
Loading summary
Host/Announcer
Best advice for a ciso Go.
Tammy Klotz
My best advice for a CISO is to never let a good crisis go to waste and to ensure that you're using any learning opportunities from those crises to improve your incident response and recovery procedures.
Host/Announcer
It's time to begin the CISO Series Podcast.
David Spark
Welcome to the CISO Series Podcast. My name, my name is David Spark. I'm the producer of the CISO Series and joining me is actually a guest co host, but he's normally not a guest co host. He's a regular co host of a show called Defense in Depth. It's also on our network. It's none other than Steve Zaluski. Steve, say hello to the audience.
Steve Zaluski
Hello audience.
David Spark
That is Steve Zaluski, who has been greeted in person with hello, Steve from. From hearing that very specific greeting. We are available over at cisoseries.com, where you can hear Steve's other show that he's on. And that would be Defense in Depth. And I strongly recommend you check out that show and all our other programs on the CISO series. I do want to mention our sponsor and that would be threatlocker. Allow what you need, block everything else by default, including ransomware and rogue code. That's threatlocker. They have a zero trust solution and in fact they are going to be hosting Zero Trust World in Orlando this year. I'm going to be talking more about that later in the show. But first, Steve, here's my story of the week and that is I had to donate my fish.
Steve Zaluski
Not to dinner, I hope.
David Spark
No, they are not anybody's dinner. They are hopefully swimming and still alive. So here's the thing. I discovered a leak in my fish tank in the luckily the top third of the tank, not the bottom of the tank, the top third. So it was a tiny leak. It was right by the seam. All of a sudden we saw a pool of water. It was like 4ft in diameter on our floor. I'm like, what the heck? And noticed the tank had been leaking and so I had to drain water out of the tank. So there were only about 2/3 left. And I tried to repair the tank with some gorilla glue that works on glass that does not work. Just so you know. Anyone who wants to repair their tank, it doesn't work. But the reason I'm telling this story is there's gotta be things that are akin to this in cyber, where the process of fixing this in the way that would be sort of ideal for the fish and for me just isn't worth it. And that was the process of trying to get another tank, moving them to another tank, draining the other tank, because once you fill a tank with water, you don't move the thing. It weighs a ton. And so good news is the fish are not dead. Anybody. And when thinking that I flushed them, I did not. And if anyone else has this problem, I put all the fish into a bucket and I drove to the local aquarium store and I donated my fish. And. And now I have to figure out a new solution and get essentially a new tank. So that's my story, Steve.
Steve Zaluski
So is the takeaway from there if I have employees that are really difficult around security awareness training, that what I do is I give them away rather.
David Spark
Than try to donate them to the local aquarium? Yes, exactly. We are on exactly the same page here.
Steve Zaluski
Just saying. Okay, I just, I don't know.
David Spark
With that said, I think you read my analogy perfectly there, Steve. Let's bring in our guest. I'm thrilled. I think you just heard her at the beginning of the show and you just heard her laughing. It is the CISO over at Trincio. Thrilled she's joining us. None other than Tammy Klotz. Tammy, thank you so much for being here.
Tammy Klotz
Thank you for the opportunity and I'm very much looking forward to our conversation today.
Host/Announcer
I tell you, CISOs get no respect.
David Spark
QUOTE CISO's own business risk without equivalent authority. This is the most common and most dangerous tension I see. End quote. That's Sanjeev Cherian of Microminder Cybersecurity's view of where the CISO role has landed. We have heard this story before, by the way, and for him, the job has fundamentally transformed. You're now judged on recovery speed, financial exposure and operational continuity. Often with personal liability, there's a structural problem. Boards assign CISO's accountability for business outcomes while their actual decision making power hasn't caught up. Steve, I'm going to start with you on this. Do you find your colleagues are suffering from this accountability slash authority gap? Is this unique to just the ciso? Because we've brought this up before and we say, well, other C level people deal with this nonsense as well.
Steve Zaluski
Yeah, I've often said a CISO is either anointed or appointed, and there's actually no test to validate that you are legitimate. Well, I say in the same vein, okay, the accountability comes when you actually have to sign something, put your name on it, that actually has a material impact on your liability. I say the same thing. There's a lot of CISOs that think that they own it. And want to sign a document. And then there's a set of CISOs that don't want to own it and are being given the document to sign. So they say, be honest with yourself and appreciate where you are in that journey and realize that sometimes wanting to put yourself in that position, run away. And I think that's going to help a lot of us. And the other thing is, the board doesn't necessarily know, I have seen is when you get a piece of paper that you have to sign, that's when reality strikes.
