July 15, 2025

EP 11 – The calm CISO: Strength under pressure

What does it take to stay calm in the face of constant cyber pressure—and why does that mindset matter more than ever? In this episode of Security Matters, host David Puner speaks with Den Jones, founder and CEO of 909Cyber, about his transition from enterprise chief security officer (CSO) to cybersecurity consultant. They explore what it means to lead with clarity and composure in a high-stakes environment, the realities of launching a firm in a crowded market, and how pragmatic security strategies—especially around identity, AI, and Zero Trust—can help organizations navigate AI-driven threats, talent shortages, and operational complexity. It’s a candid conversation about what works and what doesn’t when it comes to modern security leadership.

David:
You are listening to the Security Matters podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in identity security.

Hi. This: a developer racing against a deadline pastes a few hundred lines of sensitive code into an AI chatbot to clean it up. The chatbot delivers a flawless solution. The deadline is met, and no one thinks twice. But weeks later, a competitor releases a strikingly similar feature. There’s no sign of a breach, no stolen credentials—just a trail of prompts and a quiet leak that traditional security measures might miss.

Welcome to the world of shadow AI. Tools designed to boost productivity are now becoming invisible threat vectors hiding in plain sight, and businesses are only beginning to grasp the risks. These risks don’t stop at data exposure. They ripple outward, often culminating in ransomware attacks and other costly consequences.

Our guest today, Den Jones, knows this landscape well. As a seasoned cybersecurity leader and now the founder and CEO of the consultancy 909 Cyber, he’s helping organizations confront a world where innovation outpaces policy—and mistakes don’t always look like mistakes. In our conversation, Den unpacks why ransomware is often the final domino, not the first; how machine identities are increasingly dominating the identity landscape; and the mindset it takes to stay calm under nation-state-level pressure.

Let’s dive in with Den Jones.

David:
Den Jones, founder and CEO of 909 Cyber—thanks for coming back onto the podcast.

Den:
Hey, thanks for having me. It’s brilliant to be here. It’s—God, we’re halfway through the year already. I mean, where does this time fly? It’s really unbelievable. Steamrolling right through 2025. Nothing new there, but it is really going fast. And thanks again for having me back.

David:
The last time we spoke, you were on the Trust Issues podcast, which is what this podcast was previously named back in March 2023. And at that time, there was a little bit of a difference between what you’re doing now in that you were a CSO. You’ve gone from leading enterprise security at companies including Adobe and Cisco, and now you’re the founder and CEO of the consultancy firm 909 Cyber, which you launched back in September 2024.

What led you to go out on your own, and what’s been the biggest surprise so far?

Den:
Yeah, David. It is funny, right? So I’d done the big enterprise stuff. I spent a lot of time at Adobe. I ran a lot of teams—infrastructure and operations. My last role there was I ran enterprise security, and that was a really fun, amazing experience.

And I jumped over to Cisco during COVID. I had a team of about 300 people, spent about $60 million in a year, and rebuilt IT security, which we called enterprise security. Solid line to the CIO, dotted line to the CSO. And then, around the corner, you know, I got this small security company, Banyan Security, that I had been a customer of at Adobe.

We used them for our Data of Trust program—a little ZT company. So I joined there. I was their CSO—ran it, ran security, did evangelism, even had my own podcast, which you remember.

David:
Yep.

Den:
So that was a great gig. And then we got acquired by SonicWall. Another great company—small, mid-size, channel-based, very embedded, 30 years of network and security experience. So, you know, another great company.

But the thing was—when a company acquires another company, I don’t remember them acquiring it for their CSO. I think they probably acquired it for, like… hmm, maybe the software. Maybe the technology. Right?

So they did offer me the position. I became CSO at SonicWall—for a minute.

So, Plan A was: become SonicWall CSO.
Plan B was: start my own company.
Plan C was: get a real job.

So in the end, we agreed to a great exit for me that gave me some finances to really start this business. We just got going. I founded the company, and we officially launched in September of last year.

