The Chasing Entropy Podcast Season One is in the Books

by Dave Lewis
December 15, 2025 - 6 min

Twenty-seven episodes. Dozens of CISOs and security leaders. Hours of honest conversation about what actually keeps them up at night.
When I launched the show, the goal was simple. Strip out the fluff and talk about how security really works inside organizations that ship software, handle sensitive data, and carry real operational risk—just practitioners comparing scars.
This season covered three big threads that kept looping back into each other. The changing reality of the CISO role. The rise of agentic AI systems. The grind of day-to-day security work in complex environments. All of it shaped by people who actually own the outcomes.
The CISO job is no longer “just security”
Across episodes with sitting CISOs, former CISOs, and advisors, one theme kept repeating. The role has outgrown the narrow idea of “head of security.”
Guests talked about shaping product strategy, influencing M&A decisions, and acting as a translator between engineering, legal, and the board. Security decisions now touch revenue targets, customer churn, and brand risk. That shift sounds good in theory. In practice, it means CISOs end up accountable for many things they do not fully control.
Several guests described the alignment problem. They own risk, but budgets roll up through other executives. They see threats, but business incentives still reward speed over resilience. They are measured on incident outcomes, yet they do not directly manage the teams that ship code or choose vendors.
We heard candid stories about burnout and turnover. One CISO walked us through the exact timeline of an incident, followed by a board meeting, followed by pressure to “simplify the story” for investors. Another unpacked why they walked away from a role that looked perfect on paper. All of them stressed the same point. Governance on slides and governance in reality are two different things.
A few concrete patterns emerged:
The healthiest programs treat security as a design constraint early, not as an after-the-fact control.
CISOs who succeed long term invest in political capital, not only technical depth.
Boards that receive concise, quantified risk narratives tend to fund security in a more predictable way.
None of that is theoretical. It came from leaders who already lived through breaches, regulatory investigations, and restructuring.
Agentic AI forced everyone to redraw the map
If the CISO role was the structural thread of the season, agentic AI was the disruptive one.
I talked with researchers, builders, and defenders about AI systems that can plan, act, and adapt with far less human hand-holding. Not just models that classify or summarize, but agents that chain actions, call tools, integrate with SaaS, and touch production systems.
The mood was not hype. It was curiosity mixed with concern.
On the risk side, the questions got sharper:
How do you test agents that can call arbitrary APIs on your behalf?
What is the blast radius when an agent interprets a prompt in an unexpected way?
Where do you log intent, not just output, so you can reconstruct what happened?
Several episodes dug into evaluation, not just capability. One guest explained their approach to “red teaming the planner” instead of only the model. Another guest from a large enterprise shared how they introduced guardrails that look a lot like familiar security patterns. Least privilege for tools. Strict boundaries between environments. Strong human review on high-impact actions.
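To make those guardrails and the "log intent, not just output" question concrete, here is an added example of a tool-call gate that sits between an agent's planner and its tool runtime. It is not code from the podcast or from any guest's organization; the agent names, tool names, environments and approver are hypothetical. It enforces a per-agent tool allowlist (least privilege), pins each agent to one environment (strict boundaries), holds high-impact actions until a named human approves them, and records the agent's stated intent next to every decision so an investigator can reconstruct why a call was attempted.

```python
"""Tool-call gate for an AI agent: least privilege, environment boundaries,
human review on high-impact actions, and an intent log.

Added example, not code from the podcast or any guest's system. All agent,
tool, environment and approver names below are hypothetical."""

from dataclasses import asdict, dataclass, field
import json
import time

# Hypothetical tool catalogue. Each tool declares which environments it may
# touch and whether it is high impact (runs only with a named human approver).
TOOLS = {
    "read_ticket":       {"envs": {"dev", "staging", "prod"}, "high_impact": False},
    "query_customer_db": {"envs": {"staging", "prod"},        "high_impact": False},
    "rotate_api_key":    {"envs": {"prod"},                   "high_impact": True},
    "delete_records":    {"envs": {"prod"},                   "high_impact": True},
}

# Least privilege: every agent is pinned to one environment and gets an
# explicit tool allowlist. Anything not listed is denied.
AGENTS = {
    "support-triage-agent":  {"env": "staging", "tools": {"read_ticket", "query_customer_db"}},
    "secrets-hygiene-agent": {"env": "prod",    "tools": {"rotate_api_key"}},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False


@dataclass
class ToolGate:
    """Sits between the agent's planner and the tool runtime."""
    intent_log: list = field(default_factory=list)

    def check(self, agent, tool, env, intent, approved_by=None):
        decision = self._decide(agent, tool, env, approved_by)
        # Log the stated intent next to the decision, so an investigator can
        # reconstruct why a call was attempted rather than only what it returned.
        self.intent_log.append({
            "ts": time.time(), "agent": agent, "tool": tool, "env": env,
            "intent": intent, "approved_by": approved_by, **asdict(decision),
        })
        return decision

    def _decide(self, agent, tool, env, approved_by):
        grant = AGENTS.get(agent)
        spec = TOOLS.get(tool)
        if grant is None or spec is None:
            return Decision(False, "unknown agent or tool")
        if tool not in grant["tools"]:
            return Decision(False, f"{agent} is not granted {tool}")
        if env != grant["env"]:
            return Decision(False, f"{agent} is bound to {grant['env']}, not {env}")
        if env not in spec["envs"]:
            return Decision(False, f"{tool} may not run in {env}")
        if spec["high_impact"] and not approved_by:
            return Decision(False, "high-impact action requires a human approver",
                            needs_approval=True)
        return Decision(True, "allowed")

    def dump_log(self):
        return "\n".join(json.dumps(entry) for entry in self.intent_log)


def demo():
    """Constructed sequence of tool calls exercising each guardrail."""
    gate = ToolGate()
    calls = [
        ("support-triage-agent", "read_ticket", "staging", "read ticket 4711", None),
        ("support-triage-agent", "query_customer_db", "prod", "look up the customer", None),   # crosses env boundary
        ("support-triage-agent", "delete_records", "staging", "clean up duplicates", None),    # tool not granted
        ("secrets-hygiene-agent", "rotate_api_key", "prod", "rotate key from leak report", None),    # waits for a human
        ("secrets-hygiene-agent", "rotate_api_key", "prod", "rotate key from leak report", "alice"),  # approved
    ]
    return gate, [gate.check(*call) for call in calls]


if __name__ == "__main__":
    gate, decisions = demo()
    for decision in decisions:
        print(decision)
    print(gate.dump_log())
```

The point of the design is that the planner never sees a raw tool runtime: every call passes through `check`, which denies by default and only allows a call that is granted, in-environment, permitted for that tool and, if high impact, approved by a named person. Because the intent string is written to the log before the decision is returned, a refused or mis-planned call is still reconstructible afterward, which is the property the blast-radius and logging questions above are really asking for.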
We also spent time on governance. Who owns agent risk? Is it the CISO, the CIO, or the data team? That debate is still unresolved inside many companies. The one clear signal. Wherever AI agents can pivot from data to action, security teams will get pulled in, whether they were consulted or not.
The grind of modern security work
Between strategy and AI, the season also stayed close to the operational reality. The stuff that never makes keynotes.
We broke down identity incidents where the root cause was a single overprivileged service account that no one wanted to touch. We walked through SaaS sprawl and what happens when finance signs a contract and security hears about it six months later. We heard from teams still dealing with old VPN concentrators, fragile OT networks, brittle backups, and half-documented cloud resources.
Several guests talked frankly about tooling fatigue. Too many dashboards. Too little integration. Alerts without context. One recurring message. Visibility without ownership is noise.
We heard practical tactics that worked:
Building small, cross-functional “fix teams” for specific classes of risk, such as exposed secrets or misconfigured identity providers.
Tying security metrics to business metrics, for example, mapping control adoption to sales cycle friction or support ticket volume.
Using tabletop exercises as a way to expose process gaps, not as compliance theater.
These were not abstract frameworks. They were things people tested on real incidents with real stakes.
What we learned by listening
After twenty-seven episodes, some lessons cut across every topic.
First, security teams thrive when they are allowed to be specific. “Reduce risk” is meaningless. “Cut the mean time to revoke access for departing employees from three days to four hours” is actionable. The same applies to vendor review, detection tuning, or AI rollouts. Precision beats broad ambition.
Second, language matters. Many guests described how small shifts in wording changed the outcome of conversations. Talking about “protecting revenue” instead of “blocking threats.” Presenting one or two sharp options, not a buffet of scenarios. Explaining uncertainty without drifting into drama.
Third, community still matters more than tools. People came on the Chasing Entropy Podcast to say the quiet parts out loud. To admit where they guessed. To share how often “best practice” collided with reality. That level of honesty is worth more than another product announcement.
Where the Chasing Entropy Podcast goes next
Season one proved there is room for unvarnished security conversations. The numbers are useful, but the direct feedback from listeners stood out more. Messages from CISOs who replayed episodes for their leadership teams. Notes from practitioners who used an anecdote from the show to justify a change in process. Comments from people new to the field who appreciated hearing that even seasoned leaders fight the same battles.
Season two will dig deeper into a few areas our guests only had time to touch on. Security for AI. Agentic AI in production, not pilots. Identity as the real control plane. The economics of security work, from budget structures to talent models. We will keep the format simple. Bring in people who do the work. Ask them pointed questions. Respect their time and yours.
If you listened to one episode or all twenty-seven, thank you. Your attention is a scarce resource. If you shared the show with a colleague, argued with a guest in your head, or scribbled notes, you are part of the experiment.
Entropy does not stop. Systems age. Threats adapt. Organizations change their minds. The goal of this podcast is not to deliver a final answer. It is to track how security practice evolves, one honest conversation at a time.
Season one is a wrap! See you in 2026!
Podcast: https://podcasts.apple.com/ca/podcast/chasing-entropy-podcast-by-1password/id1811491680
YouTube: https://www.youtube.com/@ChasingEntropyPodcast

