The Risk Apogee
The Risk Apogee is a 1:1 interview series, sponsored by Apogee Global RMS, featuring candid conversations with risk leaders serving small and mid-sized businesses and public sector organizations. Each episode explores how practitioners translate risk theory into practical action, focusing on real incidents, lessons learned, and frameworks that drive resilience in resource-constrained environments
The Risk Apogee
How a 30-Year Practitioner Sees the Future of Security Leadership
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
The CISO role is caught between rising personal liability, tactical overload, and a business landscape that still treats security as a technology function rather than an enterprise risk discipline. Aaron Wurthmann is a fractional security leader with nearly 30 years of experience spanning IT operations, DevOps, and security leadership across Silicon Valley startups and maturing organizations.
In this episode of The Risk Apogee Podcast, Aaron joins host M. K. Palmore to work through the tension between chasing titles and finding the right role, why early-stage companies consistently delay security investment until external forces demand it, and how agentic AI is creating an observability crisis most security teams haven't even begun to address.
Aaron shares how he evaluates talent, why he believes the CISO title should evolve toward a Chief Information Risk Officer model, and what it actually looks like when security leaders align risk registers to budget realities.
Things You Will Learn:
- Why aligning your risk register to your actual budget is the single most revealing test of whether an organization is serious about security.
- How to evaluate when a practitioner is ready for the next level of leadership and why giving titles prematurely does more harm than good.
- What agentic AI and bot-driven tool adoption mean for enterprise observability, and why most security teams are already behind.
Tools & Frameworks Covered:
- People, Process, Things: Aaron's prioritization hierarchy for building security programs: get people bought into the mission first, then establish process, then select technology. Reversal of this order is where most programs break.
- Risk-to-Budget Alignment: The practice of holding organizations accountable by comparing stated security ambitions against actual budget allocation and risk register priorities.
- Least Privilege as an AI Governance Principle: Applying the decades-old principle of least privilege to agentic AI and bot permissions, using the HAL 9000 example as a reference point for over-permissioned autonomous systems.
#CISO #SecurityLeadership #EnterpriseRisk #CyberSecurity #RiskApogee
🎙️ Thanks for tuning in to The Risk Apogee Podcast!
If you enjoyed this episode, don’t forget to follow/subscribe so you never miss an inspiring conversation.
✨ Connect with Apogee Global RMS for more leadership insights:
LinkedIn: https://www.linkedin.com/in/mkpalmore/
Instagram: https://www.instagram.com/apogee_rms/
X/Twitter: https://x.com/apogee_rms
💼 This episode is brought to you by Apogee Global RMS – experts in risk management solutions. Check out their website to learn more about how they can support your business.
Let’s keep growing and leading boldly. Until next time!
Welcome back to the Risk Apogee Podcast. If you're an early stage founder trying to figure out how to build a rock solid security culture without breaking the bank, or an enterprise leader trying to balance risk with rapid innovation, today's guest is exactly who you need to hear from. We are absolutely thrilled to be joined by Aaron Worthman. With over 25 years in the trenches of information security and technology, Aaron's career is a masterclass in scalability. He has navigated the chaos of over a dozen startups and secured the complex environments of Fortune 50 enterprises. Currently, he serves as an advisory chief information security officer at 909 Cyber and is the visionary behind 909 Select, a platform revolutionizing how companies hire trusted, zero-trust cybersecurity freelancers. He also lends his expertise as a board member for the Silicon Valley ISSA and the CIO Scholarship Fund. But beyond the impressive resume, what we really love about Aaron is his pragmatic, human-centric philosophy. He is a massive advocate for the team over title mindset, a dedicated mentor, and a champion for secure by design principles from day one. He knows how to run lean, optimize resources, and actually make security a conversation everyone in the company wants to be a part of. Please join me in welcoming the ultimate security pragmatist, Aaron Worthman.
SPEAKER_00Welcome to the Risk Apogee, where we cut through the noise to get to the truth about risk. Cyber, physical, human. Every organization faces threats. What separates the ones that survive from the ones that don't is the decisions their leaders make under pressure. Each episode, we go inside the arena with the operators and strategists, shaping how organizations defend, adapt, and lead. This is the Risk Apogee.
SPEAKER_03Erin, welcome to the Risk Apogee. Al, thank you for having me. Appreciate you making time for the conversation. The Risk Landscape is always challenging, but I think that we find ourselves in a little bit of a unique period. You've been a uh security practitioner for a number of years. That's a landscape that I think is uh super interesting to folks. It's a landscape that I happen to occupy as well. What have we been getting right over the years as it relates to security? And obviously be ready for the corollary of that too. What are we doing right in the security round?
SPEAKER_04Yeah, well, I think one, we definitely you know continue to recognize it as a risk, especially in this valley, especially in the industry, right? It is a risk, both good and bad. Without any risk, there is no reward. We recognize that, but we also know that uh there's a lot of adversaries in that risk. And so we continue to recognize that and we continue to thankfully take that risk seriously and harden ourselves against the adversaries, whoever those adversaries are, uh, and understand that data needs to be protected, privacy needs to be protected. And I think we're we're pretty good at understanding that. And I think we're we're pretty good at trying to find the balance.
