
Loading summary
David Spark
What I love about security vendors. Go.
Patti Degnan
I love RSA conference booth energy, especially the ones with the loudest music and the most aggressively cheering people handing out branded puppies.
David Spark
It's time to begin the CISO Series podcast.
Welcome to the CISO Series podcast. My name is David Spark. I am the producer of said CISO series, and joining me is my co host. He's one of your favorites, whether you like it or not. It's Andy Ellis, the principal of Duha. Andy, say hello to the audience.
Andy Ellis
Good afternoon, folks. Or depending on when you're listening in, good morning, good evening, or good night.
David Spark
I'd be interested to know if anyone, because my wife does this, listens to us to fall asleep.
Andy Ellis
So I have been told by people that they use the audio reading of my book for going to sleep time. My voice is very soothing for them.
David Spark
That must make you feel fantastic. We are available@cisoseries.com if you have not spent at least half of your day there. I really don't see how you get anything done. Please go there. Check out all our other programming. We have live shows, most Friday, Super Cyber Friday. Join us for those. Those are a ton of fun. Our sponsor for today's episode is Threatlocker, a continuously great sponsor for the CISO series. Allow what you need. Block everything else by default, including ransomware and rogue code. We'll be talking about the latest from Threatlocker a little bit later in the show, but first, I want to introduce a guest who's in studio with me right now. The former CISO over at Notion, now an operating partner at Andreessen Horowitz. Working with many of the security portfolio. Working with. Helping with security with the portfolio in general. Sitting right here, Patti Degnan. Patti, say hello to the audience.
Patti Degnan
Hello. Hello, Hello. And very nice to be here. Thanks for having me.
David Spark
All right, now I have a question for both of you. Patti and for Andy. Have either of you ever attended your high school reunion?
Andy Ellis
Nope.
Patti Degnan
Never.
David Spark
Never?
Andy Ellis
Never.
David Spark
Okay.
Patti Degnan
No.
Andy Ellis
I'm gonna say that only people who are, like, really insecure about their ego go to their high school reunion and then bring it up in conversation. I mean, I just want to put that out there.
Patti Degnan
Oh, all right. David, back at you.
David Spark
Andy knows I went to my high school reunion. Maybe that's why he's setting it up like this, because I just saw Andy in Boston, and I had coordinated doing a live show in Boston so I could also attend my high school reunion, which I hadn't been to in a long time. I won't specify the number of years, but it's long. But I think what the humor of going to a high school reunion after you haven't seen anyone since you were 18. 17 years old is what we all look like today. Who has let themselves go, who has kept themselves together. And I think that's the greatest amusement of going back to the high school reunion.
Andy Ellis
I can say a little schadenfreude goes a very long way.
David Spark
Yeah. So I went to. Mine was very, very small because I went to an all boys prep school. My graduating class was 65. Only a dozen showed up and I was, I think, the only one from out of town that was there. Everyone else was local.
Andy Ellis
Now it might also be different when you go to such a small school. Like my graduating class was I think 880 out of a sophomore class that had been 1100. Just to give you sort of an idea of what the schooling was like.
David Spark
It matriculates that much.
Andy Ellis
Yes. We lost 230 people or so.
David Spark
Wow.
Andy Ellis
Across three years.
David Spark
That's insane. Well, so I mean with 800, you probably did not know everybody. When you have a class of 65, everybody knew each other. Yeah. How big was your high school?
Patti Degnan
The first high school I went to was like 3,000 students. But then when I lived in Orlando, but then I moved to upstate New York and it was my graduating class, I think was like 120 people and they all knew each other and they all grew up since preschool together. And so you're the new kid and you don't have the same hook in. So of course I'm not going back to my high school reunion.
David Spark
All right, well, for me it was nice to see everybody. I'm not going back again, but come November. So I went to the prep school, but I went through the elementary school in my town through seventh grade. I got grandfathered into the high school reunion for the year the mine. So I'm going to go to that high school reunion where there were hundreds of kids of which I'm going to know only a small percentage of them. But those people I have not seen since I was 13 years old. So very, very different story.
