{"id":8861,"date":"2025-07-24T07:55:12","date_gmt":"2025-07-24T07:55:12","guid":{"rendered":"http:\/\/localhost\/?p=8861"},"modified":"2025-07-24T07:55:12","modified_gmt":"2025-07-24T07:55:12","slug":"ciso-spotlight-andrew-storms-on-trust-ai-and-why-cisos-need-to-be-optimists","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=8861","title":{"rendered":"CISO Spotlight: Andrew Storms on Trust, AI, and Why CISOs Need to Be Optimists"},"content":{"rendered":"<h2>Security Update News<\/h2>\n<h3>Update Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Title<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">CISO Spotlight: Andrew Storms on Trust, AI, and Why CISOs Need to Be Optimists<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Update ID<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">WALLARMLAB:F90E925CDC4BFBF865E9D02DB4A35C90<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Type<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">wallarmlab<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Published<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-07-24T11:00:00<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Last Updated<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-07-24T11:00:00<\/td>\n<\/tr>\n<\/table>\n<h3>Security Impact<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Severity<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd; color: #666666; font-weight: bold;\">NONE<\/td>\n<\/tr>\n<\/table>\n<h3>Update Details<\/h3>\n<div style=\"; padding: 15px; border-left: 4px 
solid #4CAF50; margin-bottom: 20px;\">\nAndrew Storms, VP of Security at Replicated, has spent three decades on the frontlines of cybersecurity. From building Unix systems in the early \u201990s to leading incident response and AI security strategies today, he has seen the CISO role evolve from back-office function to boardroom mainstay. In this spotlight, he shares the lessons that shaped his thinking, why storytelling is a critical CISO skill, and how API security is no longer optional. <\/p>\n<h4>From Reactive Defense to Strategic Inspiration<\/h4>\n<p>Andrew\u2019s career began in quality assurance at Broderbund Software, testing classic video games like Carmen Sandiego. But then, a spontaneous invitation to join a fledgling Unix team sent his career hurtling in another direction. <\/p>\n<p>\u201cWe were tasked with getting the company online and building out security,\u201d Andrew recalls. \u201cWe\u2019d roleplay packet inspection like a game of chess. That changed how I thought about security \u2013 it was baked into everything IT touched.\u201d <\/p>\n<p>That early experience inspired Andrew to shift his focus from reactive defense to strategic inspiration \u2013 and inspired a lifelong passion for cybersecurity. <\/p>\n<h4>Transform Cybersecurity from Blocker to Enabler<\/h4>\n<p>Like many early security professionals, Andrew once saw his role as the \u201csheriff,\u201d the enforcer of controls. But that mindset, he admits, was flawed.<\/p>\n<p>\u201cThe turning point came when someone asked, \u2018Who are your customers?\u2019 I said, \u2018The people who buy our products.\u2019 They said, \u2018No. It\u2019s the business. The employees. You\u2019re here to support them.\u2019 That changed everything.\u201d <\/p>\n<p>This revelation reframed his role, prompting him to work as an enabler, not as a blocker. \u201cNow, I see security as a sales tool. 
If I can help sales move faster, or engineering ship quicker, I\u2019m doing my job right.\u201d <\/p>\n<h4>CISOs Should Be Optimists and Storytellers<\/h4>\n<p>As the CISO role matures, Andrew argues that soft skills are just as critical as technical chops. He believes that optimism is one of the most important. <\/p>\n<p>\u201cIf you walk in saying the world is on fire, no one listens. But if you understand business goals, you can turn security challenges into opportunities.\u201d <\/p>\n<p>He also believes in the power of storytelling. \u201cI once gave a talk where it was 10 minutes of storytelling and 5 minutes of demo. People loved it. Stories help people understand where you\u2019re coming from, they help build camaraderie.\u201d<\/p>\n<h4>Practice Over Perfection<\/h4>\n<p>When it comes to incident response, Andrew favors realism over tabletop drills. \u201cWe hate tabletop exercises. Instead, we fake alerts, drop them into Slack, and see what happens. Did someone respond? What did they do?\u201d <\/p>\n<p>That said, for Andrew, technical drills are only part of the equation. Culture matters too. <\/p>\n<p>\u201cYou must make it okay to say, \u2018I don\u2019t know.\u2019 That\u2019s a sign of maturity, not weakness. It turns uncertainty into an opportunity to learn.\u201d<\/p>\n<h4>The API Security Imperative<\/h4>\n<p>For Andrew, API functionality isn\u2019t a feature; it\u2019s a dealbreaker. <\/p>\n<p>\u201cIf your product doesn\u2019t have an API, I won\u2019t buy it,\u201d he says. <\/p>\n<p>That may sound blunt, but it reflects a broader shift in expectations. Security teams today rely on automation, orchestration, and AI-driven workflows \u2013 and APIs are what makes them possible.<\/p>\n<p>\u201cModern environments are built to move fast. If I can\u2019t automate tasks, connect systems, or have an AI agent interact with your tools, then it\u2019s dead weight,\u201d Andrew explains. <\/p>\n<p>But with that flexibility comes risk. 