SPEAKER_03How how are we doing with the execution of that?
SPEAKER_04Because I think the understanding is there, understanding there, but how are we doing it with the execution? The execution is where where things get a little more difficult and it changes per business and per business model, and where how mature that business is also changes too, right? So at an early stage startup, you know, there there is this phrase, and I, you know, I say it often, which is, you know, without no risk, without any risk, there is no reward. And so there's a lot of risk. There's a lot of risk at those early stage companies because they don't have revenue yet. Right.
SPEAKER_03Right.
SPEAKER_04And so, you know, they'll take that high risk and they'll take a high risk maybe with important data, you know, and they know that and it's sort of built into the business model.
SPEAKER_03Let me take that a step further. It's been my observation here in the valley that uh in the early phases of uh largely technology companies, there's no impetus for the for them to even identify a security lead or a security stakeholder early on in the business development. Yeah. My observation of that is that once they once the light bulb goes off and they realize that they need a security leader, someone's thinking strategically about security, that they're then playing catch up because the business has been rolling, maybe even generating revenue, building out its technology footprint. Why is that? Yeah.
SPEAKER_04So I'd say what there's a few different things that could happen, right? They could be going to raise, right? If you sometimes where they're going to raise, their investors could say, Hey, there's too much risk here, you need to, you need to be the security practitioner, or they're going to customers and the customer says, Hey, there's too much risk here, you need to go get some sort of compliance, or or whatever the case is. That's when I typically see some involvement and or they're talking to me or others. So it tends to be some sort of outside force. Right. But the why is the why is this. This is why this is why I think the why. The why, I think, is when you get really smart people, really smart entrepreneurs, they tend to believe, and I think we need them to that they know what they need to do to execute. And I think we need that. We absolutely need people to believe that they know what they need to do to execute and get the ball rolling. We also conversely need them to believe that they don't know, they don't know everything.
SPEAKER_03So, security practitioners, you've been how maybe low? Let's get right into it. Uh in terms of your career, how long have you considered yourself a practitioner?
SPEAKER_04Yeah. So I, you know, I I say this, I'm old enough to remember when IT and security were the same thing. Right. I've been doing this closer to 30 years than I than I care to admit. You know, this this gray is coming in more and more. You know, I have I have thought about dyeing it, and the wife says, do not. You know, I look back, right, at where we were 30 years ago, and it's it's insane to me that the problems that we face today are still in some ways still the same problems that we've had years.
SPEAKER_03Yeah. I mean, there's some persistent themes in the security industry that I I won't say that they haven't been solved. They haven't been, they haven't been resolved in such a way that it takes them off the map as a concern for for practitioners. I even would go so far as to say that the security industry is not very helpful uh in that regard because we're still dealing with sort of these persistent issues that are uh at the end of the day revolve around this topic of cybersecurity fundamentals and the basics and folks um not doing things in the way that they should be. So you're you're a fractional practitioner now. Yes. Um, and when you go into an organization, how much of what you see in terms of problems still revolves around like the basics and fundamentals?
SPEAKER_04Well, it depends on the depends on the organization. So two of my clients are a little more mature uh than than startups, and then two of my other uh clients are at the seat or or is uh series A. So that answer depends on which client we're talking about. Usually when I go in, there's some sort of gotcha that's there that the that the company hadn't even considered, right? Um either some sort of identifiable risk or identity risk or some risk that's being overlooked and that either the business isn't considering a risk or hadn't even not even on their radar, right? Right. Or is so far down uh on the list because again, you revenue is the number one, number one risk. And they need to go get that revenue, they need to go get the compliance uh SOC to ISO 27,001 or whatever, whatever certification they need to achieve in order to achieve revenue.
SPEAKER_03Yeah. How do how do organizations, how should they be thinking about scaling security teams in today's environment? And I asked that question for this uh reason. I see a lot of folks like yourself basically going into fractional work now. I I think the days of the the suit supremely uh experienced and educated CISO sitting in for these long-term CISO gigs, I I I don't know that ever come to a close. I don't think that's a fair statement, but I do see that the landscape shifting in the work that I do at Apogee Global, that I have many more CISOs on the bench and available to me to put plug into projects than I think I would have maybe even five years ago. Why do you think that is? Why do you think the landscape's sort of shifting under our feet?
SPEAKER_04Yeah, I think it's it's hitting us from all angles. I think the business is one looking at where does the CISO really fit? And I think CISOs are also trying to figure out whether or not they want to take on the personal risk. Right. You know, as we've seen in the news, as CISOs get, you know, lack of a better term, left holding the bag, prosecuted and everything. Prosecuted and everything. Even when that case doesn't hold, and in in one case in particular, that didn't, you know, they did drop, they did drop that case. You have to determine whether or not you want to do that, right? We have to start carrying our own liability, right? Because we've learned that the company may not be there to protect us, especially if we've left the company and move on, as we saw with that particular case where he was prosecuted. You know, is it in our best interest to hold that title anymore?
