They Can’t Hack All Our Tools If We Keep Buying New Ones

Virtually every organization is making moves to embrace AI. Security teams and threat actors are no exception. But this presents a unique challenge. How do you secure this new generation of tools everyone is so keen on using, while also trying to use them yourself as a security practitioner?

This week’s episode is hosted by David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining them is their sponsored guest, Rajan Kapoor, CEO of Material Security.

AI creates security's catch-22

AI was supposed to make everyone's job easier, right? Someone forgot to tell the security teams.

While 98 percent of companies embrace AI tools for services such as marketing and finance, security faces the burden of both securing everyone else's AI use while also integrating it into their own workflows, as Aimee Chanthadavong pointed out on CSO Online. Security teams need to enable business productivity, so they must find a "yes, and" approach.

Rather than panicking about AI as an ominous threat, organizations should treat it as a productivity tool focused on speed and efficiency. Start by using AI to augment existing security workflows while helping the company on its AI adoption journey.

Delegation without abandonment

Managing cybersecurity teams means walking the tightrope between infuriating micromanagement and complete abandonment. The challenge emerged from a cybersecurity subreddit discussion about bosses who delegate with "you have to own it, run with it" but provide no actual decision-making authority.

That's a recipe for burnout and confusion. As a leader, establish clear definitions of what good looks like. Have faith in your team that they can work backwards to figure out how to get there. This approach can scale with experience; junior employees need more structure while senior staff can handle greater ambiguity.

The sweet spot provides support and safety nets while allowing your staff room to spread their wings. The risk of them screwing up is often less than the risk of them becoming burned out.

Google's security gaps demand better tools

Google Workspace administrators are drowning in manual processes and workarounds that shouldn't exist in 2025. The platform will alert you about suspicious account access, but it won't automatically rotate passwords or suspend accounts in response. This forces organizations to hire detection engineers who spend months rebuilding the same basic protections at every new job.

Meanwhile, administrators are stuck clicking through endless documentation instead of managing security as code, something that's old hat in Amazon Web Services (AWS). Organizations need purpose-built tools that handle automation and visibility out of the box, so security teams can focus on actual security work instead of playing developer.

Trust beats sophistication every time

Forget the Hollywood hacker with custom exploits. Real attackers succeed by looking legitimate, noted Anthony Fu of Dvuln. A convincing Docusign email is more effective than sophisticated malware because it exploits something more vulnerable than code: human trust.

Even security vendors send emails from sketchy domains, so expecting employees to make perfect decisions is unrealistic. Smart organizations design defenses assuming that people will occasionally click on suspicious links. This means testing business processes and following attack chains from initial phishing through full account compromise. You can't treat email security as a standalone problem anymore.

Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Neil Saltman from AHEAD for providing our "What's Worse" scenario.

Huge thanks to our sponsor, Material Security



Best advice I ever got in security…

“The best advice is focus on the fundamentals, and that hasn’t changed in 30 years. Very often, people aren’t able to do that because they either inherit the security program that someone else built, and did not focus on the fundamentals. The attributes of the fundamentals change, for example, how you do MFA, or you’re coming in to fix a fire, and that’s why you got your job.” - Rajan Kapoor, CEO, Material Security

Listen to the full episode of “They Can’t Hack All Our Tools If We Keep Buying New Ones”


How Can AI Provide Useful Guidance from Fragmented Security Data?

"Simply getting the right data is often the hardest part, both for people and AI systems. Teams need to ask different questions of data in order to really arrive at whatever the answer they’re looking for." - Matt Eberhart, CEO, Query

Listen to the full episode of “How Can AI Provide Useful Guidance from Fragmented Security Data?”



Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Montez Fitzpatrick, CISO, NavVis. Thanks to our Cyber Security Headlines sponsor, ThreatLocker.

Join us Friday for “Hacking Toxic Culture”

Join us on Friday, Month Day, 2025, for Super Cyber Friday: “Hacking Toxic Culture”

It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Mike Lockhart, CISO, EagleView, and Ross Young, CISO-in-residence, Team8, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup, hosted right inside the event platform.


Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.



🧨 You have to secure the weapon you’re also firing. Secure AI while relying on it. That means: Stopping shadow AI before sensitive data leaks. Securing the AI supply chain you don’t control. Testing your own tools before attackers do. AI isn’t just another tool. It’s a whole new attack surface.
