No Trust Podcast: Burning Down Cybersecurity Bullsh*t with Josh Copeland

No Trust Podcast: Burning Down Cybersecurity Bullsh*t with Josh Copeland

In this episode of the No Trust Podcast, host John Spiegel sits down with cybersecurity truth-teller and LinkedIn firestarter Josh Copeland — a former Air Force cyber operator, security leader, and author of Unpopular Opinion: Burning Down the Bullsht to Rebuild Cybersecurity*. If there’s an uncomfortable truth in the security industry, Josh is not just willing to say it… he’s probably already posted it.

Why He Became “Mr. Unpopular Opinion”

Josh didn’t set out to build a brand. He set out to challenge a broken narrative. For too long, he saw cybersecurity conversations dominated by empty positivity, certification worship, and an “everything is awesome” veneer that didn’t match reality.

So he started posting what people were really thinking but afraid to say: compliance isn’t security, SMBs aren’t safe from attackers, certifications don’t equal expertise, and the industry is riddled with illusions of competence.

Those posts exploded — not because they were controversial, but because they were true, and the industry was starved for honesty.

Advice for Veterans Transitioning Into Cybersecurity

John raises a question from a listener whose nephew was leaving the Navy after 20 years and wanted to enter cybersecurity. Josh’s advice was straightforward and extremely practical:

A security clearance is a superpower. Use it.

Organizations will often hire and train someone with a clearance rather than wait a year for a new employee to obtain one. Combined with a baseline certification like Security+, veterans can move quickly into cleared cyber roles and build from there.

What’s Really Broken in Cybersecurity

When asked to name the top problems in the field today, Josh doesn’t hesitate.

1. A Leadership Vacuum

We keep promoting technologists into CISO roles and expecting instant risk executives. But we don’t develop them as leaders, teach them the business, or prepare them for board conversations. It’s a systemic gap.

2. Compliance Theater

Audit checklists have become our comfort blanket, but they do almost nothing to reduce real risk. Regulations lag years behind the threat landscape, yet “passing the audit” remains the gold star too many organizations chase.

3. Tool Sprawl and Shiny Object Syndrome

Every breach leads to buying yet another tool. Meanwhile, most companies use a fraction of the capabilities they already have. Josh puts it bluntly: organizations are drowning in tools but starving for strategy.

Why Vendor Hype Makes This Worse

Cybersecurity marketing is built on fear. Vendors pitch panic, not outcomes. CISOs buy “Ferraris” they don’t need instead of the reliable “Civic” that fits their environment.

Josh says vendors should stop obsessing over features and start focusing on:

• the real problem

• the measurable outcome

• the integration path, not another dashboard

If a vendor can’t articulate those, he’s not interested.

Why Cybersecurity Is Still Reactive in 2025

John brings up a real-world example — Jaguar/Land Rover shutting down operations for weeks after a cyber event. How can incidents this devastating still happen?

Josh’s answer is simple:

Budgets only move after pain. Boards reward recovery, not prevention.

Security leaders haven’t effectively communicated how security ties to revenue, market opportunities, and resilience. Until CISOs connect risk to dollars, they will continue fighting fires instead of preventing them.

How CISOs Can Start Speaking the Language of Business

Josh encourages security leaders to step out of their silos and into the business.

Spend time with finance, HR, operations, manufacturing — whoever actually creates value. Understand their pain points. Learn their vocabulary.

When explaining security, don’t speak in bits and bytes. Translate everything into financial impact, uptime, productivity, and risk tolerance.

And, Josh notes, generative AI now makes this translation easier than ever.

How to Rebuild Security From Scratch

If given a chance to start fresh, Josh wouldn’t begin with tools. He’d begin with:

• Mission and risk

• Outcome design around availability, trust, and resilience

• Business alignment from day one

Only after those are established would he consider what tools are needed.

A Practical “Burn Down” Experiment for Any Security Leader

Josh offers a tangible exercise:
Start with one specific process — such as user onboarding — and rebuild it from scratch with security and efficiency in mind.

Automate account creation from HR systems. Assign roles based on attributes, not copying another user. Remove legacy exceptions. Make it seamless, secure, and scalable.

Prove success in a single slice, then apply that model to other processes. That’s how real transformation happens.

Rapid-Fire Unpopular Opinions

No episode with Josh would be complete without them:

• Zero Trust: “Segmentation with better marketing.”

• MFA Fatigue: Fix your UX — don’t kill MFA.

• Security Training: Make it behavioral, not a checkbox.

• EDR Solves Everything: “I’ve got oceanfront property in Arizona to sell you.”

• Ransomware: It’s faster than ever; get a playbook now.

• AI: It’s not replacing your job — but it will absolutely change how you do it.