SPEAKER_03Right.
SPEAKER_04Right? They don't always consider us officers of the company, very often not, almost always not. So do we even want to hold those titles at those companies anymore? We wanted a seat at the table at some point.
SPEAKER_02Yeah.
SPEAKER_04Do we still I remember that being part of the conversation? Right? It was. It absolutely was. And it's one of the reasons why I pursued that path. Do we still? It's a it's a serious question when you ask ourselves. Yeah. I say to anybody who uh is looking to be a CISO or even a director, senior director, VP, I say, you know, be be very careful about the title that you chase. Don't chase a title. You know, look for the right role that's right for you and matches your other important things in your life. Right role and right opportunity. Right role, right opportunity, uh working for the right company. Those things matter more than whatever title it is that you're chasing.
SPEAKER_03Again, I think acknowledging that you and I sort of breathe the same air, small to medium-sized businesses, startups, I think need to get away from this idea of even attempting to match the enterprise level security teams. Uh it's almost chasing fool's gold, this idea that they can build a, you know, some small regional bank and build a team that's similar to what JPM, you know, Morgan Chase has or uh these big uh global conglomerates. I think fractional work is the way uh to achieve that. Uh what have you seen that works really well? Like what's it look like when you're when you're in an engagement and things are just working really well? What's that look like to you?
SPEAKER_04Well, I think I think one, it always comes down to mission. Yeah, right? Company mission, and then moving down from that. Absent that, even if it's department mission, it really helps because it's the people. At the end of the day, it really is people. It is people before things. It is the people that drive the organization. So then it's process after that. Because if you get the people bought in on what it is, whatever it is that we're doing, we're gonna, we're gonna find the process, we're gonna figure that out. And it is the people that understand they need to understand the business, right? Get the people bought in on the mission, get the people bought in on the on the business, make that transparent, right? So one of the things that I am really all about is getting the people on my teams, whether they're dotted line to me, whether I'm fractional or not, it doesn't matter. Getting the people to understand that the business in is in business for the purpose of making money. And sometimes that means explaining to them why it is that some customer is asking for some new certification or some new control, or why it is that we're doing security questionnaires, or some customer asks for some question on some questionnaire that didn't get picked up by AI, and now we have to do it manually. Why you're doing that? All those things are important to the people that are involved.
SPEAKER_03Yeah. Talk to me more about um the transformation of leading and managing people part is something that we I don't think we talk enough about uh in the security space. I want to take that into even even to the point of your own personal sure uh development.
SPEAKER_02Yeah.
SPEAKER_03You're a longtime practitioner. You've had to evolve, I think, probably into a business enabler or business leader, yeah, more so than a practitioner, at particularly at the stage that you're at. It's about business and strategy. It's uh you know the ta you can hire someone to do the tactical stuff if needed. What's that transformation look like today? And and do you think CISOs and and senior level practitioners really understand that the need to lean into business operations and uh, you know, the business lexicon and risk management?
SPEAKER_04Yeah, I'll take the latter first. I think they're starting to. I think I think the modern day CISOs, the ones you're seeing coming up now, are probably more business first. Um, at least I hope they are, because you're gonna need to be going forward. For me personally, my career started the opposite, right? I started here in the valley. I'm, you know, born and raised here in the valley. I started originally as a graphic design. And I thought that was gonna be my career path. I'm gonna do graphic design and that's all I'm gonna do. And then I was working for a startup preparing their computers for them as a receptionist. I thought, you know, I'm just gonna be a receptionist and a graphic designer, and that's what I'm gonna do. And then at some point, they offered me an IT career. And I thought, I'm not, no, I don't need to do that. That's not gonna ever gonna make me enough money. And then they explained to me how much money IT was gonna make me uh was gonna make. And it turns out it was three times as much as I made as a receptionist. And, you know, maybe I didn't want to be a graphic designer after all. So I put the graphic designer career path uh on hold. I still do it, you know, on the side every now and then. But that you know, that went on that got put on hold, and I became uh an IT practitioner for a while just as an IC, and I did that. And then, you know, I did that as a sysadmin and I was DevOps, I was SRE. Uh touched all the rungs on the ladder. Touched all those things. And at some point, they they were bringing in leadership uh for me to report to. And it occurred to me that none of those folks knew what it was like to be up 72 hours in a road in order to keep the production up and running or to keep the email server up and running and all those things. And that hit me a certain way. So I decided at that point, I'll put my hat in the ring and I would say, look, I will go learn how to be a leader so that I never have to report to somebody who doesn't understand the struggle.
SPEAKER_03Yeah.
SPEAKER_04So it was, you know, this, you know, again, lack of a better term, you know, leading from the front line. Took that experience, somebody did give me the opportunity, uh, again, at another startup, to, you know, move into management from being an IC. And then I built a career from that. And so since then, it is trying to find that middle ground, trying to find that balance of managing up while managing down, and explaining to all parties in between the other the other parties' viewpoints.
