This episode moves beyond technical implementation details—such as parsing rules or decoupled SIEMs—to focus on C-level leadership, transformation, and strategic communication. The central theme is the necessity for the CISO role to evolve or face obsolescence in the face of continuous digital change (Cloud, AI). The discussion leverages the guest's background as a former CISO, Board Risk Advisor, and author to provide a candid, high-level perspective on developing the crucial soft skills, managing organizational politics, effectively communicating risk to the Board, and prioritizing long-term strategy over acute, day-to-day pressures. A key takeaway is that the modern CISO must be a change driver and business translator, not merely a technologist or a roadblock.
Detailed Discussion Summary (Formal Meeting Debrief)
I. The Evolving CISO: Skills, Transformation, and C-Suite Status
The conversation opened by framing the CISO's journey as one of continuous transformation. David Gee underscored that for anyone in the C-suite, self-transformation is non-negotiable for survival. In the age of AI, which can readily exceed human capacity for recall and specific tasks, the CISO’s competitive advantage rests solely on soft skills—specifically strategic thinking, risk management, and stakeholder management. CISOs must fine-tune these areas to protect the longevity of their roles.
Climbing the C-Suite Mountain: David Gee used the analogy of climbing a mountain, noting that the "summit" (the CISO role) is uncomfortable, cold, and requires constant effort. Growth only occurs when one is uncomfortable, advocating that aspiring and incumbent CISOs should deliberately seek discomfort. This involves identifying knowledge, experience, and behavioral gaps, and actively trying to mimic or role-model the competencies of people two jobs ahead of them, even volunteering for tasks outside their remit (e.g., contributing to a strategy update or architecture roadmap).
Defining C-Suite Membership: Anton Chuvakin raised the critical distinction between having a "C" in the title (CISO) and actually being part of the C-suite. David Gee suggested that CISOs who struggle in this regard often come from a purely technical background. The "secret sauce" for true C-suite inclusion is the ability to translate business needs into technical strategy and vice-versa. This requires understanding the business's need to generate revenue and drive efficiency, while ensuring security is a supportive, not a compromising, element. This translation includes framing risk acceptance—such as forgoing changes to legacy systems to execute a transformation—as a calculated, time-bound risk that the Board is informed about and comfortable with.
II. Leadership and Resilience in Crisis
The discussion shifted to the topic of leadership and resilience following a security breach, an acute trust-shattering event. The key challenge in the post-breach recovery period is restoring confidence—in the Board, management, and the security team itself—without becoming overconfident due to the high degree of unknowns.
Post-Breach Strategy: The guest emphasized the fundamental principle of prioritization during recovery. The CISO's role is to establish clarity for the team, management, and the Board on the sequential steps (Step 1, 2, 3) necessary for rebuilding defenses, while managing expectations that the remediation process is a long-term commitment. He offered a cynical yet realistic analogy of a house being burgled and then burgled again, highlighting that post-incident recovery requires extra measures because the organization is known to be vulnerable. This period requires a combination of clear prioritization, time, and a measure of luck to avoid a repeat incident.
III. Navigating the Cloud Transformation
The hosts probed the CISO's role in ongoing cloud migrations. David Gee cautioned against simple "lifting and shifting," arguing that true transformation requires a security-first approach, or DevSecOps, not just DevOps.
CIO vs. COO Dynamics: David Gee shared a surprising experience from his time as a CISO, noting that Chief Operating Officers (COOs) were often more morally and visibly supportive of security initiatives than Chief Information Officers (CIOs). He surmised that for CIOs, security often presents a pure downside risk—no upside for being secure, but the potential for being fired if a breach occurs—leading to a resistance to security-driven changes, such as the imposition of Multi-Factor Authentication (MFA) on customer-facing applications, even in the wake of public hacks. He recounted an instance where three CIOs resisted an MFA mandate citing customer experience and busy schedules, despite clear evidence of a peer organization being compromised.
The CISO as a Cloud Champion: The possibility of the CISO acting as the primary champion for cloud adoption was discussed. While the guest did not universally see CISOs as the overt driver, he pointed to an example where a CISO needed to redirect a Board conversation away from misplaced availability metrics and toward a fundamental architecture problem.
Reframing the Board Conversation: A CISO was advised to stop asking the Board about arbitrary Service Level Agreements (SLAs) like three nines or four nines of availability. David Gee argued that this is the wrong question because if the organization's crown jewels are still residing in unsecured, unpatchable legacy systems, then the underlying risk has not been addressed. The correct conversation is to request funding to migrate the critical assets to more secure, cloud-native environments. Doing so provides the desired availability by default and addresses the real issue (insecure legacy widgets) rather than putting "band-aids on" a systemic problem.
