I can't listen to CISO podcasts anymore
Yesterday I started one, I cut it off after eight minutes. I already knew everything. And the worst part is that I know exactly why it's like this, because I'm often on the other side of the mic, being a CISO myself.

Yesterday I started one, I cut it off after eight minutes. I already knew everything. And the worst part is that I know exactly why it's like this, because I'm often on the other side of the mic.
I can't listen to them anymore. Yesterday, a CISO podcast crossed my path, I hit play, and after a few minutes I cut it off. Not because the person was bad, I have no idea, actually. Because I already knew every answer before it came. Security that supports the business without slowing it down, integration as early as possible, secure by default, AI that assists without replacing, with a human somewhere in the loop, and the inevitable inflection point where we would all be. Eighteen years I've been doing this job, and I've been hearing this same script word for word for eighteen years.
The thing is, I know where it comes from. I'm on the other side of the mic more often than my fair share, I get booked for these formats. And there's always, before recording, that moment where they send you the questions in advance and slip in that it'll be light, educational, that you need to stay accessible. In plain terms, don't say anything that might upset the sponsor whose logo will appear at the end. Nobody is stupid in this story. Everyone is afraid, and everyone has good reasons to be afraid.
Because the day a CISO says something precise and true, a flaw he chose to leave open for lack of resources, a budget he was denied, a company he left because he was being asked to sign what he didn't want to sign, he hands out ammunition. To a lawyer, to a board of directors, to a future recruiter who will type his name into Google. The hollow line, at least, never turns back on him. I understand the calculation, and I find it dispiriting.
Me, I hand out ammunition every time, and I do it on purpose. Sometimes I answer beside the easy question, I say in front of a room that some framework everyone praises is useless in the context we're talking about, I recount a decision I only half stand behind. And every time it's the same mechanics, the room cooling off, the moderator moving on a little too quickly, and three days later the comment explaining that I'm too negative, not constructive enough. I don't get re-invited everywhere, and I do without.
Only, let's be honest about what it costs me. I'm a CISO, so I carry that risk like the others, the seat, the board, the lawyer's letter that sometimes ends up arriving. But I'm not only that. I train, I audit, I write, I advise elsewhere. When I say something disruptive, I'm not betting everything on a single square, and it's that spread that buys me a measure of my freedom of tone, not some kind of courage. The CISO whose sole job, sole employer, sole income this is, he risks far more on a single sentence. I'm not going to pretend we're in the same boat.
Because the real problem isn't individual. It isn't a story of the brave on one side and the cowardly on the other. The people best placed to say useful things, those who are in the seat, in the thick of the decision, with all the context, are precisely the ones the ecosystem has taught to keep quiet. Legal, marketing, the sponsor, employer branding, career caution, all of it filters the message until it no longer teaches anyone anything. In the end, there isn't a crowd of mediocre chatterers facing a silent elite. There's an entire discipline that has made speaking truthfully costly, and then acts surprised that its conferences put everyone to sleep.
So no, I'll never make a good podcast guest. Not out of bravery, I've just explained that my freedom of tone comes above all from the fact that I'm not betting everything on a single seat. Simply, I have no reassuring formula to slot in before the credits, and I trip up too often in public to keep up the pretense. Yesterday's episode, I cut it off after eight minutes. It's probably the most honest thing I did all day.
Questions fréquentes
Why can't the author listen to CISO podcasts anymore?
Because he already knows every answer before it comes: security that supports the business, secure by default, AI that assists without replacing. After eighteen years in the job, he hears this same script word for word.
Why is the CISO message so bland?
Before recording, the questions are sent in advance and you're asked to stay light and accessible, meaning to say nothing that might upset the sponsor. Everyone is afraid, and everyone has good reasons to be afraid.
What does a CISO risk by speaking frankly?
A precise and true remark can turn back on him with a lawyer, a board of directors or a recruiter. The hollow line, on the other hand, never turns back on whoever says it.
Does the problem come from a lack of individual courage?
No. The author believes this isn't a story of the brave and the cowardly, but an entire discipline that has made speaking truthfully costly, then acts surprised that its conferences put everyone to sleep.
Why does the author allow himself a freer tone?
Because he doesn't depend on a single seat: he trains, audits, writes and advises elsewhere. That spread buys him a measure of freedom of tone, which he clearly distinguishes from courage.

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