SPEAKER_03Folks today are always looking for how to spot talent. What advice would you give for current level sort of leaders and practitioners? What are you looking for in terms of individual contributor talent? When are they ready for that next level, that next progression of their career? Whether they can get it internally or not.
SPEAKER_04Yeah, drive. It's almost always drive for me. Um, I'll sit down with somebody and usually within the next or within the first 20 to 30 minutes, I'm trying to find, you know, what their drive is, what motivates them, and try to figure out if there's enough there.
SPEAKER_03Is competency a given? So they they have to be technically competent and have the drive.
SPEAKER_04No, no, no. Tell me that that bitch is a lot of things. So it's drive first, right? It's like, do they have the drive to push through whatever whatever obstacle it is that's gonna get in their way? And then problem solving. Okay. Right. Technical competency, I think you can get as a result of trying to solve problems.
SPEAKER_01Okay.
SPEAKER_04Right. But you gotta want to solve problems because that's what this job is. At the end of the day, you are trying to solve a problem.
SPEAKER_03Some would say that's actually the responsibility of any leader, right? You're a problem solver. No one comes to you with the easy stuff as a leader, right? Right. So you look for drive. Uh some might describe that as um grit. Grit, yeah, absolutely. An idea of uh pushing through, being able to accomplish something. That that's identifying talent down. What do you look for in terms of uh folks who are in the uh in the role right now? What should they be thinking about in terms of perfecting their skills to make sure that they're briefing up and leading up in a way that prepares them for their next opportunity?
SPEAKER_04Yeah. So depending on where they're at. So I like to think about technical career paths as as a spectrum. So on one end, there is the IC, on the other end, there's there's the C-suite, right? On this end, it's very tactical, it's very events driven, and things are typically told to you on what you do, what you're gonna do. And on this end, it's strategic, it's visionary. Yeah, right. And somewhere in between, depending on the organization, is is the middle ground. And this could be manager or could be director, the organization typically decides. So you need to decide where it is that you're at, and if that's where you're at, act at act there, act those expectations, right? If you can't, if you're if you're a manager, are you more tactical or are you more uh strategic? Are you more visionary, right? If you're a director, are you more tactical? Are you more visionary? Are you more strategic? And then, and then manage up, manage down from there. And I'll tell you that a lot of the a lot of the directors I meet tend to be a little more tactical than than blend than finding that blend. And that those are the ones that I like to work with the most, right? Because the expectation of you as a director is that you are more typically in most in most organizations, or that you are more strategic, you are more visionary than you are tech.
SPEAKER_03In terms of leading up, managing up, uh, boards of directors have become more involved in technical transformation, the security of the enterprise. What kinds of information do you need to provide to a board in order to make sure that they have the information that they need to then inform leadership about the direction of the organization? Well, they don't need a technical briefing. I'm assuming they don't.
SPEAKER_04First, first and foremost, they don't need a technical briefing and they typically need less than you're gonna than you're gonna try to provide them. They need metrics, they need to know the high priorities. Um, they don't need seven. They certainly don't need seven. Preference is three. Right. Here's the top three risks. I'll settle for five, but you'll you'll have to talk me into why five. I prefer three. More manageable, more manageable, more easily digestible. Okay. Right. And the reason why, the reason why I preach that, the reason why I I teach that is let's let's keep in mind this is a board. They are there to listen to what you have to say for that particular company an hour, and then they have to context shift on to another company. Uh, so there's a lot, they have a lot going on. No, their time, there's money. They they need the top level top level. So you need to give them metrics and explain why these why these three three risks be prepared to answer questions on why those three risks, be prepared to take questions away on why those three was three risks.
SPEAKER_03Some might listen to this and assume that those conversations are happening exactly the way that you just described, but I would say that there's probably still a good number of conversations where even to this day, the chief information security officer starts the briefing off with the technology and tools that they intend to uh buy and or adapt over the course of the coming year in order to strengthen the organization. Which I think is a mistake. That's not the conversation that needs to be. Why why have we um why are we still having that conversation? Why are CISOs still going into the briefing talking about tool adoption and that kind of thing?
SPEAKER_04Yeah, I so I think the those tend to be the more technical C CISOs, which are still being still being put into place. Nothing against those folks. No. I do think those folks need to learn a little more about the business. Also, those folks tend to go last when they're presenting to the board. Yeah. Also mistake. They get less of the board's attention. And I think they probably need more of the board's attention.
SPEAKER_03So that this topic is near and dear to me. Speaking order. Speaking order. Yeah, I speaking. I do some um uh some public speaking uh and having a decent speaking order, being at the right place at a conference or a meeting or something like that, sometimes is the difference between folks uh having any idea as to what you said or folks not paying attention at all.
