CISO Series Podcast: "When We See White Smoke, We Know We Have a New CISO"
Date: February 10, 2026
Hosts: David Spark, Mike Johnson, Andy Ellis
Guest: Russ Harris (CISO, Principal Financial Group)
Overview
This episode dives into the realities of the CISO role, focusing on the challenges of demonstrating value to the board, the pitfalls of over-relying on metrics, the promises and myths around AI in cybersecurity, and the critical human aspects of leadership and organizational design. Russ Harris joins as a guest, bringing in-the-trenches experience as a sitting CISO. The hosts also debate classic dilemmas in security, share process improvement advice, and discuss strategies for staying connected with large security teams.
Key Discussion Points & Insights
1. The CISO Role: Should You Even Take the Job?
- Opening Advice:
  - Russ Harris: “First of all, don’t be a CISO. It’s a rough job, and you’ve got to have better options… But if you must, then you probably want to make sure that you focus on explicit gaps, not trends… try to focus on the fundamentals.” [00:02]
  - Echoed by Andy Ellis: “If you could see yourself doing anything but a CISO, please do it.” [03:54]
  - Both highlight the demanding, high-risk nature of the job and emphasize that success depends on fundamental work, not on getting lost in hype or chasing trends.
2. Metrics and Board Communication: Why Numbers Alone Fail
- Board Fatigue with Metrics:
  - David Spark raises the common scenario: boards are tired of technical metrics that don’t connect to business concerns. He references a CSO Online article on translating cyber risk to financial exposure. [04:28]
- Andy Ellis’ Position:
  - “If you think you can quantify cyber risk… you are almost certainly wrong… First, nobody believes your numbers. Second, there are very few metrics for measuring pieces of the business aside from total outcomes… You have to tell a good story.” [05:32]
  - Compares the CISO with other executives (CRO, CMO) to show that metrics are often less useful than people think.
- Russ Harris Adds:
  - “When I see people describe metrics, the visuals … often don’t tie to a decision… That’s your first clue that something’s wrong. If you’re just giving them an integer value… that’s just trivia.” [07:14]
  - Emphasizes the importance of “metric value that leads us into a better dialogue” and of focusing presentations on choices and business impact.
- Andy’s Warning:
  - “Make sure your metrics are not perverse… If you show a chart that looks good but means the opposite, you’ve lost the storytelling war.” [09:29]
Memorable Quote:
“So no matter how attractive the number sounds, if there’s no story to back it, it’s meaningless.” — David Spark [08:49]
3. AI’s Promise (and Limits) in Security Operations
- Frank Wang’s Argument:
  - AI will free humans from “tool babysitting” — configuring many SaaS products — and let them focus on intent and broader security/business logic. [10:10]
- Russ Harris’ Take:
  - “Tool babysitting is definitely an issue… But we probably need more bilingual folks… the language of the tool and the language of AI… [Total reliance on generalists and AI] is gross oversimplification.” [11:07]
  - Stresses the ongoing need for depth and real-world context.
- Andy Ellis Expands:
  - Bad SaaS tools force humans into configuration grunt work that should be the vendor’s responsibility; an AI “wizard” should handle it.
  - “You have a SaaS ecosystem that’s more complex than the data center ecosystem your equivalent company had 30 years ago… There’s a team — humans and AIs — to understand what’s in that ecosystem so you can do good design.” [12:49]
- Platform vs. Point Solutions:
  - Discussion: If AI truly manages complexity, could organizations move back toward using many point solutions instead of big unified platforms?
  - Russ notes: “There is a possibility in that zone… It makes it easier for companies of a certain size to build smaller solutions… but the complexity and interdependency remain very high.” [15:00]
  - Andy: “We always see this iterative life cycle of point solution to platform to point solution… just goes on and on.” [15:48]
4. Scenario Debate: Deepfake vs. Zero-Day Attack (What’s Worse?)
- Game Set-up:
  - Two bad scenarios:
    - AI-powered deepfake attack damaging the brand, impersonating execs.
    - AI-facilitated zero-day exploit active in your environment. [19:02]
- Andy Ellis’ Logic:
  - Zero-day is worse: “The zero day is my fault… If you deepfake us to the media… it’s not my fault that somebody else fell for a deepfake.” [20:04, 23:31]
  - Emphasizes responsibility: security issues in internal systems are the CISO’s domain; deepfake manipulations are not.
- Russ Harris Agrees:
  - Deepfake damage decays quickly; zero-day impact can linger: “On absolute terms… the deepfake has a much quicker decay rate… Whereas on the zero-day side, [the attacker] could continue to do other work… they could do persistence, lateral movement…” [24:31]
- Fun Moment:
  - Andy to the media: “If you fell for a deep fake… what would you do? Because now it’s on you.” [25:35]
5. Automation, Process Design, and Human Care
- Ron Bronson’s Thesis:
  - Security is a design discipline: “The real challenge is not designing better interfaces. It’s designing organizations, policies and processes that can maintain care over time, even when they are under pressure.” [26:13]
- Automation Caveats:
  - Russ Harris: “What I see happening over and over again is we have a process that doesn’t work… we implement the automation of that problem, we’ve now got scale to our brokenness… The best automation is often not executing that process at all.” [27:34, 28:49]
  - Shares a story about automating endless, unhelpful access reviews.