And I guess your other question—the biggest surprise so far?
It’s a saturated market.
It’s a saturated market. Everybody and their grandmother wants to be a fractional CSO. And everybody and their grandmother wants to do consultancy on the side. So even if it’s not their full-time job, you’ve got a lot of security professionals out there who have a full-time job, and even on the side, they’re hustling—doing fractional work.

So that means people like us, who are building a company—now I look at it like we’re building a firm. We’re not just an ex-CSO, one dude called Den doing fractional work. There’s a group of us. And when you build a group with a group culture, I think we’ve got a better chance of not just surviving, but really thriving and helping our clients be more successful.

David:
Thank you for taking me through that. We’ll get back to 909 Cyber in just a moment, but I wanted to ask you about the alternate plan—the lesser plan, the plan that you didn’t want to go to—which was getting a “real job.”

Now, the last time you were here, we talked about how you had begun your professional career as a Royal Mail postman in Scotland. And we also, I think, talked about some of your restaurant work. Is that what you mean by “getting a real job”—going back to the roots?

Den:
No, no. By “real job,” I just meant, you know, another CSO gig. So think of it like this—one of my friends, she runs a very successful IT MSP. We worked together at Adobe years ago. And she said to me, “You should start your own consultancy. You’ll be great at it. You’ve got the right temperament, you’ve got the right experience, and you’ve got the pedigree.”

And she said, “As you build it, you need to be fired many times before you give a shit.”

When you have that one job—if you get fired from that one job, or there’s some problem in that one job—you’re toast, right? So the reality for us was, after that conversation, David, I was like, “Oh yeah. That’s… pretty smart. Yeah. We should do this. I’ll start my company.”

And she said, “You have to be fired 30 times before you care.”

David:
Thirty?

Den:
Yeah. So they’ve got so many clients that they’d need to be fired 30 times.

It’s not necessarily that you’re getting fired, but you’re definitely recognizing that you’re not… the retention of one client isn’t necessarily going to be forever. So as you build the business, you’re thinking about what clients are good for our business.

So that’s where, for us—as we evolved 909 Cyber—it’s not just a fractional CSO-as-a-service. We’ve introduced fractional field CSO, which is helping companies go to market. We’ve got gun-for-hire, hourly-rate billing engineers. Actually, we have CyberArk engineers—so they can go in and help CyberArk clients become successful if they’re struggling.

So we’ve got all sorts of lines of business that enable us to address small, mid, and enterprise markets.

David:
One of the services that 909 Cyber offers is a virtual CISO, or CISO-as-a-service model. For those who may not be familiar with what a CISO-as-a-service model is—or a virtual CISO is—what does that actually look like in practice? And what kinds of organizations is it best suited for?

Den:
Think of a regular full-time security executive—but they work part-time hours. So you’re not paying for 40 hours a week. You’re getting someone who’s part-time. And the number of hours is varied, depending on what the client requires.

You’re providing the strategic direction to the organization for their security program. You may be building it up from scratch. You may be helping them do certifications. You may be leading and training the organization.

Ideally, what I think of—the best companies suited for this—if they’re 500 employees or less. They may have an IT team that we would partner with. They may not. They may have some security people already there, but they don’t want to spend the big money to bring in a full-time CISO.

Because you could spend more money on the engineering and doing the work than doing the strategy. And the strategy—if you bring in a seasoned, experienced CISO—then the strategy to build your security program isn’t necessarily a 40-hour-a-week job. You can pay the executive their high rate, but for a shorter period of time.

And that means you’re spending more money on the engineering and the making—the progress.

David:
And what about the intricacies of the company or the organization itself? How does a virtual CISO serve? How do you pop the hood on what that organization is, so you can really do that role effectively?

Den:
That just comes down to experience. I mean, for us and our team, we’ve got a diverse bench of CISOs who are multi-term CISOs. And it’s everything from big enterprise experience—which doesn’t fit this scenario so well—but a lot of us, it’s all startups, small companies, the SMB space.

And, you know, we’re in the Valley, right? So we were born in San Jose, which means many of the people we’ve got on the team—on the bench—are in the Bay Area. But the reality is, when you’re in the startup world, most of these companies, they don’t need full-time.