SPEAKER_04Yeah, and and so I would say this. Let's assume for just a moment that they I'm sure this isn't the case, but let's assume for just a moment that they put the CISO last because they didn't feel like it was important information. Purely an assumption on my part, purely. I made that up right now, here on the spot. Then okay, purely on the spot. Put them first if that's how you feel. Put them first and get it over with if that's how you feel. And then that way you'll I'm you'll have some feedback for them in order to make them better. That is a better thing to do for all parties involved, including, including the person that you want to up level, right? You want to up level that CISO that's more technical. You want to up level that content that you didn't care, that you, I'm assuming, didn't care about, right? Put them first and get it over with. It's much better strategy for all parties involved.
SPEAKER_03Does it strike you as odd that them our reliance on digital assets and technology, being what it is, it's grown exponentially over time. Now I would venture to guess that there's no global business that doesn't rely heavily on its technology footprint. That the role of the CISO uh still hasn't evolved into a full-fledged member of the C-suite. Like why why do you think that is?
SPEAKER_04Yeah, I don't know that there's one answer that fits that fits all there. Having I am someone who's read read uh five dysfunctions of a of a company and a team, and I noticed there too that this the CISO did not report to the CEO in that book. And that hit me a certain way, too.
SPEAKER_03I was like, you had you felt some type of way.
SPEAKER_04I felt some type of way about that in that book too. Yeah, I I don't know that there's an answer for that other than to say either it's a misunderstood role, it's possible that as a business, it's believed that that should fall underneath whoever's running the technology because it is a technology. In my heart of hearts, and I'm sure I'm gonna get a lot of flack for this. I think five, 10 years from now, the role itself should probably morph into more of a risk role, chief risk officer. And I know there's you know conflicts with chief revenue officer, yeah, right.
SPEAKER_03Well, even even the term chief risk officer means different things in different industries.
SPEAKER_04It yeah, right, exactly.
SPEAKER_03Yeah, right.
SPEAKER_04So whether that's enterprise risk altogether or what have you. I see it being more like that, chief information risk officer, more than more than anything else. And and the reason why I think that that probably more properly aligns where where I think the role should go is the chief information security officer has become, and the information security department has become the department of known slow. It's not working. It's not working. When it doesn't work, people find ways around the way that you do things. Development, product, sales, marketing, they find other tools to run and use and places to put their data. That's a huge risk. That's that's a big risk.
SPEAKER_03So so my uh my friend Malcolm Harkins wrote a book, Protect and Enable, years ago now. And that book may be better than 10 years old. No, you don't. I like it. Malcolm's great. He is, he is great. Shout out to Malcolm. Yeah. Thank you, Malcolm. With that title though, yeah, uh Protect and Enable, I think was a call to action for security practitioners to understand that their job was both to protect and enable the business to move, to do things. Do you think we've overcome that? Um is is it I mean, with the statement that you just made, I I I guess that there's maybe a complex answer to it, but have we gotten beyond practitioners understanding that they don't exist in a vacuum and that they're there to actually help the business move forward? Not yet. Not yet. Yeah, unfortunately. Why why do you think that is?
SPEAKER_04I think it's it it comes from both angles, right? It becomes it comes from the business saying, some businesses, not all, some businesses saying we want to offload this risk by pinning it on this department or this leader or whatever, and then that department or leader or whatever wholly taking it on and saying, I own this, so I'm gonna, you know, I'm gonna become the department of no one's low again, right?
SPEAKER_03Right. The conservative approach role.
SPEAKER_04I don't think you can do that. It needs to be a collaborative effort and then it needs to be a non-adversarial effort. No ad there should be no adversaries in in what it is that we're doing. You should be partnering with sales, should be partnering with development, should be partnering with product in order to get your job done as an information security officer.
SPEAKER_03How about partnering with the CIO? I mean, in most and I say that sheepishly, only because uh I've heard tale that there are actual uh scenarios where the CISO and CIO don't get along right with one another. Like they don't understand that they're in this symbiotic relationship with one another, and like one wants to do this and the other's hardlining and that, and like they don't even talk to one another. Right. I literally've heard CISO's incompetent provide that kind of information.
SPEAKER_04Yeah. I'm assuming in uh the opposite. Most in most situations, especially situations where when I'm full-time, I I own both, right? Because I am who I am, someone who again comes to get the experience, yeah. Who who is it, who has had both or you know, done both.
SPEAKER_03There's been a lot of talk about um AI and its impact just on business in general. How do you perceive the impact of AI on cybersecurity specifically? What what do you see as the potential benefits? Because I don't think anything's been realized just yet, but potential benefits and then maybe potential cons.
SPEAKER_04Yeah. Again, I'll take the latter first. So yeah, the cons. Man, we were in for a lot, a lot more than I think people realize, especially if we don't start getting in front of stuff sooner. So agentic is blowing up right now, Clonbot's blowing up. Moving really fast, right? Really fast. So just for a moment.
SPEAKER_03Just tell me though, are you amazed with how much these agents can do? Like, is that amazing to you, or is it just, oh, okay, that's that's interesting.
SPEAKER_04I'm not amazed by it because I've been because I've been living in it. What I'm amazed by is that there are folks who don't realize, like that are amazed by it. Um that's that's what I'm amazed by. Because it's so think about it like this, right?
SPEAKER_03I'm fairly amazed by it if I'm being fully transparent. Like vibe, vibe coding to me is revolutionary.
