after the deal closes, the site is hit with ransomware, resulting in a two week outage. After a tireless recovery effort, the site is finally back online. Now, the investigation reveals that the existing endpoint detection response solution is outdated and inadequate. So your team is prepared to deploy your standard enterprise platform to restore visibility and strengthen defenses. However, a privacy impact assessment has not been completed and the workers council has not been consulted. You are still trying to confirm whether one has been formally established. Both steps are required under German law. You are also informed that if privacy violations occur, local authorities could intervene and potentially shut down the planet again. All right, here are your two scenarios. Scenario one, and by the way, Jason, just so you know, I'm going to have Andy answer first, so hold your response. Scenario number one, you deploy immediately to contain the threat. Privacy teams may block it and the move could damage trust with internal teams and the new subsidiary. Or scenario two, you just wait for approvals, which could take months. Meanwhile, the plant remains vulnerable and at risk of another attack. So Andy, which one is worse?
Andy Ellis
I'm trying to find the trick here because this is pretty clear that number two is worse.
David Spark
Well, hold it, let me see.
Andy Ellis
Just go deploy both of these.
David Spark
Our risk. Risk of getting fined and getting shut down or risk of being attacked?
Andy Ellis
Right, Yeah. I think you go deploy, you file a bunch of CYA paperwork, you notify lots of people that we're doing this. We're going to rapidly do a privacy impact assessment. We are going to hide all of our logs from our US Colleagues for a little while. Like, you jump through some hoops to make it clear that you are not end running the privacy system. You are just end running the bureaucracy. You're gonna get it out, but you're gonna comply with everything. You engage folks like, you can manage this. Like, this is a paperwork exercise that is completely manageable on this front end. Establishing the precedent up front that, oh, no, no, we don't do anything until this bureaucracy comes through, even in a crisis. Yeah, no, I'm gonna go with number two, even if it costs me my job, is what I prefer. So number one's worse.
David Spark
But we're assuming that they don't care that you say all of this stuff, because if that were the case, what you said, Andy, then of course, scenario two would be far worse. That's assuming that, like, oh, we're okay with the fact that you did this and you sent the paperwork, but look, we have privacy laws in Germany, and we don't care that you said it.
Andy Ellis
Yeah, I still think that in this case, you're gonna proceed with. Because almost every one of the laws. First of all, you get to file all your paperwork in German, which is a lot of fun dealing with the German government. You file nothing in English. It's all in German. But you're basically, you have an emergency. You're doing an emergency cleanup. You will do the privacy impact assessment in parallel, but you're not going to sit here and say, oh, we are going to leave German power offline until we get the privacy impact assessment done. No, we're going to do the privacy impact assessment. If it turns out we picked wrong, we'll fix our error.
David Spark
All right, Jason, do you agree or disagree?
Jason Loomis
Door number two, please. Door number two. I disagree.
David Spark
You disagree?
Jason Loomis
But I. Here's. Yes, I disagree.
Andy Ellis
Oh, you. So you would rather wait for the assessment?
David Spark
Okay. All right. So, Andy. So hold. Wait. Let me just.
Jason Loomis
Please let me finish that sentence.
David Spark
Hold it. Let me pause you for a second, Jason. I just want to point out that Andy was, like, so confident. It's like, of course number two is what's dancing. Of course you're a fool for even reading this.
Andy Ellis
David, I did not say you're a fool for even reading this. Although I did think it.
David Spark
No, but it was intended. It was all. Jason, you heard it. It was intended. Right? It was between. Everyone sort of read that between the lines.
Jason Loomis
I could see him. He was dancing.
David Spark
So there was he was dancing.
Andy Ellis
Like I was. I totally was dancing.
David Spark
All right. I love whatever comes out of Jason's mouth. I know I'm gonna love it.
Andy Ellis
Okay, I wanna. I wanna hear Jason's justification for leaving his company exposed to ransomware that could shut down the German power distribution infrastructure when he has an off the shelf tool currently capable to deploy.
Jason Loomis
Sure. An untested in that environment tool.
Andy Ellis
No, no.
Jason Loomis
And a tool that's not 100% efficacy. I don't know if the tool's going to work for me. I'd focus on mitigating controls. There are always mitigating controls to one specific control. So I would say I'll wait and I'll figure out.