David Spark
Can you give me the specifics? What does this piece of paper say?
Steve Zaluski
Oh, you're signing off on a SOX audit. The CISO is the designated accountable executive that's signing off that says that this audit is legitimate, the equivalent to the CFO signing off on a sox. SOX audit. Same thing is that for the first time, you are what I'll call a named executive, that the accountability resides with you explicitly. There you go.
David Spark
And by the way, like you said with the cfo, anytime you have an audit or anything that has to be approved, someone somewhere has to sign it. Yes.
Steve Zaluski
Yes. Right. You may want to sign it. You may say, that's mine to sign. Well, that's on you then, that you're accepting that accountability, you're demanding it, and they may be able to go, well, fine, go ahead, sign it. Because you don't actually understand what you just did. I'm more of the line is don't sign anything, okay? Like a marriage certificate. Don't just sign the paperwork. Read the fine print, okay. And understand that in signing that, what is it that you want in return? Okay. It's a relationship you're establishing. It's not a problem that you're owning.
David Spark
All right, Tammy, I'm throwing this to you. Have you ever been fearful signing a document to yourself?
Tammy Klotz
So I would say there's definitely, I don't know, fear. Fear is the right word, but there's definitely, like a reality check that comes into play when you are putting your pen to paper. Right. And putting your name behind an official document. But I think a couple of things that I would comment on with regards to kind of the intro is that I believe that the CISO takes on the role of risk advisor as opposed to risk owner in a lot of cases.
David Spark
Yes.
Tammy Klotz
And it's really that partnership with the business that becomes part of your capability and your influence within the organization to make sure the risks are understood by the appropriate business owners within the organization.
David Spark
Now, let me throw this out. We had an argument about this Very issue of risk ownership and risk advisement. And Steve is nodding his head because he remembers this. By the way, we have echoed very much what you've said, and many have agreed. And it's like. And then there was the thing of, yeah, but cybersecurity is your thing. You got to own some of it. Like, you got to own your responsibility of your advice. Yes, Steve.
Steve Zaluski
All right, so is a CISO more like a emergency room doctor, or is it more like a lawyer? The problem is we have both responsibilities, because when the company is attacked, we're like a trauma room doctor. Right. Trying to make sure the patient stays alive. And yet, on the other hand, we're like a lawyer where our obligation is to keep the company legal. Okay. We got to practice cybersecurity in a way that documents can be signed because there's an accountability. But like in the legal profession, keeping you legal is a very different conversation around understanding where that line is and where your tolerance is to stay above the legality line. And cybersecurity practice has also got that. So part of it is, which situation am I in? And appreciating the fact that, like a lawyer, I will often say, I will keep you legal. That doesn't mean I will make you the best security team, but I will keep you legal to sign the documents, and you have to decide how much risk you're willing to accept. That's a very different conversation that, for many CISOs, is one they don't want to go towards because they believe their obligation is to build a great firefighting organization, not be able to put out the right fires.
David Spark
Tammy, I'll let you have the last word on this.
Tammy Klotz
So I think it's an element of preparedness as well that comes into play. I will never sit there and say that we are 100% protected, and no CISO would.
David Spark
Yeah, nobody would.
Tammy Klotz
Right. If they do, they're not just for the job. But in. In that conversation then, is, I will keep us secure enough for what the organization's tolerance actually is. Right. And then that is a conversation and discussion that needs to be had with legal at the table. Right. And risk. Because as you think about it, in the terms of cybersecurity liability insurance, those are things that also need to be addressed to ensure the proper or the right level of controls are in place for the organization that you are protecting.
Host/Announcer
Why is everyone talking about this now?
David Spark
We used to wear amulets to keep ourselves safe. End quote. Now, for former CISA advisor Bob Lord, cybersecurity advice like, quote, always Change your password every 90 days or never use public wi. Fi is basically the same kind of hokum. It persists despite most experts knowing it's outdated or just wrong. Lor just launched hacklore.org with an open letter from over 80 security professionals to call out these stubborn myths. So, Tammy, I'll start with you. Why do these myths persist in security programs? Does it veer on security theater? And what's the one piece of so called security hack lore you'd like to see disappear? What's your take here?