SPEAKER_04Absolutely. Absolutely. But I've been, I think because I've been, I've been doing, I've been vibe coding and I've been doing the bots and I've been doing N8N, I've been doing cloud bot, like I've been doing it all. Yeah, that I'm not amazed by it. I'm more amazed by what's gonna happen to us all if people don't get amazed by this. That's what I'm amazed by. You know, I'll go talk to somebody and I'll be like, There are a lot of people not paying attention. There's a lot of people not paying attention. That's what's amazing. Yeah, I'm that's when I'm more freaked out by anything else, is I'll go to talk to somebody and I'll be like, hey, so like you guys are at least in your, you know, in your policies, you're talking about bots and people using agentic. Yeah, you know, at least thinking about the concepts of telling people to be wary of how they use their credentials and bots and agentic, right? And they're like, what are you talking about? Okay, well, here let me just paint for you a scenario here, person who hasn't thought about this. What if one of your users installs cloud bots on on their direct machine and it's running and doing things and goes to get some skills that maybe it shouldn't have? And by the way, some of these skills have already been proven to be compromised with malware in them. And then it goes, runs off, and starts creating uh you know, creating havoc in your systems and then does lateral movement because it's compromised. So it's basically a compromised user living on a compromised laptop at that point. Yeah, have you thought about that? And there's not even thinking about that. They're like, what are you talking about, Aaron? Like basically, it's like an adversary on your machine because your user installed Claudbot. Now, like, what's Claudbot?
SPEAKER_03So so this is this is part of the the discussion or argument that if organizations don't lean into this and begin to create their compliance frameworks and create policy and tell their teams and employees how to effectively use these tools, there's gonna be shadow use of the tools because people are using this stuff. People are using stuff daily. And if they can use it on a machine that that allows them from a permission standpoint to use it, they will. Yep. And if there's no compliance around it, if there's no governance, if there's no organization around it, then it could potentially negatively impact uh your environment. I almost want to say that might be the strongest argument to actually move or lean into AI adoption from the GRC standpoint at the very least.
SPEAKER_04Yeah. So I'd say, yeah, at the very least, one, like I was saying earlier, you can't be the department no one slow.
SPEAKER_03No.
SPEAKER_04You just can't. So you need to be able to put guardrails around all of this and say, look, we know you're gonna experiment with this stuff. And it certainly is cool. Here's how you do it safely, right? Don't install on your machine. No, go do it over here. Or here's how you do it, you know, that's gonna protect the company. That's how this should be talked about, right? Even your GRC folks need to be looking forward, looking ahead versus being caught aware, caught unaware on any of this.
SPEAKER_03So one this podcast is about sort of podcast is about all things risk. I think that historically, security practitioners, even security leaders, nothing is more disappointing to me than walking into an enterprise and interacting with security stakeholder and leader who's supposed to be thinking strategically. And they come off to me as very tactical, like, you know, tool adoption, here's the next thing we're gonna get. Oh, yeah. Oh, we're fine, everything seems to be working, you know, we're we're using this, we're using that. And you ask them about well, what's your strategy for the next two years? You know, uh, what do you what are you gonna evolve into? What kind of sick what what do you what kind of security apparatus do you have want to have when you grow up? And many can't answer that question. And I I think it's a little bit of a challenge in our industry that um that the tyranny of the now, the tactical stuff takes precedence over nearly everything. What are we missing? How do we evolve into a uh a security team that is both addressing issues of the current but thinking about the future?
SPEAKER_04Yeah. So I again I would say people before things, and that and that is the things in this in this particular case is the technology, right? When you go buy a tool because the tool is gonna make things better, that's a mistake, right? So the people in the process and then things, right? What are you going to solve there? Strategy isn't always knowing where exactly it is that you're gonna go, right? But it's looking at that North Star and saying, you know, I know the direction in which it is that I want to go.
SPEAKER_03I would agree with that for sure. Yeah, it's about direction. It's not necessarily like the actual destination, yeah. Yeah, pathway. So interesting, you know, all things AI. We talked a little bit about agentic AI again, which I'm absolutely fascinated by. Any thoughts about the growth in the field of robotics? I feel like maybe we're not getting enough attention on that. It's not hitting us in the face at the moment, but I I think that I mean it physically is pretty close to being able to hit us in the face.
SPEAKER_01Yeah, I mean, it's sort of it's coming down the coming down the pipe for sure. Any any thoughts about it?
SPEAKER_04Yeah, no thoughts other than you know, I I do I do watch the videos on you know what what Boston Dynamax has going on or what all of them have going on. And I mean, we're getting pretty close. We're getting pretty close to iRobot. It's it's it's cool. It's really cool.
