SANS Cyber Leaders Podcast Season 2: Top Five Takeaways

If you’re a security leader today, your challenges go far beyond technical execution. You're managing geopolitical fallout, AI disruption, boardroom translation gaps, and a shrinking talent pool all while navigating an environment that grows more complex by the day.

That’s why Season 2 of the SANS Cyber Leaders Podcast cut through the noise, focusing on the challenges that matter most to CISOs: building trust, driving readiness, and defending against increasingly sophisticated threats in a politically volatile world. The series, hosted by SANS’ James Lyne and Ciaran Martin, highlighted how top security leaders are responding to evolving conditions—like redefining the CISO role, confronting the human and political dimensions of risk, and making resilience a key measure of security maturity. These five takeaways reflect common ground shared across the season, and where forward-leaning leaders are already prioritizing their attention and resources.

The Modern CISO is an Organizational Change Agent

The modern CISO role requires more than just being a pure technologist. CISOs are increasingly expected to oversee security operations, shape organizational culture, and brief executive boardrooms — often in the same week. During Episode 12, Christine Gadsby (CISO, BlackBerry) spoke about the growing need for CISOs to influence product direction and risk strategy at the executive level, not just enforce security controls. And that expectation only grows in moments of crisis. In Episode 11, Ross McKerchar (CISO, Sophos) made clear that transparency and trust—not technical perfection—are what ultimately define success under pressure. Boards need clarity, not jargon. Teams need guidance, not noise. The job has shifted, and the ability to articulate risk with credibility now matters as much as how you mitigate it.

• Strengthen cross-functional leadership in LDR514: Security Strategic Planning, Policy, and Leadership
• Build board-ready communication and executive influence in LDR516: Building and Leading Vulnerability Management Programs
• Join the SANS CISO Network community to share insights and compare strategies with other senior security leaders.

The Lines Have Blurred Between Cybercrime and Nation-State Adversaries

In 2025, threat actors have become more coordinated, resourced, and ideologically flexible. Cybercriminal organizations are leveraging the same tactics, techniques, and procedures (TTPs) as nation-state adversaries—and sometimes working in parallel with them. In Episode 13, Max Smeets (Senior Researcher, ETH Zurich) described how ransomware groups operate like multinational corporations, complete with internal controls, onboarding, and even dispute resolution. In some cases, they’re protected or enabled by state actors, making attribution more difficult and response more politically sensitive. Manfred Boudreaux-Dehmer (CIO, NATO) echoed this during Episode 9, describing the challenge of coordinating defense across 32 member nations against adversaries unconstrained by borders or bureaucracy. And for Episode 16, Bilyana Lilly (Associate Director, Accenture) unpacked how cyber operations and disinformation campaigns are increasingly used in tandem to destabilize democratic systems.

• Refine your geopolitical threat modeling and actor tracking skills in FOR578: Cyber Threat Intelligence
• Explore enterprise-scale cyber defense strategies in SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise

AI is Transforming SOCs, But Governance Challenges Persist

Amid all the hype around artificial intelligence (AI), this season took a refreshing turn by focusing on what’s actually working inside modern security operations centers (SOCs). AI is delivering measurable improvements for SOC analysts, especially in detection and response efforts. However, it remains critical to ensure that implementation does not outpace governance. John Hubbard (Senior Instructor, SANS Institute) highlighted in Episode 15 how AI is helping defenders catch incidents faster and reduce noise, but also warned that models lacking transparency or testing can quickly undermine trust. Tim Conway (Technical Director, ICS & SCADA Programs, SANS Institute) pointed to similar challenges in industrial environments during Episode 17, where AI is being introduced into systems that were never designed for it. Across the board, the message was clear: AI is here, but it can’t be left on autopilot. CISOs need to stay close to both the tooling and the assumptions behind it.

• Unveil prevalent risks, discover mitigation tactics, and gain insights into AI-related cybersecurity and policy development with AIS247: AI Security Essentials for Business Leaders
• Learn to implement and govern AI in cyber defense with SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
• Download the SANS Critical AI Security Guidelines v1.1 whitepaper to explore practical implementation advice, governance frameworks, and security considerations for deploying AI in enterprise environments.

As Threats Accelerate, Resilience is What Matters Most

As threats grow in volume and velocity, the pressure to prevent every attack has given way to a more grounded reality: some breaches are inevitable, and a resilient response is the real determining factor for recovery. Lisa Forte (Co-founder, Red Goat Cyber Security) emphasized during Episode 10 that most crisis breaches often don’t stem from technical gaps, but from unclear roles, poor decision-making, and lack of communication under stress. Those breakdowns can have major consequences. Conway, in Episode 17, reinforced that notion in his discussion around critical infrastructure security, where the timeline for recovery is measured in hours or days and often under regulatory and safety pressure. Cyber resilience isn’t a backup strategy. It’s what separates successful recovery from irremediable damage.

• Design repeatable playbooks and controls with SEC566: Implementing and Auditing CIS Controls
• Strengthen your ICS/OT cyber resilience strategy with ICS410: ICS/SCADA Security Essentials

The Human Element = Your Weakest Link and Greatest Opportunity

While much of the cybersecurity discussion today is focused on tools and technologies, this season made a clear case that people are the true front line — and often the true failure point. From burnout to insider threats, the human layer shapes everything from detection and response speed to organizational risk tolerance. During Episode 14, Tarah Wheeler (CEO, Red Queen Dynamics) emphasized that stronger inclusion and support for front line teams must be an organizational priority. In addition, in Episode 10 Forte underscored how often insider threats go undetected not because of tooling, but because organizations don’t create space for difficult conversations or recognize the warning signs. Those winning at security are investing in culture, communication, and skill development.

• Empower practitioners to execute sustainable, high-performance operations in SEC450: Blue Team Fundamentals: Security Operations and Analysis
• Develop practical team-building, training, and communication strategies in LDR521: Security Culture for Leaders
• Start building a security-aware organizational culture today with SANS Human Risk Management Training

Stay on the lookout for Season 3!

Season 2 of the Cyber Leaders Podcast brought together CISOs, researchers, and enterprise leaders to talk candidly about what’s working—and what isn’t—in today’s security landscape. If you found value in this season’s insights, you won’t want to miss what’s coming next. Season 3 is already in the works, with new guests, timely topics, and more practical perspectives for those leading security from the front.