Patti Degnan
You may not even know who anybody is.
David Spark
It's very possible, quite possible.
Once again, we've got identity issues.
Quote, if we treat agentic AI just like another service account, we will miss the shift. Now, this is NFL CISO Thomas Maldonado. His he points out that most IAM frameworks that's identity access management were built around the assumption that identity maps to a human understandable at the time when they were created. But agents break that. For example, a person can't be in two places at once was the basis for your anomaly detection. Agents do it by design. Thomas identified four pressure points. Ownership, scope, lifecycle, and monitoring. These aren't new. They're the same IAM challenges that were never fully solved for service accounts, but they're now running autonomously at scale. So before debating how to govern AI agents, maybe the real question is whether your IAM program was actually working before they arrived. Andy, I will start with you. How do you establish a baseline for normal agent behavior when the whole point is that agents operate beyond human constraints?
Andy Ellis
So I'm glad that Tomas is calling out this problem, but it was far worse than he pretends it was.
Patti Degnan
Right.
Andy Ellis
First of all, IAM was never about humans. It was about a specific human role. Right. Andy at how to CISO is different than Andy at CISO series from a computer perspective, even though they're both me, and I've got a dozen other digital identities. So let's just start from we don't even understand how to map identities onto the real world. Second, even before the AI explosion happens, the non human identity to human identity ratio is over 30 to 1. We were barely touching 3% of our identities with a model that failed. And that model didn't include the actual governor of identities in our organizations, which is hr.
Patti Degnan
Is it hr? I don't even know if HR knows how to do that.
Andy Ellis
I'm not saying they know how to do it, but how many identity systems have ever dealt with the fact that, like, HR knows somebody's being fired or let go in 90 days, but the identity system doesn't know?
Patti Degnan
Yeah, right.
Andy Ellis
So we don't even understand this problem. We're not thinking about it the right way. We're trying to band aid over the fact that we don't understand how our organizations operate. Now, that said, even the premise that a human can't be in two place at once was gone. Once people had two computers, right? If you had a desktop and a laptop, your desktop was still logged in as you, it was still doing things as you. And one of our core problems is we think of the human as being the employee rather than the human plus their computers. That's actually the atomic component that we should be thinking about identity in. And now that human plus their computers is. And all of their agents, they're a giant aircraft carrier, by the way.
David Spark
So you're just expanding this problem. So you have no idea how to create a baseline here, do you?
Andy Ellis
The problem was already really big and it just got bigger. This is not about a baseline about what a human does or what an agent does. It's about baselining what an organization is. And until we solve that problem, we're going to keep throwing out band aids that don't work.
David Spark
All right, then I'll ask a question that Andy asked and maybe you can answer that is, can you baseline what the organization is and does that affect IAM for both humans and I guess, non human identities, autonomous agents?
Patti Degnan
Well, I mean, I completely agree that we haven't ever solved the problem for humans to begin with. So how are we solving this for agents? No, I don't think you can baseline what the organization is in that scenario because you have to understand what the entire scope is. Right. And holistically, the biggest problem that CISOs have always had is can I see everything and do I know everything that's going on? And the answer is pretty much no. Right? Like you always end up there's some closet of crap that nobody has figured out what is happening there, or you don't own it because you've determined it. It's out of your scope right now because it's not in production or whatever. And then that's where some of the fault lies. Right. I think that there's also a dichotomy of issues when you don't have a good partnership with it, or in some cases to your earlier point, like hr. Right. So you might be the last to know when you have an internal threat problem because someone's going to be let go in 20 days. Right. And so in those scenarios as well, you're not going to be able to identify like not only the scope, but how to monitor that situation.
Andy Ellis
And it's not even the threat issue of someone being let go, it's the humans own systems. And how do you know what systems are about to be unowned because of a RIF?
Patti Degnan
Well, now you have agents. You built 60 agents and you're being let go. What happens to them?