IV. The AI Influx and CISO Strategy
The conversation concluded with a focus on the most disruptive emerging challenge: Artificial Intelligence (AI). David Gee views AI as a "double-edged sword"—powerful, yet currently held by organizations that are not ready for its adoption.
Short-Term Risk and Control: In the short term, the guest fears potential "car crashes" because most organizations lack the necessary detection capabilities, cultural preparedness, and playbooks to manage AI effectively. The immediate threat is "Shadow AI," where employees adopt tools without organizational oversight.
The CISO's AI Mandate: The advice to CISOs is to "get all over it" and not be a victim. A provocative suggestion was made that the CISO should consider themselves the "HR manager for the AI department." This framework entails taking control of the AI lifecycle: onboarding, training, promoting, hiring, and firing the AI agents/tools used across the organization. This provides the necessary control and ensures proper security and training.
The CISO must establish a framework for approval, distinguishing between low-risk use cases that can proceed quickly and high-risk use cases involving sensitive data or business IP that require a slower, more deliberate process with guardrails. This allows the business to move fast in low-risk areas, preventing the CISO from becoming the "department of no" while protecting the most critical assets.
V. Balancing Continuous Improvement and Daily Pressure
The hosts addressed the acute and chronic stress inherent in the CISO role and the challenge of balancing day-to-day duties with long-term strategic thinking and self-improvement.
The Need for Continuous Learning: David Gee, even in retirement, maintains a rigorous schedule of reading and research, underscoring the necessity of continuous learning and accepting that one does not know everything. He encouraged a largely unstructured approach driven by curiosity, reading about diverse topics to gain new knowledge without adhering to a rigid, sequential learning plan. He also advocated for auditors to get hands-on with AI tools to avoid being disintermediated by technology.
Priority Management over Time Management: The crucial gem shared was the distinction between Priority Management and Time Management.
Time Management is merely figuring out how to efficiently use one’s time.
Priority Management is the strategic act of deciding what is truly important and what should not be done at all.
The CISO must focus on Priority Management first—identifying and dealing with the most basic, fundamental strategic items before addressing the "sexy" or immediate tactical requests. This clarity reduces frustration, tension, and the feeling of constantly being behind, allowing for better focus and long-term planning.
Final Advice for Sleeping Well: David Gee's two-part advice for sleeping well (beyond exhaustion) was:
Trust Your Team: In a role where attacks traditionally happen at night, the CISO must trust the team to be the shield and manage the second shift.
Clarity of Purpose: The CISO must gain clarity on what can be done today and what is reasonably scheduled for tomorrow. Achieving this internal sense of balance and satisfaction with the day's accomplishments prevents the negative pressure of feeling perpetually behind, a pressure that is also felt by the security team.
Timeline of Key Conversation Shifts
Introduction and Thesis Statement: Hosts introduce the guest (David Gee) and frame the discussion around CISO evolution, leadership, and high-level transformation, moving past technical minutiae.
The Evolving CISO: Discussion begins on the required skills for the C-suite, identifying soft skills (strategic thinking, risk management, stakeholder management) as the CISO's primary competitive advantage over AI.
Achieving C-Suite Status: Focus shifts to the distinction between having a "C" title and true C-suite inclusion, highlighting the necessity for the CISO to be a business and technology translator.
Leadership in Crisis: Conversation addresses the critical period following a breach, emphasizing the need for prioritization, resilience, and rebuilding trust with stakeholders and the security team.
CISO Role in Cloud Transformation: The discussion pivots to cloud migration, distinguishing between simple "lift and shift" and true transformation, and comparing the security support received from COOs versus CIOs.
Reframing Board Communication: A specific strategy is offered for communicating with the Board, advising the CISO to redirect conversations from arbitrary availability metrics (e.g., three nines) to addressing the fundamental security weakness of unsecured crown jewels in legacy environments.
Addressing the AI Influx: The focus shifts to AI adoption and the CISO’s proactive role. David Gee discusses the short-term risks of "Shadow AI" and the need for the CISO to act as an "HR manager" for AI agents to maintain control and establish a security framework.
Balancing Stress and Strategy: The conversation broadens to personal and professional balance, emphasizing the crucial difference between Priority Management (deciding what to do) and Time Management (doing it efficiently).
Concluding Advice: Final advice is provided on the two keys to achieving a personal "sense of balance" and sleeping better: trusting the team and maintaining clarity on what is achievable today versus tomorrow.