Podcast Summary: CISO Series Podcast
Episode: Why Highlight Diversity When We Can Just Hope You Don't Notice?
Date: March 24, 2026
Hosts: David Spark, Mike Johnson
Guest: Julie Meyerholtz (CISO, Brunswick Corporation)
Theme: Discussions, tips, and debates from security practitioners and vendors on improving security collaboration, risk management, real-world security practices, AI impacts, and the value (and challenges) of diversity in the cyber community.
Main Theme / Purpose
This episode explores the realities facing security leaders: the evolving risks and responsibilities in cloud and AI ecosystems, how to separate effective practices from outdated dogma, and why diversity and open feedback are critical for security maturity. The panel delivers candid commentary on vendor responsibilities vs. enterprise controls, the importance of challenging assumptions, the impact AI is having on risk, and how (and why) to proactively address diversity gaps within the cybersecurity world.
Key Discussion Points & Insights
1. RSAC Predictions, Security Nostalgia, and Enigma Machines
(00:54–05:04)
- Hosts tease RSAC trends, joking about the omnipresence of AI and playful predictions about COBOL and mainframe security.
- Fond reminiscences of early programming languages (Fortran, Assembly), and passion for historic crypto devices like the Enigma machine.
- Quote: “At past RSAs, they've had the Enigma machine there. Have you ever gotten your hands on an Enigma and played with it? It’s pretty darn cool.” — David Spark (02:53)
- Quote: “It was really one of the early encryption decryption systems... and it was also famously one of the first instances of code breaking.” — Mike Johnson (03:33)
2. Examining the Shared Responsibility Model in Cloud Security
(05:14–09:30)
- Prompt: Are CISOs stuck with endless auditing because default cloud settings aren’t secure?
- Discussion focuses on the "shared responsibility" model:
- Vendors provide infrastructure and certain controls; customers must configure for their unique needs.
- Insecure or easily misconfigured defaults (the publicly readable S3 bucket is the canonical example) have caused breaches, though vendors' defaults are improving.
- Security requires understanding where vendor responsibility ends and customer responsibility begins.
- Quote: “We as companies need to take accountability for owning security. It’s not a 50/50 thing.” — Julie Meyerholtz (08:25)
- Privilege escalation risks differ by business and use case; segmenting workloads and understanding the blast radius of a compromised account are key preventive steps.
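The customer's side of the shared-responsibility split is mostly configuration. As an added example (not code from the podcast or its hosts), the script below statically checks an S3 bucket's Block Public Access flags, ACL and bucket policy for grants to "everyone", and shows a weak configuration beside a hardened one. The bucket descriptions, the account ID and the bucket name are constructed placeholders shaped like the output of `get-public-access-block`, `get-bucket-acl` and `get-bucket-policy`, so it runs offline; a real audit would feed it those API responses.

```python
"""Static check for S3 bucket exposure: Block Public Access flags, ACL,
and bucket-policy statements that grant access to everyone.

Added example; not code from the podcast.  The bucket descriptions at the
bottom are constructed inputs, so the script runs offline.
"""
import json

# The four Block Public Access settings; all must be true for S3 to refuse
# public ACLs and public bucket policies.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_ACLS = ("public-read", "public-read-write", "authenticated-read")


def principal_is_wildcard(principal):
    """True if a policy Principal element means 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def wildcard_statements(policy_doc):
    """Yield (sid, has_condition) for every Allow statement open to everyone."""
    statements = policy_doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_is_wildcard(stmt.get("Principal")):
            yield stmt.get("Sid", f"statement[{idx}]"), bool(stmt.get("Condition"))


def bucket_findings(bucket):
    """Return a list of human-readable findings; an empty list means nothing to flag."""
    findings = []
    pab = bucket.get("public_access_block") or {}
    disabled = [k for k in PAB_KEYS if not pab.get(k, False)]
    if disabled:
        findings.append("Block Public Access not fully enabled: " + ", ".join(disabled))

    acl = bucket.get("acl", "private")
    if acl in PUBLIC_ACLS:
        # With IgnorePublicAcls on, S3 disregards public ACL grants.
        mitigated = pab.get("IgnorePublicAcls", False)
        findings.append(f"ACL '{acl}' grants access to everyone"
                        + (" (ignored by IgnorePublicAcls)" if mitigated else ""))

    policy = bucket.get("policy")
    if policy:
        doc = json.loads(policy) if isinstance(policy, str) else policy
        for sid, conditional in wildcard_statements(doc):
            if conditional:
                findings.append(f"policy {sid}: wildcard principal limited by a Condition; review its keys")
            else:
                # With RestrictPublicBuckets on, S3 ignores public policy grants.
                mitigated = pab.get("RestrictPublicBuckets", False)
                findings.append(f"policy {sid}: unconditional Allow to everyone"
                                + (" (ignored by RestrictPublicBuckets)" if mitigated else ""))
    return findings


# Constructed inputs: account ID and bucket name are placeholders, not real resources.
WEAK_BUCKET = {
    "name": "example-bucket",
    "acl": "private",
    "public_access_block": {k: False for k in PAB_KEYS},
    "policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]},
}

HARDENED_BUCKET = {
    "name": "example-bucket",
    "acl": "private",
    "public_access_block": {k: True for k in PAB_KEYS},
    "policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "AppRoleRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]},
}

if __name__ == "__main__":
    for b in (WEAK_BUCKET, HARDENED_BUCKET):
        print(b["name"], bucket_findings(b) or ["no findings"])
```

The weak bucket is reported twice: Block Public Access is off on all four settings, and the policy lets anyone read every object. The hardened bucket turns the four settings on (so even a later mistaken public policy would be ignored) and scopes the grant to a single role. A wildcard principal that carries a Condition is reported for review rather than as public, because keys such as aws:SourceVpce or aws:PrincipalOrgID make such a statement non-public under AWS's definition while others do not.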
3. When ‘Best Practices’ No Longer Make Sense: Shedding Outdated Security Controls
(09:36–16:58)
- Prompt: How do you know when security “best practices” are outdated or wasteful?
- Common pitfalls:
- Measures like mandatory periodic password rotation or broad DLP often deliver little measurable benefit while harming usability or performance (NIST SP 800-63B now advises against forced rotation unless compromise is suspected).
- Compliance does not always equal security; sometimes, regulations force backward steps.
- Consensus: Regularly question the value of each practice, and seek staff feedback.
- Quote: “Compliance is not security... you really need to look at what’s best for the business and how to enable your business to do what it needs to do.” — Julie Meyerholtz (10:45)
- Internal audits, asking new team members "why are we doing this?", and periodic first-principles reviews help catch creeping inefficiencies.
- Quote: “Periodically looking around and saying, hey, why do we keep doing this?” — Mike Johnson (12:39)
Creating a Beginner’s Mindset and Design Thinking
- Invite outsiders or new hires to question existing practices for fresh perspective.
- Promote a culture where feedback is welcomed and acted upon.
- Quote: “Just because we did it that way yesterday doesn’t mean tomorrow is the same day.” — Julie Meyerholtz (15:13)
4. What’s Worse? Quantum-Decryption Leaks vs. AI-Driven Malware
(18:03–22:05)
Scenario 1: Data is leaked after quantum computers break your encryption.
Scenario 2: You face adaptive, AI-powered malware immune to traditional detection.
- Mike sees quantum decryption (an irreversible disclosure) as worse, since by the time you know, it has already happened — “the data is already out there” (20:28).
- Julie disagrees, prioritizing business operational continuity over data loss:
- Quote: “Not all data is created equal... keeping the business running and making sure that we’re not ransomed or attacked and that business is down is more important than leaked data.” — Julie Meyerholtz (21:00)
- Both agree: “Neither [scenario] is great.”
- Julie’s stance: Ransomware/operational attacks threaten company survival; some data leaks are manageable.
5. Third-Party Risk & The Expanding AI Vendor Footprint
(22:16–27:19)
- AI tools multiply your third-party risk by adding new layers: model vendors, connectors, databases, etc.
- Traditional risk reviews (SOC2, point-in-time checks) aren’t sufficient for the fluidity and complexity of AI supply chains.
- Critical questions when evaluating AI vendors:
- What data do they access, store, or use for training?
- Who are the sub-processors?
- Is customer data protected or shared?
- Quote: “AI definitely makes our lives a lot harder, especially from the business perspective, because anybody can turn on AI within the business and you may not even know.” — Julie Meyerholtz (23:35)
- Both agree: Transparency is lacking, and the space is moving too quickly for comfort.
- Quote: “Things are going to change. That’s how quickly things are moving here… we’re all figuring it out as we go.” — Mike Johnson (24:41)
- AI tooling changes faster than governance and review processes can track, increasing both risk and confusion.
6. Why Exposure Management Requires Learning From Trends
(28:38–29:49)
- High-profile SaaS breaches often trace back to the same handful of root causes (abused OAuth app grants, access that survives poor offboarding).
- Fixing symptoms isn't enough — mature programs seek to prevent root-cause recurrence by analyzing exposure trends over time.
- Quote: “The real power of exposure management isn’t about fixing today’s issues faster, but in preventing tomorrow’s issues from being created at all.” — David Spark (29:32) [Sponsored segment]
7. Is Diversity Call-Out Culture Effective? Building Inclusive Security Communities
(30:12–35:03)
- Case: TryHackMe was called out online for lacking women in its Advent of Cyber lineup, leading to a revised, more balanced list.
- Hosts and guest discuss the importance of feedback to combat blind spots in diversity and representation.
- Quote: “Feedback’s a gift. What you choose to do with it is up to you.” — Julie Meyerholtz (31:40)
- The best reaction to being called out is humility, gratitude, and action — not defensiveness.
- Julie highlights proactive measures (diverse teams, open collaboration) and aligning public-facing work with desired representation.
- Quote: “Whenever you’re publicly going out, you’re representing your brand… Is that the brand that you want people to see?” — Julie Meyerholtz (32:01)
- Mike emphasizes building trust so others feel comfortable raising these issues, and using feedback to update policies and avoid repeating mistakes.
Notable Quotes & Moments (with Timestamps)
- On cloud vendor defaults:
“Cloud providers have weaponized shared responsibility as a shield for shipping insecure defaults.”
– David Spark (05:14)
- Questioning ‘secure by design’:
“At the end of the day, some of it is your responsibility, some of it is the vendor’s responsibility... it’s important for you to understand where their responsibilities end and where yours begin.”
– Mike Johnson (06:20)
- On compliance vs. security:
“Compliance is not security... had to take my security profile backwards because the regulations prevented me from using things like CrowdStrike.”
– Julie Meyerholtz (10:45)
- On challenging legacy practices:
“Periodically looking around and saying, hey, why do we keep doing this?”
– Mike Johnson (12:39)
- On AI risk explosion:
“AI... makes our lives a lot harder, especially from the business perspective, because anybody can turn on AI within the business and whether or not you know that that’s happening is a huge risk.”
– Julie Meyerholtz (23:35)
- On feedback and diversity:
“Feedback’s a gift. It’s a gift that somebody shared something with you. What you choose to do with it... is up to you.”
– Julie Meyerholtz (31:40)
- On learning from mistakes:
“Mature programs analyze exposure trends over time... use exposure data to tune guardrails and defaults, [and] reduce risk before it appears.”
– David Spark (29:49, sponsored segment)
Timestamps for Important Segments
- Enigma, retro computing, and security nostalgia (00:54–05:04)
- Shared Responsibility in Cloud Security (05:14–09:30)
- Identifying and Shedding Outdated Security Controls (09:36–16:58)
- What’s Worse: Quantum Leaks or AI Malware? (18:03–22:05)
- Third Party and AI Risk (22:16–27:19)
- Exposure Management Tips (28:38–29:49, sponsored)
- Does Shaming Improve Diversity? (30:12–35:03)
- Wrap up and reflections on feedback (35:03–37:30)
Tone & Language
The conversation is candid, practical, and occasionally playful—with emphasis on problem-solving, humility, and collective learning. The hosts and guest maintain a conversational, welcoming tone, encouraging self-reflection, openness to criticism, and a pragmatic approach to real-world challenges.
Key Takeaways
- Security is a business enabler — controls should always be mapped to business needs and risk profiles, not dogma.
- Periodic re-evaluation is essential — yesterday’s best practices can become today’s waste.
- AI is amplifying third-party risks and complexity, outpacing most governance models.
- Diversity and feedback are essentials, not options, for healthy security cultures — feedback is a “gift” even when it stings.
- No single model fits all — flexibility, segmentation, and business-driven thinking must override checklists.
- Change is the only constant — especially in security and tech; policies and controls must evolve alongside technology.
Final thoughts:
Julie Meyerholtz sums up by welcoming feedback and emphasizing the value of collaboration, diversity, and adaptability in security leadership. The episode encourages CISOs and practitioners to stay humble, be vigilant in questioning their own processes, and to embrace learning and inclusion as pathways to more resilient, effective security programs.