I mean, if you think of the cost of a fully loaded CISO—if their base is even 300 or 400—then you add stock, then you fully burden, and you add bonuses. I mean, you could be sitting there from half a million to three-quarters to a million a year for a full-time CISO.

For us, I don’t care the industry you’re in—at the end of it, we have the ability, we’ve got the diversity on the bench, we can jump in. And the other thing is, our network is vast. Because we’ve all got decades of experience—and decades of experience partnering with other people in the industry and building that network.

So if I need a three-letter agency to jump into a client site tomorrow, I’ve got their cell phone numbers.

David:
909 Cyber works with mid-market organizations and SMBs—a segment that is often underserved in the cybersecurity space. What are some of the biggest security blind spots or challenges these companies face? And how do those challenges shift as organizations grow?

Den:
Yeah, it’s interesting, right? Because I even think of the latest Verizon breach reports—the 2025 one. You know, for someone who’s watching this three years from now, the 2025 one was talking about ransomware.

Now, ransomware—if 44% of how breaches happen involve ransomware—and SMBs are hit the hardest. They’re about 88% of that number. That means that small and midsize businesses—they’re clicking links, their users are probably less educated, they’re clicking links. They likely have less technology defending against this one attack vector.

And the reality is, ransomware is an outcome. It didn’t start with “I got ransomware.” It likely started with “I clicked a link,” and then the software installed on my device. So that whole attack vector—ransomware is an outcome.

And I think the reality is, as these companies grow, their defense-in-depth strategy needs to evolve with the business. Because remember, we’re running a business. The business is there to make profit. That means the amount of money a CEO wants to spend on IT and security is ideally as lean as it can be.

They didn’t wake up in the morning thinking, “I’d love to spend some more money on security today.”

So the reality is, you’ve got to put strategies in place that maximize that investment—and ideally differentiate that company in their sales process. So that you have the ability to say, “We’re not just a cost center. IT and security have the ability to add to your credibility, your trust, as you go to market and you sell your product.”

So we’re trying to turn security—not just from being a drain on your expense bucket—but actually help your income bucket.

So the thing for us is, as a company grows, how do we help the IT and security organizations grow with that mindset?

David:
Mm-hmm. And that’s a different challenge.

This may or may not seem obvious, but do you look at security as a growth driver for those organizations?

Den:
Depends on the company. But yeah—any company that is selling services to another company? Definitely.

You have the ability to say, “We do blah, blah, blah, blah, blah. Here’s our Trust Center. This is what we’re doing. And this is how you can have more trust in us than our competition.”

We partner with a lot of startups, because one of the things they’re trying to do is go through compliance. They want to get their SOC 2, their ISO 27001—because for some of their clients, that is a good signal of trust.

Now, I would never say compliance equals security. But you have the ability to say, “We’re doing a little bit better than nothing. And here’s evidence.”

Because a lot of clients want to see evidence that their supplier is meeting at least some minimum bars.

David:
Now that you’re also advising CISOs, what are the top two or three things that are keeping them up at night?

Den:
Well, I think the number one these days is AI, right? So AI-driven threats—that emergent attack vector. Everything from deepfakes to automated vulnerability discovery and exploitation.

And then one big thing is shadow AI. So we’re all familiar with shadow IT. But I think of shadow AI as being employees in the company deploying unvetted AI tools.

David:
Mm.

Den:
And what do they mean to the business?

Then the other one is—there’s a talent shortage. We just recently launched a platform called 909 IC, and the whole goal is to try and bring cybersecurity talent into the industry. So we can talk about that later.

But the reality in the talent shortage is—we can’t hire quick enough to facilitate business growth. And I think it’s the right talent. Then I think it’s talent retention.

And in some jobs it’s worse than others. But I think the reality is, the ones where the burnout is higher—you know, things like your SOC. The guys that are working the night shift, or you’re trying to do “follow the sun.” So different countries, different regions—it’s different hiring challenges.