Andy Ellis
Right? Who owns those agents? What are they off doing now? Are they all going to be ticking time bombs? Because when your credentials expire, they do and they know it.
David Spark
Is AI going to help us or hurt us?
When two thirds of exploited vulnerabilities are weaponized before or on the day of disclosure, the entire model of reactive security has already failed. That's Resilience Cyber's Chris Hughes breakdown of surge Epps zero day clock shows that the median time to exploit went from 771 days in 2018 to 4 hours in 2024 and I'm sure it's a lot less now. Organizations remediate 10% of new vulnerabilities per month. That's not a gap, it's a different sport. AI is accelerating exploit generation while remediation is still operating under a model that no longer exists. Patch faster would require 9x improvement to the old model, I think. Is a shift to resiliency and remediation not patching the only viable solution? Patti or as Bruce Schneier once said, no industry in 150 years has improved safety without government regulation. Not aviation, automotive, pharma. So do we agree a drastic change needs to be made? And if so, where will the shift be? And are we going to need regulation of some sort?
Patti Degnan
Okay, starting at the last question, do we need regulation of some sort? I don't know that that's going to solve this problem. I also don't think that governments are equipped to handle how to figure out how to think about patching a computer speed that beats AI. I think one of the things that I've been talking about more realistically is that we need to come up with some level of ephemeral infrastructure that is on some level self healing. It's like the next step after having golden images that are repatched every month. We're going to have to do something that's infinitely faster and I don't think that that's been figured out yet.
David Spark
What do you think Andy?
Andy Ellis
So I think there's a couple things going on here. First, actually, Bruce Schneier is flat out wrong. Industries have improved safety without government reg and in fact I'll call out automotive specifically as a place where the vast majority of safety occurred. The auto manufacturers with zero oversight up through 1959, then the IIHS, not a government entity, shows up. We see dramatic improvements in safety coming out of that. The NHTSA is the johnny come lately to the situation. Showing up in 1970 and claiming credit for a lot of the great safety work that is done before then. In fact, since the NHTSA has shown up, we've actually seen a slowdown in the rate of improvement. And in fact, in the last few years it's actually gone up. Like vehicles are less safe as measured by fatalities per mile driven than they were 10 years ago. I think that's more to do with things like Waze and Uber and Lyft than it is to do with the vehicles themselves. But let's not kid ourselves to say that government shows up and solves all These problems. The second challenge that we have to look at here is this is measuring from when the CVE is published, and there's a lot of people who know about a vulnerability before publication, so measuring sort of time to exploit against this thing. That's already a slow process, especially where we now have, like, CVE declaring inbox zero. I think that it's a weird metric, but I'm not disputing the fact that it's easier to write an exploit faster to write an exploit. Like, that's what's going on. Let me say, actually, the single biggest problem here is the vulnpocalypse, or whatever you want to call it, is not the CISO's problem.
David Spark
Ooh, wow, That's a big call.
Andy Ellis
Every CISO likes to pretend that it is their problem and it is not. Imagine for a moment that you're an F16 pilot. You have a crew chief who maintains your airplane.
David Spark
Hold it. You're going too fast. I'm trying to imagine myself as an F16 pilot. This is going to take a while.
Andy Ellis
Yeah, okay. You're not an F16. Imagine Patty's an F16 pilot.
David Spark
I can definitely do that better.
Andy Ellis
And David is her crew chief. David does every repair on Patti's plane. Nothing goes on to Patty's plane without David's approval. And I show up some random dweeb who has no business on the flight line and say, here's the 75 things that I'm in charge of making sure get fixed. Not my job. It's David's job. The crew chief, the person who writes the software, who pushes the software, who maintains the software.
David Spark
The.
Andy Ellis
This is who owns the vulnerability problem, not the ciso.
Patti Degnan
I like this argument. I definitely agree with it. I don't think you're going to find the CTO or the head of engineering saying that it's only their problem. There's this whole scenario that we've seen forever where you're calling everybody's baby ugly because of vulnerabilities being out in the wild, and then they also don't want to own it, right? Like, oh, you found these problems you should be fixing with them.