Why He Wrote the Book

Josh never planned to write a book. He just grew tired of watching organizations fail in the same ways for 20 years: accumulating tools, reacting instead of anticipating, patching holes instead of examining foundations, and ignoring the human side of cybersecurity.

His book lays out what’s broken, why it’s broken, and how to rebuild through first principles — not platitudes. Early readers say they “hear his voice” in every chapter, snark and all.

The Essential Pizza Segment

Every No Trust episode ends with food, and Josh delivers. Despite living in Louisiana, he and his wife regularly drive to a New York–style pizzeria in Marshall, Texas — Pietro’s — because good pizza is worth a pilgrimage.

His ideal slice? Thin crust, perfect umami, the right cheese blend, and absolutely no pineapple.

John counters with Portland’s Pizza Scholl’s, promising a future showdown.

Final Thoughts

This conversation is a masterclass in uncomfortable truths. Josh Copeland doesn’t criticize the industry for sport — he does it because change requires clarity, honesty, and the courage to challenge sacred cows.

The episode pushes leaders to rethink how they buy tools, how they communicate with boards, how they engage the business, and how they build security programs that actually matter.

It’s a challenge the industry needs — and one more step toward burning down the bullsh*t and rebuilding cybersecurity the right way.

Listen Here - https://on.soundcloud.com/t3Z0wj5aj7qTtvoqvy

Cleaned-Up Transcript: No Trust Podcast with Josh Copeland

John:
Welcome back to another episode of the No Trust Podcast, where we cut through the noise and focus on what matters in cybersecurity. I'm John Spiegel, flying solo today — Jay Tilson is stuck traveling somewhere. So I’ll enjoy a slice of pizza with pineapple while we talk with today’s guest.

He’s someone you’ve probably seen stirring things up on LinkedIn as “Mr. Unpopular Opinion.” He’s a former Air Force cyber operator, a security leader, and now the author of Unpopular Opinion: Burning Down the Bullshit to Rebuild Cybersecurity. Josh Copeland doesn’t shy away from calling things as he sees them — broken hiring practices, vendor hype, compliance theater… nothing is off-limits.

Today he’s going to share why he believes cybersecurity is fundamentally flawed, and how to burn some of it down and rebuild it better. This conversation may ruffle feathers — exactly the point. Josh, welcome to the show.

Josh:
Thanks, John. Happy to be here.

Becoming “Mr. Unpopular Opinion”

John:
Let’s start with the name. Why “Mr. Unpopular Opinion”? How did that persona begin?

Josh:
A couple years ago, I got tired of the cybersecurity echo chamber where everything is supposedly great — everyone’s doing the right things, everything’s awesome. That didn’t match what I was seeing. So I started posting blunt observations: small businesses aren’t magically safe, compliance isn’t security, certifications don’t prove capability. Those posts went viral because people were starved for honesty.

It wasn’t about clicks. The persona is just me being contrarian to start conversations — saying uncomfortable truths that everyone knows but won’t say out loud.

Transitioning from Military to Cybersecurity

John:
I saw a post from a former colleague — his nephew is leaving the Navy after 20 years and wants to get into cybersecurity. Any advice for veterans making that jump?

Josh:
For anyone leaving the military, your biggest advantage is your security clearance. There are tons of jobs that require it, and companies would rather hire someone with a clearance and train them than wait a year for a new hire to get one. So leverage it. Get Security+ because it’s the minimum for federal work, and tap into the cleared-professional network. That alone opens doors.

John:
Great advice. Clearances take forever — sometimes years. If you have one, use it.

What’s Broken in Cybersecurity

John:
All right, let’s get into it. What are your top three things that are broken in cybersecurity?

Josh:
First: a leadership vacuum. We promote technologists into CISO roles and expect them to act as risk executives. There’s no meaningful pipeline to develop leadership or teach business fundamentals. We take great engineers and drop them into board-level roles without preparation.

Second: compliance theater. We chase checklists that make regulators happy but don’t reduce risk. Regulations lag new threats by years. Organizations confuse “passing an audit” with being secure.

Third: tool sprawl. Every time a breach happens, companies buy a new tool instead of fixing root causes. They use 25–50% of the tools they already own. If organizations actually maximized what they already have, they’d save money and improve security.

Vendor Hype and Security Buying Behavior

John:
Tool sprawl resonates. I’ve lived that. How does vendor hype play into it?

Josh:
Vendor hype hurts more than it helps. It sells fear, not outcomes. The message is always: “If you don’t buy this, you’ll be breached.” It distorts priorities. Companies chase the newest tool instead of solving the real problem. Before buying anything, leaders should ask: does this improve my security posture? Does it change outcomes?

John:
There’s an idea that security is “bought, not sold.” You rely on peers, vendors you already know, analysts… not the same logic as networking gear or hardware. How does that dynamic help or hurt?