SPEAKER_03Yeah, there's even a a company out there, and I can't remember the name of it, my apologies right now, but I I think they are pre-selling, you know, a fully functioning robot, and it's like at the 20K range right now. I suspect, like as with all things from technology, you know, the first iteration of it, definitely outside of the financial realm of most consumers, most buyers, but at some point it gets to a financial level for which it becomes basically pretty easy to buy. Yeah. You know, I mean, you could buy a used car for 20K right now. There are gonna be a lot of people out there who are probably gonna buy a first iteration of a robot in their home. And then, you know, it gets under 15K, it becomes even more digestible. Once it gets under 10K, I mean that basically you're gonna see these things all over the place.
SPEAKER_02Yeah.
SPEAKER_03Are you thinking at all from a security standpoint? One, how quickly the technology seems to be evolving. You know, uh, you come from a time as well, uh as well as I where Moore's law was sort of the governing principle of of chip design and that kind of thing. And I we that's been blown out of the water now. Like the evolution of AI and robotics and things is moving at such a rate that there are definitely some potential grenades that we're not thinking about. Uh, what should we be thinking about? Like what kinds of things are uh should be at the forefront, especially for security practitioners as we think about the evolution of these things.
SPEAKER_04Yeah, I certainly think about you mentioned Morris Well, I'm not thinking about Asmo Asimov, Isa Isaac Asimov and around robotics too, right? Harming humans, you know, the three laws, right? Those are those are the ones that come to mind around humans. And are people gonna be designing workarounds too? Those work arounds. So I think about iRobot, and I also think about Robo Robocop. Like those are the ones, those 80s and 90s movies, those, those ones always come to mind for me for for those um and and risk, which are obviously sci-fi.
SPEAKER_03Well, they were so they were sci-fi, they were sci-fi. I don't know that that that's sci-fi now.
SPEAKER_04Yeah, it's it's it's future. But that's what's that's what's inspired inspired us to get where we are here today, right? And so let's not for a moment discount those risks, right? They're there because we've created them. We have literally created these robots and this technology. Let's not also consider those risks to be sci-fi or fiction. Yeah, they are real, right? Just as all the risks that, again, another great movie, you know, Space Odyssey, sorry, uh HAL 9000, real, right? That AI was overpermissioned, right?
SPEAKER_03Yeah, at the core of it.
SPEAKER_04At the core of it, at the end of the day, another, you know, another great author, Steve Wilson, has pointed this out. At the core of it, Hal 9000 was overpermissioned. He was given a task to complete the mission. And the way he saw it, the humans gotta go.
SPEAKER_03Yeah.
SPEAKER_04Why was he only did what his programming did what his programming said told him to do? Yeah, right. Hal, if you look at his original programming, didn't need access to the life control. He didn't need all the permissions that that that he had in order to complete his mission. He was over permissioned, our back was broken, the principles of least privilege were not being followed, he did what he needed to do. So again, call back to the things that we, you know, 30 years ago when fighting this fight for 30 years on you know, least privilege in order to get the task done. You know, AI falls into that. The robots should fall into that as well.
SPEAKER_03If there was one challenge in the security industry that you could solve, just one, just one, what would that be?
SPEAKER_04Yeah, you know, I'm gonna take a hard one because you give me one. I would say uh uh, you know, aligning aligning risk to budget. If you if organization, whatever organization you were being intellectually honest. If you were being intellectually honest and you said, I want to be, you know, I want to be the widget, the most secure widget company. If that's true, if that's if that's legit true, okay, cool.
SPEAKER_03Show me in the budget. We're gonna insert the sound of an unlocking chet treasure chest on this particular point.
SPEAKER_04That's legit true. You know, show me in the budget where that's yeah, where that's true. Because I'll show you a risk register, if assuming there is a risk register for that widget company that's the most secure widget company, uh, where that doesn't align.
SPEAKER_03This um so completely agree with you that if um if we had better perception and understanding of the risks that we're signing up for and align those with what we claim we want to be, the budgets would not be an issue, uh, but they still continue to be. I think communication is a big portion of this. I've been having lots of conversations with uh with folks recently about the importance of leveling up communication skills uh for security practitioners. Absolutely. And people ask me, the folks I mentor all the time, like, what should I be doing? You know, I clearly they're technically sound. They may even I may even turn to them from time to time for technical expertise, where they're like, What's the difference between you and me? Why can't I get to you know doing what you're doing? And I it's communication, it's your ability to communicate. Why don't we do a better job of training communication into our high-level practitioners? Because I think that's that I think that's the bridge.
SPEAKER_04Yeah. It took me, it took me a while, even myself to crack, you know, this own nut of like, yeah. And then for me, I had to sort of look back on all the advice that anybody everybody had given me along the way. I think you have to be ready to hear that advice at the right time for yourself. And it's just sometimes just takes a while, right? I mean, people had certainly given me advice all along the way of Aaron, Aaron, you should think more strategic. Aaron, you should, you know, you should prepare your prepare metrics for you know this or that. And I just wasn't ready to hear it.
SPEAKER_03Yeah. Well, maybe it's a maybe a maturity component to it.
SPEAKER_04I think there's a maturity component to it. I think there's a right place, right time. Again, I think there's a drive and to your point of grit to it. I I think you know, we need to be patient. I also think that we do people a disservice by giving them titles that they're not ready for in order to keep them at the company.