Andy Ellis
And like, so I agree with everything you said, except for the word only. I am not saying this is only the CIO's problem or the CTO's problem.
Patti Degnan
Fair? Fair. Okay.
Andy Ellis
But it is their problem. They are the ones who are ultimately responsible for the code that they ship. And if they're not committing to fix it, which they aren't today in modern organizations, it's not gonna get fixed.
David Spark
Are they experiencing the same level of panic than the cybersecurity industry?
Andy Ellis
No, because they have managed to off source all of the anxiety and panic onto the ciso, which suits them just fine.
Patti Degnan
But if you think about it from this perspective, who's the person reporting on the number of vulnerabilities? Technically you're going to be going into the board meeting or the CEO meeting and saying this is how many vulnerabilities are in your infrastructure. And they're not going to say that they own that problem. They're still going to say the CISO owns the problem.
David Spark
Yeah, they're never going to report vulnerabilities.
Andy Ellis
They're never going to. So the CISO's education job to the CEO and the board is to educate them on the lackluster state of vulnerability management within engineering organizations. You're not going to make friends with this, but this is what your job is.
Patti Degnan
I mean, but essentially you're going back to talking about risk tolerance in this scenario. But now what we're really talking about is because of the amount of vulnerabilities that are infinitely happening and being exploited simultaneously and you're daisy chaining everything together. How do you manage the risk in that scenario when you know you're going to end up being popped at some point?
David Spark
Threatlocker is extending Zero trust beyond endpoint control. With the recent release of Zero Trust network access and Zero Trust Cloud access, organizations can now control how users connect to both internal systems and cloud applications. Access isn't based on credentials alone. It requires the right user, the right device and the right conditions. Users are granted only to specific applications, never entire networks or environments. Now that matters because attackers aren't breaking in, as we all know, they're logging in. As we've seen in recent large scale CRM breaches, stolen credentials and misconfigurations can expose massive amounts of sensitive data. ThreatLocker Zero Trust Network Access ensures internal resources are never exposed and only reachable through tightly controlled policies. Zero trust cloud access extends those same protections to SaaS applications. So even if credentials are compromised, access is denied without an approved device. It's a modern approach to access control that reduces attack surface and stops unauthorized access before it even starts. You can learn more and you can start a free trial today if you head over to threatlocker.com CISO remember that's threatlocker.com CISO do me a favor, add that's 5 CISO easiest way to let ThreatLocker know you heard about them from the CISO series.
It's time to play what's Worse.
Patty, you're familiar with how this game is played? Yes.
Patti Degnan
Yes, I am. Pick one.
David Spark
All right, here we go. We have from Ann Marie Van Den Herk, mind the gap advisory. All right? And Annemarie has sent in the following. This one, I think is going to be a tough one. I'm guessing it's a tough one. I'm sometimes wrong. Sometimes you go, oh, this is easy. But here you go, Andy. Note that I make Andy answer first and you agree or disagree with Andy. A hacktivist group posts screenshots claiming they've compromised your product. No confirmation, no details, but it's spreading fast and customers are asking questions.
Andy Ellis
All right, been there, done that.
David Spark
Or an AI generated video of a robbery at your company is going viral and getting picked up by news outlets. Operations appear halted in the video, but none of that is real. But your employees, customers, and board don't know that yet. Which scenario is worse?
Andy Ellis
Okay, this one's fascinating. And I can see sort of there's a parallel, which is the first one might be fake, right? They might have faked those screenshots, but they might not have. So we don't know in this scenario. So we have to go figure it out. The second one, we know it's fake, right? But it's a video, and video is really going to capture the mind of people much, much faster than just a screenshot. It's the sort of thing that immediately changes people's frame of where we are. That said, as the ciso, I absolutely would prefer to have that viral video that we know is AI generated, we know is fake. This is now a brand problem and a PR problem. I can help with that. There's a lot of work I can do there that's very different than I have to go figure out. With no evidence whether or not my product has been breached, and unless I can disprove it, I have to operate under the assumption that it has been for a very long time. So the first scenario, especially from the CISO perspective, is clearly worse. I think from most of the corporate perspective, I think it probably also is worse. Except the brand management problem. Very tactical, very real time in this fake video. But honestly gives you the opportunity to get your CEO in front of news outlets talking about what great things you do. So a great crisis comms team will actually turn the second scenario to a benefit rather than to a negative. So I think on all fronts, the first scenario is worse.