David:
As AI and agentic AI reshape both the threat landscape and the tools we use to defend against it, what are the biggest opportunities and risks you see for security teams right now?

Den:
There are two different types of CISOs we’re talking to, right?

One is the ones that don’t want AI near their business. They want to block access to AI. And I’ll put them in the bucket of—you can bury your head in the sand and pretend nothing’s happening. But it’s there. So if you don’t embrace it, then you’re going to be in worse trouble down the line.

So that first group—blocking it, not allowing it—I think that’s a fool’s errand.

David:
And how prominent is that group?

Den:
Thankfully, I think it’s less than 20% of the people we talk to.

David:
Okay.

Den:
But they do exist. And I think different industries make up that group. So if you’re in an industry that’s highly regulated, tightly controlled—medical, finance, government—some of those folks, that’s more that bucket. Because that’s the industry they’re in, and there’s a lot more controls and rigor. Tolerance for risk is different.

Now the other group—the ones that say, “Look, let’s embrace it. Let’s have the teams really dig in and learn about it.” Not just the security team, but the IT team, the engineering team.

And let’s put guardrails. Let’s try and give proactive advice. Let’s try and have a think tank of people in the organization that come together—like an AI steering committee—and they’re really going to try to figure out, “How can the company best leverage AI in a safe way?”

David:
Mm-hmm.

Den:
Let’s recognize that if everyone’s just throwing stuff into ChatGPT, and there’s ever a breach over there, then all that stuff is in the wild.

So what are the risks?

And as they go through the risks, they can determine what their tolerance is. They can determine where they’re taking risks. And they can also determine—look, do we need to bring some of this in-house and create a bigger playground for the organization?

And companies like Adobe, that leverage AI as part of the product—they’re building AI into their products, like Firefly—then you can’t stop the engineers from playing around with AI, because they need to learn a lot about it.

So you need to enable them to learn—ideally quickly—because they’re trying to get product to market quick. And then ultimately, how do you do that in a safe way?

So I look at it like—guardrails and embracing it is the best approach. And any burying your head in the sand? You’re probably going to get left behind. And you’re definitely going to get caught out at some point.

David:
Do you ever wind up in the situation with a CISO from one of those super risk-averse organizations—or someone who’s looking to lock down AI—where they’re just, despite the different assessments you’re taking them through, where you’re doing the pros and the cons and all that kind of stuff, where they still end up just really digging in and still not wanting to open up the possibilities of AI?

Den:
Yeah, so there’s a couple of things.

What’s the role of that CISO we’re working with? The role of that CISO is generally to arm their leadership team with information so they can make decisions.

Our role is: take all of our wealth of knowledge and arm that CISO with information that helps that person and their business be successful. So we could sit there and play devil’s advocate—which we will do—but at the same time, we’ve got to say, okay, what is your unique business?

This goes back to the thing you said earlier about when you hit the ground running within a company—what’s the difference here?

Well, the difference is we’ve got the experience to recognize the constraints that that CISO and their business are working under. And those constraints mean that their view of AI is going to be a lot more conservative and risk-averse.

David:
Mm-hmm.

Den:
Okay—how do we help them explore that? And how do we help them explore what the technologies and opportunities are that can enable them to still learn and leverage, without going over a risk threshold that they’re comfortable with?

David:
Regardless of the organization and tolerance for risk—are there varying levels to how security leaders should approach AI, both defensively and strategically?

Den:
So there’s a couple of things.

One is: start off with strategy. Everything is strategy—then tactics next, right?

So from a strategy perspective, I think it’s really important that they understand the business strategy, and how the business strategy is embracing—or not embracing—AI.

And then, if you’re really the CISO, if you’re really the C-level executive, you need to have the ear of the other C-suite. So if you do, then where are you injecting yourself in the conversation as it relates to AI from a strategy perspective?

If you do that right, then part of that—you’re then bringing back in—and you’re looking at where the business is going from a strategic perspective, and what risks does that create? Or reduce? Or increase?

From there, you’ve got to sit there and say, “Right, well—what do we now do from a security program?” And how do we adjust?