David Spark
No.
Andy Ellis
Okay. So Jason is editing, which I just want to point out, what is your. That Jason edited the scenario to say untested tool. No, no. This is your standard off the shelf tool.
Jason Loomis
There's no. This is a Kobayashi Maru.
Andy Ellis
Yeah. This is your standard off the shelf. Like this is the EDR that you're running everywhere else in your business.
David Spark
Right.
Andy Ellis
That you just want to deploy into here because it is effective for your business. If you think it's fit for purpose, you can't make it not fit for purpose for this scenario.
David Spark
Yeah.
Jason Loomis
No. So I'm not going to. I'm going to wait to deploy that. But I would focus on. There's nothing wrong with. On why I can't focus on other controls to help prevent what happened.
Andy Ellis
Do you have to do privacy impact assessments for those? No. Nope. You can't deploy anything if you're waiting.
Jason Loomis
No, no, that's not true. We don't know. I'm positive there are things I can do that aren't the edr. They're going to affect privacy.
David Spark
Hold on. First of all, yeah.
Jason Loomis
I respect the. I respect the law.
David Spark
So the way these platforms work is you got. You only could do A or B here. There isn't a choice of C or D here. That's how this game works. Jason.
Andy Ellis
Jason does not want us.
David Spark
He said I was going to love everything came out until he went rogue on the game.
Andy Ellis
I know.
Jason Loomis
Oopsie. Okay. I'll still go B. It's the right thing to do.
David Spark
You're still going. Oh, you mean B you prefer. Because the game's called what's worse. You have to check which one you think. So is it worse?
Jason Loomis
I prefer B.
Andy Ellis
You prefer me then leaving yourself, leaving your company open to the ransomware.
Jason Loomis
I respect the personal right of individuals over my company.
David Spark
Ah. You see, and that's what The German government thinks as well, and I don't.
Jason Loomis
Want to touch with that. And that's what government believes, and I'm a fan of that.
David Spark
Jason is in line. Do you really, really want to mess with the German government? They're probably bigger than you.
Andy Ellis
Me? Wait, are you asking if I want to mess with the German government as I hold up my Star of David?
David Spark
No. No, I don't. You don't? They've got some pretty strict privacy laws now.
Andy Ellis
They absolutely have strict privacy laws, but they are not, despite the reputation that they might have, they're not stupidly draconian.
David Spark
Well, is it?
Jason Loomis
Wait, aren't we going outside of the rules of the thing again? If you say, oh, they're really not going to come after us.
Andy Ellis
No, they might come after you, but they're not going to come after you in a way that is overly punitive. Like, I've operated in Germany before. Like, they don't come and be like, oh, my God, you did this one thing without any permission. Your whole company's going to jail. Like, they're like, why did you do this? Okay, let's get the paperwork done right? Like, as long as you're willing to work within the bureaucracy, you're fine. Like, you might pay a fine, but would you rather pay a fine or risk not being in business in Germany with a subsidiary you bought that clearly didn't understand security? Security.
Podcast Announcer
Is AI going to help us or hurt us?
David Spark
Quote on paper, a doorman gets paid to open a door. An automatic door does it cheaper, faster, and never takes a lunch break if you only measure the task. It's obvious we don't need doorman in 2025, but as you might have noticed, we still have them and similar jobs like Costco receipt checkers. So rather than considering these roles, a novel anachronism, Nick Romanos of Rivers Agency pointed out this reductive approach mistakes the visible task for the full value. The doorman also screens for sketchy people, recommends the best nearby latte and signal status of the building where you're at. So can we extend this, quote, doorman effect to AI in cybersecurity? We're facing the idea of replacing analysts, researchers, and even some architects because their output can be mimicked by machines. But the best security professionals navigate organizational politics, interpret ambiguous intelligence, and read the room during incident response. There's more there than just the visible task of analysis. There's no question AI can and will be used to execute human security tasks. But I'm going to start with you, Jason. What are these dormant effects we'll miss without a human in the loop a lot?