David Spark
All right, how do you feel about this, Patty? Agree. Or disagree.
Patti Degnan
Thousand percent agree. It's a crisis management problem on the second side. And definitely an internal, like, oh, crap moment on the end of the first one.
David Spark
Yeah. So this is more. But. But the way you also see it is this becomes less my problem. I can help with it. But the first scenario is 100% your problem. Yes.
Patti Degnan
Right.
Andy Ellis
The first scenario is 100% the CISO's problem, and it's an unbounded, weird problem. You don't know this is fake. And in fact, it's almost worse if it is fake and you can't prove it because you can't prove the negative. If it's real, you can figure out what they did and maybe deal with it.
David Spark
It.
Patti Degnan
Yeah, I agree.
David Spark
All right. We got consensus way too fast.
Andy Ellis
David hates that.
David Spark
Would. Would you be dealing with this any differently, Patty, or you. You would follow Andy's playbook here?
Patti Degnan
I mean, I. I would probably on the first one, follow Andy's playbook on the second one. The problem is, to me, I'd be like, this is a crisis management problem and the crisis management team should be handling it. And on the first one, yes, you're infinitely digging in to figure out what is actually reality in this scenario.
Andy Ellis
Right. And, like, if I'm a CISO who happens to have a physical security responsibility, I will probably have to become part of the response team. But honestly, that's already part of your job as an executive, so run with it.
Patti Degnan
Yippee.
David Spark
Look what came into my inbox.
Your organization spent many millions implementing Zero Trust architecture. Then your email security team punched permanent hole through all of it, end quote. That's Alan lafort of Strongest Layer, who pointed out that every whitelisted vendor, executive, or outside counsel is a permanent exception to a Zero trust principles that you spent millions enforcing everywhere else. And the teams creating those exceptions aren't being reckless. The tools force the choice. So when the CEOs DocuSign is quarantined and a deal closes today, the whitelist wins. The whitelist file is castle and moat thinking hiding inside your modern security stack. So, Patty, if zero trust is the principle guiding your security program, why does email get a carve out? And does it, do you believe?
Patti Degnan
Potentially. Because the whitelist isn't a security decision,
David Spark
it's a business decision.
Patti Degnan
It's a political one. It's a business decision. So in that scenario, the moment these things happen, like your C suite doesn't get a critical document, there's the pressure just to fix it right out of the gate, and then it overrides all the controls you've spent time putting in place to get them what they need. So it's like that becomes a permanent exception and then it becomes, let's not route this through the proper approval chain. So I think security loses that fight almost every time because the CEO has more organizational gravity than the ciso. Obviously, the immediate pain is visible and loud to them and that whitelists, granted, under pressure, are never reviewed.
David Spark
All right, good point. All right, Patty, nailing it there. This just seems like especially what they're. Whitelisting is often the hottest targets, I would assume. Yes, Andy, it is.
Andy Ellis
But this really feels like a false choice scenario here. Okay, that may have to do with the sender's employer being in email security, but first of all, zero Trust architecture and email security are completely unrelated. Right. What you're looking for in a zero trust architecture is that if a user clicks the link, nothing bad happens. Right? That they have unfishable credentials. So if they click a link and it tries to force them to log in, it's not going to work because your login isn't just a password. So let's just start from that, which is, if you want zero trust architecture and valid email from DocuSign causes a problem, you've got an issue. Now, that said, like the biggest challenge we have, DocuSign is a huge issue in business email compromise. Because I know when I was a director, every time there was a hint that there was some financial transaction coming through, I would probably get 50 DocuSign spam messages showing up that were all phishing attempts that didn't really go to DocuSign.