Tammy Klotz
So I may have a little bit of a different opinion on this, but.
David Spark
No, please, this is all about opinions. So go.
Tammy Klotz
Yeah, so the one piece of hack, Laura, and maybe it's not really defined as that, but so many times in security programs, people will start on the supposition that your employees or your people or your workers are your weakest link.
David Spark
Yes, yes.
Tammy Klotz
In your security program. Right?
David Spark
Yes. Yeah.
Tammy Klotz
And that in itself is just a demoralizing statement. So how do you get people to work with you? By telling them that you're my weakest link in protecting the organization. So.
David Spark
Well, you, you don't say that.
Tammy Klotz
You know, you don't say that. So we turn it on a ted. I turn it on a ted and we talk about how do you make your people your strongest link in protecting your organization?
David Spark
By the way, Mike Johnson, the other host of the show, he says this all the time, too. Go ahead, Tammy.
Tammy Klotz
Yeah, so that, that is one of my mantras. But it, it resonates so well within the organization and it does boil down to the basics. And Steve and I have done a podcast on this with regards to going back to the basics. And it is those fundamental things that people oftentimes just become complacent around. So how do you reinforce, how do you keep them educated? How do you make it personal for them? Right. So many times if you can take it out of the context of what the business is asking you to do and put it in the context of, well, is that what you would want your bank to be doing? Or how do you want your information to be protected? And then have a very different conversation, I think that turns things on. It says, because people, it becomes more relatable to them than talking about things from a technical control perspective or talk about it? Well, if you're on public WI fi, this is what could happen. Is that what you want to have happen to your personal data? And then it starts to resonate a little bit better.
David Spark
So less than orders and commands and more of explaining why we say these things.
Tammy Klotz
What's your why? Honestly, that just came up in an earlier call. Don't just say no, but tell me why. And that is a game changer.
David Spark
All right, I go to you, Steve, the wonders of hacklore. Let's hear it. What are the terms that you wish would go away? Or how better should we be explaining what's important and those things that are.
Steve Zaluski
Useless in cyber hacklore, like everything else, it's about the good old days. Remember when changing the password every 90 days actually was effective? Remember when I used to do that? And it was a good thing and I don't know what to do, so therefore, I'm just going to fall back on what I know how to do.
David Spark
Which, by the way, and that's a really, really good point. Is. And that's true kind of. In our lives in general, there's a time things do work and there's a time things no longer work.
Steve Zaluski
And it's not that they don't work. Okay.
David Spark
One of the things don't have the same impact, maybe.
Steve Zaluski
And I go, let's look at automobile engines and cars way back when. It used to be when you turned on the car for the first 2,000 miles, you didn't go above 40 miles an hour because you had to give it a chance to break in. Okay. Or you had a turbocharger on there and you therefore had to let it run for five minutes before and after, so the turbocharger didn't burn out. There was a time when that was true. But we've gotten better. Okay. Which is it's changed and we don't have to follow those practices anymore. But folklore says we continue to do that because it used to be good. So it probably still is.
David Spark
It's hard to stop things on a dime.
Steve Zaluski
Right. Because it used to be. Well, so my dad did okay. And so I'm going to do the same thing. That's where I'm getting to how we as professionals. Right. How does the profession of a CISO move from being a tool jockey? Right. And just changing passwords as a tool process was good. To being a risk manager, like Tammy said, which is to be able to say the goal is to go 150 miles an hour in 7.2 seconds. Let the automotive mechanics handle the engine. Your job is to drive that car to get to 130 miles an hour. Okay. That's the transition and then the practice of doing it. Cybersecurity is a set of tools. And what we used to do, it's so different in these 30 years that again, it's our ability to transition to. What I say is like, Tammy, look, humans are the weakest link. And it's like, well, that's a terrible say. It's like, how do I encourage humans to be part of the solution? And what I often will say is, look, human nature is what it is. So let's acknowledge the good parts of human nature and the parts that we just have to accommodate, like raising your kids. And so again, what we're seeing in those kind of three phrases is appreciating how we move the conversation to risk and what we have control over and what we don't.
