CISO Series Podcast
Episode: Zero Trust Purple Team DevSecOps Mesh: A CASB Journey Through the Identity Fabric
Date: February 11, 2025
Hosts: David Spark, Steve Zalewski (guest co-host)
Guest: Matt Muller, Field CISO, Tines
Episode Overview
This episode tackles the evolving landscape of security operations, automation, and business alignment, mixing in expert stories, practical tips, and real-world debate. The hosts and guest discuss how to turn early AI adopters into security champions, the challenges of SOC roles, effective security metrics, and how automation is reshaping security operations—shifting the focus from simple efficiency to business effectiveness and risk resilience.
Main Discussion Themes
- Turning AI Early Adopters Into Security Champions
- The Role and Language of the SOC
- Security Automation: What Works, What Doesn’t
- Communicating Security in Business Terms
- Effective Collaboration Between Business and Security Teams
Key Discussion Points & Insights
1. Opening Stories and Security Mistakes
- Biggest Security Mistake
- Matt Muller recounts a memorable blunder: making a “routine” firewall change right before getting in an elevator with no cell service, only to emerge and discover he’d crashed the production website.
“There is no such thing as a routine firewall change. And you shouldn't do that right before leaving your desk.”
—Matt Muller [00:03]
2. The AI Security Champion Challenge [03:15]
- How to Create AI Security Champions
- Early adopters fall into three buckets: those who want to do the right thing, the indifferent/“ignorant,” and the entitled ones who value business over security.
"There's those that want to do the right thing… the ones that feign ignorance all the time… and the entitled ones…"
—Steve Zalewski [04:11]
- The goal: engage the early adopters who understand security as champions, while still holding the other two groups accountable.
- Drawing lessons from Slack’s adoption path—empower users to teach others and leverage their expertise.
“People love teaching other people.”
—Matt Muller [07:03]
- Recognize that regulated environments may have non-negotiable risk boundaries.
"Sometimes there's just some data you literally cannot put into public ChatGPT… that is just the bar in the line that you have to hold."
—Matt Muller [08:31]
3. The Language of Security Operations [09:30]
- Is the SOC Too Focused on Language?
- The discussion asks whether vague language and the “security function” label have made the SOC too inward-looking, limiting its role to threat detection rather than broader business risk.
- Matt Muller argues SOC should help clarify risk taken by business, not just focus on “quality.”
“Security operations doesn’t exist in a vacuum.”
—Matt Muller [10:34]
- Steve Zalewski suggests the SOC is fundamentally about operationalizing the SIEM and managing attacks, but the function has become muddied.
“We never should have called it a SOC; we screwed up on day one.”
—Steve Zalewski [11:23]
- Both agree that effectiveness in attack response and clarity on what the SOC is accountable for are essential.
"Let's get back to understanding what we're ultimately accountable for and where the best place is to spend the money."
—Steve Zalewski [13:22]
4. What’s Worse? Game—Third Party Vendor Breach vs. Internal DevOps Pipeline Compromise [16:01]
- Scenario Debate
- Steve’s take: Internal DevOps pipeline attack is worse, since you can at least cut off a compromised vendor.
- Matt's take: Third-party vendor compromise is worse due to lack of control over response, forensics, and obligation alignment.
“Once a breach has happened at a third party vendor, all of your incentive alignment goes out the window.”
—Matt Muller [18:02]
- David Spark agrees with Matt: better to have (some) control and insight, even if the internal attack is bad.
5. Security Automation—What’s Overhyped, What Needs More Attention [20:33]
- Automation as Staff Enhancer vs. Replacement
- Steve dislikes pitches focused on “helping analysts do their jobs faster” if they don’t also rethink the substance of analyst roles.
“A lot of what the SOC analysts do isn’t actually effective because we’ve gotten that over time.”
—Steve Zalewski [21:22]
- Matt wants to hear less about “time to value in minutes” and more honesty about the real complexity of automation.
“Automation, especially if you have complex processes, may actually take a little bit of time to get from zero to one.”
—Matt Muller [21:55]
- Many teams fight with outdated runbooks, brittle Python scripts, or inflexible legacy SOAR tools; user-friendly automation frees analysts from work they hate so they can focus on meaningful tasks.
