Defense in Depth
David Spark, Steve Zalewski, Geoff Belknap
Defense in Depth promises clear talk on cybersecurity's most controversial and confusing debates. Once a week we choose one controversial and popular cybersecurity debate and use the InfoSec community's insights to lead our discussion.
Mar 26, 2026 • 32min
How to Engage With a CISO When They Express Interest
Adam Palmer, CISO at First Hawaiian Bank, shares concise trade-show wisdom from running security programs. He explains how to spark interest in 30 seconds, why strategy beats feature lists, and what concrete next steps win follow-up conversations. Practical tales show what works at booths and what repels busy security leaders.

Mar 19, 2026 • 33min
Who is Responsible for the Conflict Between Security and Developers?
Matt Brown, a solutions architect at Endor Labs who specializes in software composition analysis and supply chain security, explores why developers prioritize functionality over security. The conversation covers leadership and incentive problems, pragmatic prioritization of vulnerabilities, AI and open source risks, and making security faster and easier for developers.

Mar 12, 2026 • 36min
Are Your Security Tools Creating More Work for Your Team?
Evan McHenry, CISO at Robinhood known for running security like an engineering function, talks vendor selection, three-year total cost of ownership, and operational tradeoffs of security tools. He covers delivery models, capacity planning, and matching tool complexity to team skills. The conversation stresses mapping workflows first and prioritizing high-signal tooling to avoid extra operational burden.

Mar 5, 2026 • 29min
Why Overpromising is a Dangerous Sales Tactic
Octavia Howell, VP and CISO at Equifax Canada and a veteran leader in enterprise security, discusses why vendors should stop overpromising. The conversation covers bluffing that damages trust, scare-tactic outreach, being upfront about limitations, and what true partnership looks like in complex sales.

Feb 26, 2026 • 27min
Should You Phish Your Employees or Not?
Mark Eggleston, Chief Information Security Officer at CSC, shares his take on phishing testing and security program design. He debates whether simulated phishing erodes trust while arguing for measurable testing. Discussion covers technical controls like MFA, measuring reporting not just clicks, and treating phishing drills as teachable fire drills rather than gotchas.

Feb 19, 2026 • 31min
How Much Autonomy Should You Give AI Agents in Your SOC?
Cliff Crosland, co-founder and CEO of Scanner.dev, a security data lake startup, discusses granting AI agents autonomy gradually, starting read-only and with human checkpoints. The discussion focuses on minimizing blast radius, using agents for triage and detection engineering, and the need for memory and learning before extending wider trust.

Feb 12, 2026 • 33min
Cybersecurity's Broken Hiring Process
All links and images can be found on CISO Series.

Check out this post by Dr. Chase Cunningham, CSO at Demo-Force, for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap. Joining us is Brett Conlon, CISO, American Century Investments.

In this episode:
- The experience paradox
- Who benefits from the narrative
- Kitchen sink job postings
- The aggregation problem

Huge thanks to our sponsor, Scanner. All your security logs end up in cloud storage like AWS S3. Scanner makes them searchable in seconds and runs real-time detections directly on that data. No pipelines, no re-ingestion. 100x faster than traditional data lakes, 10x cheaper than SIEMs. Loved by analysts. Built for AI agents. Learn more at scanner.dev

Feb 5, 2026 • 33min
Simple Security Solutions That Deliver a Big Impact
Rob Allen, Chief Product Officer at ThreatLocker and a product-driven security leader, discusses getting permissions right and preferring groups over individual rights. They cover patching and secure baselines, the importance of knowing your assets, and automating configuration hygiene. Simple process controls and phone verification for high-risk requests get attention too.

Jan 29, 2026 • 31min
When Cybersecurity Marketing Fails to Reach the Buyer
Tom Doughty, CISO at Generate:Biomedicines, brings hands-on security architecture experience. The conversation covers why cybersecurity marketing often misses buyers, the 3Ms framework of moment/metric/motion, and the risks of AI and agentic claims. It looks at investor-driven buzzwords, practical use cases that help internal buy-in, and why clear, concrete messaging matters.

Jan 22, 2026 • 27min
How Best to Prepare Your Data for Your Tools
Matt Goodrich, Director of Information Security at Alteryx, shares insights on AI data hygiene and governance. He highlights the challenges of relying on polished AI outputs, warning about their potential misleading nature. Goodrich emphasizes the importance of integrating human oversight in AI workflows and proposes using multiple AIs for cross-verification. He advocates for treating AI outputs as research rather than authoritative, pushing for a skeptical approach, and underscoring the need for governance to establish trust in AI-driven security systems.