Before the Breach: What 12 CISOs Taught Us About Leadership in 2024
12 CISOs. 1 year of hard truths, real talk, and lessons from the edge of security leadership.
You learn a lot just by listening.
Not for soundbites. Not for headlines. Just to understand what people are really dealing with.
That’s what Season 1 of The Candid CISO turned into. I didn’t set out to run a research project—but after 12 deep conversations with security leaders across industries, it started to feel like one. An oral history of cybersecurity leadership in 2024, told one brutally honest story at a time.
A barefoot ultramarathon through the woods. A career that started in compliance and landed in the boardroom. A hacker turned government CISO. A virtual CISO rethinking how work gets done. These weren’t just résumés—they were signals. Signals of a role in motion, an industry under pressure, and a leadership archetype that’s still being figured out in real time.
By the end of the season, it was clear:
The job description was obsolete.
The pressures were mounting.
And the people doing the work? Still showing up—with humor, grit, and surprising clarity.
The Year Before the Pivot
2024 wasn’t a breaking point—but you could feel something bending.
It was a year of friction. Pressure from the board. Pressure from regulators. Pressure from inside the org to "just make it work." And underneath it all, a growing tension: the job was getting bigger, but the support wasn’t catching up.
You could hear it in conversations with people like Mandy Andress, who talked about how AI was already reshaping the threat landscape—and how security teams were expected to respond without skipping a beat. Or Tyler Pinckard, who made the case that compliance isn’t just table stakes anymore—it’s a competitive advantage, if you know how to use it.
And then there was Aysha Khan, who reminded us that leadership isn't just about technology—it’s about empathy, clarity, and the willingness to face fear head-on. These weren’t abstract theories. These were real reflections from people navigating real tradeoffs.
Nobody framed 2024 as a crisis year. But almost every guest hinted at the same thing:
The role was shifting.
The noise was rising.
And the window to reimagine leadership—before the job hardened into something unrecognizable—was starting to close.
Seven Things That Stood Out from Season 1
1. Everyone’s Figuring It Out in Real Time
There was no consensus on what it means to “do the CISO job well” in 2024. Not because people weren’t trying—but because the expectations keep shifting.
Mandy Andress described how the role has become more defined in terms of business impact—but also more volatile. In her experience, the job requires continuous recalibration based on technology trends, regulatory pressure, and evolving organizational needs.
Joel Fulton offered a different angle. He spoke openly about the transition from being an individual contributor to leading people—and how that shift demands not just skill, but self-awareness. The takeaway across the board was this: there is no steady state. The modern CISO is expected to evolve in place.
This wasn’t about lack of competence. It was about the reality of a job that outpaces its own definition. The best leaders weren’t chasing a perfect model—they were staying adaptive, curious, and grounded in their own values.
2. Security is Becoming a Business Conversation—Not Just a Technical One
Several guests described the need to reposition security—not as a blocker, but as an enabler.
Rinki Sethi spoke about how security can actually reduce business friction, especially when it comes to compliance and sales. By integrating with the business early, rather than coming in as an afterthought, she was able to shorten sales cycles and build stronger stakeholder trust.
Tyler Pinckard echoed this, arguing that compliance—when used proactively—can become a growth engine. He framed SOC 2 and ISO not just as requirements, but as trust signals that accelerate customer acquisition.
This shift—from "protecting" to "partnering"—was one of the clearest signals of the year. CISOs aren’t just being asked to manage risk. They’re being asked to connect the dots between security, revenue, and reputation.
3. Communication is Now a Core Leadership Skill
It’s no longer enough to be technically competent or strategically aligned. Every guest, in their own way, emphasized the importance of clear, candid communication.
Jason Elrod described his approach to board conversations as radically human. He doesn’t lead with jargon—he leads with clarity. He talks about risk in ways that make people care. And he’s not afraid to admit what he doesn’t know.
Carlota Sage, reflecting on her work as a virtual CISO, pointed out how boundary-setting and communication go hand in hand. In roles that often span multiple teams or organizations, being explicit—about priorities, limitations, and tradeoffs—is essential.
The conversations reminded us that security doesn’t scale through control. It scales through trust—and trust starts with how you communicate, especially when the stakes are high.
4. Diversity of Thought Isn’t a Slogan—It’s an Operating Principle
This wasn’t about checking boxes. It was about how diverse perspectives actually shape better security outcomes.
Aysha Khan spoke about leading with humanity—not as a style, but as a necessity. She shared how her personal journey shaped her leadership, and how creating space for different viewpoints wasn’t just inclusive—it was strategic.
Mandy Andress described how being a gay woman in cybersecurity has influenced how she leads. She didn’t frame it as a challenge to overcome. She framed it as an advantage—something that made her more empathetic, more attuned to cultural dynamics, and more equipped to build resilient teams.