Because one adjustment at the business level—you’ve got to look at that trickle effect as it comes into your strategy, and then you determine what do you do next?

And then as part of that, now you look at your defense-in-depth. Now look and say, “Okay, from a defense-in-depth perspective—just with an AI lens—does this change what we’re doing?”

If it does, how does it change it? And then what do we need to do to adjust?

I’ll give you one example, which is: companies are building code as part of their product, and a lot of engineering teams are now pressured to leverage AI a lot more.

The real question here is: if you’re putting your code snippets—like your real, live code—into this technology, what are you going to do when that gets breached?

Do you care?

Right—you might, you might not care. So you’ve got to go through that threat scenario and understand, and then determine what your tolerance for that risk is.

Some companies choose to then bring that in-house, and they’ll run an internal version of it, just so that they don’t risk losing their code.

David:
Wouldn’t that be your recommendation, generally speaking?

Den:
Yeah. I mean—again, it depends on the tolerance of the company, and also the finances and the constraints. Not everybody has that same ability.

If you’re a little startup, you might not want to build your own internal AI copilot.

David:
Going back then to the talent shortage you were speaking of earlier—there’s been a lot of talk, of course, about the cyber skills shortage. What’s your take, and how has that changed since you launched 909 Cyber last fall, now that you’re also in the cyber recruitment space?

Den:
So it’s funny, right? Yeah—our business started off as fractional CISO-as-a-service, subscription model. We opened up beyond that to more consultancy, and as part of that, we’ve got a recruitment division.

And the recruitment does full-time recruitment, but we also have a gun-for-hire, staff augmentation model. And—not because of this—but as we’re trying to fill positions for clients, it is a struggle. Especially—you know, I’ve been in the identity and access management space since ’92.

So I’m like an old Novell guy. And actually, my relationship with CyberArk goes all the way back to around 2003, 2004. At the time, we were putting password-protected files in the vault.

David:
Mm-hmm.

Den:
And that was before PSMs and all that stuff.

David:
This is right around when you were starting at Adobe?

Den:
Yeah, this was probably three or four years into my time at Adobe in the U.S.

So by the time I was running—when we were centralizing the server team and I was leading that team—back in those days, we would store admin passwords for all the servers inside a PDF file. That would be password-protected, then protected by Policy Server, which is an Adobe thing, and then we would put that in the vault.

So I mean—it would be, like, all these layers to get to the file. Because I mean, that was your crown jewels.

So as we’ve been building this business, I’ve kind of recognized—even trying to find good identity and access management people is so hard. It’s a nightmare.

David:
Is it a talent shortage, or is it an expectation of employers?

Den:
How do you mean?

David:
Well, if you look at job postings—and, you know, we pick up these and make fun of them quite a lot. Entry-level job posting where they’re looking for a new college grad, and they turn around and say they want five years of experience in blah.

Den:
Okay, yeah. It’s like—so you want them to have just graduated from a four-year degree course, right? But at the same time, you want them to have five years’ experience.

So if you read through the lines on that, what are they looking for? They’re looking for something that doesn’t really exist. Their expectation is unrealistic based on what they’re asking for—and what they’re willing to pay.

We saw a position for a senior engineer in New York. They wanted to pay $130,000 a year. In Manhattan. Which for me is a non-existent human—because no human I know is going to live in Manhattan and do a senior security engineer role for $130K.

Because a lot of juniors will pick those gigs up, or they’ll work remotely for another company that’s going to pay more. And they wanted them on-site. So that also changes the dynamic a little bit, right?

I saw an AI posting the other week where they wanted, I think, five years’ Gemini experience—something like that. Some nonsense.

David:
How’s that possible?

Den:
Well—it’s not. But, you know, the people that write… and now this goes back to—well, who’s writing a lot of these job posts?

David:
The AI, isn’t it?

Den:
Well, some are by AI now. But some are the HR team. Some—the hiring manager might give some bullet points, and then the HR team, the recruiters, will write it up.