Jason Loomis
Automating tasks is easy. Automating, trust, intuition, cultural fluency. That's not. The dormant effect isn't just about finding threats. It's about knowing why, who to tell. Get back to storytelling and how to say it. AI can analyze, but humans contextualize. AI can tell you someone's breaking in. Hey, we just had this alert go off. Yep. AI says, oh, I got an alert. Someone's trying to get into our systems. But as of today, it's the human that's going to know. Oh, man, that's my CEO again. He's partying in Ibiza and he's using a hotel wi fi. But I knew that there's value beyond the task. Absolutely. Just like the door greeter analogy. And also the other big thing is when to cause an incident and when not to cause an incident. Oh, boy, somebody's breaking in. And the knowing not to is like, oh, oh, no, that's your buddy over there again.
David Spark
All right, throwing this to you, Andy. What dormant effects do we lose with any automation?
Andy Ellis
I mean, let's not even go to AI first. Let's just start with things like Outlook and calendaring and how much of a disaster meeting scheduling has become since we took humans out of the loop. Like, remember when we used to have admins who would actually figure out, like, optimal meeting scheduling and do same things? And now it's like, oh, somebody goes and clicks a link and they throw something on your calendar, like, at a pessimal time. And like, you have crazy things going on, like, with that AI might actually make this better. To be clear, I think that the Replacing humans with small technologies to do those tasks is the really dangerous thing. Right. An alert that says, oh, here's an alert. Automatically block it. That's problematic. AI has the potential to start to do some of that correlation that humans have been doing. I don't think we're really there yet outside of some very narrow use cases. But I do agree with Jason that, like, it's that. I don't necessarily want to say the intuition. It's the context that the human brings. Because sometimes it's intuition, but a lot of times it's just. No, I remember that, like, yeah, Jason's off in Ibiza right now. There's no reason your AI doesn't know that, except that you don't connect it. How many security systems do people have that are actually connected to your company's vacation tracker? Just start with that question. If you don't know where your people are on vacation and your security systems can't see that. How are you possibly doing anything from a context perspective?
David Spark
That's a very good point.
Podcast Announcer
Okay, what's the risk?
David Spark
On cybersecurity headlines, we feature a lot of stories about APTs, advanced persistent threat threats, ransomware and lots of other flashy risks. These get a lot of attention, but the cybersecurity subreddit recently tried to highlight the underappreciated risks that often go unnoticed. For example, ads that run scripts on sites deemed quote safe without much oversight, insider threats either malicious or negligent, and over provisioned users were popular under appreciated risks. Others cited more basic risks like the weather flooding a data center or your air conditioning going out at your data center. And of course good old fashioned stupidity is a risk. So Andy, do any of these resonate with you and what risk do you see? Not getting the concern they deserve.
Andy Ellis
I mean the single biggest risk is that most companies don't make good choices. They don't have the right information to make choices. But that's not actionable, much like several of these are also not actionable. You can't say stupidity is a risk. The real risk is you didn't design good systems and so users just trying to get their job done cause you problems. But I like this concept. People do need to be focused. You need to say what are the unacceptable losses? So you had in here one of the ones you mentioned was like a data center flooding. Okay, so somewhere you should write down not the risk of the data center flooding but that the data center going offline. How bad is that? Is that an unacceptable loss for your business? When I was at Akamai, there were basically only a handful of the data center going out was even a problem for us. Most of us, we didn't care. So we're like great, whatever, like data center die is not our worry. Other ones, then we're going to start to focus on these risk scenarios. And so I think the challenge is people often start from the sexy risk scenario and they don't start from the unacceptable loss. That's where you actually need to start doing your risk analysis is from what are the outcomes that that present problems for our business and how do we mitigate the hazards that lead to those.
David Spark
But I will also say, and I agree 100%, like start with what could happen that would cripple us, end our business and then figure that. But at the same time you need to know sort of the common ways these things happen.
Andy Ellis
As well, oh sure, like you absolutely need to know. But if your challenge is like let's take the over provisioned user which overlaps with an insider risk threat, overlaps with a bunch of things is what if you have a single point of failure? Like I've got Jason. Jason runs 80% of my business. If Jason becomes unavailable is my unacceptable loss. Now my problem is not Jason has too many permissions because taking away the permissions doesn't solve the problem that the business relies too much on Jason and there's nobody backstopping him. I can't take away his permissions before I give them to somebody else. And I've seen companies that focus on how many permissions does one person have versus how many permissions are not replicated. There's only one person with that permission.