Josh:
It hurts because we gravitate to what we know instead of what we need. Companies buy the Ferrari when all they need is the Honda Civic. And a lot of times we buy tools that are overkill. The real solution is proper product evaluation: understand requirements, do actual bake-offs, and select the right-fit tool — not the tool you’re familiar with.

Why Security Is Still Reactive

John:
Look at Jaguar/Land Rover — essentially offline for a month due to some cyber event. Why are we still this reactive?

Josh:
Budgets only move after pain. Boards don’t reward prevention — they reward recovery. CISOs are trained to chase fires because that’s what gets funded. And we’ve done a bad job explaining that security is a business enabler and can even be revenue-generating when done right.

Flipping the Conversation with the Board

John:
How does a CISO flip that dynamic and stop being reactive?

Josh:
Understand the business. Understand the customers. Show how specific security investments open new markets — healthcare, for example, if you get HIPAA attested. AI attestation frameworks are emerging now; getting them early can differentiate your company.

Tie everything back to either revenue or reduced operating cost. That’s what boards care about.

Building Trust and Business Alignment

John:
A lot of CISOs are introverted technologists. How do they build influence with the board and the business?

Josh:
Get out of the ivory tower. Go talk to finance, HR, operations. Learn their pain points and help solve them. When you’re visible and collaborative, trust follows. And use generative AI as a translator — it can help turn technical concepts into business language. No one needs bits and bytes; they need dollars and cents.

Rebuilding Security From Scratch

John:
If you were rebuilding security from scratch, where would you begin?

Josh:
Start with mission and risk. Design security outcomes based on availability, trust, and resilience — before buying tools. Align security with business value, not technology fads. A startup has a different risk appetite than a defense contractor. Build for what your business is, not for what Twitter says is best practice.

The Role of Vendors

John:
What should vendors be doing differently?

Josh:
Be partners, not hawkers. Bring clarity and context. Show how you integrate into my environment. Don’t give me “another blinking dashboard.” Focus on problems and outcomes — not features.

Rebuilding Trust With the Business

John:
There’s often distrust between the business and security. How do we fix that?

Josh:
Speak in outcomes and operational dollars. Tie every control to risk reduction and business impact. For example: if a machine generates $1,000/minute in revenue and ransomware takes it down for 72 hours, that’s millions lost. If a $50K protection solution prevents that, the business case becomes obvious.

What CISOs Should Stop Doing Immediately

John:
What should CISOs stop doing tomorrow?

Josh:
Stop chasing every new tool or headline vulnerability. Inventory and use what you already own. Most organizations use a fraction of their existing tooling. Get fundamentals right: identity, visibility, response speed. You don’t need new products to do that.

Moving from Tactical to Strategic Leadership

John:
Leaders often think tactically instead of strategically. How do you move past that?

Josh:
Take your hands off the keyboard. Stop firefighting. Your job is thinking about where the organization needs to be in one, three, five years — and building toward that. It’s hard because firefighting gives dopamine hits. But real leadership is fixing the underlying causes, not the symptoms.

A Practical Burn-Down Experiment

John:
If I’m a security leader at a mid-size org, what’s a realistic first step in burning down and rebuilding?

Josh:
Pick one critical process — I recommend user onboarding — and rebuild it with security by design. Automate provisioning from HR. Assign roles based on attributes, not copying someone else’s access. Remove legacy exceptions. Prove you can transform one process; the organization will support you in transforming others.

Rapid-Fire: Josh’s Unpopular Opinions

John:
Rapid fire. Zero Trust.

Josh:
Segmentation with better marketing.

John:
MFA fatigue.

Josh:
Fix user experience. Don’t kill MFA.

John:
Security training.

Josh:
Make it behavioral, not a checkbox.

John:
EDR solves everything.

Josh:
I’ve got oceanfront property in Arizona to sell you.

John:
Ransomware.

Josh:
It’s getting faster. If you don’t have a playbook, you’re wrong.

John:
AI.

Josh:
It’s not taking your job, but it will change how you do it.

Josh’s Book

John:
Tell us about the book.

Josh:
I never planned to write one. But after two decades watching programs fail the same way — tool hoarding, leadership churn, reactive spending — I realized we needed a principles-first reboot. The book lays out what’s broken, how we got here, and how to rebuild security with a human-centered approach. Feedback so far has been great — people say they can hear my snark in every chapter.

The Pizza Question

John:
We always end with food. Best meal in the last two months?

Josh:
My wife and I routinely drive to a small pizzeria in Marshall, Texas — Pietro’s. Best New York–style slice in the South. Thin crust, savory sauce, the right cheese blend. And absolutely no pineapple.

John:
If you ever make it to Portland, I’ll take you to Pizza Scholl’s. One of the best pies you’ll ever have — all about the crust and quality ingredients.

John:
Josh, thanks for the time and the insights. Great conversation.

Josh:
Always a pleasure.