  - Focus on designing for maximum effect and minimum friction, not on automating bureaucracy.
- Andy Ellis:
  - “Too many people don’t understand processes as control systems… If I take responsibility and split it among two people, what I actually get is less care.” [29:52]
  - Reminisces about an old defense contractor process: dual entry, computer cross-checking, and the importance of engagement and control in system design.
- Human Decay Rate:
  - “Humans make really bad controls. If you make them do the same thing over and over again… the decay rate is tragic.” — Russ Harris [32:50]
  - Andy: “It’s not tragic, it’s amazing. It’s why we’re the dominant species… but terrible for checking a time card.” [32:52]
6. Staying Connected: How a CISO Keeps a Pulse on the Team
- How Often Do Team Members See the CISO?
  - Discussion of a Reddit survey: responses range from daily to once a year.
  - Some leaders engage directly, hold open Q&As, and use communication channels for fast context-sharing.
- Andy Ellis:
  - “Where is your team talking and are you there? … You need to be out and about and have people happy to take your calls because you never waste their time.” [34:21–36:18]
  - Example: Using team chat (Zulip) to stay informed instantly and draw on the team’s expertise.
- Russ Harris (Techniques):
  - Weekly 1:1s with all directs (“don’t miss them”); don’t multitask during them.
  - Every other week: 1:1s with directs’ directs, expanding reach.
  - Quarterly focus groups without managers present, for unfiltered feedback.
  - Build genuine connections over shared interests.
  - Story: Connected with a teammate over a visit to a local brewery, which led to valuable input. [36:30]
- Andy’s Managerial “Liturgical Response”:
  - “If you have an open door policy… practice hearing things you don’t agree with and saying, ‘huh, I need to think about that. I’m listening, but not reacting…’” [39:00]
  - Importance: Shutting down dissent or skepticism makes future feedback vanish.
- Russ:
  - “If you don’t do that, you will not get great responses the next time.” [39:27]
Notable Quote:
“If you’re just giving them an integer value of something that doesn’t tie to a business reality, they could choose, that’s not really useful context. That’s just trivia.” — Russ Harris [07:14]
Notable Quotes & Moments (with Timestamps)
- The CISO Career Path:
  - “First of all, don’t be a CISO. It’s a rough job…” — Russ Harris [00:02]
  - “If you could see yourself doing anything but a CISO, please do it.” — Andy Ellis [03:54]
- Metrics Storytelling:
  - “At the end of the day, you have to tell a good story… am I doing more for the business than a stock buyback would do?” — Andy Ellis [06:20]
  - “If you’re just giving an integer value… that’s just trivia.” — Russ Harris [07:14]
- AI for Security Operations:
  - “We probably need more bilingual folks… the language of the tool and also the language of AI…” — Russ Harris [11:35]
  - “You have a SaaS ecosystem… more complex than the data center ecosystem your equivalent company had 30 years ago.” — Andy Ellis [12:49]
- Deepfake vs. Zero-Day:
  - “Zero-day is my fault… Deepfake, not on me.” — Andy Ellis [20:04]
  - “On the deepfake side, there’s probably going to be that initial flush… the decay rate kicks in, and now it’s not going to be as big a deal seven days from now. Totally the reverse could be in the zero day situation.” — Russ Harris [24:31]
- Automation & Process:
  - “If you have a process that doesn’t work… we automate the problem, we’ve now got scale to our brokenness.” — Russ Harris [27:34]
  - “Humans make really bad controls. If you make them do the same thing over and over again… the decay rate on a human is tragic.” — Russ Harris [32:50]
- Team Connectivity:
  - “Where is your team talking and are you there?” — Andy Ellis [34:21]
  - “Weekly one-on-ones with all my directs that I don’t miss. I defer just about everything else in relationship to those… I don’t multitask.” — Russ Harris [36:30]
- Managerial Response:
  - “If you have an open door policy… practice hearing things you don’t agree with and saying, ‘huh, I need to think about that.’” — Andy Ellis [39:00]
  - “The thing that we are describing is critical to being able to make sure the other person is heard.” — Russ Harris [39:27]
Segment Timestamps
- CISO job realities and career advice [00:02–04:22]
- Metrics, storytelling, and board communication [04:28–10:05]
- AI in security operations and tooling [10:10–17:04]
- ‘What’s Worse?’ Deepfake vs. Zero-Day [19:02–25:59]
- Process and organizational design [26:13–33:03]
- CISO presence and team connection [33:08–41:32]
- Hiring and closing notes [41:05–end]
Takeaways
- The CISO’s job is not for the faint of heart: success depends on focusing on fundamentals and real value, not on chasing trends or dressing up empty numbers as a story.
- Data and metrics only matter if they enable sound business decisions; numbers without narrative or context are useless.
- AI promises to reduce “tool babysitting” but will not erase the need for security expertise across both tool and business domains; complexity remains.
- Deepfakes may be a PR headache, but systemic vulnerabilities are a CISO’s true risk — responsibility follows control.
- Automation only scales quality if the underlying processes make sense; automating bad processes just multiplies pain.
- Consistent, genuine, multi-level touch with the team (and openness to hearing things you might not like) is a core ingredient of security leadership.
For more engaging discussions and practical insights, subscribe to the CISO Series Podcast and check out Andy Ellis’ book “1% Leadership” (and maybe visit Russ Harris for a beverage in Iowa).