David Spark
Okay, I throw this to you, Jason.
Jason Loomis
I like looking at it from the controls perspective because nobody does. It's about the basics, almost all risks. I don't like the data center thing, but that could go into the availability and recovery part of NIST csf. But everybody always looks at, oh, I gotta go protect this APT from this specific attack. When you figure out how they got in, it's gonna point to one of the basic security controls. So and if I focus, we. I don't know if you know, but we know that if you do 85% of the CIS18, which you know, those foundational controls, there's like what, 50 of them. You do these 50 things, you're gonna reduce 85% of your cybersecurity risk. And we still today don't focus on those. We go with the flash, we go with that APT just got in here through this way and now I gotta go make sure I have an MFA resistant MFA and I SPE critical and it's my number one priority when. Why don't you just work with getting MFA efficacy across all of your systems, being good at the one thing. So for me, I really think CISOs in general need to focus on just getting the basics right.
David Spark
We talk about this all the time.
Jason Loomis
And I feel like this is a 20 year old speech. We've known about these controls for 20 years. They haven't really changed. Even AI. What is AI about? It's about inventory. It's about know where your data is going and who has access to that data and that training data and those models and those systems. And this whole AI security, we got AI security figured out. Marketing stuff is really, at the end of the day, it's the same basic security controls that I think all of us CISOs have known for. I just dated myself over 20 years.
David Spark
I will quote something that I read on Reddit, a very popular post on the cybersecurity subreddit. And I've said this before, and it's ironic because we're just a couple of weeks away from Black Hat, but the quote was the thing you were worried about before you went to Black Hat is going to be the same thing you're going to be worried about after you leave Black Hat. And the whole point of Black Hat is to tell you about new stuff to be worried about.
Jason Loomis
Can I throw one in that maybe not will be that I think is and some of my peers think is a blind spot.
David Spark
Sure.
Jason Loomis
And it might be science fiction. Y But quantum encryption?
Andy Ellis
Oh, God, no.
Jason Loomis
I think as soon as AES256 is broken, you're going to, you know, somebody. Some. Somebody's going to figure it out.
Andy Ellis
But we don't have an algorithm to break AES with quantum.
Jason Loomis
Not today, no.
Andy Ellis
But right now the only functional algorithm we have is shorz, which breaks public key crypto. And the whole benefit of Quantum is that you reduce NP hard problems to p and breaking AES is not an NP hard problem because it's not based on a reversible function. So I'm going to disagree on that one and say, like, there is a day that we have to worry about it because the way we distribute private keys for AES relies on algorithms that are quantum attackable. But we're so far away from that right now. But the forward secrecy problem, the data you're transmitting today may be broken in 15 years. And is that going to matter?
David Spark
Okay, that brings us to the very end of the show. I want to thank our guest, Jason Loomis, CISO over at freshworks, where you could ask him all you want. He's not going to deliver your groceries.
Andy Ellis
Dang it.
David Spark
So people are mistaken about freshworks.
Jason Loomis
What is it not it is not a lettuce delivery or grocery delivery service. Freshworks. We uncomplicate X and CX for your business. So if you're ITSM or interfacing with customers, we have an uncomplicated AI centric platform.
David Spark
By the way, do you charge an extra 25 cents for grocery bags?
Jason Loomis
No, only if our AI agent delivers.
David Spark
Thank you so much, Jason. We greatly appreciate it. Our sponsor for today's episode has been and we love having them on board, it's Safe Security. Remember, go to their website, Safe Security to learn about their really impressive TPRM Third party risk management platform that can do a lot of work for you. It's gonna be pretty darn cool.
Andy Ellis
Apparently it's self driving.
David Spark
It's self driving.
Andy Ellis
The waymo of third party risk management.
David Spark
It's the waymo of third party risk management programs. Yes, exactly. Just what Andy said there, Jason. Let me also ask you another question. Are you hiring over at Freshworks?
Jason Loomis
We are in security. I think every CISO is always hiring to find good talent. And yes, we are. We have multiple open positions out of Bangalore and Chennai.
David Spark
All right. Nothing in the United States, so I understand. Correct.
Jason Loomis
Not today. But soon, soon. So keep an eye out. Check Our job board, freshworks.com they have.
