Podcast

Why CISOs shouldn't go to jail

Dec 04, 2025

Transcript

Samuel Hill
Welcome to Mind What Matters, the show where data security meets real talk.

We are here to unpack the big stories, the happenings and the shifts in the cybersecurity industry, and hopefully do it with a little bit of fun.

Whether you are trying to protect data across your enterprise, justify decisions in the boardroom or secure it across your digital environment, we are here to help you mind what matters.

My name is Samuel Hill, and I am joined, as always, by Landen Brown, the head elf here at the North Pole of the Mind What Matters podcast.

Landen, how are you today?

Landen Brown
I am fantastic, Sam. Happy holidays.

Being the head elf here at MIND is a lot of responsibility, so I appreciate the recognition.

Samuel Hill
A prime position, one we all rely on every year.

So Landen, let us start as we always do. What is on your mind?

Landen Brown
It is funny you ask, Sam, because there is something I am noticing more every year, and it leads me to a question.

When did paying someone to put up your Christmas lights become a booming industry?

I am seeing a massive amount of competition. The number of business cards stacked in my door every day offering to hang and take down Christmas lights is absurd.

At what point did this become so competitive?

Samuel Hill
I will tell you when it changed for me.

I hung my Christmas lights myself this year, before the snow hit, and my wife encouraged that because she knows my aversion to ladders.

We were remodeling and painting a large room with a very tall ceiling. The ladder slid out from under me and I took about a 10 to 15 foot fall.

So ladders and I are not close friends anymore.

I can absolutely understand the appeal of hiring someone more confident with ladder work.

Do they offer storage too?

Landen Brown
I have not heard that one.

But I will say this, even after my time in the military, my fear of heights never went away. So I am quietly considering paying someone to hang my lights, even if I make fun of the idea.

Samuel Hill
I have thought about pooling resources with neighbors. Rent a boom lift, knock out a few houses in an afternoon and split the cost.

We have not done it yet, but it has come up.

Landen Brown
I have heard too many boom lift horror stories. I will pass on that, but I will pay you to do it.

Samuel Hill
I will be right over.

We will figure out the pricing.

What is on my mind is that the holiday season is officially here. I hope everyone has time to gather with people they care about.

Landen, any big plans with your family?

Landen Brown
Not yet.

This is our second year in Idaho, so we are still building traditions. Snowboarding, skiing, tubing, figuring out where to go and when snow is reliable.

All of that is still in flux.

And as you know, when you have more than a few kids, planning actually matters.

So I would say we have a plan to make a plan, and we will make that plan soon.

Samuel Hill
That sounds like a solid plan.

That is the fun part though, creating your own traditions and blending what you grew up with into something new.

Landen Brown
Yeah, and I do not know if you have noticed this, but I have found it almost impossible to replicate the traditions I had growing up.

It is like some force pushes you to create your own with your kids.

Samuel Hill
It is like going back to your childhood home and realizing it is much smaller than you remember.

All right, we have a lot to cover today. Let us get into the headlines.

Headline 1: Software Risk in Aviation

Samuel Hill
Let us talk about software risk.

Airbus had a software issue that caused a JetBlue flight to divert mid-route due to a flight control problem. Reports suggest a sudden drop in altitude and multiple passenger injuries.

That is a lot of risk tied to a single software issue.

Landen, what do you make of this?

Landen Brown
It highlights something we already know. The more software-driven our world becomes, the higher the risk of these events.

But we have also been software-driven for decades, and this is not new.

At Tanium, we saw this firsthand. You cannot deploy software at scale unless you can roll it back at scale.

Back then, there was not a reliable way to do that.

The lesson was simple: do not deploy unless you can undo it just as easily.

Now, with aviation, this is different. You cannot just roll back software instantly. It involves physical systems, human safety and real-world consequences.

Samuel Hill
Exactly. A network outage causes frustration. A flight control issue risks lives.

There was also speculation about solar activity causing data corruption.

Landen Brown
That is not new either.

There are documented cases of cosmic radiation flipping bits on hardware. A single bit flip can change everything.

There are even examples from gaming where this caused unexpected behavior.

The question now is how we harden systems against that, especially in environments like aviation.

Headline 2: Exposed Secrets in GitLab

Samuel Hill
Next story.

Researchers scanned millions of public GitLab repositories and found over 17,000 active secrets.

What is happening here?

Landen Brown
This is not a GitLab problem. It is a developer behavior problem.

It is easier to hardcode credentials than manage them properly.

Developers want speed. That efficiency often turns into shortcuts.

Then those repos get pushed publicly.

There are two issues: why is the repo public, and why are secrets there at all?

The tools to detect this exist, even free ones. Attackers are already using them.

This is a problem organizations need to take more seriously.

Samuel Hill
It comes down to fundamentals.

Do not expose secrets.

Headline 3: SolarWinds and CISO Liability

Samuel Hill
Final story.

Charges against the SolarWinds CISO were dismissed.

What does this mean for security leadership?

Landen Brown
It raises a hard question.

How responsible is a CISO for the consequences of a breach?

SolarWinds had real-world impact, even beyond IT systems.

There should be accountability, but prison time feels excessive.

The role is already one of the most exposed positions in business.

Samuel Hill
It comes down to negligence.

Were best practices followed? Was there due diligence?

That line is hard to define.

Landen Brown
Exactly.

If you follow the chain of responsibility, it becomes impossible.

If CISOs are liable, then what about executives who denied budgets?

Where does it stop?

What Matters Now

Samuel Hill
What matters now is responsibility.

Where does it start, and where does it end?

Landen Brown
I think the more realistic measure is response.

Not preventing every breach, but how quickly you detect, understand and communicate it.

The SEC requirement to disclose breaches within four days is a step in the right direction.

The focus should be readiness and clarity, not perfection.

Samuel Hill
Like a fire department.

You cannot prevent every fire, but you can respond quickly and effectively.

Landen Brown
Exactly.

But vendors have not made this easy. They promise faster response, but only if you invest heavily in their ecosystem.

CISOs are stuck between expectations and constraints.

What Did You Learn

Samuel Hill
What I learned today is simple.

You can only control what is in your control.

Whether it is hanging lights, securing data or leading a security program, do your best with what you have.

Landen Brown
I agree.

Be ready. Be prepared. Be able to answer hard questions quickly.

And on a personal note, maybe focus less on recreating old traditions and more on building new ones.

Samuel Hill
Your kids will remember what you build with them, not what you try to replicate.

Landen, thank you for the conversation.

For Landen Brown, my name is Samuel Hill, and that is all for now.