Others, like Chirag Shah, emphasized the value of inclusivity in boardrooms and M&A discussions, where multiple dimensions of risk—financial, technical, cultural—collide. The strongest leaders weren’t just diverse themselves. They actively sought out different ways of thinking and built environments where those voices were heard.
5. Resilience Doesn’t Come From the Job—It Comes From Outside It
One of the most striking patterns across the season was how many guests had found grounding outside their day job.
Jason Elrod told the story of getting lost on a trail run and finishing 19 miles barefoot. It wasn’t a planned metaphor—but it became one. For him, running wasn’t just fitness—it was reflection, perspective, and emotional reset. That kind of physical and mental discipline translated directly into how he leads under pressure.
Carlos De Leon talked about community—how participating in hacker culture, networking events, and groups like Hacker Summer Camp have been essential to his longevity in the field. The job can be isolating. Community makes it sustainable.
And Carlota Sage pointed to burnout directly—how boundary-setting and peer connection weren’t just self-care, but strategic necessities for staying in the work. For many guests, resilience wasn’t a character trait. It was a practice—and it almost always involved stepping away from the screen.
6. AI Was Already Changing the Job—Even if Nobody Had the Full Picture
By mid-2024, AI had moved beyond theoretical conversation. It was changing workflows, surfacing new threats, and raising hard questions about accountability and readiness.
Mandy Andress spoke to the pressure to respond quickly and intelligently to AI-driven threats, even while the rules of engagement were still being written. She acknowledged that while the hype was everywhere, the operational impact was real—and often outpacing what most teams were prepared to handle.
Tyler Pinckard was more direct. He saw AI and automation as necessary tools—not just for detection and response, but for keeping pace with the speed of business. He advocated for using AI to increase efficiency in areas like static analysis and case summarization, while staying mindful of human oversight and judgment.
Across these conversations, one thing was clear: AI wasn’t a separate topic from cybersecurity. It was becoming part of the fabric—both as a capability and a challenge. And CISOs were trying to figure out what that meant for hiring, tooling, and strategy in real time.
7. There’s No One Way to Lead—And No One Path In
Perhaps the most encouraging insight of the season was this: the role of CISO is being shaped by the people in it, not the other way around.
Jimmy Sanders shared how his journey started with an internship at a beef jerky company—hardly a traditional on-ramp into security. From there, he moved into leadership roles at Netflix, Samsung, and eventually ISSA, always bringing an unconventional but fearless mindset to the work.
Carlota Sage, now a respected vCISO, came into the role through a non-linear path as well, and emphasized that her multifaceted background has been one of her greatest strengths—not a liability to overcome.
Even Joel Fulton, with years of executive experience, spoke openly about avoiding toxic environments and choosing to work with people whose values align with his own. Leadership, in his view, begins with that kind of intentionality.
Together, these guests showed that there’s no archetype. No singular mold. The most effective security leaders were defining their own terms—rooted in who they are, what they care about, and how they show up for their teams.
The Real Takeaway
Looking back on Season 1, what stuck with me wasn’t a framework or a trend. It was the tone.
These conversations weren’t theoretical. They were human. A little messy. Sometimes conflicted. Often hopeful.
What I heard, again and again, was a kind of quiet courage—CISOs who knew the role was broken in places, who felt the pressure rising, but who still chose to lean in and lead anyway. Not because they had all the answers. But because they cared. About the work, about the people, and about making security better—on their own terms.
There was no single way to lead. No agreed-upon future. But there was a shared willingness to keep going, even when the map ran out.
That’s what I’ll remember from this season. Not the job title. The posture.
And that’s why I’m grateful to every guest who showed up—not just to talk, but to tell the truth.
What’s Next?
If you’ve made it this far, thank you.
If Season 1 gave you something to think about—or helped you feel a little less alone in the chaos—consider subscribing to The Candid CISO wherever you listen to podcasts. It helps more than you know.
And I’d love to hear from you:
What stuck with you from Season 1?
What topics or themes do you want more of in Season 2?
And which CISO should we sit down with next?
Drop your thoughts in the comments—or even better, swing by our website and check in via the Chat feature. We’d love to know what you're seeing in the field and how we can shape the next season together.
And if you’d like to support the podcast and help us keep this work going, click on Membership and contribute in whatever way makes sense for you. Every bit helps.
Thanks for being part of the journey. Season 2 is coming soon.
Want to Sponsor Season 2?
We’re currently lining up sponsors for Season 2 of The Candid CISO. If your company believes in honest conversations, thoughtful leadership, and elevating the voices of real practitioners in cybersecurity, we’d love to partner with you.
Check out the Sponsorship Deck for details—then reach out if it resonates. Let’s build something meaningful together.