In this episode of The New CISO, host Steve Moore speaks with Alex Rice, Founder, CTO, and CISO at HackerOne, about challenging one of cybersecurity's most deeply held beliefs—that security should be the top priority. Drawing from his journey building security programs at Facebook and founding HackerOne, Alex introduces the "safety third" philosophy and explains why accepting that security is never first can actually make you more effective as a leader.

Alex shares his unconventional path into cybersecurity, starting as a 14-year-old programmer in rural Florida and eventually leading product security at Facebook during its explosive growth. He reveals how Facebook ran 70+ penetration tests annually with top-tier vendors and still wasn't finding enough vulnerabilities—until they opened the doors to the hacker community and received over 300 valid findings in a single weekend. This experience became the foundation for HackerOne's bug bounty platform.

The conversation tackles critical leadership challenges facing modern CISOs, including the toxic tendency toward victim blaming when breaches occur, why security teams struggle with customer-centric design, and how to avoid becoming the team everyone knows only for blocking work and sending phishing tests. Alex argues that security professionals must stop drinking their own Kool-Aid and recognize that usability and business outcomes will always take precedence over security controls.

In the episode's second half, Alex addresses AI's role in security operations with refreshing pragmatism. Rather than chasing grandiose AI visions, he advocates for starting with narrow, well-defined tasks where agents can replace security toil—like automated CVSS scoring or vulnerability triage—building trust and expertise before tackling more ambitious projects. He warns against the current trend of AI tools that find more problems when security teams desperately need help fixing the mountain of issues they already know about.

Alex also challenges CISOs to stop over-owning problems like asset inventory management that rightfully belong to other executives, emphasizing the importance of cross-functional collaboration over building security-owned solutions that ultimately fail. Throughout the discussion, he champions a philosophy of empathy, customer-centricity, and accepting hard truths about security's actual place in business priorities—a mindset shift that paradoxically makes security leaders far more effective.

Key Topics Discussed:

1. Why "safety third" should be every CISO's operating philosophy
2. The problem with victim blaming in cybersecurity incidents
3. Building customer-centric security programs that enable rather than block
4. Lessons from scaling Facebook's security program with 70 pen tests per year
5. The origin story of HackerOne and crowdsourced security testing
6. How to avoid becoming the security team everyone resents
7. Practical AI implementation: Starting with toil elimination, not transformation
8. Why CISOs over-own asset management and other problems
9. The importance of process mapping before deploying AI agents
10. Aligning security teams closely with AI and software...

In this episode of The New CISO, host Steve Moore speaks with Iain Paterson, Chief Information Security Officer at Well Health Technologies, about his unconventional path into cybersecurity and the lessons learned from building programs across industries—from banking and healthcare to breach response and beyond.

From skipping college to take an eight-month technical boot camp to leading enterprise security programs, Iain shares how curiosity, hands-on experience, and communication skills shaped his journey. He opens up about the realities of hiring in cybersecurity, why foundational IT work still matters, and how soft skills like empathy and composure are essential for effective leadership. Iain also reflects on leading through high-stress incidents, including the Ashley Madison breach, and explains why staying calm, communicating clearly, and maintaining emotional intelligence define the “new CISO.”

Key Topics Covered:

• A nontraditional start: skipping college for certifications and hands-on learning
• Why technical foundations—servers, networks, and support—still matter
• The problem with “boilerplate” resumes and lack of real-world experience
• Why soft skills are a security superpower: communication, patience, and empathy
• Transitioning from technician to business enabler in cybersecurity
• How early help desk experience builds composure and problem-solving ability
• Lessons from running vulnerability management in large-scale banking
• Learning resilience and resourcefulness as a one-person security team in healthcare
• Behind the scenes of the Ashley Madison breach: stress, responsibility, and empathy
• Why composure, calm communication, and credibility matter in crisis response
• The leadership evolution from technical expert to executive decision-maker
• Building peer networks and finding mentorship to combat isolation as a CISO

Iain’s story highlights how real experience, emotional intelligence, and community support transform good technologists into exceptional leaders. His insights remind us that cybersecurity isn’t just about defense—it’s about communication, composure, and connection.

In this episode of The New CISO (Episode 137), host Steve Moore speaks with Gideon Knocke, CISO at Visage Imaging, about rethinking how we grow in our careers and why learning to “think outside the job” is key to long-term success.

From studying cybersecurity when the field was still new to leading security for millions of patient records in healthcare, Gideon shares how his early curiosity and “career accidents” helped shape his mindset as a modern CISO. He reflects on shifting from technical problem-solving to people-centric leadership, learning how visibility and credibility shape opportunity, and why networking—inside and outside your company—is essential for resilience and growth. Gideon also explains why risk quantification isn’t just about numbers, but about decision-making, communication, and understanding what your organization truly values.

Key Topics Covered:

• Early lessons from studying cybersecurity before it went mainstream
• Why some of the best careers evolve through “happy accidents” and curiosity
• How to build visibility and relevance beyond doing good work
• The difference between being seen as an asset versus a person
• How networking and outreach can transform your mindset and open new doors
• Turning fear of public speaking into confidence through preparation and iteration
• The leadership balance between taking accountability and fostering team candor
• Why large-organization politics can hinder honest communication
• The art of quantifying risk for better decision-making, not just reporting
• Why the new CISO must start with company beliefs and build security on shared values

Gideon’s journey reveals that career success often comes from stepping outside your comfort zone—whether that’s reaching out to 100 strangers on LinkedIn, giving your first talk, or reframing how you communicate risk. His insights remind leaders that growth begins when you stop thinking only about your job and start thinking about your impact.