David Spark
A job board over there. And by the way, it would definitely help, I'm sure, Jason, if they mentioned they heard you on this show.
Jason Loomis
Yes, yes, we have the freshest groceries in town.
David Spark
Well now, this is your new tagline.
Andy Ellis
You should say that Andy was stupid. Jason, you were so brilliant for disagreeing with him. I want to come be on your team.
Jason Loomis
I love it. You're hired.
David Spark
All right. Thank you very much, Jason. Thank you very much, Andy. And thank you, our audience. Send us more. What's worse scenarios? You could add an A, B, C or D option because it looks like Jason wanted to create a C or D even though it wasn't there. I thought the AMB was fine here, but Andy thinks he can just work the German government and get what he wants.
Andy Ellis
I'm saying I can mitigate the risk by working the German government, but I'm not going to risk having my power plant not functioning.
David Spark
German government cares more about the privacy of their people.
Andy Ellis
No, no, they actually don't. They. They give lip service in the other direction.
David Spark
But I. I think power is it. I think beats privacy. I. I think I would agree with you on that. All right, with that being said, thank you everybody and thank you to our audience. We greatly appreciate your contributions and listening to the CISO series podcast.
Podcast Announcer
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup and cybersecurity headlines. Week in review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spring directly at davidisoseries.
David Spark
Com.
Podcast Announcer
Thank you for listening to the CISO series podcast.
Episode: We All Agree That Prevention Is the Best Advice We're Never Going to Follow
Date: September 9, 2025
Host(s): David Spark, Andy Ellis
Guest: Jason Loomis (CISO, Freshworks)
This episode tackles the persistent gap between the advice to implement preventive cybersecurity controls and actual organizational behavior. Security leaders discuss why prevention is often neglected, strategies for changing the culture, the experience of burnout in security roles, the nuanced value of human intuition compared to AI, and choosing between legal and operational risks. The conversation is rich with storytelling, practical leadership insights, and candid debate over what's really feasible on the ground.
Theme: While prevention is widely espoused as the best approach, it’s rarely prioritized in real-world organizations.
Insight: Cultural buy-in and storytelling are more crucial than technical controls alone for organizational change and adoption.
Actionable Point: Focus preventive measures on new systems—“shift left”—rather than retrofitting existing processes. Use success metrics and storytelling to build momentum and organizational understanding.
Leadership Tip: Take team credit and elevate contributors outside security for broader buy-in.
Theme: Stress and burnout are pervasive among CISOs, yet dedicated support structures are limited and often virtual.
Insight: Peer groups can provide unique relief through shared experience. In-person, smaller groups are more effective than large forums or conferences.
Controversial View:
Support Structure Best Practices:
Scenario:
You’re CISO of a public company. After acquiring a German manufacturing plant, it's hit by ransomware. Legal requirements demand a privacy assessment before deploying new EDR solutions, but the plant is vulnerable in the meantime.
Options:
A. Deploy EDR immediately, risk violating privacy laws and damaging internal trust
B. Wait for privacy approvals, risk another security incident
Andy Ellis (25:11): Firmly picked Option B (waiting) as “worse,” arguing you can manage the legal risk with paperwork while acting swiftly to protect against operational harm.
Jason Loomis (27:16): Disagreed, preferring to respect legal and privacy obligations, prioritizing the rights of individuals over operational expediency.
Memorable Exchange:
Theme: AI can automate visible tasks, but humans contribute context, intuition, and storytelling—crucial in security analysis and incident response.
Example: Human analysts correlate alerts with knowledge of company context (“that's the CEO in Ibiza”), while AI may lack necessary integrations to get the full picture.
Theme: Flashy risks (APTs, ransomware) often overshadow basic, underappreciated ones, such as:
Andy Ellis (36:01): “The single biggest risk is that most companies don't make good choices. They don't have the right information to make choices.”
Jason Loomis (38:15): Advocated a controls-based mindset.
On AI Hype & Quantum Risk:
Candid, irreverent, yet practical. The hosts and guest blend serious leadership and technical insights with playful back-and-forth, especially in the “What’s Worse” debate. They balance skepticism of hype (AI, quantum risks) with actionable advice rooted in team dynamics, empathy, and the realpolitik of organizational change.
For more episodes and to participate in the CISO Series community, visit cisoseries.com.