APIs offer machine-speed access to sensitive data and, if left unsecured, present a massive attack surface. That\u2019s why API security, he argues, must be continuous and embedded into core operations. <\/p>\n<p>\u201cYou can\u2019t rely on one-time scans anymore,\u201d he says. \u201cAPI threat scanning needs to be 24\/7.\u201d<\/p>\n<p>Andrew advocates for a layered approach: strong authentication, proper secrets management, web app firewalls, rate limiting, logging, and input\/output validation. <\/p>\n<p>\u201cIt\u2019s not about reinventing the wheel. It\u2019s applying the same security fundamentals we\u2019ve always used, just on a different surface.\u201d <\/p>\n<h4>AI: Embrace the Opportunity, Respect the Risk<\/h4>\n<p>In his current role at Replicated, Andrew sees AI as a game-changer, especially for compliance. But it also raises urgent questions about data governance. <\/p>\n<p>\u201cSomeone might ask, \u2018Can I put support logs into an AI tool?\u2019 And I\u2019ll say, \u2018Thanks for asking, let\u2019s assess the risk together.\u2019 These are teachable moments. We want people thinking like security folks.\u201d <\/p>\n<p>His advice? Don\u2019t be a \u201cno-AI-ever\u201d company. But don\u2019t let AI become shadow IT either. \u201cWork with teams, help them understand risks, data flows, and how to think critically. That\u2019s how you build trust.\u201d <\/p>\n<h4>The CISO\u2019s Future: Trust, Resilience, and AI Stewardship<\/h4>\n<p>In the next five years, Andrew expects the CISO to become a company\u2019s \u201ctrust asset,\u201d a visible leader who helps customers and partners feel secure.<\/p>\n<p>That means evolving beyond defense. \u201cIt\u2019s not just about stopping attacks. It\u2019s about building resilient products and systems that keep the business running, no matter what.\u201d<\/p>\n<p>He also highlights the growing need for data ethics in an AI-driven corporate world. \u201cAI relies on data. 
So, we need to treat data stewardship as a core security function.\u201d <\/p>\n<h4>The Final Word<\/h4>\n<p>Andrew closes with a simple personal wish: a week-long fly-fishing holiday in Montana. But until then, he\u2019s laser-focused on helping security teams \u2013 and businesses \u2013 thrive through empathy, opportunity, and trust. <\/p>\n<p>\u201cThe most powerful thing a CISO can say? \u2018I\u2019m here to help you move faster; and safer.\u2019 That\u2019s how we win.\u201d <\/p>\n<p>Want to find out how Wallarm\u2019s platform aligns with Andrew\u2019s view of API security? Take a product tour today.<\/p>\n<p>The post CISO Spotlight: Andrew Storms on Trust, AI, and Why CISOs Need to Be Optimists appeared first on Wallarm.\n<\/p><\/div>\n<p><a href=\"https:\/\/lab.wallarm.com\/ciso-spotlight-andrew-storms-trust-ai-why-cisos-need-to-be-optimists\/\" target=\"_blank\" style=\"display: inline-block; color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px;\">View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security Update News Update Information Title CISO Spotlight: Andrew Storms on Trust, AI, and Why CISOs Need to Be Optimists Update ID WALLARMLAB:F90E925CDC4BFBF865E9D02DB4A35C90 Type wallarmlab&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,5,105],"class_list":["post-8861","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability","tag-wallarmlab"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>CISO Spotlight: Andrew Storms on Trust, AI, and Why CISOs Need to Be Optimists - zero redgem<\/title>\n<meta name=\"robots\" 
content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=8861\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CISO Spotlight: Andrew Storms on Trust, AI, and Why CISOs Need to Be Optimists - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title CISO Spotlight: Andrew Storms on Trust, AI, and Why CISOs Need to Be Optimists Update ID WALLARMLAB:F90E925CDC4BFBF865E9D02DB4A35C90 Type wallarmlab...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=8861\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-24T07:55:12+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8861#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8861\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"CISO Spotlight: Andrew Storms on Trust, AI, and Why CISOs Need to Be Optimists\",\"datePublished\":\"2025-07-24T07:55:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8861\"},\"wordCount\":1008,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\",\"wallarmlab\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=8861#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8861\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8861\",\"name\":\"CISO Spotlight: Andrew Storms on Trust, AI, and Why CISOs Need to Be Optimists - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-07-24T07:55:12+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8861#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=8861\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8861#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CISO Spotlight: 
Andrew Storms on Trust, AI, and Why CISOs Need to Be Optimists\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"CISO Spotlight: Andrew Storms on Trust, AI, and Why CISOs Need to Be Optimists - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=8861","og_locale":"en_US","og_type":"article","og_title":"CISO Spotlight: Andrew Storms on Trust, AI, and Why CISOs Need to Be Optimists - zero redgem","og_description":"Security Update News Update Information Title CISO Spotlight: Andrew Storms on Trust, AI, and Why CISOs Need to Be Optimists Update ID WALLARMLAB:F90E925CDC4BFBF865E9D02DB4A35C90 Type wallarmlab...","og_url":"https:\/\/zero.redgem.net\/?p=8861","og_site_name":"zero redgem","article_published_time":"2025-07-24T07:55:12+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=8861#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=8861"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"CISO Spotlight: Andrew Storms on Trust, AI, and Why CISOs Need to Be Optimists","datePublished":"2025-07-24T07:55:12+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=8861"},"wordCount":1008,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","Security","tapic","Vulnerability","wallarmlab"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=8861#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=8861","url":"https:\/\/zero.redgem.net\/?p=8861","name":"CISO Spotlight: Andrew Storms on Trust, AI, and Why CISOs 
Need to Be Optimists - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-07-24T07:55:12+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=8861#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=8861"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=8861#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"CISO Spotlight: Andrew Storms on Trust, AI, and Why CISOs Need to Be Optimists"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero 
redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/8861","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8861"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/8861\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8861"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}