Tammy Klotz
Yeah, I think one of the things that came into my mind when you all were talking was really around the people side of it. Right. And how things change and things that used to be good are no longer good. So again, taking it out of the cyber context. But rules change all the time. How do you put the car seat in the car to keep the child the most safe? How do you put the baby to bed so that there's less likelihood of any sort of breathing disorder that's going to happen? And that has changed decade by decade based upon research, based upon experience, based upon fact. It's no different in this world. Right. There are things that just don't work as well anymore. And we need to course correct as we go and implement new technologies, new ways, new capabilities to get the better level or the best level of protection. And it just doesn't resonate the same way. So that's where you have to be creative in how you deliver the messages. To say, this is, again, back to the why, this is why we're doing it different. Talk about passwordless. Instead of having to change your password every 90 days. Talking about conditional access that, well, I don't. Maybe I don't have to do multi factor if I'm coming from a trusted device and they know that it's me. Right. So using the right set of logic to get folks to behave in the way that we want them to, I think becomes extremely beneficial in helping our own cause in those situations.
David Spark
You know, CISOs hear the term zero trust, like everywhere, but very few conferences actually teach you how to implement it. And zero Trust World 2026 does exactly that. I know, I was there last year. In fact, join us, and I say us, because CISO series will be there March 4th to the 6th, 2026, in Orlando for a fully immersive experience with hands on hacking labs, ransomware analysis sessions, and practical workshops that show you how to roll out zero trust in the environments you actually manage. Hybrid, remote and when they're just good old fashioned, messy. Now you'll leave with practical playbooks for reducing the attack surface, locking down privileges and maintaining zero trust without overwhelming your team. And if that wasn't enough, here's a kicker. I, David Spark, will also be there doing a live episode of the CISO series podcast at Zero Trust World. Again, we did it last year. We had a blast. We're going to do it the morning of Friday, March 6, right there on the main stage. We want you to be there. And here's even more enticement. If you're a CISO series listener, you will get $200 off the registration for the event. And by the way, they do a massive blowout. This is at a ludicrously beautiful resort in Orlando. Orlando. And who doesn't want to be in Orlando? Especially in March, where it might be very cold where you are, you get $200 off if you use the code ZTWCISO26. Again, that's ZTW0TrustWorld CISO26. If you forget that, don't worry about that. Just go to the blog post for this very episode and you'll see it right there. And you can go ahead and register and use the code. I hope to see you there. And if you go there, please introduce yourself. I would like to meet you.
Host/Announcer
It's time to play what's Worse.
David Spark
All right, Tammy, this game is very simple if you've never played it before. We provide two horrible scenarios. They are provided from our audience, and then I make you decide. Of these two crappy scenarios, which one is worse? It's a risk management exercise. But this is the way I'm going to make it, quote, easy for you. I'm going to make Steve answer first, and you will either agree or disagree. I do not make it easy on Steve. I will make it easier on you. All right, here we go. Here are the two scenarios brought from one of our fantastic listeners who's given us lots of great scenarios. And that's Jdance over at StubHub. And here you go. These are little involved. What's worse? Scenario 1. A major shipping and freight company is responsible for moving food, medicine and manufacturing parts across the country. A threat actor infiltrates its routing optimization system and quietly manipulates it. Trucks and cargo containers aren't stopped, but instead key deliveries are subtly delayed, rerouted, or flagged, as in transit. Even when they're sitting idle in remote depots by the Time the intrusion is discovered, hospitals, grocery, distributors, and factories are all reporting shortages, but no one can tell which delays are sabotaged and which ones are real. Okay, that's scenario number one. Not good. Number two, A relatively unfunded but large city's public utility network is infiltrated through an unmaintained and forgotten remote vendor account. Threat actors intermittently manipulate water quality and pressure settings and recordings, forcing the city to issue emergency boil water advisories and shut off sections of the system to avoid contamination. Public confidence erodes as officials admit they can't confirm how long the monitoring data has been unreliable or whether other essential city services were tampered with. All right, this one's tough. Steve, which one is worse?
Steve Zaluski
Oh, so maybe it's because of my background in utilities and everything else.
David Spark
Okay, you're immediately jumping to that is worse.
Steve Zaluski
So the potential compromise of the water systems. 10 times worse. Absolutely. Without a doubt, 10 times worse.
David Spark
And that's just because it's water and it's a public utility. Yes.