David Spark
Really, that many during a big deal.
Wow.
Andy Ellis
Yes. I'm waiting for a DocuSign message to come in and every 15 minutes I'm getting one. It's just not actually from DocuSign. That's a problem with our email security. But this is not a massive problem. Just filter out anything that claims to be from DocuSign. That's not. We just did not have the right thing set up to have made that possible. And that's a suggestion for every vc, which is you need to be filtering out things that look like DocuSign if you're the VCCO. Not that there's sort of one nearby in the room here to think about that one. So, yes, the reason that whitelists exist is because your security policy is functionally broken. If you were filtering out valid DocuSigns, that's on you, not on the CEO who wants a whitelist.
David Spark
But it's interesting, the docusign is a good example here. And the fact that you saw this incredible behavior whenever a big deal was about to go down. My feeling is in situations like that, you can sort of put up the high alerts for everybody. Yes, since you are watching this, I
Andy Ellis
mean, you can, but it's hard. And this goes back to the earlier conversation of I have multiple identities. The adversaries were not just sending them to my VC account, they were sending them to every email account I had, trying to rely on me clicking on just one of them.
David Spark
Can't you just like quarantine all DocuSign stuff or things that say DocuSign on it?
Patti Degnan
But isn't that the whole question that you asked at the beginning, which is like, this becomes a problem?
David Spark
Yeah, Right.
Andy Ellis
If I quarantine everything that comes from DocuSign. Well, I've got sitting in my inbox right now a docusign from my bank that I need to deal with. So I want to make sure that one gets through.
David Spark
Are you sure it's from your bank?
Andy Ellis
I actually have them. They send me email beforehand and I can call them to verify that that was really from them. And then I always do tend to try to read the headers for DocuSign to make sure that really came from them.
David Spark
Coming up Next, your biggest AI risk probably isn't the model you approved. It's the 10 you don't know about
this. AI Governance and AI Security Tip is sponsored by Speakeasy.
A company stands up an AI governance committee, drafts an acceptable use policy, and green lights a couple of vetted models. Sounds good. Sounds like good planning. Well, meanwhile, marketing is pasting customer data into a public chatbot. A SaaS vendor you're using plenty just switched on an AI feature buried in its settings, and a data science team just fine tuned a model on a laptop. None of this is on anyone's list. Policy doesn't matter if you lack fundamental visibility. AI governance starts just like AI any other security discipline, with an inventory of what you got and what's happening. So NIST AI Risk Management Framework builds this into its govern function, calling for mechanisms to inventory your AI systems. ISO IEC 42001, the first AI management system standard, expects the same. So can you identify and account for the AI in your environment before you try to control it? Shadow AI is picking up where shadow it left off. So build the AI inventory first and make it continuous. This includes your directly sanctioned models, the AI baked into your SaaS, and the tools employees are already using on their own because you know they are a program that governs three models while 30 run unseen isn't governance. It's a rounding error. And it's not a small one.
Go to Speakeasy.com to see how leading enterprises are scaling AI securely with the Speakeasy AI control plane. What's the roi?
For all the solutions being created by cybersecurity startups, the reality is the biggest gaps aren't technical. After speaking to more than a few vendors, Joe, head of Malto, found familiar stories tool sprawl that promises identical outcomes security built for the CISO instead of the people actually using it. An SMB market everyone ignores while chasing Fortune 500 logos. Their ROI gap might be the most damning. Security leaders still can't demonstrate how security enables revenue, and nobody's built that layer yet. If the market isn't missing technology, what is missing? How much can a vendor do? To answer the ROI question, quoting my defense in depth co host Steve Zaluski, former CESA of Levi's, how does this help me sell jeans?