I think there’s a bit of an unrealistic expectation—equivalent to when we go buy a house: we want a two-car garage, we want two fireplaces, five bedrooms, three bathrooms—and we don’t have enough money to buy a one-bedroom tough shed in San Jose.

So the reality is, it’s expectation.
I was at a conference in L.A. at the start of the year, and I was talking on stage about strategies for CISOs to be cost-effective. One of them was—I said, leverage startups, because you can be design partners.

But the other one was—I said, leverage interns and students.

An intern can work with you for six weeks in summer. But what I used to do at Adobe—and I’ve done this for over 15 years between Adobe, Cisco, and then Banyan—is: they might work for us over summer. If they’re good, we keep them on staff as a part-time employee.

And then, when the winter break comes in, they ramp up again. Then when they go back to class, they ramp down again—but they’re still doing, like, 10 hours a week.

Right? So over the course of a couple of years, these cyber students—they’re getting their book smarts done at university. They come and work with us part-time. They’re getting real-world experience. They’re learning. They’re networking.

Then by the time they graduate—if they enjoy working with us, and we’ve got the position—they roll straight into the full-time job.

They’ve already onboarded over two years.

David:
So in a way, that’s sort of practical, on-the-job developing of cyber talent.

Den:
Exactly.

David:
To that point—what’s your approach to developing cyber talent, and how can organizations build stronger pipelines?

Den:
So I think there’s a couple of things.

One is the pipeline itself—and this is why we created 909 IC.

Generally, what would happen is: your business would have a relationship with one or two—or say, half a dozen—schools. And then they’ll do a career fair and they’ll bring people in.

But you can go beyond that, right? There are thousands of colleges. And we have them in our system. And we have the students in our system. And that means a diverse pool—and also local people. Reduced cost is there, too.

So let’s say you connect them, and you bring them in.

When we bring them in, our big thing is: we want to try and give them diverse experiences while they work with the company. So it’s not just, “I’m going to do some work with some guys doing audit work and some GRC,” and maybe that helps me get a broader outlook on security in general—because they’re looking at the controls.

At the same time, I might bounce them into the SOC space, so they can get some experience on what life in the SOC looks like. And then incident response.

Then you might say, “Okay, now you’ve done the incident response—I maybe want you to get involved in some red team–type stuff.” So we’ve seen a little bit of the attack and defend. Let’s put you on the other side now.

Of course, it depends on your company’s size, your company’s funding, what you have as a need—because obviously, you’re not just there to serve and say, “Let’s get these students quote-unquote experience.”

But I think the reality is: everywhere that you’ve got a gap in your program, you might want to jump in with one of these young, fresh, enthusiastic students and say, “Okay, I want you to help out here.”

And they’re generally assisting one of the more senior people. Because you want them to shadow someone who’s been doing this for a long time.

Because this is real-world experience in parallel to them getting the book smarts.

David:
A lot of shadowing, for sure.

Den:
Yeah.

David:
So that sounds like a pragmatic approach to developing cyber talent.

You refer to your approach—or perspective—on IT and security as pragmatic security. So what is pragmatic security? What does it mean in practice, and where do you see companies overcomplicating things?

Den:
I have a reputation in the Valley of being no-BS, get-shit-done, and not necessarily being the most politically correct individual in the world.

The reality is—we get paid to deliver results. Our goal, as we deliver results, is: let’s inspire those around us, let’s have some fun, and let’s remember—we’re here to reduce the risk to the business. But at the same time, we don’t need to increase friction.

Most security people I know continually add and add more tools—and more friction—to the workforce that slows the workforce down.

So when I think of pragmatic security, we’re looking for ways to save money.

David:
Mm-hmm.

Den:
Which—when you look at tools—if you look at just the regular number of tools in any organization, if you do a tools assessment, they normally have more than two tools per security employee.

So if you’ve got 20 people in your team and you’ve got 40 tools or more—they’re not going to be fully deployed. They’re not going to be best at protecting your company.

So the reality is, you’ve got to start looking at the tools that we’re deploying and get back to basics and say, “Are we doing the basics right?”