Steve Zaluski
Yeah, well, so if I don't know when packages are going to arrive, I have no issue with the integrity of the content of the package. It's just when is it going to arrive? And I can do compensating controls, putting my security hat on, no big deal. Packages don't arrive, I don't have it to sell. I'm upset if I don't know that the quality of the water is acceptable and I have to go to boiled water. The impact to health and safety is immediate. Okay, that by far is way worse because now I'm impacting everybody with an unknown. Unknown. Okay. I don't know if you can trust that water.
David Spark
And then you got hysteria.
Steve Zaluski
That's why I immediately went there. Yeah, right. That's hysteria. You're disrupting the social fabric of the country as opposed to just the expectation of the delivery of a product. And that, in my mind is why I go. Impact on the water systems by far, is dramatically worse as far as brand management.
David Spark
Good point. All right, Tammy, do you agree or disagree? And sometimes you can agree for different reasons. What's your take?
Tammy Klotz
So I actually do agree with Steve that the, the worser situation is the, the infiltration of the water supply, but it's also backed by, you know, there was definitely an insulation incident in May of 2021 in Florida of the Oldsmar Water treatment facility, where in fact, somebody did get in adjusted controls. And the operator was fortunate enough to discover that. Right. Had he not in that particular situation, the water would have been contaminated. It would have been poisonous because of the amount of lime that was actually in the water. And it was super bowl weekend when that actually happened. So the possibility for that to spread much broader and impact a much bigger population was significant. So the risk is high. The reason I teetered a little bit because you also said on the shipping one, there was hospital supplies which may be life threatening in some cases if the surgery couldn't be performed. And life was definitely at risk as well. But I think the pervasiveness of the water and the consumption of the water definitely puts me into that utility example being the more or worse of the two.
David Spark
Well, so you bring up an interesting point here. And so I'm going to throw this back to you Steve, is there could be life threatening situations. Scenario number one, Scenario two sounds like level of hysteria. We may or may not have life threatening. Probably not, I'm guessing but there are of there might be more life threatening. So it's one of those. Is the greater common good in the second scenario or the first? I don't know. Steve, what do you think?
Steve Zaluski
That's one when I said there's the unknowns, known unknowns and unknown unknowns. Okay. And a known unknown to Tammy's point is, look, let's assume that a hospital is counting on getting medical gloves and they don't arrive. Okay? Well they can go old school with soap and water and everything else. They can call another hospital. Okay. Compensating controls and get supplies over. They're in control of the situation. It's a known issue. Right. The integrity isn't in doubt. Okay. Whereas with the water supply, what we're saying is it's an unknown unknown. We cannot guarantee the integrity of the product that you're using. Therefore, what do you do? Okay. This is like I don't know that the water is good. I can't guarantee as opposed to I can only give you 100 gallons of water. That's all I have. Well, that's fine. Okay. Because we know that that's good supply all stretched 100. If it's the. I don't know if you can trust this water. There's the problem. Right. Then you have to revert to no integrity in the system. We're in big trouble. That's kind of the way I think about about it.
David Spark
All right?
Tammy Klotz
Yeah. And you may not even have enough information to put in the boil water requirement as well. Which again to the not knowing situation that that becomes even more concerning.
Host/Announcer
What about this AI security challenge?
David Spark
Quote, if I don't see you in person, you're not getting a reset. End quote. Now that's one comment on the cybersecurity subreddit from a security professional on voice based authentication after a convincing voice impersonation attempt at their help desk. The attacker sounded just like a real employee. Same cadence, same phrasing. Enough to almost fool a newer analyst. And this is actually how the MGM hotels got breached. And it's why those my voice is my password systems banks loved suddenly now look questionable. The Reddit thread surfaced some practical defenses. Callback procedures on no numbers manager verification, MFA pushes to registered devices, or just removing human factors from password resets altogether. But help desk exists to, you know, help people, especially when they're locked out, traveling, or claim their phone has died. Voice cloning now costs a few bucks and 20 seconds of audio. So, Tammy, the voice thing seems a little scary here. How are you handling authentication on voice only channels?
Tammy Klotz
So from an AI perspective, yep, the threat is real. It's here. We need to figure out how we're going to go after and protect the organizations. Right.
David Spark
And I just want to point out you have heard voice fakes. Like there are voice fakes that can fool all of us with just very little audio that could fool our own mothers.