Andy Ellis
Andy so I love this question, except for the one thing about ROI to revenue. Steve and I sometimes disagree on this one. It is about helping sell jeans. It's not about being able to quantify how much you help sell jeans. If so, you're a product component, not back of the house. That's okay. But absolutely, here's the challenge in the entire security startup space, which is people are not trying to build products, they're trying to build a company that can get another funding round. That's a really important thing to acknowledge
David Spark
if you're a c. Hold, wait, hold, wait, wait. I want the rep from Andreessen Horowitz to speak.
Andy Ellis
I love the look on Patty's face when I said that.
David Spark
Hold on.
Patti Degnan
I think what I would say is there is a technology surplus and an outcomes deficit actually for a lot of the technology in the space.
Andy Ellis
Right. But if you're a seed stage investor, which I was for four years, every conversation is about how you get the a round. The CEOs are not trying to build a sustainable company. They're trying to build a company that can get an A round. And once they get the A round, which is they got a marquee customer or two.
David Spark
Let me pause for a second on that. Just I want to get a little inside baseball going on here. What is the difference when you're building a company to get an A round versus building a company to get customers and generate revenue and have a sustainable business, what is the big difference there?
Andy Ellis
So let's say that you get a seed round and you bring in say $10 million on a $40 million valuation. Right. You now need to bring in for your A round. Something well, north of that. You're aiming to, hopefully to bring in maybe 30 to 40 million dollars of an A round would be a fantastic outcome at that point. But now your valuation has to be upwards of 150, 200, $250 million, which is a crazy valuation to get at A round. And then every time you get a big round, your next round has to be at an even higher valuation because you don't want to dilute everybody because down rounds become really bad for you. It's a really crazy dynamic. But what this means is if you get a large round early on, you're not interested in this slow sustainable growth of going after the SMB market where each customer is small. You're chasing these Fortune 500 companies because one or two of them gets you that A round. And that creates this dynamic of sell to the ciso, who has a lot of money sell to, even if after two years they're going to throw the product out because by then you've gotten your next round and you're on your next set of customers. That's a core piece of the dynamic. That's a problem.
David Spark
So may I ask, is this why account based marketing exists for this reason specifically?
Andy Ellis
I mean, account based marketing exists for a very different reason. But yes, this is a component of why people are always going after those CISOs of very big customers, because you can just get one of them. And now that's your reference customer for your later vc. And just to be clear, I'm not saying every VC is just part of this sort of multi level marketing scheme, but it is a fundamental dynamic within the industry, which is you are chasing your next round. Once you're sort of in this world of you're not profitable, you're not sustainable. If you don't get the round, you die.
David Spark
All right, Patti, your thoughts on this? Yeah, I mean, you are the one working at vc. He used to work at a vc.
Andy Ellis
Yeah, so I was four years in the VC world.
David Spark
Wild Ventures.
Andy Ellis
Yep.
Patti Degnan
I mean, maybe that's true. I don't feel like. I feel like the world four years ago is very different than the world right now. So I think.
David Spark
Can we point out what the differences you believe are.
Patti Degnan
I think the products that people are building now are inherently different than what the problems they were trying to solve were four years ago.
David Spark
Because they're infused with AI.
Patti Degnan
Well, because that two earlier questions that we've had are creating a whole new slew of problems and attacks surface that weren't in existence before. I also think there's a faster time to revenue for a lot of companies now.
Andy Ellis
Absolutely.
Patti Degnan
So I don't think that that is 100% accurate. Now, is it true that I think I read something that 80% of cybersecurity companies get acquired at some point?
Andy Ellis
I'm surprised it's that low.
Patti Degnan
It might be higher. I think I read that it was 80% like two weeks ago.
Andy Ellis
I guess. I guess 80% acquired and like 19% die.
Patti Degnan
Maybe. Maybe it's like. But it's a significant amount. Right. And I don't know that everybody's chasing the A round anymore.
David Spark
The acquisition without being profitable is far more attractive. Yes.
Patti Degnan
I think that that depends on the founder.
Andy Ellis
Yeah, I'd want to look at that 80% number of how many of those are functionally aqua hires versus positive outcomes. There's a lot of companies that get acquired when they're on their last legs, and functionally that's not a positive outcome other than everybody keeps the job.