And then from there, let’s try and make sure that we’re not adding more friction to the workforce. Because you want the workforce to move as fast as it can.

So: you reduce cost, you reduce friction, and then you reduce risk.

David:
How often are you seeing those basics not being done right?

Den:
Every day.

David:
Okay.

Den:
I mean—every company we look at, we can jump in—especially from the identity perspective. I’ll look at a company that’s leveraging Salesforce, and I will, within an hour, show you how many admin-level accounts are not going through their IDP, that are going through the back door—local on Salesforce’s platform.

I mean—they’re great for break glass. You at least want them set up to be multifactor. You at least want some extra rigor around those accounts.

And I can walk into any customer that’s using Salesforce, and I will show you some messy, gnarly, scary stuff.

David:
On the subject of identity—with machine identities outnumbering human identities now by more than 80 to 1 (that’s according to our 2025 Identity Security Landscape Report)—what’s the real risk? And how should organizations be thinking about identity security?

Den:
Like I said earlier—this has been an area for me since the early ’90s. And we used to just say, “Well, that’s a generic account. That’s a service account.” And back then—like back in the ’90s—it was the opposite way around, right?

You’d maybe have 20% or even less be your non-human identities.

And as AI evolves, that 80% number is going to grow.

So I think it’s imperative that companies now figure out their plan for the non-human identities. They look at the technologies that exist. CyberArk is a great technology that we used at Adobe. My team at Cisco used it—so I’m very familiar with how well it works. There are others out there that might meet your needs.

But the reality is—you’ve got to look at: how are you securing these identities?

And one of the things—even for us—is: if you look at the analytics of how they’re logging in, how often, where from, where are they going… If that’s a non-human identity, that non-human identity should be pretty uniform in how it behaves.

Any deviation—you could start to determine whether that account is compromised or not.

So there are some really simple things.

In 2017, we built a team called Security Intelligence at Adobe. Funnily enough, all college grads. And that team did wonders.

They basically would look at anomalous events for identities—both human and non-human. We had it down to, I think, about a 99.5% success rate. Which meant the other 0.5% was noise in the system. We got it to that level—which for me was incredible.

So my biggest thing is: yeah, companies just need to really figure out what they’re going to do with non-human identities.

Every case is unique. But at least—you’ve got to look at how they’re being logged in, and how you’re tracking the movement of those from an intelligence perspective.

David:
And how does that change the way they look at Zero Trust—or have them stay the course in the way they’ve been thinking about Zero Trust?

You’ve been called—or you’ve called yourself—a large-scale Zero Trust deliverer, as I think we talked about last time. How has your thinking evolved since your days at Adobe and Cisco? And what’s next for Zero Trust?

I’ve asked you a lot of questions right there.

Den:
Yeah, there’s a few things in there.

I have called myself that. I mean, I don’t place myself at the same level as John Kindervag—Dr. Zero Trust—or Chase Cunningham. Both great guys, both pioneers in the space.

I would say I’m a practitioner that has been blessed to implement what we called Zero Trust at certain companies.

And, you know, people’s definition will vary. And I don’t—like I said before—read the full book and say, “We’re going to do the full book.”

I think the first thing is: Zero Trust, more than ever, has a place. With AI growing, some of the principles in the Zero Trust frameworks—I think—are going to be really vital for people to leverage and take advantage of.

Accessing applications and services—so when we were talking about it, we’d always say it’s: end users accessing applications and services, regardless of where they are, regardless of where the app is, and along the journey—regardless of the network—and assume an untrusted network.

Now, when you think of non-human identities—I look at the same thing. This is just an application being accessed by a user. So that identity is still a user. And how are we protecting and figuring out the trust level of that user?

David:
So is it kind of Zero Trust at scale, then?

Den:
This is Zero Trust at scale.

So I think the principles of ZT still apply. If anything, they apply more. It’s going to be more important.

You’ve got to start to leverage security intelligence. You’re going to have to start to look for anomalous events. You’re going to have to look at: are we passwordless? How are we protecting the account?

Generally speaking—you know, we’re certificate, we’re FIDO, we’re going to a better level of security assurance rather than just a password.