Tammy Klotz
So yes, yes, that happens. That probably happens more often than not. That's actually happened to my mother. But very similarly, I mean, to do a deep fake of a CEO who's trying to deliver a message is very easy and scary. Right? Especially when you put it in front of folks and they're like, oh, that wasn't me. Right. So how do you overcome that? Right. And I think it again comes down to the basics of authentication. And two factor takes on just a couple of different dimensions. Right. So your voice may not be the only thing, but what are the other components that you need to know about yourself when you're being challenged to prove you are who you say you are. And again, if the health desk is getting resistance by the person calling because they're traveling and they're frustrated and they just want to get on their system, tell them your why I'm protecting you and I need to make sure it's you so that I do not accidentally give somebody else access. And that's where human logic should prevail in those situations too. As long as you're explaining that. So two factor, you know, what do you know? What do you have something that only you're going to uniquely know about yourself is what something?
David Spark
And it could be things that happened recently, like you may have information about the person, something that did the past week or something like that. When's the last time you logged on to xyz? Kind of a thing like that.
Tammy Klotz
Right. And, you know, if somebody says that they're traveling for work on company business, do you have the opportunity to verify that travel was booked through the travel system? Right. Now, help desk folks may not have all of the rights to that information, but that's where manager approval may have to come in in those situations. Right. So. Or if somebody is saying, I need to change my password and my authentication phone number, these are the things that we need to think about that, you know, Yes, a help desk analyst is going to want to help. I agree 100%, but that's why security has to be top of mind for everybody in the organization. So that the. When questioned, there is a general acceptance of why I'm being asked those questions.
Steve Zaluski
Steve, when.
David Spark
When you have those kinds of things and those extreme single cases where someone needs a password reset and they're asking for like, I need to change my phone and my password, like, two massive things like that, and you do go through all the verification steps, because that is conceivably a scenario that could happen. It's rare, but it can do you then say, all right, this person. We did do the change, we did all the verification steps, but we still want to keep an eye on this account. I mean, do you do that after the fact? Yes.
Steve Zaluski
So, yes. But here's what it comes back to. Remember the good old days when driving a car and all you needed was spark plugs, fuel. Right. And a battery. And there was no systems to be able to make sure combustion was good. Right. And all of the vacuum tubes. Okay, this is the problem we got, which was, we're now doing this. Boy, remember when. When MFA was easy. Okay, well, what's happened is MFA is no longer easy because our voice component is shot. So we're screwed. So now what we have to do is we're going to have to make it more complex. We're going to have to put more friction into the process, because the easy way we used to be able to do it doesn't work anymore. We were literally having this conversation last week with the Bay Area CISO Council, which was, hey, folks, what do we do now? Because the way we do it doesn't work anymore. Do we have to go back to shared secrets? Do we have to look at other technologies? Because fundamentally, we lost this as a trusted authentication path. And that's what we're all talking about now, which is From a compensating controls perspective, we have to do it different and it's going to be more complex, unfortunately, which for five years now, you've heard us say, make security simple so people will follow it. Make it business centric. We got to go back to the.
David Spark
Drawing board right now and also play out these scenarios.
Steve Zaluski
It sounds like, yes, play out the scenarios. And that's just it. That's what I said, is we're screwed. Okay? Because we all know now that the way we're doing it, because voice recognition can't be trusted, we have to take that out of the MFA equation. We got a problem, okay? We fundamentally got a problem. Now we got to look at other ways of doing this. One of the conversations was the aura rings. Do we now have people wear a ring with biometrics on it? Okay. To know it's you, that you can assert that it's correct at this point on a phone call or on whatever we're doing. Right. It's no longer good enough to be able to have a certificate on a phone or a traditional RSA token. That's inconvenient. That's an example of we got a problem right now. And we're really struggling to understand how much more friction and how to put into the system.
Host/Announcer
How CISOs are digesting the latest security news.
David Spark
Only 27% of companies give CISO's budget control over OT security, and nearly half spend just a quarter of their security budget on critical infrastructure protection. That's from a recent OPSWAT study. And your reaction is, well, duh, you're getting the point. This is a vendor funded research that tells us exactly what we already know security needs more budget threats are rising and organizations are underprepared. Oh, and security professionals are concerned about cyber attacks. It's fud, fear, uncertainty and doubt dressed up as insights designed to drive sales, not inform the industry. It's a cycle. PR teams pitch it, lazy journalists write it up, and the whole thing gets treated like news. It is not news. As someone receives this kind of stuff, I reject it and I tell them, this is not news. This is my editorial comment here. Now compare this to something like the Verizon dbir, which is also from a vendor, but uncovers valuable intelligence about attacker behavior and trends. So here's a question, Steve. Do these we need more budget studies from vendors actually help you make the case internally, or are they just noise? Have you ever cited one of these in a board presentation and gotten traction, or are they a waste of everyone's time and money? For that matter.
