Resources

/

Podcasts

/

Secure IT

The CISO Blueprint pt. 1: Why There Are No Nos in IT with Rich Casselberry

Episode 15   Published January 16, 2025 9 minute watch

Secure IT

The Secure IT Podcast, hosted by Automox CISO Jason Kikta, is your one-stop shop for all things IT and cybersecurity. Jason knows good security comes from good IT. Step into a CISO’s shoes and trek through the world of technology and cyber defense to stay ahead of potential threats. Each episode is packed with the latest trends, tips, and expert advice.

Jason Kikta is the CTO of Automox

Host

Jason Kikta

RECENT EPISODES

Best-In-Class Remote Control

CISA's BOD 26-04 Directive Explained

[Nothing Weaponized, Everything Exposed]

[AI Hits the Hat Trick], Ep. 32

View all episodes

Available wherever you get your podcasts

Youtube

Apple Podcasts

Spotify

Overcast

Pocket Casts

Amazon Music

Castro

Goodpods

Castbox

Podcast Addict

Player FM

Deezer

Summary

Security can't answer every request with no. Rich Casselberry, VP of IT Security at ATI, says you either offer a safer path to what someone wants or you make the trade-offs explicit. He did exactly that when finance asked to cut an EDR tool that had stopped 11 ransomware attacks in a year. The principle comes from his paper, The CISO Blueprint, on building strong security from strong IT practices, which he discusses with host Jason Kikta. Casselberry also pushes for deliberate automation. With 90% of his systems patching on their own, his team can stop reacting to every headline vulnerability and spend its time where humans add value.

Takeaways

  1. The principle traces back to a CIO who told Casselberry that IT can't answer no. If the real answer ever was no, the CIO wanted to be brought in to hear why. That forces you to surface the actual constraint instead of stonewalling.

  2. An engineer wanted to plug an unauthenticated access point into the wired network for an iPad project. The team built a scoped VPN tunnel instead, giving him only the lab access he needed. It was better for him and better for security.

  3. When finance proposed cutting an EDR tool, Casselberry showed it had stopped 11 ransomware attacks in the past year at an average cost of $980,000 each. Dropping the line item meant budgeting roughly $10 million to cover the losses it prevented.

  4. About 90% of Casselberry's systems patch automatically. His team doesn't have to scramble when a new attack makes the Wall Street Journal. The fix lands on its normal schedule.

  5. Some teams are accidentally automated because the tool just came with it. Others pursue automation deliberately to reserve human time for work that can't be automated.

Topics

IT Operations

See for yourself how policy-driven IT Automation saves time and eliminates risk.

Dive deeper into this topic

BlueHammer: What You Need to Know and How to...

A Windows zero-day with public exploit code and no patch. Deploy...

When Opportunism Is the Strategy: Why Cyber...

Iran's destructive cyber operations follow opportunity, not...

The Myth of the All-Knowing IT Pro

Podcast

Pulling Back the CX Curtain with Charles Coaxum

Podcast