David Spark
All right, well, that brings us to the very, very end of the show. I want to thank our guest in studio, guest Patty Degnan, who is the operating partner over it. And I've been told you can say it either way. A16Z or Andreessen Horowitz, which I didn't realize it's the number of letters from essentially N to the T and Andreessen Horowitz. Did you do. Am I right on that?
Patti Degnan
You're right, yeah.
Andy Ellis
You've never seen, like, i18N as an abbreviation or before either?
David Spark
No, I'm slow and stupid
Andy Ellis
as far as I8N. I apologize.
David Spark
I want to thank our sponsor, though. Threatlocker. Remember, go to threatlocker.com CISO. They have their Zero Trust network access and their Zero Trust cloud access will help you build that out. Patty. Now, I don't know about hiring over at A16Z, but I believe many of your portfolio companies are hiring and where to find that is where it's jobs.a16ze.com I believe it is the jobs.a16z.com and essentially that's you essentially host all the job opportunities for your whole portfolio.
Patti Degnan
Oh.
David Spark
So chances are there's something that will speak to you.
Andy Ellis
And it's apparently like 15,000 jobs there. So.
David Spark
15,000. That is a lot.
Andy Ellis
But no CISO roles as of recording date. I went and checked.
David Spark
Really?
Andy Ellis
I searched for ciso, but that's kind
David Spark
of part of your job. You kind of operate as sort of a CISO in residence for many of the companies. Yes.
Patti Degnan
More as an advisor, right? Yes.
David Spark
But you're also advising when to build out their security program and at the point when they need a ciso, correct or.
Patti Degnan
Yes, whatever.
David Spark
First security hire, what becomes that critical moment you think they need a ciso?
Patti Degnan
I mean, I think it's become a lot earlier I have companies that are talking to me now that are 20 people that actually are caring more about security. And I think it's to what we talked about.
David Spark
Is the CISO the first security hire or no?
Patti Degnan
Sometimes. No. Sometimes they're looking for a Swiss army knife, somebody that can help them get through soc to talk to product teams like put in inherent product security features out of the gate and then start thinking about how to build that more strategic programs. Yeah.
David Spark
You did this as well, didn't you?
Andy Ellis
Yeah, Andy. Yeah, I've done it both in early stage companies as sort of an advisory ciso, which is a blend of being the field CISO as well. And then, you know, at Akamai, obviously I did a little bit of everything and. And in fact, one of my how to CISO books is the idealized CISO job description. So over at howtocso.com, you can see all of the different roles you might hold.
David Spark
Very good. Well, check out that also Andy's book one percent Leadership, which I have read, which is excellent, I highly recommend as well. He's holding it up right there. I have a signed copy. Thank you very much, Andy. Thank you very much, Patty. And to our audience, we greatly appreciate your contributions and for listening to the
CISO series podcast that wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup and cybersecurity headlines. Week in review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly@Davidisoseries.com thank you for listening to the CISO Series podcast.
Hosts: David Spark, Andy Ellis
Guest: Patti Degnan (former Notion CISO, now Operating Partner at Andreessen Horowitz)
Release Date: July 7, 2026
This episode dives deep into the persistent challenges of identity management, the realities of implementing Zero Trust, the growing speed of exploit weaponization, and the real versus perceived ROI in cybersecurity startups. The hosts and guest offer an unvarnished look at how businesses, security teams, and vendors cope with accelerating change—especially under the pressures introduced by autonomous agents (AI/ML), regulatory calls, and board-level concerns. Throughout, the panel challenges assumptions and unpacks the messy intersection of cybersecurity theory and business reality.
[05:06] – [09:47]
[09:53] – [15:40]
[21:23] – [25:55]
[17:30] – [21:17]
[26:18] – [28:06]
[28:26] – [33:44]
The discussion is blunt, humorous, and practical, with healthy skepticism of both technology and business/board dynamics. The hosts openly challenge “best practice” dogma, preferring insight over platitudes.
For additional resources and more episodes, visit cisoseries.com.