“I was talking to a customer recently who described what they do as anger-driven automation…”
—Matt Muller [23:10]
- Real advances let automation and AI handle context-sensitive tasks, reducing “eyes on glass” time.
“We’ve broken through so that the automation and the AI can take some of the eyes on glass out of the process.”
—Steve Zalewski [25:19]
- The future: “Blend deterministic automation... with the predictions and probabilistic outcomes of AI combined with, hey, sometimes you need a human in the loop.”
—Matt Muller [26:39]
6. Aligning Security with Business Objectives [27:03]
- Buzzwords vs. Business Impact
- The team dissects why security must be communicated in business terms, not technical jargon (e.g., “we blocked X million attacks”).
“You’ve got to talk about the metrics that the business is interested in, not in the measurement of the security controls themselves.”
—Steve Zalewski [28:20]
- Steve shares the “sell more jeans” philosophy: measure security by its role in protecting brand, people, and supply chain rather than by isolated technical metrics.
"My job is to sell more jeans, not to secure the company... that just clears the deck for everybody to understand."
—Steve Zalewski [29:06]
- Matt echoes this: maturity metrics are useful internally, but the business cares about tangible outcomes, parachutes rather than the fabric details.
“If the business is going to go jump off a cliff, we’re measuring and handing out parachutes, not talking about how strong our nylon is…”
—Matt Muller [30:25]
- Good communication includes explaining when high-profile risks do not apply:
"Communication of non-risk is also something that's a little bit underestimated as well."
—Matt Muller [34:06]
Notable Quotes
- "There is no such thing as a routine firewall change." —Matt Muller [00:03]
- "There's those that want to do the right thing... the ones that feign ignorance... and the entitled ones..." —Steve Zalewski [04:11]
- "People love teaching other people." —Matt Muller [07:03]
- "We never should have called it a SOC; we screwed up on day one." —Steve Zalewski [11:23]
- "Once a breach has happened at a third party vendor, all of your incentive alignment goes out the window." —Matt Muller [18:02]
- "You’ve got to talk about the metrics that the business is interested in, not in the measurement of the security controls themselves." —Steve Zalewski [28:20]
- "If the business is going to go jump off a cliff, we’re measuring and handing out parachutes, not talking about how strong our nylon is..." —Matt Muller [30:25]
Timestamps for Key Segments
- [00:03] Opening security mishap story (Matt Muller)
- [03:15] How to turn AI early adopters into security champions
- [09:30] Language in SOC and security functions
- [16:01] "What's Worse?" — Vendor vs. DevOps compromise debate
- [20:33] Security automation: hype vs. reality and innovations
- [27:03] Communicating security in business terms
Memorable Moments
- Anger-Driven Automation:
“I was talking to a customer recently who described what they do as anger-driven automation...” —Matt Muller [23:10]
- Steve's "Sell More Jeans" Mantra:
“My job is to sell more jeans, not to secure the company.” —Steve Zalewski [29:06]
- "Communication of Non-Risk":
"I would always have my threat intelligence teams that were looking at articles being published… Even if the attack didn't impact us, we would actually… just say, hey, here's what's out in the chatter. FYI, we have controls against this." —Matt Muller [34:06]
Actionable Takeaways
- Security must be tied to business outcomes. Talk resiliency, risk, and actual operational impact.
- Early adopter champions—seek out those who both adopt new tech and care about security, empower them, and learn from their creative usage.
- Automation’s value is not in speed alone, but in removing drudgery from analysts’ work and letting them focus on meaningful problems.
- Metrics should reflect what matters to the business, not vanity statistics. Boards and execs want to know about the risks that can actually impact the bottom line, not just numbers of attacks blocked.
- Vendor risks can be more challenging than internal ones—lack of control often trumps severity when planning incident response.
Closing and Resources
- Tines offers a free community version—try for hands-on automation.
- Matt Muller is open to connecting on LinkedIn and Bluesky to discuss automation and cybersecurity challenges.
- Listener engagement is encouraged, especially for “What’s Worse?” scenario submission.
This summary captures the episode’s practical wisdom, frank debate, and the candid, personable style of the CISO Series Podcast—useful whether you’re on the front lines of security or engaging in executive board conversations.
