Episode Overview
Podcast: CISO Series Podcast
Episode Title: We Gave the CISO Risk and Liability, and Now They Want Authority. The Nerve.
Date: February 17, 2026
Hosts: David Spark and guest co-host Steve Zaluski (with regular host Mike Johnson absent)
Guest: Tammy Klotz, CISO at Trincio
In this episode, the hosts and guest explore the evolving landscape of the CISO role, emphasizing the misalignment between risk and liability versus true authority. They discuss risk ownership, security myths (hack lore), the realities of new attack surfaces like AI-powered voice impersonation, and the perennial frustration over vendor-driven "budget gap" research. The show features practical insights and candid humor about the modern CISO journey.
Key Discussion Points and Insights
1. Analogy: Fish Tanks, Employee Headaches, and Security Tradeoffs
- [01:39–04:02]
- David Spark recounts a personal story about a leaking fish tank and giving away his fish, drawing a parallel to security challenges: sometimes the ideal fix isn't worth the disruption or risk compared with an alternative approach.
- Steve Zaluski jokes: "So is the takeaway from there if I have employees that are really difficult around security awareness training, that what I do is I give them away...?" [03:14]
- Sets the tone for creative analogical thinking in cybersecurity problem-solving.
2. The CISO Accountability vs. Authority Gap
- [04:15–10:54]
Central Theme:
- "CISOs own business risk without equivalent authority. This is the most common and most dangerous tension."
— Sanjeev Cherian (Microminder Cybersecurity), cited by David Spark [04:15]
Panel Reflections:
- Steve Zaluski:
  - Notes the difference between "anointed or appointed" CISOs. There’s no standard test or credential for legitimacy—sometimes people want accountability but not the matching authority, or vice versa.
  - “When you get a piece of paper you have to sign, that’s when reality strikes.” [06:12]
  - Cautions: "Don't just sign the paperwork. Read the fine print, okay. And understand that in signing that, what is it that you want in return? Okay. It's a relationship you're establishing. It's not a problem that you're owning." [06:54]
- Tammy Klotz:
  - Differentiates CISO as "risk advisor" rather than sole "risk owner." Success requires partnership with business stakeholders so that risk is not isolated within cyber teams. [07:34]
  - "I believe that the CISO takes on the role of risk advisor as opposed to risk owner in a lot of cases." [08:02]
  - Emphasizes never claiming to be “100% protected.” Instead, CISOs help the org align controls with risk tolerance, in partnership with legal and insurance functions. [10:05]
- Steve’s Analogy:
  - "Is a CISO more like an emergency room doctor or like a lawyer?" [08:44]
  - Sometimes, CISOs must both operate in crisis (“trauma room doctor”) and ensure systemic governance (“keep the company legal”).
3. Security Myths (Hack Lore) and Organizational Culture
- [10:59–18:09]
- David Spark introduces Bob Lord’s Hacklore.org initiative and questions why security myths withstand the test of time.
- Tammy Klotz:
  - Takes issue with the cliché that "employees are your weakest link." Instead, CISOs should cultivate employees as allies—"How do you make your people your strongest link in protecting your organization?" [12:20]
  - Emphasizes tailoring security education by relating it to employees’ personal lives rather than just corporate edicts. [13:30]
  - "Don't just say no, but tell me why. And that is a game changer." [13:37]
- Steve Zaluski:
  - Observes that “hack lore” persists because people fall back on what once worked—“Remember when changing the password every 90 days actually was effective?” [14:01]
  - Draws parallels to outdated mechanical advice for cars, showing how security practices can become outdated as technology evolves.
  - Calls for the CISO profession to shift from "tool jockeys" to strategic risk managers.
- Tammy Klotz (continued):
  - Uses the analogy of child safety advice evolving over decades ("how to put the car seat in") to illustrate the need for updating security practices as research and circumstances change. [16:43]
  - Stresses creativity and clear communication: “This is why we’re doing it different.” [18:09]
4. What's Worse? Scenario Game – Supply Chain Chaos vs. Critical Utilities Attack
- [20:07–26:47]
Scenario 1:
A threat actor quietly manipulates the routing in a shipping company, causing disruption in logistics and critical shortages for hospitals and factories.
Scenario 2:
A public utility network is compromised, resulting in water quality uncertainty, emergency advisories, and loss of trust.
- Steve Zaluski:
  - Sees water system compromise as “10 times worse.” Impact on health, safety, and societal trust is immediate and severe. [22:19, 23:15]
  - "You're disrupting the social fabric of the country as opposed to just the expectation of the delivery of a product." [23:16]
- Tammy Klotz:
  - Agrees, citing the real-life case of the 2021 Oldsmar, Florida, water treatment facility hack. [23:44]
  - “The possibility for that to spread much broader and impact a much bigger population was significant. So the risk is high.” [24:53]
  - Notes the challenge in even determining when to issue a boil advisory due to compromised monitoring data. [26:33]
- Steve Zaluski:
  - Contrasts “unknown unknowns” (water quality) with “known issues” (sporadic supply), underscoring why utilities attacks are more dangerous. [25:24]
5. AI Deepfakes & Voice Authentication: Trust, Complexity, and the End of ‘Easy’ MFA
- [26:47–33:28]
- Recent breaches (like MGM Hotels) and Reddit testimony highlight how easily voice cloning attacks can bypass phone-based authentication.
