Podcast Summary:
CISO Series Podcast
Episode: Why Architect for Human Error When We Can Make People Feel Really Bad About It?
Date: November 25, 2025
Hosts: David Spark, Andy Ellis
Guest: Richard Rushing (CISO, Motorola Mobility)
Episode Overview
This episode explores how security practitioners balance technical controls and human fallibility, challenging the mindset of blaming people for mistakes rather than designing resilient systems. The hosts, joined by Motorola’s CISO Richard Rushing, also discuss what separates great CISOs from mediocre ones, the distinction between cyber hygiene and vulnerabilities, the realities of automation, and the cultural power of mentoring in changing organizational security behaviors.
Key Discussion Points & Insights
1. On Human Error and Security Design
- Main Theme: The security industry often blames users for mistakes (human error), but real security should expect error and design for resilience.
- Quote (Joshua Copeland, 25:59):
“If a single impulsive click can cascade into the compromise of your entire identity, then the real issue isn’t the human, it’s the bad system design… Human error isn’t a vulnerability to be patched. It’s the default operating mode of being human.”
- Andy Ellis (27:19):
“Humans are doing what the human is supposed to do… If you blame human error, it’s because your system’s at fault.”
- Emphasizes that security should account for natural human behaviors (e.g., clicking links) and that controls like phishing-resistant MFA should be the norm.
- Richard Rushing (29:26):
- Echoes Andy, adding that metrics usually track user “failures” without accounting for system flaws that allow those failures to have impact.
- Critiques legacy authentication and session models, arguing security design lags behind the reality of decentralized, remote work.
Timestamp: [25:59–31:57]
2. Good CISO vs. Bad CISO Framework
- Prompted by Phil Venables’ “Good CISO, Bad CISO” List
- Highlights from Discussion:
- Good CISOs are business leaders with strategic vision; bad CISOs are reactive tool managers.
- Andy Ellis (6:02):
“Good CISOs write consumable content… Bad CISOs… got bored around pair number six.”
- Critiques not the substance but the delivery, warning against filler content in both marketing and security policy.
- Richard Rushing (8:15):
- Stresses that what’s “good” or “bad” can be contextual—company size, culture, and how the CISO role is structured matter.
- Notable Banter:
- Andy says the list felt like “Goofus and Gallant for CISOs” (10:23).
- The hosts joke about the Days of Atonement and sending apologies to Phil.
Timestamp: [05:01–11:10]
3. Security Hygiene vs. Real Vulnerabilities
- User Question from Reddit (11:15):
Is there a functional difference between “hygiene” findings and true vulnerabilities in security assessments?
- Richard Rushing (12:14):
- Argues they both matter: software defects and configuration issues should be managed as vulnerability classes.
- Hygiene is broader, but ignoring it means accepting organizational risk.
- Andy Ellis (13:51):
“I dislike the language… [they’re] conflating language about risk with projects around solving risk.”
- Explains that low-severity issues are like urban litter: not worth triaging one-by-one but still need systematic cleanup.
- Calls for clearer vocabulary—separating hygiene projects from critical risk management.
Timestamp: [11:15–16:24]
4. What’s Worse? (Game Segment)
- Scenarios:
A) AI-powered remediation occasionally (once per week) kills a critical business process.
B) No automation; all minor issues linger as tickets for at least a week.
- Andy’s Verdict (19:01):
“Shooting the business in the foot once a week is worse than not shooting the business in the foot.”
- Prefers delays over direct, repeated business-impacting outages.
- Richard’s View (20:43):
- Disagrees! Argues that unaddressed accumulating issues (especially with today’s rapid-fire zero-days) could destroy a business more thoroughly.
- Hosts debate edge cases, wonder where the “race to destruction” has its crossover point.
- Andy appeals to the audience for judgment:
“Am I just really wrong here and I’m not thinking correctly about it?”
Timestamp: [18:01–25:15]
5. Mentoring and Security Metrics
- Prompt (Eugene Zonda via Maman Ibrahim, 33:34):
Mentoring, not negative compliance metrics, changes security culture, but how can you “report” mentoring’s impact to executives?
- Richard Rushing (34:12):
- Describes shifting from annual “death by PowerPoint” training to continuous, peer-driven conversations.
- Effective mentoring = building cross-team relationships and scaling security knowledge organization-wide.
- Andy Ellis (36:23):
“We’ve built so many compliance-driven activities that we’ve taken away the energy left for mentoring.”
- Suggests replacing one-size-fits-all training with brief requirements and using that saved time for targeted mentoring that builds real influence.
Timestamp: [33:34–37:14]
Notable Quotes & Memorable Moments
- On CISO effectiveness:
Andy Ellis (06:02): “The [CISO] list felt like Goofus and Gallant… All of them are pretty decent, none are bad, but the content marketing of it made it really feel like he got bored after the first six or so.”
- On “hygiene” vs. “vulnerability” language:
Andy Ellis (13:51): “If you start redefining vulnerability to mean something different, you’re going to confuse everybody.”
- On security design for humans:
Joshua Copeland (25:59): “If a single impulsive click can cascade into the compromise of your entire identity, then the real issue isn’t the human, it’s the bad system design.”
- Banter, apologies, and “Bickertainment”:
- Hosts discuss giving annual mass apologies (01:58–02:51)
- Introduce the term “Bickertainment” for their friendly sniping (03:49–04:10)
Important Segment Timestamps
- [00:04] — Opening Security Mistake: Assumptions about persistence and scope of ransomware attacks (Richard Rushing)
- [05:01] — Good CISO vs. Bad CISO discussion
- [11:15] — Distinguishing Security Hygiene from Vulnerabilities
- [18:01] — “What’s Worse?”: AI vs. Manual Remediation Debate
- [25:59] — System Design for Human Error (Quote & Deep Dive)
- [33:34] — The Power and Reporting of Mentoring in Security Programs
Tone & Style
- Conversational & Playful: Frequent banter, jokes, and good-natured ribbing (“Bickertainment”).
- Direct & Thoughtful: Challenging industry assumptions, dissecting language, and demanding more pragmatic and human-centered solutions.
- Engaged with Audience: Soliciting listener opinions directly (notably during the “What’s Worse?” segment).
Conclusion
The episode forcefully advocates for security programs that work with, not against, human nature. The hosts and guest urge practitioners to expect and design for mistakes, focus on structural controls, and invest energy in relationship-driven mentoring over rote compliance. The recurring message: real security leadership, like real organizational improvement, comes from context-driven empathy and strategic ownership—not just new tools or punitive processes.
For audience participation, feedback, and debate, listeners are encouraged to contact the show at feedbackisoseries.com or find the hosts on LinkedIn.