SPEAKER_03Interesting. Yeah.
SPEAKER_04I know. Hot take. Like I'm not a big fan of giving people getting somebody a director title because you want to keep them. I think you do them a disservice by doing that.
SPEAKER_03Well, I mean, it I we elevate folks based upon technical competency sometime, and I think we don't take into account our expectations for them change and we don't give them the tools to meet those expectations. Yeah, we just assume it's gonna come out of somewhere.
SPEAKER_04When I up level somebody to the opposite, or say, this is this is my expectation of a director, or I'm sorry, I don't know, I only do I don't make it about me typically. I don't go like this is my expectation. I do something like this is the expectation. This is the Here's how you perform at this level. This is how you perform this. This is when you leave this job, this will be the next role's expectation of you as a director. I would do you a disservice if I just up-leveled you to direct or gave you the title of director. So in order for me to promote you to director, we're gonna work on this together. And then we can put a plan together in order to get them to that level. And then the same thing for BP, and then this thing, same thing for SVP. Like that's what I do. And I think that I would like to see us all do that versus what I've seen us all do, which is oh, I'm about ready to lose this really important manager. You know, he or she is performing great, so I'm gonna give them a director title.
SPEAKER_03For you um personally, how do you create balance in the work that you're doing? And by balance, I mean like, you know, making sure you're taking care of your personal wellness and at the same time executing or uh Yeah.
SPEAKER_04Um, I'll tell you, this week, for me, there there has been no balance. So this week I went to attend an AI security conference. Attend, using the keyword, an AI security conference. And then while I was on my way there, my friend who's running the conference said, Hey, I'm gonna need to help you run the front of house for this security conference. So um what was gonna be a nice cushy like I attend and you know enjoy myself became a you know, three days of helping run a security conference. I'll review all the all the talks and stuff later. So I am on, I don't know, eight hours of sleep for the last last three days. I hope everything's going well here. I hope I'm here. I hope I'm actually physically here and not dreaming this. Yeah, okay, okay. Very good. But after this, uh and and the weekend, you know, I I'll I'll do some meditation, I'll do a hike, I'll get some pickleball in. Yeah, I'll, you know, do spend some time with the wife, the dog, and and and reflect. Reflect on the week and you know, honestly just thank, be thankful. I was able to, you know, vent to you and you know, all in all, had a great week. Yeah, okay.
SPEAKER_03So one, I I think as um practitioners, we we are terrible at prognosticating about the future. But I'm gonna ask you to do that. What um what are we talking about in the security industry and the risk lanes 12 months from now?
SPEAKER_04Yeah, I think we're still talking about AI. And I think the agentic problem is going to, I think it's it's gonna get um worse or better, depending, depending on you know, classes. 50-50, yeah, class half full or not. Yeah. Um, I do hope that as security practitioners start to realize that we too can use the bots in our benefit, and we start to do that because clearly the adversaries are and will. So I would say stop being afraid of you know, clawed bots, stop stop being afraid of the things. I know I've said some things on, you know, hey, there's malware already, already in the pipeline. But if we don't start doing that, we won't be able to defend ourselves. Having said that, I think we also have an observability problem because we don't know what tools our users are using today. So we need to get ahead of that. We need to get ahead of that now because that problem in itself is going to be worse 12 months from now, 18 months from now. And you're gonna be playing catch up on where your users are even logging in from, if they're easy, even your users, because the bots are gonna be using your users' credentials.
SPEAKER_03Yeah. So um think about your young self transitioning from graphic design into IT. What are you telling young IT uh professionals today to prepare them for the careers that they're embarking on? What should you be telling?
SPEAKER_04Yeah, so I I do say, depending on depending on where they're at, but what I would say to myself back then, and I've said this to interns as well, I always tell people to do to, as you're entering those early stages, to do it with your eyes wide open. You're going to have to make some sacrifices on whatever they're whatever it is there is. Maybe it's sleep, as as I did, clearly this week, or maybe it is the friends that you that you were hanging out with back then or now, or maybe it is, maybe it is that car that you thought you wanted, or you know, maybe it's whatever it is, but do it with your eyes wide open. You're gonna have to make sacrifices, do with your eyes wide open. Maybe you maybe you want to go with that startup, right? Maybe it's a risky startup, do it with your eyes wide open.
SPEAKER_03Yeah, do the thing.
SPEAKER_04Okay. Do the thing, but do it with your eyes wide open. That's all.
SPEAKER_03Great. Aaron, I appreciate you taking time for this conversation. Thanks for being on the Risk Apogee. Thank you for having me. All right. Outstanding. Thanks. We'll see you guys next time.
SPEAKER_00Thanks for being here on the Risk Apogee. Every episode, we dig into what it actually takes to lead through risk. And that's the same work we do every day at Apogee Global RMS. Cybersecurity, physical security, organizational resilience, talent strategy, one integrated approach built around your people, not just your platforms. Are you ready to move from reactive to resilient? Visit apogeeglobalrms.io and sign up for a risk free consultation with our team of advisors.