Steve Zaluski
So the way I characterize it is figures don't lie, but liars figure. If it's to my advantage, to me wanting to make a point, then these are fine. I'll pull them out. But if I'm having a hard enough time as a CISO raising my own kids, do I want to go try to help my brother and sister raise theirs? OT is an example of a different problem. It's somebody else's problem. Do I, the ciso, want to now make it part of my realm of responsibility? If I do, then those reports are valuable. Otherwise.
David Spark
But the thing is. But let me also point out, my point here is you don't have enough money. Forget it's OT or not. You don't have enough money, and you're worried about cybersecurity. How many reports have you read that give you that information again and again and again and again? You've seen a number of them. Yes.
Steve Zaluski
So they don't provide facts. Right. That's the point. They're just figures. If they're to my advantage, that's fine. The vendors are going to do that because they got to sell.
David Spark
Right. Because they're hoping to sell their product. Right.
Steve Zaluski
They're hoping to sell more, as I said, which was great, I can go to the library and I can pull out a bunch of facts. We can argue about whether they're facts or opinion. It's kind of irrelevant. I just go, see, you got all this noise. I will even say DBIR more and more is simply the same thing every year. It's not uncovering new. It's just simply adjusting the percentages of the standard ways that the attacks work.
David Spark
Right. And by the way, that's actually a pretty good point right there. But that also points to the fact that our world does not turn upside down year over year. It moves in different directions. Right?
Steve Zaluski
Yes. The universe is not expanding at this point.
David Spark
Right.
Steve Zaluski
We just don't, as CISOs, necessarily all agree as to how much of the universe we want to have accountability for. That's it.
David Spark
All right, Tammy, I throw this to you. And again, this is not a discussion about OT or not ot, but it's just more of these studies that tell us what we already know. I looked at the study. I'm like, yeah, I get it. I know this already. Nothing here is a surprise. You're selling this to try to scare people, to, like you said, have a data point to show to your board to say, we need to spend more money on this. What are your thoughts?
Tammy Klotz
So, first and Foremost, the points around taking care of your sister and brother's children. Right. So if, if there is an issue in my organization, it doesn't matter one if it's OT or it, if I'm the ciso, it needs to be clearly understood and documented where that accountability lies. And that, in essence, I've, I've grown up in manufacturing. 30 years of my career has been spent in, in manufacturing. Right. So talking about it in the context of business risk and where the lines of accountability actually are drawn becomes extremely important. So that, that's kind of my take on the OT space, right. The reports and the numbers, honestly, like, I don't think they hold a lot of weight with the folks at the manufacturing facilities. Right? Because it feels like it's just a, quote, ploy to get us to spend money. But if you back the truck up and you start talking about it in the context of, if we found ourselves in the middle of a cyber attack, we are going to have operational risk. We are not going to be able to produce products, we are not going to be able to ship product, we are not going to be able to fulfill our order obligations. Therein lies the conversation around where the risk is and how it impacts the company. So if you talk about I need this much money to protect us from not being able to deliver product, and you do that on how much money do I lose on a daily basis by not being able to ship products? That's how you gain support for the tools that you need to invest in to protect the organization, not a vendor report that's going to say you should be spending this much money. That's my opinion.
David Spark
Well, that brings us to the very end of this show. Tammy, thank you so, so much. I'm going to come back to you in just a moment, but first I want to thank our sponsor. And that would be three Threat Locker. Remember Threat Locker. Allow what you need. Block everything else by default, including ransomware and rogue code. And more importantly, I want to see you in Orlando in March. And we're going to be doing a live show there. And you can learn a ton at Zero Trust world. Remember, it's March 4th through the 6th, 2026. If you use the code ZTWCISO26. And if you forget it again, go, go find the blog post for this episode. We'll have it there. You will get $200 off on your registration, so go there. Ztwciso 26. Let's see each other over at Zero Trust World. Steve, thank you for coming in and jumping in here and bringing your good friend Tammy for the recording.