- Tammy Klotz:
  - Highlights the increasing sophistication and realness of AI voice fakes (including a personal anecdote about her mother falling victim). [28:17]
  - Focuses on returning to authentication basics—two-factor/multi-factor—but with more layers.
  - Champions empathy and context for help desk staff: "Tell them your why: I'm protecting you and I need to make sure it's you so that I do not accidentally give somebody else access." [29:32]
- Steve Zaluski:
  - Admits, “We’re screwed”: the traditional phone/voice route is now fundamentally unreliable. [32:32]
  - Predicts more friction in authentication processes and the need for new solutions (e.g., biometrics, wearables like Oura rings). [32:29–33:28]
  - "For five years now, you've heard us say, make security simple so people will follow it... We got to go back to the drawing board." [32:29]
6. Do Vendor "Budget Gap" Studies Actually Matter?
- [33:33–39:14]
- David Spark:
  - Expresses frustration with redundant, vendor-funded studies that claim “security needs more budget,” labeling much of it as “fear, uncertainty and doubt dressed up as insights designed to drive sales.”
- Steve Zaluski:
  - Quips, "Figures don't lie, but liars figure." [34:59]
  - He’ll use these studies if they support his agenda, but they are rarely truly actionable or convincing at the board level.
  - Finds even reputable reports (like the Verizon DBIR) stale, but acknowledges some incremental value in observing slow changes.
- Tammy Klotz:
  - Stresses that real-world risk conversations are more persuasive than stats.
  - "...If we found ourselves in the middle of a cyber attack, we are going to have operational risk. ...Therein lies the conversation around where the risk is and how it impacts the company. ...That's how you gain support for the tools you need." [37:26–39:14]
Notable Quotes
- “I believe that the CISO takes on the role of risk advisor as opposed to risk owner in a lot of cases.” — Tammy Klotz [08:02]
- "When you get a piece of paper you have to sign, that’s when reality strikes." — Steve Zaluski [06:12]
- "Don't just sign the paperwork. ...You're establishing a relationship, not just owning a problem." — Steve Zaluski [06:54]
- “How do you make your people your strongest link in protecting your organization?” — Tammy Klotz [12:20]
- "We’re screwed. … Voice recognition can’t be trusted, we have to take that out of the MFA equation.” — Steve Zaluski [32:32]
- "Figures don't lie, but liars figure." — Steve Zaluski [34:59]
- "Talk about it in the context of, if we found ourselves in the middle of a cyber attack ... there is operational risk... That's how you gain support for the tools you need." — Tammy Klotz [37:26]
Timestamps for Major Segments
- [00:02] CISO advice: "Never let a good crisis go to waste." — Tammy Klotz
- [01:39] Fish tank analogy, unintended consequences, and security parallels
- [04:15] The CISO risk/authority gap and evolving liability
- [07:34] The CISO as risk advisor vs. owner (Tammy Klotz)
- [08:44] CISO as trauma doctor vs. lawyer (Steve Zaluski)
- [10:59] Security mythology (“hack lore”) and culture change
- [12:20] Reframing “weakest link”: Empowering employees (Tammy Klotz)
- [20:07] 'What's Worse' Game: Supply chain compromise vs. water utility hack
- [26:47] AI and the end of easy voice authentication; new MFA challenges
- [33:33] The emptiness of vendor "budget gap" studies
- [37:26] How to actually build support for cybersecurity spending: Focus on real risk
Closing and Additional Resources
- Tammy Klotz plugs her book, “Leading With Empathy and Grace” (April 2024), on the importance of reframing “soft skills” as critical leadership essentials. [40:33]
- Hosts remind listeners about the upcoming Zero Trust World event in Orlando and encourage participation.
- Call to action: More “What’s Worse?” scenarios needed from listeners.
Tone and Takeaways
The episode is candid, witty, and pragmatic—challenging sacred cows (like “employees are the weakest link”), gently mocking vendor hype, but ultimately empowering security leaders to have real, business-first conversations. Core themes are responsibility, communication, adaptability, and leadership empathy.
If you missed the episode:
You'll come away understanding the current CISO reality: extensive risk and liability, limited authority, a need for coalition-building across business, and an imperative to move past outdated security dogma. The episode is full of practical analogies, hard-won wisdom, and the occasional playful jab—unmistakably in the unique, engaging style of the CISO Series.
