Podcast Summary: CISO Series Podcast
Episode: You Can't Fall Behind in AI if You Never Start
Date: December 2, 2025
Hosts: David Spark, Mike Johnson (CISO of Rivian), Andy Ellis
Guest: John Barrow (CISO of JB Poins Extra & Company)
Episode Overview
This episode tackles how CISOs and security teams are grappling with the rapid rise of AI, from the challenge of hiring AI security talent to evolving foundational security frameworks and building pragmatic, human-centered security programs. The hosts and guest John Barrow debate the best approaches for improving security culture, working with vendors, and aligning security strategy with business needs and boardroom priorities. The tone is lively, candid, and often humorous, making complex topics accessible through storytelling and debate.
Key Discussion Points and Insights
1. The AI Talent Conundrum: Building Versus Buying (04:16–08:42)
- Prompt: Security teams need AI-savvy professionals, but few exist with true hands-on AI security experience. What’s the best approach?
- Mike Johnson:
- Advocates for "building unicorns" internally, not hiring externally:
"The reality is you don't hire unicorns, you build them. This is the thing that we do time and time again. Whenever there's a technology shift, there's always this period...security is working to catch up, and we're in that cycle again." (05:17)
- Training current engineers leverages business context and sends a positive message to the team.
- John Barrow:
- Agrees on internal champions but stresses constraints for lean teams: "My engineers...they're already, their plates [are] over full, right? Like they don't have any additional cycles." (06:41)
- Suggests a hybrid of internal development and strategic external hiring, especially when speed is necessary.
Memorable Exchange:
- David Spark: “Wouldn’t your team relish the opportunity to move to that area and have someone else from the outside take over their responsibilities?”
- John Barrow: “No, I think they would love that. But then the work they're doing now doesn't get accomplished, right." (07:48)
2. Revisiting the CIA Triad: Still Relevant? (08:48–14:03)
- Prompt: Is the CIA triad (Confidentiality, Integrity, Availability) a “Cold War relic”?
- John Barrow:
- Sees it as foundational but not front-of-mind in day-to-day operations:
"Everything rolls up to the CIA triad, but I don't think it's not in the forefront of my mind as I'm implementing things..." (09:47)
- Stresses the human element: Success depends on internal relationships, over-communication, and balancing security with business needs.
- Mike Johnson:
- Believes the triad’s broadness and flexibility are strengths: "I do think the value of CIA is that it is extremely high level, and basically you can find a home for everything if you really need to." (12:40)
- Highlights the importance of consistent language and relationship-building with business leaders.
3. What’s Worse? Security Usability vs. Over-Engineering (15:36–18:31)
- Game Setup: Choose the “worse” scenario:
- Zero trust blocks every third attempt at company website access, or
- Zero trust requires 13-factor authentication (including dance challenge).
- Mike Johnson: Delights in the dance challenge, humorously suggesting it would improve security by deterring access altogether.
- John Barrow:
- Takes the practical view: "Yeah, I think the dance is worse...cause no one's gonna do that. You're gonna break the business." (17:11)
- Notes even minor increases in authentication steps prompt user complaints.
4. Bringing GRC and Security to the Boardroom: Strategic Moves and AI Adoption (19:19–22:24)
- Prompt: How to make GRC (governance, risk, compliance) relevant in boardrooms?
- John Barrow:
- Argues GRC is easily understood, but stresses compliance isn't enough:
"Being compliant doesn't mean you're secure. Compliance is kind of the baseline, the first step." (19:55)
- Shares budget constraints and creative negotiation with vendors/startups: "I’ve been able to invest in a lot of great technology...I'm really diving in and leveraging AI startups. And...having my name and the company's name [as] an early adopter is more valuable than making a dollar.” (21:14)
- AI SOCs (Security Operations Centers) are now essential for scaling operations on a lean team.
- Mike Johnson:
- Echoes the value of partnering with startups and that mutual benefit is derived from exchanging feedback and experience, not just dollars.
5. Notable Storytelling: “Get the Stories, Not Just the Dollars” (24:08–25:26)
- David Spark:
- Shares a mentor’s advice on the early days of entrepreneurship: collecting stories from early client relationships is often more valuable than upfront money, as those stories sell future business.
6. Security Tip: Dangers of Legacy Passwords after Passkey Adoption (25:40–27:31)
- When migrating to passkeys, old passwords often remain valid unless explicitly revoked, creating a hidden security risk.
- Key advice: Make sure enabling passkeys disables legacy authentication paths across all accounts.
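The pitfall behind this tip is easy to reproduce in a few lines. The example below is added here and is not from the episode or any product the hosts mention: it models an account that holds both a legacy password hash and a set of passkey credential IDs, shows a naive passkey enrolment that leaves the password usable next to one that retires it, and adds an audit that lists accounts still reachable by password after passkey enrolment. The account records and credential IDs are constructed inline; passkey verification is simplified to a credential-ID lookup (a real WebAuthn flow verifies a signed challenge), which is an assumption of this demo, not of the tip.

```python
"""Added example (not from the episode): why passkey enrolment must
explicitly retire the password path, plus an audit that finds accounts
where it did not. All account data below is constructed for the demo."""
from dataclasses import dataclass, field
from typing import Optional, Set, List, Dict
import hashlib
import hmac
import os


@dataclass
class Account:
    username: str
    password_hash: Optional[bytes]          # legacy path; None means retired
    salt: bytes
    passkey_ids: Set[str] = field(default_factory=set)


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, _hash_password(password, salt), salt)


def enroll_passkey_naive(acct: Account, credential_id: str) -> None:
    # The hidden risk: the passkey is added, but the password hash stays
    # valid, so the account is still reachable by the weaker path.
    acct.passkey_ids.add(credential_id)


def enroll_passkey_and_retire_password(acct: Account, credential_id: str) -> None:
    # Correct behaviour per the tip: enabling the passkey closes the legacy path.
    acct.passkey_ids.add(credential_id)
    acct.password_hash = None


def password_login(acct: Account, password: str) -> bool:
    if acct.password_hash is None:
        return False                        # legacy path retired
    return hmac.compare_digest(acct.password_hash, _hash_password(password, acct.salt))


def passkey_login(acct: Account, credential_id: str) -> bool:
    # Simplification (assumption of this demo): a real WebAuthn verifier checks
    # a signature over a server challenge, not just the credential ID.
    return credential_id in acct.passkey_ids


def audit_legacy_paths(accounts: List[Account]) -> List[str]:
    """Return usernames that have a passkey but still accept a password."""
    return sorted(a.username for a in accounts
                  if a.passkey_ids and a.password_hash is not None)


def demo() -> Dict[str, object]:
    # Constructed sample accounts: alice enrolled naively, bob correctly.
    alice = create_account("alice", "correct horse battery staple")
    bob = create_account("bob", "hunter2")
    enroll_passkey_naive(alice, "cred-alice-1")
    enroll_passkey_and_retire_password(bob, "cred-bob-1")
    return {
        "alice_password_still_works": password_login(alice, "correct horse battery staple"),
        "bob_password_still_works": password_login(bob, "hunter2"),
        "bob_passkey_works": passkey_login(bob, "cred-bob-1"),
        "flagged": audit_legacy_paths([alice, bob]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit function is the piece worth carrying into a real environment: run the equivalent query against your identity provider's user inventory and treat any account that has a passkey registered but still has password (or other fallback) authentication enabled as an open finding, not a migration-in-progress state.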
7. Human-Centered Security Design: People as Honest Mirrors (27:51–32:13)
- Prompted by Joshua Copeland’s quote: "When you say people are the weakest link, what you really mean is we built a broken system..."
- Mike Johnson:
- Strongly opposes “phish testing” as blame-shifting onto users:
"If you have set up your system such that if somebody clicks on a link, it's not them who's failed, it's your security program..." (28:55)
- John Barrow:
- Focus on minimizing operational impact:
"If we make the controls too stringent or...there's too much impact...they're just going to bypass our process anyway." (30:32)
- Shares his aversion to dogmatic Zero Trust, which he considers unworkable in practice.
- Advocates for transparent communication, partnership, and risk management—not avoidance.
8. Security Program Adjustments Based on User Behavior (32:13–33:30)
- Mike Johnson:
- Notes negative user reactions to repetitive phish tests prompted a rethink of security awareness strategies.
- John Barrow:
- Blocking AI tools on legal’s order led to significant user pushback; adapted by forming an AI steering group to create a workable, safe path for AI use.
Notable Quotes and Moments
- On hiring AI security talent: "You don't hire unicorns, you build them." —Mike Johnson (05:17)
- On the CIA triad’s relevance: "The last time I actually mentioned CIA was probably when I was studying for the CISSP." —John Barrow (10:05)
- On vendor negotiations and budgets: "Having my name and the company's name as an early adopter is more valuable than making a dollar." —John Barrow (21:14)
- On human-centered security: "Humans are the most honest mirror of how bad our design really is." —(referencing Joshua Copeland, echoed by hosts)
- On security controls’ usability: "If we make the controls too stringent or too uncomfortable...they're just going to bypass our process anyway." —John Barrow (30:32)
Important Timestamps
- AI Security Hiring Debate: 04:16–08:42
- CIA Triad Relevance: 08:48–14:03
- “What’s Worse?” Zero Trust Game: 15:36–18:31
- GRC/Boardroom Strategy & AI Startups: 19:19–22:24
- Mentor Story – Value of Early Client Stories: 24:08–25:26
- Weekly Security Tip (Legacy Password Risk): 25:40–27:31
- Human-Centered Security/Blame Culture: 27:51–32:13
- Security Change Driven by User Behavior: 32:13–33:30
Tone and Notable Moments
The episode is lively, mixing banter, practical wisdom, and irreverent humor (including the recurring “dance authentication” gag). The hosts and guest are candid about industry challenges and emphasize adaptability, relationship-building, and learning from user feedback as central to making security work in the real world.
Listen to this episode for actionable insight into building AI security capability, evolving foundational frameworks, negotiating with vendors, and turning human behavior into a core strength of the security program.