Steve Zaluski
Hey, nothing but the best, okay? And I'll say I'll see you all on the Lazy river where you're doing your podcast is what I heard.
David Spark
I will not be doing a podcast on Lazy river, but I do want to plug Tammy's book Leading With Empathy and Grace. We'll have a link to it on the blog post for this episode to buy it over on Amazon. But Tammy, please explain what this book is about.
Tammy Klotz
Yeah, so thanks for that opportunity. So, yes, so Leading with Empathy and Grace was published in April 2024. It is a book based upon my leadership journey and to embrace both empathy and grace as critical skills, as opposed to the normal classification of soft skills, filled with life experiences, personal journeys, and tools and techniques to help you become a better leader in your space. So thanks for the plug. I appreciate that.
Steve Zaluski
Of course, it's an awesome book. Highly recommended.
David Spark
There you go. You. Did you actually write a review on Amazon for Tammy? I did not get on that. Now, immediately after this recording, that's what you're doing?
Steve Zaluski
Yes. Yes, sir. Yes, ma', am. I promise. But I've got the book. It's in my library right there.
David Spark
Thank you very much, audience. We greatly appreciate your contribution. Send me more what's Worse Scenarios. I need more what's Worse Scenarios. We greatly appreciate your contributions. And for listening to the CISO series.
Host/Announcer
Podcast that wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup and cybersecurity headlines. Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly@Davidisoseries.com thank you for listening to the CISO Series podcast.
Podcast: CISO Series Podcast
Episode Title: We Gave the CISO Risk and Liability, and Now They Want Authority. The Nerve.
Date: February 17, 2026
Hosts: David Spark and guest co-host Steve Zaluski (with regular host Mike Johnson absent)
Guest: Tammy Klotz, CISO at Trincio
In this episode, the hosts and guest explore the evolving landscape of the CISO role, emphasizing the misalignment between risk and liability versus true authority. They discuss risk ownership, security myths (hack lore), the realities of new attack surfaces like AI-powered voice impersonation, and the perennial frustration over vendor-driven "budget gap" research. The show features practical insights and candid humor about the modern CISO journey.
Steve Zaluski:
Tammy Klotz:
Steve’s Analogy:
David Spark introduces Bob Lord’s Hacklore.org initiative and questions why security myths withstand the test of time.
Tammy Klotz:
Steve Zaluski:
Tammy Klotz (continued):
A threat actor quietly manipulates the routing in a shipping company, causing disruption in logistics and critical shortages for hospitals and factories.
A public utility network is compromised, resulting in water quality uncertainty, emergency advisories, and loss of trust.
Steve Zaluski:
Tammy Klotz:
Steve Zaluski:
Recent breaches (like MGM Hotels) and Reddit testimony highlight how easily voice cloning attacks can bypass phone-based authentication.
Tammy Klotz:
Steve Zaluski:
David Spark:
Steve Zaluski:
Tammy Klotz:
“I believe that the CISO takes on the role of risk advisor as opposed to risk owner in a lot of cases.”
— Tammy Klotz [08:02]
"When you get a piece of paper you have to sign, that’s when reality strikes."
— Steve Zaluski [06:12]
"Don't just sign the paperwork. ...You're establishing a relationship, not just owning a problem."
— Steve Zaluski [06:54]
“How do you make your people your strongest link in protecting your organization?”
— Tammy Klotz [12:20]
"We’re screwed. … Voice recognition can’t be trusted, we have to take that out of the MFA equation.”
— Steve Zaluski [32:32]
"Figures don't lie, but liars figure."
— Steve Zaluski [34:59]
"Talk about it in the context of, if we found ourselves in the middle of a cyber attack ... there is operational risk... That's how you gain support for the tools you need."
— Tammy Klotz [37:26]
The episode is candid, witty, and pragmatic—challenging sacred cows (like “employees are the weakest link”), gently mocking vendor hype, but ultimately empowering security leaders to have real, business-first conversations. Core themes are responsibility, communication, adaptability, and leadership empathy.
If you missed the episode:
You'll come away understanding the current CISO reality: extensive risk and liability, limited authority, a need for coalition-building across business, and an imperative to move past outdated security dogma. The episode is full of practical analogies, hard-won wisdom, and the occasional playful jab—unmistakably in the unique, engaging style of the CISO Series.