But I think it’s important—you’ve got to look at these frameworks and determine what is right for your business.

The goal is never—and I’ve said this to John and Chase over the years—the goal for me at Adobe and Cisco was never to “do Zero Trust.”

The goal was to respond to business attacks.

We’re seeing attacks coming in. Our role was to protect the company from those attacks.

It just so happens—you can leverage things in that framework to do that. So we called it Zero Trust. You can call it whatever you want.

The reality is—we’re blocking attack vectors. We’re going passwordless. We’re not using VPNs. We’re going away from network-layer access controls to directory and app-layer access controls.

So we’re making these changes because: if that device was compromised, if that user did click the link, if that credential was stolen—then we’ve put defense-in-depth things in place to stop it.

David:
You’ve led security, as we’ve covered, at global enterprises—and now you run your own firm. So based on all of that experience, what’s the best advice you’ve received? And how do you help CISOs and CSOs manage the stress of the role?

Den:
I was lucky enough a while ago to have a coach that I brought in to work with our team, and she had told me to start meditating. And ultimately—get out in nature, meditate more, do yoga, do something which is a calming influence on your life.

So I look at this—and I share advice like this with a lot of people—because emotional strength is important in this role. A level of calmness is important.

When you’re under attack by a nation-state—or you’re in some ransomware incident—the last thing you want is your executives to be losing the plot.

You need them to be calm. A steady hand. Clear thought.

And the analogy I’ll use is—you can’t see through water when it’s all wavy. If raindrops hit it, and it’s all moving around and stuff like that, you can’t see through it. It’s not clear.

Water that’s calm—you can see through. And it’s clear. Provided, of course, you’re not in some dodgy, murky place. Right?

But it’s when you’re calm, when you can reset, when you can think clearly—that’s when you have the best ability to lead through really trying situations.

And unfortunately—when I was at Cisco and Adobe—it was worse than it is now. But the reality is: the further up that ladder you go, people aren’t knocking on your door to wish you well.

People are knocking on your door with escalation after escalation, complaints and everything. Everything is a tug-of-war—vying for position. Especially the more political the company gets. The bigger the company gets, the more politics get involved.

David:
Yeah.

Den:
So in that role—you’re always under pressure. I like the pressure. I thought it was fun.

But the reality is—you need some way to disconnect.

David:
Do you find that CISOs are generally predisposed to calmness?

Den:
Yeah. I mean, I look at it like—most of the CISOs that I hang out with socially—there’s always a level of quirky personality. Almost like—we don’t mind taking the beating down again.

And it is part of the job. I mean, part of the job is—you’re under attack. Right?

Like, I don’t know how many people you know that sign up in life and say, “I would like to lead the team going to defend us against attack… every day.”

David:
It makes me think of a goalie—in soccer, hockey, whatever it may be—they’re just getting those shots flung at them, here, there, and everywhere.

Den:
Yep. And you’ve got to have that mindset. You’ve got to be willing to embrace that and thrive on that.

David:
Yeah.

Den:
And the security team is very much like your defensive line, right? So whether it’s goalie, defenders, midfield, or whatever—depending on your sports analogy—it’s really the defensive line.

I mean, it’s trying to keep your company out of that mess. Keep them out of the news.

David:
So last question for you. You’re out there. You’re doing podcasts. You’re at conferences. You’re running 909 Cyber. You’ve got your own podcast now, 909 Exec. Where else can people find you?

Den:
I think the best places are probably LinkedIn and the website: 909cyber.com. We’re still working on the site, but it’s coming along nicely.

And 909 Exec—we’ve been having fun with it. We launched it because we kept having these great conversations with CIOs, CISOs, and CEOs that we wished we had recorded.

So we finally just said, “Let’s hit record.” The idea is to keep it short, conversational, and to bring some real honesty to the executive experience—especially in cybersecurity.

David:
I like that. And I’ll make sure we link to everything in the episode notes. Den, thanks again for joining us on Security Matters.

Den:
Thanks, David. Always a pleasure.