Does Security Create Trust or Just Enforce Compliance?

Key Takeaways

  • Security credibility built on fear erodes when no incidents occur.
  • Trust is earned by enabling business speed, not just saying “no” or “yes.”
  • Effective CISOs translate security into business value and actively listen to feedback.
  • Small, recurring controls matter more than flashy, one‑off projects.
  • Stop‑light (red/yellow/green) metrics can give a false sense of safety.
  • Engaging end users and surfacing concerns from non‑security staff signal a healthy security culture.

The Trust Gap in Security Leadership
A CISO who never misses a compliance deadline can still be left out of product discussions, while another whose team says yes to everything may be bypassed on the projects that truly matter. The recurring pattern shows that the problem is not always an external adversary; it often lies in the relationship between security and the rest of the business. When that relationship breaks down, even flawless execution fails to earn a seat at the strategic table.

Why Trust Breaks Down Repeatedly
The conversation highlighted a structural issue: security’s value is frequently invisible until something goes wrong. Because credibility built solely on fear fades when no incidents occur, influence wanes precisely when it is needed most. This dynamic shapes how CISOs are perceived, regardless of how well their teams perform, and explains why trust repeatedly erodes in the same places.

Insights from the Super Cyber Friday Episode
During the recent “Hacking Trust in Security: An hour of critical thinking about moving from a cost center to a trusted partner” episode, hosts and guests explored what it takes to shift perception from a tolerated function to a relied‑upon partner. The discussion emphasized that trust must be earned through partnership, enablement, and clear communication rather than through authority alone.

Guest Profiles: Will Gregorian and David Nolan
The episode featured Will Gregorian, CISO at Galileo Medical, and David Nolan, former CISO at Asurion. Both brought years of frontline experience confronting the very trust challenges described. Their contrasting perspectives—one from a current healthcare security leader, the other from a seasoned veteran—provided a rich dialogue on practical steps to rebuild credibility.

Lesson from Gregorian: Framing Conversations Means Impact
Gregorian recalled an executive who, during a release meeting, bluntly said, “Well, that doesn’t help me.” That moment changed his approach forever; he now carefully frames every security conversation to show how it advances business goals. By aligning security language with stakeholder priorities, he transforms resistance into collaboration.

Lesson from Nolan: Small Controls Prevent Big Failures
Nolan used the analogy of changing a car’s oil rather than its engine: modest, regular actions—like patching, configuration reviews, and user training—prevent catastrophic failures that grandiose, one‑off projects might miss. He argued that investing in repeatable, low‑cost hygiene yields far greater protection than occasional, high‑visibility initiatives.

The Human Element Over Technical Controls
Both guests agreed that technical controls alone are insufficient. Gregorian stressed that “the more I work in cybersecurity, I’m like, none of the controls matter. What matters is the human touch, the communication skills.” He emphasized the need to articulate context and nuance so that everyone—executives, engineers, and end users—understands why security decisions are made.

Metrics Can Mislead: Stop‑Light Illusions
Nolan warned against relying on red/yellow/green stop‑light metrics, noting they often create a false sense of security. “You can still get a breach when you’re green,” he said, adding that such metrics can be padded and may ultimately burn an organization that trusts them too deeply. Meaningful measurement must go beyond color codes to reflect real risk reduction.

Learning from Incidents: Good Intentions Lead to Breaches
Reflecting on past incidents, Nolan observed that many breaches start with a millisecond decision—someone clicking something while trying to do their job efficiently. Incidents are rarely the result of malice; they stem from well‑meaning actions that bypass safeguards without the actor realizing the risk. Recognizing this helps security teams design controls that accommodate legitimate workflows.

Feedback Is Gold: Listening to Complaints
Gregorian urged leaders to treat complaints as valuable feedback, even when negative. “If they’re not willing to do it, I would actually value why they’re not doing it. That’s up to us. That’s incumbent on us to figure that out.” By investigating resistance, security can adjust policies, improve usability, and turn critics into advocates.

Chatroom Wisdom: Removing Security Theatre and Engaging Users
Audience contributions reinforced the theme: Aman S. called for eliminating security theatre and vanity metrics; James S. advocated explaining changes to end users so they feel like participants; Duane Gran highlighted that the best security culture is evident when non‑security staff surface concerns; and Jason Thomas likened incidents to “the road to hell paved with good intentions,” urging empathy over blame.

Calls to Action: Upcoming Event and Community Engagement
The series announced the next Super Cyber Friday episode—“Hacking the Death of Entry‑Level Jobs”—scheduled for Friday, May 1, 2026, at 1 PM ET/10 AM PT. Listeners are encouraged to share the registration link on LinkedIn, tag host David Spark and CISO Series, and enter a prize draw. Additionally, the events calendar offers a way to stay updated on future discussions and related content.

Building a Security Brand: Why Perception Matters
Finally, the dialogue reminded listeners that every security team inevitably develops a brand, whether intentionally crafted or not. Dread or relief is the immediate gut reaction people have to an interaction with security, and those moments shape reputation far more than any policy or metric. By consistently partnering with the business, enabling speed with sensible guardrails, and embedding a civil‑defense mindset across the organization, security can transform its brand from a cost center into a trusted, indispensable ally.